[DOCS-16628] Improve API docs specification on databaseName in role assignment for database users Created: 22/Jan/24 Updated: 02/Feb/24 |
|
| Status: | Needs Triage |
| Project: | Documentation |
| Component/s: | API, Atlas |
| Affects Version/s: | None |
| Fix Version/s: | None |
| Type: | Improvement | Priority: | Major - P3 |
| Reporter: | Fiona Rowan | Assignee: | Unassigned |
| Resolution: | Unresolved | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Attachments: |
|
| Participants: | |
| Days since reply: | 5 days ago |
| Description |
|
In the API docs for creating / updating a database user, the "roles" assignment currently looks as follows (please note the "databaseName" attribute):

The description currently looks identical to the "databaseName" attribute on the top-level database user in the same request body, but is not helpful for role assignment written as is. This value is not the database against which the user authenticates, but the scope of the role being assigned.

Let's tweak the description for roles.databaseName to be something like the following (worth double-checking with product on exact language here):

Database where the role is defined and where the role can grant access down to a collection level of granularity. Note that custom database roles are always created in the admin database in Atlas. Please refer to documentation for MongoDB built-in database roles to determine which database scope is appropriate when assigning those roles based on the access you'd like to grant the given database user. |
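The distinction described above, as an added example that is not part of the ticket or of Atlas itself: a pre-submission check over a database-user request body that reads the top-level databaseName as the authentication database and roles[].databaseName as the role scope. The built-in role sets are a constructed subset, any other role name is assumed to be a custom role, and `lint_roles` and the sample body are hypothetical.

```python
# Added example: lint the "roles" array of an Atlas database-user request body.
# Top-level "databaseName" = database the user authenticates against.
# roles[].databaseName     = scope of the role being assigned.

# Constructed subset of built-in roles; anything else is ASSUMED to be custom.
ADMIN_ONLY = {"atlasAdmin", "readAnyDatabase", "readWriteAnyDatabase"}
DB_SCOPED = {"read", "readWrite", "dbAdmin"}


def lint_roles(body):
    """Return a list of findings for the roles array of one request body."""
    auth_db = body.get("databaseName")
    findings = []
    for i, role in enumerate(body.get("roles", [])):
        name, scope = role.get("roleName"), role.get("databaseName")
        tag = f"roles[{i}] {name!r}"
        if not scope:
            findings.append(f"{tag}: no databaseName, role scope is undefined")
        elif name in ADMIN_ONLY and scope != "admin":
            findings.append(f"{tag}: cluster-wide role must use 'admin', got {scope!r}")
        elif name not in ADMIN_ONLY | DB_SCOPED and scope != "admin":
            # Per the ticket: custom roles are always created in 'admin' in Atlas.
            findings.append(f"{tag}: custom role must use 'admin', got {scope!r}")
        elif name in DB_SCOPED and scope == "admin" and auth_db == "admin":
            # Likely the authentication database copied into the role scope.
            findings.append(f"{tag}: scoped to 'admin'; confirm this is the "
                            "intended data scope, not the authentication database")
    return findings


# Constructed sample request body (no real user or project).
SAMPLE = {
    "databaseName": "admin",
    "username": "app-orders",
    "roles": [
        {"roleName": "readWrite", "databaseName": "orders", "collectionName": "invoices"},
        {"roleName": "readWrite", "databaseName": "admin"},
        {"roleName": "ordersAuditor", "databaseName": "orders"},
        {"roleName": "ordersAuditor", "databaseName": "admin"},
        {"roleName": "readAnyDatabase", "databaseName": "reporting"},
    ],
}

if __name__ == "__main__":
    for finding in lint_roles(SAMPLE):
        print(finding)
```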
| Comments |
| Comment by Matteo Vesprini-Heidrich [ 02/Feb/24 ] |
|
Our new arrangement should be that the docs team will handle these API doc changes for us. |
| Comment by Memento Slack Bot [ 22/Jan/24 ] |
|
Slack Thread captured from #ask-cloud-atlas-clusters by fiona.rowan@mongodb.com
Based on the condition in mms it looks like `databasename == 'admin'` is required for a custom DB role. Is this something that should instead be inherited from the custom role, instead of having the user specify the 'admin' database? Please feel free to redirect to another channel if needed.
maybe sue.nguyen@mongodb.com could weigh in on whether specifying `admin` by default for Atlas-managed user-defined roles is desirable, or if we intentionally want users to be aware of the implications?
So the issue here is either we should call this out somewhere in the documentation for users AND if possible, call out the rationale behind having users specify `admin` database for custom roles. IMO a doc update is a feasible option.
> is this problem specific to just Terraform only?
hope this makes sense - let me know if there are further questions here on how Atlas handles roles!
|