Managing MongoDB users
You can add and delete users as well as manage their individual settings and database access permissions.
Getting a list of users
- Go to the folder page
and select Managed Service for MongoDB. - Click the name of the cluster you need and select the
Users tab.
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name
or --folder-id
parameter.
To get a list of cluster users, run the following command:
yc managed-mongodb user list \
--cluster-name <cluster_name>
You can request the cluster name with the list of clusters in the folder.
To get a list of users, use the list REST API method for the User resource or the UserService/List gRPC API call and provide the cluster ID in the clusterId
request parameter.
You can get the cluster ID with a list of clusters in the folder.
Creating a user
-
Go to the folder page
and select Managed Service for MongoDB. -
Click the name of the cluster you need and select the
Users tab. -
Click Create user.
-
Enter the DB user name and password.
Note
The username may contain Latin letters, numbers, hyphens, and underscores but must begin with a letter, number, or underscore.
The password must be between 8 and 128 characters.
-
Configure the roles for the user:
- Click Add database and select the database where you want to grant a role.
- Add roles using
.
You can grant multiple roles to a user in different databases.
-
Click Create.
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name
or --folder-id
parameter.
To create a user in a cluster:
-
See the description of the create user CLI command:
yc managed-mongodb user create --help
-
Specify the user properties in the create command:
yc managed-mongodb user create <username> \ --cluster-name <cluster_name> \ --password <user_password> \ --permission database=<DB_name>,role=<role>,role=<other_role>,... \ --permission database=<other_DB_name>,role=<role>,...
Note
The username may contain Latin letters, numbers, hyphens, and underscores but must begin with a letter, number, or underscore.
The password must be between 8 and 128 characters.
You can request the cluster name with the list of clusters in the folder.
-
Open the current Terraform configuration file with an infrastructure plan.
For more information about creating this file, see Creating clusters.
-
Add the
yandex_mdb_mongodb_user
resource:resource "yandex_mdb_mongodb_user" "<username>" { cluster_id = <cluster_ID> name = "<username>" password = "<password>" permission { database_name = "<DB_name>" roles = [ "<list_of_user_roles>" ] } }
Where
database_name
is the name of the DB you want to grant access to.Note
The username may contain Latin letters, numbers, hyphens, and underscores but must begin with a letter, number, or underscore.
The password must be between 8 and 128 characters.
-
Make sure the settings are correct.
-
Using the command line, navigate to the folder that contains the up-to-date Terraform configuration files with an infrastructure plan.
-
Run the command:
terraform validate
If there are errors in the configuration files, Terraform will point to them.
-
-
Confirm updating the resources.
-
Run the command to view planned changes:
terraform plan
If the resource configuration descriptions are correct, the terminal will display a list of the resources to modify and their parameters. This is a test step. No resources are updated.
-
If you are happy with the planned changes, apply them:
-
Run the command:
terraform apply
-
Confirm the update of resources.
-
Wait for the operation to complete.
-
-
For more information, see the Terraform provider documentation
To create a user, use the create REST API method for the User resource or the UserService/Create gRPC API call and provide the following in the request:
- Cluster ID in the
clusterId
parameter. To find out the cluster ID, get a list of clusters in the folder. - User settings in the
userSpec
parameter:- Username in the
name
parameter. - User password in the
password
parameter. - Database access permissions (one or more
permissions
parameters, one for each database):- Database name in the
databaseName
parameter. To find out the name, get a list of databases in the cluster. - Database access permissions in the
roles
parameter.
- Database name in the
- Username in the
Changing users
-
Go to the folder page
and select Managed Service for MongoDB. -
Click the name of the cluster you need and select the
Users tab. -
To edit a user password, click
in the row with the user you need and select Change password.Note
The password must be between 8 and 128 characters.
-
To change the user's roles:
- Click
in the row with the user you need and select Configure. - To add a role, click
next to the appropriate database and select the role. - To delete a role, click
next to the role name.
- Click
-
Click Save.
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name
or --folder-id
parameter.
To change a user's password or list of roles:
-
See the description of the CLI's update user command:
yc managed-mongodb user update --help
-
Specify the user properties in the update command:
yc managed-mongodb user update <username> \ --cluster-name <cluster_name> \ --password <user_password> \ --permission database=<DB_name>,role=<role>,role=<other_role>,... \ --permission database=<other_DB_name>,role=<role>,...
Note
The password must be between 8 and 128 characters.
To grant a user access to a database with a defined list of roles:
-
View a description of the CLI command to grant users permissions:
yc managed-mongodb user grant-permission --help
-
Specify the properties of the user in the grant permissions command:
yc managed-mongodb user grant-permission <username> \ --cluster-name <cluster_name> \ --database <DB_name> \ --role <list_of_roles_separated_by_commas>
To revoke user database access:
-
View a description of the CLI command to revoke users' permissions:
yc managed-mongodb user revoke-permission --help
-
Specify the properties of the user in the revoke permissions command:
yc managed-mongodb user revoke-permission <username> \ --cluster-name <cluster_name> \ --database <DB_name>
This command denies the user all access to the specified database.
You can get the cluster name with the list of clusters in the folder, the DB name, with the list of databases in the cluster, and the user's name, with the list of users in the cluster.
-
Open the current Terraform configuration file with an infrastructure plan.
For more information about creating this file, see Creating clusters.
-
Find the
yandex_mdb_mongodb_user
resource. -
Update the
password
field value and field values underpermission
:resource "yandex_mdb_mongodb_user" "<username>" { cluster_id = <cluster_ID> name = "<username>" password = "<new_password>" permission { database_name = "<DB_name>" roles = [ "<new_list_of_user_roles>" ] } }
Note
The password must be between 8 and 128 characters.
-
Make sure the settings are correct.
-
Using the command line, navigate to the folder that contains the up-to-date Terraform configuration files with an infrastructure plan.
-
Run the command:
terraform validate
If there are errors in the configuration files, Terraform will point to them.
-
-
Confirm updating the resources.
-
Run the command to view planned changes:
terraform plan
If the resource configuration descriptions are correct, the terminal will display a list of the resources to modify and their parameters. This is a test step. No resources are updated.
-
If you are happy with the planned changes, apply them:
-
Run the command:
terraform apply
-
Confirm the update of resources.
-
Wait for the operation to complete.
-
-
For more information, see the Terraform provider documentation
To update a user, use the update REST API method for the User resource or the UserService/Update gRPC API call and provide the following in the request:
- ID of the cluster in which the user is located, in the
clusterId
parameter. To find out the cluster ID, get a list of clusters in the folder. - Username in the
userName
parameter. To find out the name, get a list of users in the cluster. - Name of the database for which you want to update the list of user roles, in the
permissions.databaseName
parameter. To find out the name, get a list of databases in the cluster. - Array with the new list of user roles in the
permissions.roles
parameter. - List of user settings to update, in the
updateMask
parameter.
Warning
The API method will assign default values to all the parameters of the object you are modifying unless you explicitly provide them in your request. To avoid this, list the settings you want to change in the updateMask
parameter as a single comma-separated string.
Deleting a user
- Go to the folder page
and select Managed Service for MongoDB. - Click the name of the cluster you need and select the
Users tab. - Click
in the row with the user you need and select Delete.
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name
or --folder-id
parameter.
To remove a user, run:
yc managed-mongodb user delete <username> \
--cluster-name <cluster_name>
You can request the cluster name with the list of clusters in the folder.
-
Open the current Terraform configuration file with an infrastructure plan.
For more information about creating this file, see Creating clusters.
-
Delete the
yandex_mdb_mongodb_user
resource with the user's description. -
Make sure the settings are correct.
-
Using the command line, navigate to the folder that contains the up-to-date Terraform configuration files with an infrastructure plan.
-
Run the command:
terraform validate
If there are errors in the configuration files, Terraform will point to them.
-
-
Confirm updating the resources.
-
Run the command to view planned changes:
terraform plan
If the resource configuration descriptions are correct, the terminal will display a list of the resources to modify and their parameters. This is a test step. No resources are updated.
-
If you are happy with the planned changes, apply them:
-
Run the command:
terraform apply
-
Confirm the update of resources.
-
Wait for the operation to complete.
-
-
For more information, see the Terraform provider documentation
To delete a user, use the delete REST API method for the User resource or the UserService/Delete gRPC API call and provide the following in the request:
- Cluster ID in the
clusterId
parameter. To find out the cluster ID, get a list of clusters in the folder. - Name of the user to delete in the
userName
parameter. To find out the name, get a list of users in the cluster.
Examples
Add a user with read-only permissions
To add a new user (user2
) to an existing cluster with read-only access to the db1
database:
- Go to the folder page
and select Managed Service for MongoDB. - Click the cluster name and select the
Users tab. - Click Create user.
- Enter the
user2
username and password (from 8 to 128 characters). - Select the
db1
database from the Add database drop-down list. - Select the
read
role from the drop-down list next to thedb1
database. - Click Create.
Run the following command:
yc managed-mongodb user create user2 \
--cluster-name <cluster_name> \
--password <user_password> \
--permission database=db1,role=read
-
Open the current Terraform configuration file with an infrastructure plan.
For more information about how to create this file, see Creating clusters.
-
Add the
yandex_mdb_mongodb_user
resource.resource "yandex_mdb_mongodb_user" "user2" { cluster_id = <cluster_ID> name = "user2" password = "<password>" permission { database_name = "db1" roles = [ "read" ] } }
-
Make sure the settings are correct.
-
Using the command line, navigate to the folder that contains the up-to-date Terraform configuration files with an infrastructure plan.
-
Run the command:
terraform validate
If there are errors in the configuration files, Terraform will point to them.
-
-
Confirm updating the resources.
-
Run the command to view planned changes:
terraform plan
If the resource configuration descriptions are correct, the terminal will display a list of the resources to modify and their parameters. This is a test step. No resources are updated.
-
If you are happy with the planned changes, apply them:
-
Run the command:
terraform apply
-
Confirm the update of resources.
-
Wait for the operation to complete.
-
-
For more information, see the Terraform provider documentation
Modify user permissions
To grant read-only access to the db2
database to user1
of cluster1
:
- Go to the folder page
and select Managed Service for MongoDB. - Click the
cluster1
name and select the Users tab. - Click
next touser1
and select Configure. - Click Add database and select
db2
as your database. - Click
and select theread
role from the drop-down list next to thedb2
database. - Click Save.
Run the following command:
yc managed-mongodb user grant-permission user1 \
--cluster-name cluster1 \
--database db2 \
--role read
-
Open the current Terraform configuration file with an infrastructure plan.
For more information about how to create this file, see Creating clusters.
-
Find the
yandex_mdb_mongodb_user
resource. -
Add a
permission
section:resource "yandex_mdb_mongodb_user" "user1" { cluster_id = <cluster_ID> name = "user1" password = "<password>" permission { database_name = "db2" roles = [ "read" ] } }
-
Make sure the settings are correct.
-
Using the command line, navigate to the folder that contains the up-to-date Terraform configuration files with an infrastructure plan.
-
Run the command:
terraform validate
If there are errors in the configuration files, Terraform will point to them.
-
-
Confirm updating the resources.
-
Run the command to view planned changes:
terraform plan
If the resource configuration descriptions are correct, the terminal will display a list of the resources to modify and their parameters. This is a test step. No resources are updated.
-
If you are happy with the planned changes, apply them:
-
Run the command:
terraform apply
-
Confirm the update of resources.
-
Wait for the operation to complete.
-
-
-
For more information, see the Terraform provider documentation