Building Service-Based Atlas Cluster Management
The built-in Atlas management roles were designed for the broad needs of most customers, so some customers need more fine-grained permissions for specific teams or user types than the predefined roles offer. Although the management roles are currently fixed, a simple Realm service placed in front of the programmatic API lets us grant users access to very specific management or provisioning actions without handing them a broad "sudo everything" role.
To make this concrete, I want to focus on one use case: database user creation for the application teams. Each developer on a team may need their own database user with specific database permissions. With the current Atlas user roles you would need to grant the team the Cluster Manager role, which also allows them to change cluster properties and to pause and resume a cluster. In many cases that power is unnecessary for these users.
Instead, developers submit their requests to a pre-built service that authenticates them and prompts them for the user description. The service validates the input and posts it to the Atlas Admin API, without exposing any additional information or the API keys to the developer.
The developer then receives a confirmation that the user was created and is ready to use.
To make the service more accessible for users I am using a form-based service called Typeform; other form builders would work as well. The form gathers the user description and the password/secret used to authenticate to the service, and passes them to the Realm webhook, which performs the action.
MongoDB Realm is a serverless platform and mobile database. In our case we use its HTTP webhooks and functions (and, later, scheduled triggers).
The webhook is configured to call our Realm function each time the form is submitted.
The function behind the webhook receives the request, fetches the API credentials it needs, sends the Atlas Admin API command, and returns the result to the form.
Once the webhook is set up and ready, its URL is pasted into the webhook section of the Typeform configuration. Submitted form data is then forwarded via Typeform's webhook integration to our Realm webhook.
To strengthen the security of our Realm app we can restrict the allowed origins of webhook requests: go to the Realm application "Manage" > "Settings" > "Allowed Request Origins". Treat this as an additional layer rather than as authentication: it filters on the request's Origin header, which any non-browser client can set to whatever it likes, so the secret checked inside the function remains the real control.
If you go to the Atlas UI under the Database Access tab, you will see the newly created user.
Now our developers can create users quickly without being granted any unnecessary privileges, and with much less room for human error.
The webhook code can be converted into a function that is called from other webhooks or triggers, which lets us build more sophisticated, controlled and secure provisioning methods. For example, we can configure a scheduled trigger that pulls any newly created clusters, continuously provisions the users our applications require on them, and edits existing users to add any newly needed permissions.