jasonmimick / atlas-osb

DEPRECATED: See https://github.com/mongodb/atlas-osb

Home Page:https://github.com/mongodb/atlas-osb

cf create-service-key bugs and errors

tanjoht opened this issue · comments

BUG: cf create-service-key -c '{"User" : {"roles" : [ { "roleName" : "readWriteAnyDatabase", "databaseName" : "admin"} ] } }' → will create the database user with both the default role and the requested role

ERROR: cf create-service-key -c '{"User" : {"roles" : [ { "roleName" : "readWrite", "databaseName" : "default"} ] } }' → specifying the database user with the same role and databaseName as the default will result in error

Hi @tanjoht
Please review the MongoDB Atlas documentation - users can only be defined on the admin database.
https://docs.atlas.mongodb.com/security-add-mongodb-users/#database-user-authentication
This is working as designed.

Also - it would be helpful to enter a bit more descriptive notes for any issues. Just saying "BUG" doesn't really give much to go on, let alone know what you're trying to do.

Details

BUG: cf create-service-key -c '{"User" : {"roles" : [ { "roleName" : "readWriteAnyDatabase", "databaseName" : "admin"} ] } }' → will create the database user with both the default role and the requested role

Why does this work?
Because if there is not any databaseName in the Bind() parameters, we will set it to admin for Atlas. And if you set the overrideBindDB in a plan, then whenever we Bind a user for the plan instance a Role for that setting also gets added to the user. Don't create users through this API if that behavior isn't desired; it's required to support the other need to forcefully put a particular string for the database name in all the connection strings.
If you have to have this and make it work to bind, then you need to make the 1st role for the user be on the database you want them to bind to. Here is an example of what I think you actually are trying to do:

 cf create-service-key T121 XXXX -c '{"User" : { "roles" : [ { "roleName" : "readWrite", "databaseName" : "default"}, {"roleName" : "readWriteAnyDatabase", "databaseName" : "admin"} ] } }'
Creating service key XXXX for service instance T121 as admin...
OK

And we can see this works like this:

 cf service-key T121 XXXX
Getting key XXXX for service instance T121 as admin...

{
 "connectionString": "mongodb+srv://5d6637b7-319d-411e-8aba-21344a91b471:2IK4BNtoklKZKkq38zvuJmPD4yA76iocwpVCqeU9F0w=@t121.9e1nk.mongodb.net/default",
 "database": "default",
 "password": "2IK4BNtoklKZKkq38zvuJmPD4yA76iocwpVCqeU9F0w=",
 "uri": "mongodb+srv://t121.9e1nk.mongodb.net",
 "username": "5d6637b7-319d-411e-8aba-21344a91b471"
}

And here you see the user has both roles as desired:

➜  atlas-osb git:(master) ✗ mongocli atlas dbusers list
...
        {
                "databaseName": "admin",
                "ldapAuthType": "NONE",
                "x509Type": "NONE",
                "groupId": "5f2152182f51736b9e538a25",
                "roles": [
                        {
                                "roleName": "readWrite",
                                "databaseName": "default"
                        },
                        {
                                "roleName": "readWriteAnyDatabase",
                                "databaseName": "admin"
                        }
                ],
                "username": "5d6637b7-319d-411e-8aba-21344a91b471"
        }
]

ERROR: cf create-service-key -c '{"User" : {"roles" : [ { "roleName" : "readWrite", "databaseName" : "default"} ] } }' → specifying the database user with the same role and databaseName as the default will result in error

With a fresh install and cluster we CANNOT get any errors - this all works fine.

 cf create-service-key T121 Uuu1 -c '{"User" : { "databaseName" : "admin","roles" : [ { "roleName" : "readWrite", "databaseName" : "default"} ] } }'
Creating service key Uuu1 for service instance T121 as admin...
OK

➜  atlas-osb git:(master) ✗ cf create-service-key T121 VVVw -c '{"User" : { "roles" : [ { "roleName" : "readWrite", "databaseName" : "default"} ] } }'
Creating service key VVVw for service instance T121 as admin...
OK

Note - it works whether I specify the databaseName or not.
And here is the proof of what gets created in Atlas:

➜  atlas-osb git:(master) ✗ mongocli atlas dbusers list
[
        {
                "databaseName": "admin",
                "ldapAuthType": "NONE",
                "x509Type": "NONE",
                "groupId": "5f2152182f51736b9e538a25",
                "roles": [
                        {
                                "roleName": "readWrite",
                                "databaseName": "default"
                        }
                ],
                "username": "test-user"
        },
        {
                "databaseName": "admin",
                "ldapAuthType": "NONE",
                "x509Type": "NONE",
                "groupId": "5f2152182f51736b9e538a25",
                "roles": [
                        {
                                "roleName": "readWrite",
                                "databaseName": "default"
                        }
                ],
                "username": "8fb1c110-de7e-4cf2-8389-b9ffbf39a484"
        },
        {
                "databaseName": "admin",
                "ldapAuthType": "NONE",
                "x509Type": "NONE",
                "groupId": "5f2152182f51736b9e538a25",
                "roles": [
                        {
                                "roleName": "readWrite",
                                "databaseName": "default"
                        }
                ],
                "username": "36788292-9b19-426f-bca3-ee3b424f124d"
        }
]
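To make the bind semantics discussed in this thread concrete, here is an added Go example (not atlas-osb's own code) that computes the roles and bind database a `cf create-service-key -c` request would end up with under a plan's overrideBindDB; it also covers the "same role as the default" case by not adding an exact duplicate. The readWrite role name for the override, the override winning the connection-string database, and the duplicate skip are assumptions, not behaviour confirmed by the thread.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Role and BindUser mirror the "User" object given to `cf create-service-key -c`.
type Role struct {
	RoleName     string `json:"roleName"`
	DatabaseName string `json:"databaseName"`
}
type BindUser struct {
	DatabaseName string `json:"databaseName,omitempty"`
	Roles        []Role `json:"roles"`
}
// EffectiveBind models the behaviour the maintainer describes (an assumption, not the
// broker's code): databaseName defaults to "admin"; a plan's overrideBindDB adds a readWrite
// role on that database and becomes the bind database, else the first role's database is used.
func EffectiveBind(rawParams, overrideBindDB string) (BindUser, string, error) {
	var p struct{ User BindUser `json:"User"` }
	if err := json.Unmarshal([]byte(rawParams), &p); err != nil {
		return BindUser{}, "", err
	}
	u := p.User
	if u.DatabaseName == "" {
		u.DatabaseName = "admin" // Atlas only defines users on the admin database
	}
	if len(u.Roles) == 0 {
		return BindUser{}, "", fmt.Errorf("bind parameters carry no roles")
	}
	bindDB := u.Roles[0].DatabaseName
	if overrideBindDB != "" {
		bindDB = overrideBindDB
		extra, dup := Role{RoleName: "readWrite", DatabaseName: overrideBindDB}, false
		for _, r := range u.Roles {
			dup = dup || r == extra // an exact duplicate is not added twice (assumption)
		}
		if !dup {
			u.Roles = append(u.Roles, extra)
		}
	}
	return u, bindDB, nil
}

func main() {
	// Constructed input: the maintainer's working command, bound under a plan override of "default".
	params := `{"User":{"roles":[{"roleName":"readWrite","databaseName":"default"},{"roleName":"readWriteAnyDatabase","databaseName":"admin"}]}}`
	fmt.Println(EffectiveBind(params, "default"))
}
```

Reviewing the returned role list before the user is created is the cheapest place to catch a bind that silently carries more privilege than the caller asked for.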