Navigation

Manage Database Users for X.509 Deployments

The Kubernetes Operator supports managing database users for deployments running with TLS and X.509 internal cluster authentication enabled.

Important

The Kubernetes Operator does not support other authentication mechanisms in deployments it creates. In an Operator-created deployment, you cannot use Ops Manager to:

  • Add other authentication methods to users.
  • Manage users not using X.509 authentication.

After enabling X.509 authentication, you can add X.509 users using the Ops Manager interface or the CustomResourceDefinition.

Prerequisites

Before managing database users, you must deploy a replica set or sharded cluster with TLS and X.509 enabled.

If you need to generate X.509 certificates for your MongoDB users, see Generate X.509 Client Certificates.

Add a Database User

1

Copy the following example ConfigMap.

---
apiVersion: mongodb.com/v1
kind: MongoDBUser
metadata:
  name: <resource-name>
spec:
  username: <rfc2253-subject>
  project: <my-configmap> # Should match metadata.name in your project's ConfigMap.
  db: "$external"
  roles:
    - db: <database-name>
      name: <role-name>
...
2

Open your preferred text editor and paste the example ConfigMap into a new text file.

3

Change the five highlighted lines.

Use the following table to guide you through changing the highlighted lines in the ConfigMap:

Key Type Description Example
metadata.name string The name of the database user resource. mms-user-1
spec.username string

The subject line of the x509 client certificate signed by the Kubernetes Certificate Authority (Kube CA).

Important

The username must comply with the RFC 2253 LDAPv3 Distinguished Name standard.

To get the subject line of the X.509 certificate, run the following command:

openssl x509 -noout \
  -subject -in <my-cert.pem> \
  -nameopt RFC2253
CN=mms-user,U=My Organizational Unit,O=My Org,L=New York,ST=New York,C=US
spec.project string The name of the project containing the MongoDB database where user will be added. my-project
spec.roles.db string The database the role can act on. admin
spec.roles.name string The name of the role to grant the database user. The role name can be any built-in MongoDB role or custom role that exists in Cloud Manager or Ops Manager. readWriteAnyDatabase
3

Add any additional roles for the user to the ConfigMap.

You may grant additional roles to this user using the format defined in the following example:

---
apiVersion: mongodb.com/v1
kind: MongoDBUser
metadata:
  name: mms-user-1
spec:
  username: CN=mms-user,U=My Organizational Unit,O=My Org,L=New York,ST=New York,C=US
  project: my-project
  db: "$external"
  roles:
    - db: admin
      name: backup
    - db: admin
      name: restore
...
4

Create the user.

Invoke the following Kubernetes command to create your database user:

kubectl apply -f <database-user-conf>.yaml
5

View the newly created user in Cloud Manager or Ops Manager.

You can view the newly-created user in Cloud Manager or Ops Manager:

  1. From the Project’s Deployment view, click the Security tab.
  2. Click the MongoDB Users nested tab.

Delete a Database User

To delete a database user, pass the metadata.name from the user ConfigMap to the following command:

kubectl delete mdbu <metadata.name>