<!-- 
RSS generated by JIRA (9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66) at Thu Feb 08 08:15:46 UTC 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary append 'field=key&field=summary' to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>MongoDB Jira</title>
    <link>https://jira.mongodb.org</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>    <build-info>
        <version>9.7.1</version>
        <build-number>970001</build-number>
        <build-date>13-04-2023</build-date>
    </build-info>


<item>
            <title>[DOCS-16628] Improve API docs specification on databaseName in role assignment for database users</title>
                <link>https://jira.mongodb.org/browse/DOCS-16628</link>
                <project id="10380" key="DOCS">Documentation</project>
                    <description>&lt;p&gt;In the &lt;a href=&quot;https://www.mongodb.com/docs/atlas/reference/api-resources-spec/v2/#tag/Database-Users/operation/createDatabaseUser&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;API docs&lt;/a&gt; for creating / updating a database user, the &quot;roles&quot; assignment currently looks as follows (please note the &quot;databaseName&quot; attribute):&#160;&lt;/p&gt;

&lt;p&gt;&lt;span class=&quot;image-wrap&quot; style=&quot;&quot;&gt;&lt;img src=&quot;https://jira.mongodb.org/secure/attachment/505460/505460_Screenshot+2024-01-22+at+2.24.13%E2%80%AFPM.png&quot; style=&quot;border: 0px solid black&quot; /&gt;&lt;/span&gt;&lt;/p&gt;

&lt;p&gt;&#160;&lt;/p&gt;

&lt;p&gt;The description currently looks identical to that of the &quot;databaseName&quot; attribute on the top-level database user in the same request body, but as written it is not helpful for role assignment. This value is not the database against which the user authenticates, but the scope of the role being assigned.&lt;/p&gt;

&lt;p&gt;&lt;b&gt;Let&apos;s tweak the description for roles.databaseName to be something like the following (worth double-checking with product on exact language here):&lt;/b&gt;&#160;&lt;/p&gt;

&lt;p&gt;Database where the role is defined and where the role can grant access, down to collection-level granularity. Note that custom database roles are always created in the admin database in Atlas. Please refer to documentation for MongoDB built-in database roles to determine which database scope is appropriate when assigning those roles based on the access you&apos;d like to grant the given database user.&lt;/p&gt;</description>
                <environment></environment>
        <key id="2553175">DOCS-16628</key>
            <summary>Improve API docs specification on databaseName in role assignment for database users</summary>
                <type id="4" iconUrl="https://jira.mongodb.org/secure/viewavatar?size=xsmall&amp;avatarId=14710&amp;avatarType=issuetype">Improvement</type>
                                            <priority id="3" iconUrl="https://jira.mongodb.org/images/icons/priorities/major.svg">Major - P3</priority>
                        <status id="10049" iconUrl="https://jira.mongodb.org/images/icons/statuses/information.png" description="">Needs Triage</status>
                    <statusCategory id="2" key="new" colorName="default"/>
                                    <resolution id="-1">Unresolved</resolution>
                                        <assignee username="-1">Unassigned</assignee>
                                    <reporter username="fiona.rowan@mongodb.com">Fiona Rowan</reporter>
                        <labels>
                    </labels>
                <created>Mon, 22 Jan 2024 19:37:41 +0000</created>
                <updated>Fri, 2 Feb 2024 21:39:46 +0000</updated>
                                                                            <component>API</component>
                    <component>Atlas</component>
                        <due></due>
                            <votes>0</votes>
                                    <watches>3</watches>
                                                                                                                <comments>
                            <comment id="6064004" author="JIRAUSER1259754" created="Fri, 2 Feb 2024 21:39:46 +0000"  >&lt;p&gt;Our new arrangement should be that the docs team will handle these API doc changes for us.&lt;/p&gt;</comment>
                            <comment id="6031984" author="JIRAUSER1272564" created="Mon, 22 Jan 2024 19:42:49 +0000"  >&lt;p&gt;&lt;a href=&quot;https://mongodb.slack.com/archives/C060D1CB16F/p1705491292682049&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;Slack Thread&lt;/a&gt; captured from #ask-cloud-atlas-clusters by &lt;a href=&quot;https://jira.mongodb.org/secure/ViewProfile.jspa?name=fiona.rowan%40mongodb.com&quot; class=&quot;user-hover&quot; rel=&quot;fiona.rowan@mongodb.com&quot;&gt;fiona.rowan@mongodb.com&lt;/a&gt;&lt;/p&gt;
&lt;ul&gt;
	&lt;li&gt;&lt;a href=&quot;https://jira.mongodb.org/secure/ViewProfile.jspa?name=aastha.mahendru%40mongodb.com&quot; class=&quot;user-hover&quot; rel=&quot;aastha.mahendru@mongodb.com&quot;&gt;aastha.mahendru@mongodb.com&lt;/a&gt;: Hi team,&lt;br/&gt;
I need some clarification for custom DB roles&lt;br/&gt;
We &lt;a href=&quot;https://github.com/mongodb/terraform-provider-mongodbatlas/issues/1522#issuecomment-1867583985&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;received some input&lt;/a&gt; from one of our Terraform users regarding database user creation with a custom DB role, specifically &lt;a href=&quot;https://github.com/10gen/mms/blob/9ded8521dda8f7c33f7f4b2b3a055e58f2dcb0ed/server/src/main/com/xgen/cloud/nds/project/_public/util/NDSDBUserUtils.java#L120&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;regarding this error&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;


&lt;p&gt;Based on the condition in mms it looks like `databasename == &apos;admin&apos;` is required for a custom DB role. Is this something that should instead be inherited from the custom role? instead of having the user specify &apos;admin&apos; database&lt;br/&gt;
What is the reasoning behind having the user specifically mention `admin` database here?&lt;/p&gt;

&lt;p&gt;Please feel free to redirect to another channel if needed.&lt;/p&gt;
&lt;ul&gt;
	&lt;li&gt;&lt;a href=&quot;https://jira.mongodb.org/secure/ViewProfile.jspa?name=fiona.rowan%40mongodb.com&quot; class=&quot;user-hover&quot; rel=&quot;fiona.rowan@mongodb.com&quot;&gt;fiona.rowan@mongodb.com&lt;/a&gt;: I&apos;d say this is a Product question - you&apos;re right, we could automatically assign `admin` . it&apos;s not necessary from a &lt;a href=&quot;https://www.mongodb.com/docs/manual/core/security-user-defined-roles/#scope&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;MongoDB perspective&lt;/a&gt; to specify that specific database though - roles could be created in any database, but Atlas enforces all user-defined or custom roles are created in `admin` so that it may include privileges that apply to any database in the deployment.&lt;/li&gt;
&lt;/ul&gt;


&lt;p&gt;maybe &lt;a href=&quot;https://jira.mongodb.org/secure/ViewProfile.jspa?name=sue.nguyen%40mongodb.com&quot; class=&quot;user-hover&quot; rel=&quot;sue.nguyen@mongodb.com&quot;&gt;sue.nguyen@mongodb.com&lt;/a&gt; could weigh in on whether specifying `admin` by default for Atlas-managed user-defined roles is desirable, or if we intentionally want users to be aware of the implications?&lt;/p&gt;
&lt;ul&gt;
	&lt;li&gt;&lt;a href=&quot;https://jira.mongodb.org/secure/ViewProfile.jspa?name=sue.nguyen%40mongodb.com&quot; class=&quot;user-hover&quot; rel=&quot;sue.nguyen@mongodb.com&quot;&gt;sue.nguyen@mongodb.com&lt;/a&gt;: sorry for the delay.   Is this problem specific to just Terraform only?    If the only option is &#8220;admin&#8221; , allowing users to specify something different only to have it break doesn&#8217;t seem right&lt;/li&gt;
	&lt;li&gt;&lt;a href=&quot;https://jira.mongodb.org/secure/ViewProfile.jspa?name=aastha.mahendru%40mongodb.com&quot; class=&quot;user-hover&quot; rel=&quot;aastha.mahendru@mongodb.com&quot;&gt;aastha.mahendru@mongodb.com&lt;/a&gt;: thanks for the insights &lt;a href=&quot;https://jira.mongodb.org/secure/ViewProfile.jspa?name=fiona.rowan%40mongodb.com&quot; class=&quot;user-hover&quot; rel=&quot;fiona.rowan@mongodb.com&quot;&gt;fiona.rowan@mongodb.com&lt;/a&gt; &lt;a href=&quot;https://jira.mongodb.org/secure/ViewProfile.jspa?name=sue.nguyen%40mongodb.com&quot; class=&quot;user-hover&quot; rel=&quot;sue.nguyen@mongodb.com&quot;&gt;sue.nguyen@mongodb.com&lt;/a&gt;&lt;br/&gt;
&amp;gt; If the only option is &#8220;admin&#8221; , allowing users to specify something different only to have it break doesn&#8217;t seem right&lt;br/&gt;
agreed, i think the question here is that it isn&apos;t specified anywhere in the documentation that for a custom role, user needs to specify the database to be &apos;admin&apos;. However, this is enforced in the code and `databaseName` under `roles` is a &lt;a href=&quot;https://www.mongodb.com/docs/atlas/reference/api-resources-spec/v2/#tag/Database-Users/operation/createDatabaseUser&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;required attribute in the API&lt;/a&gt; as well&lt;/li&gt;
&lt;/ul&gt;


&lt;p&gt;So the issue here is either we should call this out somewhere in the documentation for users AND if possible, call out the rationale behind having users specify `admin` database for custom roles&lt;br/&gt;
OR let the API default the database name to `admin` without having the user specify it (in which case `databaseName` under `roles` will need to be made optional).&lt;/p&gt;

&lt;p&gt;IMO a doc update is a feasible option&lt;/p&gt;

&lt;p&gt;&amp;gt; is this problem specific to just Terraform only?&lt;br/&gt;
no this is on API level&lt;/p&gt;
&lt;ul&gt;
	&lt;li&gt;&lt;a href=&quot;https://jira.mongodb.org/secure/ViewProfile.jspa?name=sue.nguyen%40mongodb.com&quot; class=&quot;user-hover&quot; rel=&quot;sue.nguyen@mongodb.com&quot;&gt;sue.nguyen@mongodb.com&lt;/a&gt;: Based on the Admin API doc, the `databaseName` could be &#8220;$external&#8221; or &#8220;admin&#8221;.    Can a custom role be &#8220;$external&#8221;?&lt;/li&gt;
	&lt;li&gt;&lt;a href=&quot;https://jira.mongodb.org/secure/ViewProfile.jspa?name=aastha.mahendru%40mongodb.com&quot; class=&quot;user-hover&quot; rel=&quot;aastha.mahendru@mongodb.com&quot;&gt;aastha.mahendru@mongodb.com&lt;/a&gt;: I am not sure about that unfortunately, &lt;a href=&quot;https://jira.mongodb.org/secure/ViewProfile.jspa?name=fiona.rowan%40mongodb.com&quot; class=&quot;user-hover&quot; rel=&quot;fiona.rowan@mongodb.com&quot;&gt;fiona.rowan@mongodb.com&lt;/a&gt; are you able to advise on that? would be good for my understanding as well&lt;/li&gt;
	&lt;li&gt;&lt;a href=&quot;https://jira.mongodb.org/secure/ViewProfile.jspa?name=aastha.mahendru%40mongodb.com&quot; class=&quot;user-hover&quot; rel=&quot;aastha.mahendru@mongodb.com&quot;&gt;aastha.mahendru@mongodb.com&lt;/a&gt;: hey &lt;a href=&quot;https://jira.mongodb.org/secure/ViewProfile.jspa?name=fiona.rowan%40mongodb.com&quot; class=&quot;user-hover&quot; rel=&quot;fiona.rowan@mongodb.com&quot;&gt;fiona.rowan@mongodb.com&lt;/a&gt; just following up on this one again&lt;/li&gt;
	&lt;li&gt;&lt;a href=&quot;https://jira.mongodb.org/secure/ViewProfile.jspa?name=fiona.rowan%40mongodb.com&quot; class=&quot;user-hover&quot; rel=&quot;fiona.rowan@mongodb.com&quot;&gt;fiona.rowan@mongodb.com&lt;/a&gt;: apologies for the delay - a couple things:&lt;br/&gt;
&#8226; &quot;$external&quot; database name is reserved for defining a MongoDB user. the `databaseName` we&apos;re referring to has to do with assigning a user a role, and that `databaseName` indicates the database the assigned role should be scoped to&lt;br/&gt;
&#8226; looking at that github issue again and the code, I just want to get on the same page about one point: custom roles are defined with the `admin` database by Atlas on the backend - the user doesn&apos;t have to specify the database when creating the custom role. they are only required to specify the database the role is scoped to when assigning to a user.&lt;br/&gt;
&#8226; there are built-in MongoDB roles, like `readWrite`, that do not need to be scoped to the `admin` database when assigned to a user, and can be scoped to any database name&lt;br/&gt;
always requiring that the user specifies the `databaseName` when assigning the role to a given user ensures the payload for assigning a role looks consistent regardless of whether they&apos;re assigning a built-in role or custom role. however, as mentioned in thread, Atlas could also auto-scope the database for a custom role to be `admin` if not specified by the user in the API payload.&lt;/li&gt;
&lt;/ul&gt;


&lt;p&gt;hope this makes sense - let me know if there are further questions here on how Atlas handles roles!&lt;/p&gt;
&lt;ul&gt;
	&lt;li&gt;&lt;a href=&quot;https://jira.mongodb.org/secure/ViewProfile.jspa?name=aastha.mahendru%40mongodb.com&quot; class=&quot;user-hover&quot; rel=&quot;aastha.mahendru@mongodb.com&quot;&gt;aastha.mahendru@mongodb.com&lt;/a&gt;: thanks &lt;a href=&quot;https://jira.mongodb.org/secure/ViewProfile.jspa?name=fiona.rowan%40mongodb.com&quot; class=&quot;user-hover&quot; rel=&quot;fiona.rowan@mongodb.com&quot;&gt;fiona.rowan@mongodb.com&lt;/a&gt;! makes sense, and totally understand the API consistency pov as well. I think given this we are going to update the Atlas Terraform documentation to mention that custom role assignment to a database user should include `databaseName = admin`.&lt;br/&gt;
I think same should be updated in the API spec as well, WDYT?&lt;/li&gt;
	&lt;li&gt;&lt;a href=&quot;https://jira.mongodb.org/secure/ViewProfile.jspa?name=fiona.rowan%40mongodb.com&quot; class=&quot;user-hover&quot; rel=&quot;fiona.rowan@mongodb.com&quot;&gt;fiona.rowan@mongodb.com&lt;/a&gt;: yes that would make sense to me - I can file a ticket for the public API docs. thanks for raising this!&lt;/li&gt;
	&lt;li&gt;&lt;a href=&quot;https://jira.mongodb.org/secure/ViewProfile.jspa?name=aastha.mahendru%40mongodb.com&quot; class=&quot;user-hover&quot; rel=&quot;aastha.mahendru@mongodb.com&quot;&gt;aastha.mahendru@mongodb.com&lt;/a&gt;: sounds great! please share the ticket here once you have it , thanks again!&lt;/li&gt;
&lt;/ul&gt;
</comment>
                    </comments>
                    <attachments>
                            <attachment id="505460" name="Screenshot 2024-01-22 at 2.24.13&#8239;PM.png" size="225675" author="fiona.rowan@mongodb.com" created="Mon, 22 Jan 2024 19:25:11 +0000"/>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                                                <customfield id="customfield_10050" key="com.atlassian.jira.toolkit:comments">
                        <customfieldname># Replies</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>2.0</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        <customfield id="customfield_10055" key="com.atlassian.jira.ext.charting:firstresponsedate">
                        <customfieldname>Date of 1st Reply</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>Mon, 22 Jan 2024 19:42:49 +0000</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10052" key="com.atlassian.jira.toolkit:dayslastcommented">
                        <customfieldname>Days since reply</customfieldname>
                        <customfieldvalues>
                                        5 days ago
    
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_18254" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Dependencies</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue><![CDATA[]]></customfieldvalue>


                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_15850" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummary">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_10057" key="com.atlassian.jira.toolkit:lastusercommented">
                        <customfieldname>Last comment by Customer</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>true</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10056" key="com.atlassian.jira.toolkit:lastupdaterorcommenter">
                        <customfieldname>Last commenter</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>matteo.vh@mongodb.com</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_11151" key="com.atlassian.jira.toolkit:LastCommentDate">
                        <customfieldname>Last public comment date</customfieldname>
                        <customfieldvalues>
                            5 days ago
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                            <customfield id="customfield_10051" key="com.atlassian.jira.toolkit:participants">
                        <customfieldname>Participants</customfieldname>
                        <customfieldvalues>
                                        <customfieldvalue>fiona.rowan@mongodb.com</customfieldvalue>
            <customfieldvalue>matteo.vh@mongodb.com</customfieldvalue>
            <customfieldvalue>memento@mongodb.com</customfieldvalue>
    
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                        <customfield id="customfield_14254" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Product Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>1|i39h5b:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                <customfield id="customfield_12550" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>2|i2r5x0:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10558" key="com.pyxis.greenhopper.jira:gh-global-rank">
                        <customfieldname>Rank (Obsolete)</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>9223372036854775807</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            <customfield id="customfield_14350" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>serverRank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>1|i393an:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                </customfields>
    </item>
</channel>
</rss>