Manage Database Users using SCRAM Authentication

The Kubernetes Operator supports managing database users using SCRAM authentication on MongoDB deployments.

Considerations

Supported SCRAM Implementations

When you specify SCRAM as the authentication mechanism, the implementation of SCRAM used depends upon:

  • The version of MongoDB and
  • If the database is the Application Database or another database.
MongoDB Version   Database                          SCRAM Implementation
3.6 or earlier    Any except Application Database   SCRAM-SHA-1
4.0 or later      Any except Application Database   SCRAM-SHA-256
Any               Application Database              SCRAM-SHA-1

Supported Authentication Mechanisms

The Kubernetes Operator supports only SCRAM and X.509 authentication mechanisms in deployments it creates. In an Operator-created deployment, you cannot use Ops Manager to:

  • Configure other authentication mechanisms for deployments.
  • Manage users not using SCRAM or X.509 authentication.

After enabling SCRAM authentication, you can add SCRAM users using the Ops Manager interface or the MongoDBUser CustomResourceDefinition.

Prerequisites

Before managing database users, you must deploy a standalone, replica set, or sharded cluster.

Add a Database User

Create User Secret

1

Configure kubectl to default to your namespace.

If you have not already, run the following command to execute all kubectl commands in the namespace you created:

kubectl config set-context $(kubectl config current-context) --namespace=<namespace>
2

Copy the following example secret.

You can choose to use a cleartext password:

---
apiVersion: v1
kind: Secret
metadata:
  name: <mms-user-1-password>
  # corresponds to user.spec.passwordSecretKeyRef.name
type: Opaque
stringData:
  password: <my-plain-text-password>
  # corresponds to user.spec.passwordSecretKeyRef.key
...

or you can choose to use a Base64-encoded password:

---
apiVersion: v1
kind: Secret
metadata:
  name: <mms-user-1-password>
  # corresponds to user.spec.passwordSecretKeyRef.name
type: Opaque
data:
  password: <base-64-encoded-password>
  # corresponds to user.spec.passwordSecretKeyRef.key
...

Note

Make sure to copy the password configuration you intend to use: plaintext passwords go under stringData.password and Base64-encoded passwords go under data.password.

3

Create a new User Secret YAML file.

  1. Open your preferred text editor.
  2. Paste this User Secret into a new text file.
4

Change the highlighted lines.

Use the following table to guide you through changing the highlighted lines in the Secret:

Key                  Type    Description                                                        Example
metadata.name        string  Name of the database password secret. Resource names must be       mms-scram-user-1-password
                             44 characters or less.
stringData.password  string  Plaintext password for the desired user. Use this option or        <my-plain-text-password>
                             data.password; you can’t use both.
data.password        string  Base64-encoded password for the desired user. Use this option or   <my-base64-encoded-password>
                             stringData.password; you can’t use both. You must encode the
                             password into Base64 yourself and paste the resulting value here.
                             Tools exist for nearly every platform, as well as web-based ones.
5

Save the User Secret file with a .yaml extension.

Create MongoDBUser

1

Copy the following example MongoDBUser.

---
apiVersion: mongodb.com/v1
kind: MongoDBUser
metadata:
  name: <mms-scram-user-1>
spec:
  passwordSecretKeyRef:
    name: <mms-user-1-password>
    # Match to metadata.name of the User Secret
    key: password
  username: "<mms-scram-user-1>"
  db: "admin"
  # Authentication database for the user
  mongodbResourceRef:
    name: "<my-replica-set>"
    # Match to the MongoDB resource using authentication
  roles:
    - db: "admin"
      name: "clusterAdmin"
    - db: "admin"
      name: "userAdminAnyDatabase"
    - db: "admin"
      name: "readWrite"
...
2

Create a new MongoDBUser file.

  1. Open your preferred text editor.
  2. Paste this MongoDBUser into a new YAML file.
3

Change the highlighted lines.

Use the following table to guide you through changing the highlighted lines in the MongoDBUser YAML file:

Key                             Type    Description                                                               Example
metadata.name                   string  Name of the database user resource. Resource names must be 44             mms-scram-user-1
                                        characters or less.
spec.username                   string  Name of the database user.                                                mms-scram-user-1
spec.passwordSecretKeyRef.name  string  metadata.name value of the secret that stores the user’s password.        my-resource
spec.mongodbResourceRef.name    string  Name of the MongoDB resource to which this user is associated.            my-resource
spec.roles.db                   string  Database on which the role can act.                                       admin
spec.roles.name                 string  Name of the role to grant the database user. The role name can be any     readWriteAnyDatabase
                                        built-in MongoDB role or custom role that exists in Cloud Manager or
                                        Ops Manager.
4

Add any additional roles for the user to the MongoDBUser.

You may grant additional roles to this user.

5

Save the MongoDBUser file with a .yaml extension.

6

Create the user.

Invoke the following Kubernetes command to create your database user:

kubectl apply -f <database-user-conf>.yaml
7

View the newly created user in Cloud Manager or Ops Manager.

You can view the newly-created user in Cloud Manager or Ops Manager:

  1. From the Project’s Deployment view, click the Security tab.
  2. Click the MongoDB Users nested tab.
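The following shell script is an added example (not from this page or the Operator project) that renders both manifests from the User Secret and MongoDBUser steps above, checks the 44-character resource-name limit first, and Base64-encodes the password without the trailing newline that `echo` would add. All names and the password are constructed placeholders.

```shell
# Added example (not from the page or the Operator project): render the User
# Secret and MongoDBUser manifests from the steps above, enforcing the page's
# constraints before anything is applied. All names below are constructed.
MAX_NAME_LEN=44   # resource-name limit stated in the tables above

# Succeeds only if the resource name is 44 characters or less.
check_name() { [ "${#1}" -le "$MAX_NAME_LEN" ]; }

# Base64-encode a password for data.password. printf, not echo, so that no
# trailing newline becomes part of the password; tr strips base64 line wraps.
b64_password() { printf '%s' "$1" | base64 | tr -d '\n'; }

# Render the Secret. Args: secret-name password
render_secret() {
  check_name "$1" || return 1
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1
type: Opaque
data:
  password: $(b64_password "$2")
EOF
}

# Render the MongoDBUser. Args: user-name secret-name mongodb-resource db:role ...
render_user() {
  user=$1; secret=$2; mdb=$3; shift 3
  check_name "$user" || return 1
  cat <<EOF
apiVersion: mongodb.com/v1
kind: MongoDBUser
metadata:
  name: $user
spec:
  passwordSecretKeyRef:
    name: $secret
    key: password
  username: "$user"
  db: "admin"
  mongodbResourceRef:
    name: "$mdb"
  roles:
EOF
  for r in "$@"; do   # each role is passed as <db>:<role-name>
    printf '    - db: "%s"\n      name: "%s"\n' "${r%%:*}" "${r#*:}"
  done
}
```

Pipe the output of either function into `kubectl apply -f -` to create the resource in your current namespace without writing the password to a file.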

Delete a Database User

To delete a database user, pass the metadata.name from the user’s MongoDBUser resource to the following command:

kubectl delete mdbu <metadata.name>

Change Authentication Mechanism

To change your user authentication from SCRAM to X.509:

  1. Disable authentication.

    Under spec.security.authentication, change enabled to false.

    spec:
      security:
        authentication:
          enabled: false

  2. Reapply the user’s resource definition.

  3. Wait for the MongoDBResource to reach the running state.

  4. Enable SCRAM authentication.

    Under spec.security.authentication, change enabled to true and set modes to ["SCRAM"].

    spec:
      security:
        authentication:
          enabled: true
          modes: ["SCRAM"]

  5. Reapply the MongoDBUser resource.

  6. Wait for the MongoDBResource to reach the running state.