Managing MongoDB users
You can add and delete users as well as manage their individual settings and database access permissions.
Getting a list of users
- Go to the folder page and select Managed Service for MongoDB.
- Click the name of the cluster you need and select the
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.
To get a list of cluster users, run the following command:
yc managed-mongodb user list \
--cluster-name <cluster_name>
You can request the cluster name with a list of clusters in the folder.
To get a list of users, use the list REST API method for the User resource or the UserService/List gRPC API call and provide the cluster ID in the clusterId request parameter.
You can get the cluster ID with a list of clusters in the folder.
Adding a user
- Go to the folder page and select Managed Service for MongoDB.
- Click the cluster name and select the
- Click Add.
- Enter the DB user name and password.
  Note
  A username may contain letters, numbers, hyphens, and underscores, but must start with a letter or an underscore.
  The password must be between 8 and 128 characters.
- Configure the roles for the user:
  - Click Add database and select the database where you want to grant a role.
  - Add roles using
  You can grant multiple roles to a user in different databases.
- Click Add.
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.
To create a user in a cluster:
- See the description of the create user CLI command:
  yc managed-mongodb user create --help
- Specify the user properties in the create command:
  yc managed-mongodb user create <username> \
    --cluster-name <cluster_name> \
    --password <user_password> \
    --permission database=<DB_name>,role=<role>,role=<other_role>,... \
    --permission database=<other_DB_name>,role=<role>,...
  Note
  A username may contain letters, numbers, hyphens, and underscores, but must start with a letter or an underscore.
  The password must be between 8 and 128 characters.
You can request the cluster name with a list of clusters in the folder.
- Open the current Terraform configuration file with an infrastructure plan.
  For more information about creating this file, see Creating a MongoDB cluster.
- Add a user block to the Managed Service for MongoDB cluster description:
  resource "yandex_mdb_mongodb_cluster" "<cluster_name>" {
    ...
    user {
      name     = "<username>"
      password = "<password>"
      permission {
        database_name = "<DB_name>"
        roles         = [ "<list_of_user_roles>" ]
      }
    }
  }
  Where database_name is the name of the DB the access is granted to.
  Note
  A username may contain letters, numbers, hyphens, and underscores, but must start with a letter or an underscore.
  The password must be between 8 and 128 characters.
- Make sure the settings are correct.
  - Using the command line, navigate to the folder that contains the up-to-date Terraform configuration files with an infrastructure plan.
  - Run the command:
    terraform validate
    If there are errors in the configuration files, Terraform will point to them.
- Confirm updating the resources.
  - Run the command to view planned changes:
    terraform plan
    If the resource configuration descriptions are correct, the terminal will display a list of the resources to modify and their parameters. This is a test step. No resources are updated.
  - If you are happy with the planned changes, apply them:
    - Run the command:
      terraform apply
    - Confirm the update of resources.
    - Wait for the operation to complete.
For more information, see the Terraform provider documentation.
Timeouts
The Terraform provider sets the following timeouts for Managed Service for MongoDB cluster operations:
- Creating a cluster, including by restoring one from a backup: 30 minutes.
- Editing a cluster: 60 minutes.
Operations exceeding the set timeout are interrupted.
Add the timeouts block to the cluster description, for example:
resource "yandex_mdb_mongodb_cluster" "<cluster_name>" {
  ...
  timeouts {
    create = "1h30m" # An hour and a half
    update = "2h"    # Two hours
  }
}
To add a user, use the create REST API method for the User resource or the UserService/Create gRPC API call and provide the following in the request:
- Cluster ID in the clusterId parameter. To find out the cluster ID, get a list of clusters in the folder.
- User settings in the userSpec parameter:
  - Username in the name parameter.
  - User password in the password parameter.
  - Database permissions (one or more permissions parameters, one for each database):
    - Database name, in the databaseName parameter. To find out the name, get a list of databases in the cluster.
    - Database permissions in the roles parameter.
Changing users
- Go to the folder page and select Managed Service for MongoDB.
- Click the cluster name and select the
- To edit a user password, click
  Note
  The password must be between 8 and 128 characters.
- To change the user's roles:
  - Click
  - To add a role, click
  - To delete a role, click
  - Click
- Click Save.
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.
To change a user's password or list of roles:
- See the description of the CLI's update user command:
  yc managed-mongodb user update --help
- Specify the user properties in the update command:
  yc managed-mongodb user update <username> \
    --cluster-name <cluster_name> \
    --password <user_password> \
    --permission database=<DB_name>,role=<role>,role=<other_role>,... \
    --permission database=<other_DB_name>,role=<role>,...
  Note
  The password must be between 8 and 128 characters.
To grant a user access to a database with a defined list of roles:
- View a description of the CLI command to grant users permissions:
  yc managed-mongodb user grant-permission --help
- Specify the properties of the user in the grant permissions command:
  yc managed-mongodb user grant-permission <username> \
    --cluster-name <cluster_name> \
    --database <DB_name> \
    --role <comma-separated_list_of_roles>
To revoke user database access:
- View a description of the CLI command to revoke users' permissions:
  yc managed-mongodb user revoke-permission --help
- Specify the properties of the user in the revoke permissions command:
  yc managed-mongodb user revoke-permission <username> \
    --cluster-name <cluster_name> \
    --database <DB_name>
This command completely blocks the user's access to the specified database.
You can request the cluster name with a list of clusters in the folder, the DB name with a list of databases in the cluster, and the user's name with a list of users in the cluster.
- Open the current Terraform configuration file with an infrastructure plan.
  For more information about creating this file, see Creating a MongoDB cluster.
- In the Managed Service for MongoDB cluster description, find the user block for the required user.
- Change the values of the password and permission fields:
  resource "yandex_mdb_mongodb_cluster" "<cluster_name>" {
    ...
    user {
      name     = "<username>"
      password = "<new_password>"
      permission {
        database_name = "<DB_name>"
        roles         = [ "<new_list_of_user_roles>" ]
      }
    }
  }
  Note
  The password must be between 8 and 128 characters.
- Make sure the settings are correct.
  - Using the command line, navigate to the folder that contains the up-to-date Terraform configuration files with an infrastructure plan.
  - Run the command:
    terraform validate
    If there are errors in the configuration files, Terraform will point to them.
- Confirm updating the resources.
  - Run the command to view planned changes:
    terraform plan
    If the resource configuration descriptions are correct, the terminal will display a list of the resources to modify and their parameters. This is a test step. No resources are updated.
  - If you are happy with the planned changes, apply them:
    - Run the command:
      terraform apply
    - Confirm the update of resources.
    - Wait for the operation to complete.
For more information, see the Terraform provider documentation.
To update a user, use the update REST API method for the User resource or the UserService/Update gRPC API call and provide the following in the request:
- ID of the cluster in which the user is located, in the clusterId parameter. To find out the cluster ID, get a list of clusters in the folder.
- Username, in the userName parameter. To find out the name, get a list of users in the cluster.
- Name of the database for which you want to change the list of user roles in the permissions.databaseName parameter. To find out the name, get a list of databases in the cluster.
- Array of the new list of user roles in the permissions.roles parameter.
- List of user settings to be updated, in the updateMask parameter.
Warning
This API method resets to their default values all parameters of the object being modified that were not explicitly passed in the request. To avoid this, list the settings you want to change in the updateMask parameter (one line separated by commas).
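The sketch below is an added example, not code from the Yandex Cloud documentation: it checks the username and password rules from the Note and assembles the parameters the create and update methods are described as taking, always deriving updateMask from the fields actually sent. It assumes that "letters" means ASCII letters and that mask entries are the top-level field names password and permissions; the function names are hypothetical, and how the parameters are split between URL path and request body is not shown.

```python
import re

# Rules quoted in the page's Note; "letters" is assumed to mean ASCII letters.
NAME_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_-]*")


def check_name(name):
    if not NAME_RE.fullmatch(name):
        raise ValueError(f"invalid username: {name!r}")
    return name


def check_password(password):
    if not 8 <= len(password) <= 128:
        raise ValueError("password must be between 8 and 128 characters")
    return password


def permissions(grants):
    """Turn {database: [roles]} into the permissions array.
    Rejecting an empty role list is a local policy of this example."""
    out = []
    for db, roles in sorted(grants.items()):
        if not roles:
            raise ValueError(f"no roles listed for database {db!r}")
        out.append({"databaseName": db, "roles": sorted(set(roles))})
    return out


def create_request(cluster_id, name, password, grants):
    """Parameters for the User create method: clusterId plus userSpec."""
    spec = {"name": check_name(name), "password": check_password(password),
            "permissions": permissions(grants)}
    return {"clusterId": cluster_id, "userSpec": spec}


def update_request(cluster_id, name, password=None, grants=None):
    """Parameters for the User update method; updateMask lists exactly what is sent."""
    req = {"clusterId": cluster_id, "userName": check_name(name)}
    if password is not None:
        req["password"] = check_password(password)
    if grants is not None:
        req["permissions"] = permissions(grants)
    changed = [k for k in ("password", "permissions") if k in req]
    if not changed:
        raise ValueError("nothing to update; refusing to send an unmasked request")
    req["updateMask"] = ",".join(changed)
    return req


# Constructed sample: user1, db2 and read come from the page's own example.
SAMPLE = update_request("<cluster_ID>", "user1", grants={"db2": ["read"]})
```

Because the mask is built from the same keys that are placed in the request, a roles-only change cannot silently carry a password reset, and a password rotation cannot drop existing permissions.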
Deleting a user
- Go to the folder page and select Managed Service for MongoDB.
- Click the cluster name and select the
- Click
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.
To remove a user, run:
yc managed-mongodb user delete <username> \
--cluster-name <cluster_name>
You can request the cluster name with a list of clusters in the folder.
- Open the current Terraform configuration file with an infrastructure plan.
  For more information about creating this file, see Creating a MongoDB cluster.
- Delete the user block with a description of the required user from the Managed Service for MongoDB cluster description.
- Make sure the settings are correct.
  - Using the command line, navigate to the folder that contains the up-to-date Terraform configuration files with an infrastructure plan.
  - Run the command:
    terraform validate
    If there are errors in the configuration files, Terraform will point to them.
- Confirm updating the resources.
  - Run the command to view planned changes:
    terraform plan
    If the resource configuration descriptions are correct, the terminal will display a list of the resources to modify and their parameters. This is a test step. No resources are updated.
  - If you are happy with the planned changes, apply them:
    - Run the command:
      terraform apply
    - Confirm the update of resources.
    - Wait for the operation to complete.
For more information, see the Terraform provider documentation.
To delete a user, use the delete REST API method for the User resource or the UserService/Delete gRPC API call and provide the following in the request:
- Cluster ID in the clusterId parameter. To find out the cluster ID, get a list of clusters in the folder.
- Username to delete in the userName parameter. To find out the name, get a list of users in the cluster.
Examples
Add a user with read-only permissions
To add a new user (user2) to an existing cluster with read-only access to the db1 database:
- Go to the folder page and select Managed Service for MongoDB.
- Click the cluster name and select the
- Click Add.
- Enter the user2 username and password (from 8 to 128 characters).
- Select the db1 database from the Add database drop-down list.
- Select the read role from the drop-down list next to the db1 database.
- Click Add.
Run the following command:
yc managed-mongodb user create user2 \
--cluster-name <cluster_name> \
--password <user_password> \
--permission database=db1,role=read
Modify user permissions
To grant read-only access to the db2 database to user1 of cluster1:
- Go to the folder page and select Managed Service for MongoDB.
- Click the cluster1 name and select the
- Click user1 and select Configure.
- Click Add database and select db2 as your database.
- Select the read role from the drop-down list next to the db2 database.
- Click Save.
Run the following command:
yc managed-mongodb user grant-permission user1 \
--cluster-name cluster1 \
--database db2 \
--role read
- Open the current Terraform configuration file with an infrastructure plan.
  For more information about creating this file, see Creating a MongoDB cluster.
- In the Managed Service for MongoDB cluster description, find the user block for user1.
- Add a permission section:
  resource "yandex_mdb_mongodb_cluster" "cluster1" {
    ...
    user {
      name     = "user1"
      password = "<password>"
      ...
      permission {
        database_name = "db2"
        roles         = [ "read" ]
      }
    }
  }
- Make sure the settings are correct.
  - Using the command line, navigate to the folder that contains the up-to-date Terraform configuration files with an infrastructure plan.
  - Run the command:
    terraform validate
    If there are errors in the configuration files, Terraform will point to them.
- Confirm updating the resources.
  - Run the command to view planned changes:
    terraform plan
    If the resource configuration descriptions are correct, the terminal will display a list of the resources to modify and their parameters. This is a test step. No resources are updated.
  - If you are happy with the planned changes, apply them:
    - Run the command:
      terraform apply
    - Confirm the update of resources.
    - Wait for the operation to complete.
For more information, see the Terraform provider documentation.