
Manage Database Users

Important

Atlas Open Service Broker is deprecated. Use the MongoDB Atlas Operator instead.

You can create and delete Atlas database users through the Atlas Open Service Broker.

Prerequisites

Before managing database users, you must deploy a replica set.

Add a Database User

To create a database user, you first define a ServiceBinding resource in Kubernetes. Then, the Atlas Open Service Broker creates a corresponding database user in Atlas.

  1. Copy the following resource definition example.

    This is a YAML file that you can modify to meet your desired configuration.

    apiVersion: servicecatalog.k8s.io/v1beta1
    kind: ServiceBinding
    metadata:
      name: <USER_NAME>
      namespace: <NAMESPACE>
    spec:
      instanceRef:
        name: <CLUSTER_NAME>
  2. Open your preferred text editor and paste the resource definition into a new text file.

The following settings are required to create a database user:

  • metadata.name: The name of the service binding resource in Kubernetes. Example: atlas-user-1
  • metadata.namespace: The Kubernetes namespace where the service binding resource is created. Example: atlas
  • spec.instanceRef.name: The name of the ServiceInstance resource in Kubernetes that corresponds to your Atlas cluster. Example: my-atlas-cluster

When you create a database user, the Atlas Open Service Broker randomly generates an Atlas username and password for the user. The Service Catalog automatically stores the user's Atlas username, password, and connection URI in a Kubernetes secret.

If you do not specify additional settings, the database user is created with the following default attributes:

  • SCRAM-SHA authentication on the admin database
  • readWriteAnyDatabase permissions on the admin database

You can configure additional settings for the user under the spec.parameters.user key. These settings correspond to the request body parameters of the Create a Database User Public API method.

Important

The following API parameters are overwritten by the required Atlas Open Service Broker settings from the previous step and should not be specified:

  • databaseName
  • groupId
  • password
  • username
Example

This example resource definition creates:

  1. a Kubernetes resource called atlas-user-1 in the atlas namespace and
  2. an Atlas database user with the following configuration:

    • SCRAM-SHA authentication on the admin database with randomly generated username and password
    • readWrite permissions to the listingsAndReviews collection on the sample_airbnb database
    • dbAdmin permissions to the sample_geospatial database
apiVersion: servicecatalog.k8s.io/v1beta1
kind: ServiceBinding
metadata:
  name: atlas-user-1
  namespace: atlas
spec:
  instanceRef:
    name: my-atlas-cluster
  parameters:
    user:
      roles:
      - databaseName: sample_airbnb
        collectionName: listingsAndReviews
        roleName: readWrite
      - databaseName: sample_geospatial
        roleName: dbAdmin
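A pre-apply check for the spec.parameters.user block, added here as an example and not part of the Atlas Open Service Broker or of this page: it rejects a manifest that sets any of the four keys the broker overwrites (listed in the Important note above) and flags roles that reach across every database, so that a binding only grants the scoped roles it was meant to. The two manifests are constructed Python dicts, one mirroring the YAML above and one deliberately wrong; the BROAD_ROLES set and the check logic are this example's own choices, not rules the broker enforces.

```python
from typing import Dict, List

# Parameters the broker overwrites (the page's Important note); setting them in
# the manifest is at best misleading, so the check rejects the manifest.
OVERWRITTEN_KEYS = {"databaseName", "groupId", "password", "username"}

# Roles that reach across every database. Flagged rather than rejected, because
# the broker's own default user gets readWriteAnyDatabase. This set is an
# assumption of the example, not something the broker or Atlas enforces.
BROAD_ROLES = {"readWriteAnyDatabase", "readAnyDatabase", "dbAdminAnyDatabase",
               "userAdminAnyDatabase", "atlasAdmin"}


def validate_binding(manifest: Dict) -> List[str]:
    """Return the problems found in a ServiceBinding manifest; an empty list means apply it."""
    problems: List[str] = []
    if manifest.get("kind") != "ServiceBinding":
        problems.append("kind must be ServiceBinding")
    meta = manifest.get("metadata") or {}
    for key in ("name", "namespace"):
        if not meta.get(key):
            problems.append(f"metadata.{key} is required")
    spec = manifest.get("spec") or {}
    if not (spec.get("instanceRef") or {}).get("name"):
        problems.append("spec.instanceRef.name is required")
    user = (spec.get("parameters") or {}).get("user") or {}
    # Keys the broker overwrites must not be present at all.
    for key in sorted(OVERWRITTEN_KEYS.intersection(user)):
        problems.append(f"spec.parameters.user.{key} is overwritten by the broker; remove it")
    # Every role needs a database and a role name; cluster-wide roles are flagged.
    for i, role in enumerate(user.get("roles") or []):
        if not role.get("databaseName") or not role.get("roleName"):
            problems.append(f"roles[{i}] needs both databaseName and roleName")
        elif role["roleName"] in BROAD_ROLES:
            problems.append(f"roles[{i}] grants {role['roleName']} cluster-wide; scope it to one database")
    return problems


# Constructed input: the page's example binding as kubectl would load it.
GOOD_BINDING = {
    "apiVersion": "servicecatalog.k8s.io/v1beta1",
    "kind": "ServiceBinding",
    "metadata": {"name": "atlas-user-1", "namespace": "atlas"},
    "spec": {
        "instanceRef": {"name": "my-atlas-cluster"},
        "parameters": {"user": {"roles": [
            {"databaseName": "sample_airbnb", "collectionName": "listingsAndReviews",
             "roleName": "readWrite"},
            {"databaseName": "sample_geospatial", "roleName": "dbAdmin"},
        ]}},
    },
}

# Constructed input: a binding that sets overwritten keys and a cluster-wide role.
BAD_BINDING = {
    "apiVersion": "servicecatalog.k8s.io/v1beta1",
    "kind": "ServiceBinding",
    "metadata": {"name": "atlas-user-2", "namespace": "atlas"},
    "spec": {
        "instanceRef": {"name": "my-atlas-cluster"},
        "parameters": {"user": {
            "username": "admin",          # overwritten by the broker
            "password": "not-a-real-pw",  # overwritten by the broker
            "roles": [{"databaseName": "admin", "roleName": "readWriteAnyDatabase"}],
        }},
    },
}

if __name__ == "__main__":
    for label, manifest in (("good", GOOD_BINDING), ("bad", BAD_BINDING)):
        print(label, validate_binding(manifest) or "OK")
```

Run the check on the parsed manifest before `kubectl apply`; a non-empty list is a reason to stop, and the cluster-wide-role message is the one to review with whoever requested the user.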

Invoke the following Kubernetes command to create your database user:

kubectl apply -f atlas-user-1.yaml

To view the status of the new user within the Kubernetes cluster, pass the metadata.name from replica-set.yaml into the following command:

svcat describe instance <METADATA.NAME> -n <METADATA.NAMESPACE>

The status of the user appears under Bindings.

Example
Bindings:
       NAME        STATUS
  +--------------+--------+
    atlas-user-1   Ready

To see a detailed view of the user, pass the metadata.name from atlas-user-1.yaml into the following command:

svcat describe binding <METADATA.NAME> -n <METADATA.NAMESPACE>

The command returns the details of the user.

Example
  Name:        atlas-user-1
  Namespace:   atlas
  Status:      Ready - Injected bind result @ 2019-08-24 20:57:43 +0000 UTC
  Secret:      atlas-user-1
  Instance:    my-replica-set

Parameters:
  user:
    roles:
    - collectionName: listingsAndReviews
      databaseName: sample_airbnb
      roleName: readWrite
    - databaseName: sample_geospatial
      roleName: dbAdmin

Secret Data:
  password   44 bytes
  uri        58 bytes
  username   36 bytes

The connection details for the user are stored in a secret that has the same name and namespace as the ServiceBinding resource. Kubernetes stores the secret's values base64-encoded; the secret contains the Atlas username, password, and URI of the user.

  1. Pass metadata.name and metadata.namespace from atlas-user-1.yaml into the following command to retrieve the Kubernetes secret for the user:

    kubectl get secret <METADATA.NAME> -n <METADATA.NAMESPACE> -o yaml

    The command returns the base64-encoded Atlas password, URI, and username of the user:

    Example
    apiVersion: v1
    data:
      password: MlFhTnB4NzNoaEYwZWFKFMCjRUlNU2Iwbk5OMnJPT0JGZnZOeldKMS16Zz0=
      uri: bW9uZ29kYitzcnY6Ly8wMTY5YjA5My1jNTEyLTExZTktOGQyMC1kbjZyNy5tb25nb2RiLXFhLm5ldA==
      username: NTJjMzVlNjctYzdhMy0xMWKR7ThkMjAtMDI0MmFjMTEwMDA3
    kind: Secret
    metadata:
      creationTimestamp: "2019-08-26T01:46:30Z"
      name: atlas-user-1
      namespace: atlas
      ownerReferences:
      - apiVersion: servicecatalog.k8s.io/v1beta1
        blockOwnerDeletion: true
        controller: true
        kind: ServiceBinding
        name: atlas-user-1
        uid: 52c35ea1-c7a3-11e9-8d20-0242ac113457
      resourceVersion: "79692"
      selfLink: /api/v1/namespaces/atlas/secrets/atlas-user-1
      uid: 14829566-4859-4b47-97f6-d0a2f7425906
    type: Opaque
  2. Pass data.username from the secret into the following command to decode the user's Atlas username:

    echo '<DATA.USERNAME>' | base64 --decode

    The command returns the decoded Atlas username:

    Example
    52c35e67-c7a3-11e9-8d20-0374ac110007

    Repeat the command with data.password and data.uri to decode the user's Atlas password and URI.

    echo '<DATA.PASSWORD>' | base64 --decode
    echo '<DATA.URI>' | base64 --decode
Tip
Connecting to your Atlas cluster

To connect to your deployment, pass the decoded Atlas URI and username into the following command:

mongo <DECODED_URI> --username <DECODED_USERNAME>

When you are prompted for the password, enter the user's decoded Atlas password.
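The decode step above and the connection tip, carried out in one place as an added example that is not code from the page or from the Atlas Open Service Broker. It decodes the three base64 fields of the binding's secret, builds a connection URI with the credentials percent-encoded (the broker generates the password, and a `:`, `/`, `@` or `#` in it would otherwise be read as URI structure), adds authSource=admin to match the SCRAM user the broker creates on the admin database, and masks the password before anything is logged. The SECRET_JSON value is constructed to look like `kubectl get secret ... -o json` output (the username is the page's example value; the password and host are made up), and `fetch_secret_json` is this example's own helper for pulling the real secret from a cluster.

```python
import base64
import json
import subprocess
from typing import Dict
from urllib.parse import quote_plus, urlsplit

# Constructed input standing in for:  kubectl get secret atlas-user-1 -n atlas -o json
# The username is the page's example value; the password and host are made up.
SECRET_JSON = json.dumps({
    "apiVersion": "v1",
    "kind": "Secret",
    "type": "Opaque",
    "metadata": {"name": "atlas-user-1", "namespace": "atlas"},
    "data": {
        "username": base64.b64encode(b"52c35e67-c7a3-11e9-8d20-0374ac110007").decode(),
        "password": base64.b64encode(b"p@ss/word:with#odd=chars").decode(),
        "uri": base64.b64encode(b"mongodb+srv://example-cluster.mongodb.example.net").decode(),
    },
})


def fetch_secret_json(name: str, namespace: str) -> str:
    """Read the binding's secret from a live cluster (helper assumed by this example;
    needs kubectl and cluster access, so it is not called when running offline)."""
    cmd = ["kubectl", "get", "secret", name, "-n", namespace, "-o", "json"]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def decode_secret(secret_json: str) -> Dict[str, str]:
    """Base64-decode every field under .data, which is how Kubernetes stores Secret values."""
    secret = json.loads(secret_json)
    return {key: base64.b64decode(value).decode("utf-8")
            for key, value in secret["data"].items()}


def build_connection_uri(creds: Dict[str, str], auth_source: str = "admin") -> str:
    """Embed username and password in the URI. Both are percent-encoded so that a
    generated password containing ':', '/', '@' or '#' cannot corrupt the URI, and
    authSource is set to the admin database where the broker creates the SCRAM user."""
    parts = urlsplit(creds["uri"])
    userinfo = f"{quote_plus(creds['username'])}:{quote_plus(creds['password'])}"
    query = parts.query
    if "authSource=" not in query:
        query = f"{query}&authSource={auth_source}" if query else f"authSource={auth_source}"
    return f"{parts.scheme}://{userinfo}@{parts.netloc}{parts.path or '/'}?{query}"


def redact(uri: str) -> str:
    """Mask the password so the URI can be logged or pasted into a ticket."""
    parts = urlsplit(uri)
    if parts.password is None:
        return uri
    host = parts.hostname + (f":{parts.port}" if parts.port else "")
    return uri.replace(parts.netloc, f"{parts.username}:***@{host}", 1)


if __name__ == "__main__":
    # Against a real cluster: creds = decode_secret(fetch_secret_json("atlas-user-1", "atlas"))
    creds = decode_secret(SECRET_JSON)
    uri = build_connection_uri(creds)
    print("connect with:", redact(uri))  # print only the redacted form
```

The full URI goes straight to the client (for example as the first argument to `mongo`); only the redacted form should ever reach a log, a shell history or a ticket.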

Delete a Database User

To delete a database user, pass the metadata.name from the ServiceBinding resource to the following command:

kubectl delete servicebindings <METADATA.NAME> \
-n <METADATA.NAMESPACE>

To confirm that the user has been deleted, pass the metadata.name from the cluster resource into the following command:

svcat describe instance <METADATA.NAME> -n <METADATA.NAMESPACE>

The command returns No bindings defined under Bindings.
