Docs Menu

Docs HomeAtlas App Services

MongoDB Data Source Configuration Files

On this page

  • Service Configuration
  • MongoDB Clusters
  • Federated database instances
  • Databases & Collections
  • Collection Schema
  • Relationships
  • Default Rules
  • Collection Rules
  • Rule Configurations
  • Roles
  • Filters
app/
└── data_sources/
└── <service name>/
├── config.json
└── <database>/
└── <collection>/
├── schema.json
├── relationships.json
└── rules.json
config.json
{
"name": "<Service Name>",
"type": "mongodb-atlas",
"config": {
"clusterName": "<Atlas Cluster Name>",
"readPreference": "<Read Preference>",
"wireProtocolEnabled": <Boolean>
}
}
Field
Description
name
String

Required. Default: mongodb-atlas

The service name used to refer to the cluster within this Atlas App Services app. The name may be at most 64 characters long and must only contain ASCII letters, numbers, underscores, and hyphens.

type
String
Required. For MongoDB Atlas clusters, this value is always "mongodb-atlas".
config.clusterName
String
Required. The name of the cluster in Atlas.
config.readPreference
String

The read preference mode for queries sent through the service.

Mode
Description
primary
App Services routes all read operations to the current replica set primary node. This is the default read preference mode.
App Services routes all read operations to the current replica set primary node if it's available. If the primary is unavailable, such as during an automatic failover, read requests are routed to a secondary node instead.
App Services routes all read operations to one of the current replica set secondary nodes.
App Services routes all read operations to one of the replica set's available secondary nodes. If no secondary is available, read requests are routed to the replica set primary instead.
App Services routes read operations to the replica set member that has the lowest network latency relative to the client.
config.wireProtocolEnabled
Boolean
/data_sources/<Service Name>/config.json
{
"name": "<Service Name>",
"type": "datalake",
"config": {
"dataLakeName": "<Federated database instance name>"
}
}
Field
Description
name
String

Required. Default: mongodb-datafederation

The service name used to refer to the Federated database instance within this App Services app. The name may be at most 64 characters long and must only contain ASCII letters, numbers, underscores, and hyphens.

type
String
Required. For a Federated database instance, this value is always "datalake".
config.dataLakeName
String
Required. The name of the Federated database instance in Atlas.

If you want to enforce a schema for a collection, define a schema.json configuration file that contains a JSON schema for the documents. The root level schema must be an object schema, which has the following form:

/data_sources/<data source>/<database>/<collection>/schema.json
{
"title": "<Object Type Name>",
"bsonType": "object",
"properties": {
"<Property Name>": { <Schema> },
...
}
}
/data_sources/<data source>/<database>/<collection>/relationships.json
{
"<Source Field Name>": {
"ref": "#/relationship/<Data Source Name>/<Database Name>/<Collection Name>",
"source_key": "<Source Field Name>",
"foreign_key": "<Foreign Field Name>",
"is_list": <Boolean>
},
...
}
Field
Description
ref
String

A JSON schema $ref string that specifies the foreign collection. The string has the following form:

#/relationship/<Data Source Name>/<Database Name>/<Collection Name>
source_key
String
The name of the field in this collection's schema that specifies which documents in the foreign collection to include in the relationship. A foreign document is included if source_key contains the value of its foreign_key field.
foreign_key
String
The name of the field in the foreign collection's schema that contains the value referenced by source_key.
is_list
Boolean

If true, the relationship may refer to multiple foreign documents (i.e. a "to-many" relationship). The source_key field must be an array with elements of the same type as the foreign_key field.

If false, the relationship may refer to zero or one foreign documents (i.e. a "to-one" relationship). The source_key field must be the same type as the foreign_key field.

Example

An ecommerce app defines a relationship between two collections: each document in store.orders references one or more documents in the store.items collection by including item _id values in the order's items array. Both collection are in the same linked cluster (mongodb-atlas) and database (store).

The relationship is defined for the orders collection:

/data_sources/mongodb-atlas/store/orders/relationships.json
{
"items": {
"ref": "#/relationship/mongodb-atlas/store/items",
"source_key": "items",
"foreign_key": "_id",
"is_list": true
}
}

You can define default rules that apply to all collections in a data source that don't have more specific collection-level rules defined.

You define default rules in the data source's default_rule.json configuration file.

/data_sources/<data source>/default_rule.json
{
"roles": [<Role>],
"filters": [<Filter>]
}
Field
Description
roles
Array<Role>
An array of Role configurations.
filters
Array<Filter>
An array of Filter configurations.

If the data source is not a synced cluster or a Federated data source, then you can define collection-level rules in a collection's rules.json configuration file.

/data_sources/<data source>/<database>/<collection>/rules.json
{
"database": "<Database Name>",
"collection": "<Collection Name>",
"roles": [<Role>],
"filters": [<Filter>]
}
Field
Description
database
String
The name of the database that holds the collection.
collection
String
The name of the collection.
roles
Array<Role>
An array of Role configurations.
filters
Array<Filter>
An array of Filter configurations.
{
"name": "<Role Name>",
"apply_when": { Expression },
"insert": { Expression },
"delete": { Expression },
"read": { Expression },
"write": { Expression },
"search": <Boolean>,
"fields": {
"<Field Name>": {
"read": { Expression },
"write": { Expression },
"fields": { Embedded Fields }
},
...
},
"additional_fields": {
"read": { Expression },
"write": { Expression }
},
}
Field
Description
name
string
The name of the role. Role names identify and distinguish between roles in the same collection. Limited to 100 characters or fewer.
apply_when
Expression
An expression that evaluates to true when this role applies to a user for a specific document.
read
Expression
Default: false

An expression that evaluates to true if the role has permission to read all fields in the document.

Document-level read permissions take priority over any field-level permissions. If a role has document-level read permissions, it applies to all fields in the document and cannot be overridden.

To define a default fallback alongside field-level rules, use additional_fields instead.

write
Expression
Default: false

An expression that evaluates to true if the role has permission to add, modify, or remove all fields in the document.

Document-level write permissions take priority over any field-level permissions. If a role has document-level write permissions, it applies to all fields in the document and cannot be overridden.

To define a default fallback alongside field-level rules, use additional_fields instead.

Important

Implicit Read Permission

Any time a role has write permission for a particular scope it also has read permission even if that is not explicitly defined.

Note

MongoDB Expansions

You can use MongoDB expansions, like %%root and %%prevRoot, in write JSON expressions.

insert
Expression
Default: true

An expression that evaluates to true if the role has permission to insert a new document into the collection.

Note

Document-level insert permission does not imply that a role can insert any document. The role must also have write permission for all fields in an inserted document for the insert to succeed.

delete
Expression
Default: true
An expression that evaluates to true if the role has permission to delete a document from the collection.
search
Boolean
Default: true

An expression that evaluates to true if the role has permission to search the collection using Atlas Search.

Important

App Services performs $search operations as a system user and enforces field-level rules on the returned search results. This means that a user may search on a field for which they do not have read access. In this case, the search is based on the specified field but no returned documents include the field.

fields
Document
Default: {}

A document where the value of each field defines the role's field-level read and write permissions for the corresponding field in a queried document.

"fields": {
"<Field Name>": {
"read": { Expression },
"write": { Expression },
"fields": <Fields Document>
},
...
}

Note

Permission Priority

Document-level read or write permissions override all field-level permissions of the same type. If permissions are defined for a field that contains an embedded document, those permissions override any permissions defined for the document's embedded fields.

fields.<Field Name>.read
Expression
Default: false
An expression that evaluates to true if the role has permission to read the field.
fields.<Field Name>.write
Expression
Default: false
An expression that evaluates to true if the role has permission to add, modify, or remove the field.
fields.<Field Name>.fields
Document
Default: {}

A fields document that defines read and write permissions for fields that are embedded within this field in a queried document.

See the Field-level Permissions for Embedded Documents role pattern for more information.

additional_fields
Document
Default: {}

A document that defines the role's field-level read and write permissions for any fields in a queried document that don't have explicitly defined permissions.

"additional_fields": {
"read": { Expression },
"write": { Expression }
}
additional_fields.read
Expression
Default: false
An expression that evaluates to true if the role has permission to read any field that does not have a field-level permission definition.
additional_fields.write
Expression
Default: false
An expression that evaluates to true if the role has permission to add, modify, or remove any field that does not have a field-level permission definition.
{
"name": "<Filter Name>",
"apply_when": { Expression },
"query": { MongoDB Query },
"projection": { MongoDB Projection }
}
Field
Description
name
String
Required. The name of the filter. Filter names are useful for identifying and distinguishing between filters. Limited to 100 characters or fewer.
apply_when
Expression

An expression that determines when this filter applies to an incoming MongoDB operation.

Important

Atlas App Services evaluates and applies filters before it reads any documents, so you cannot use MongoDB document expansions in a filter's Apply When expression. However, you can use other expansions like %%user, %%values, and %function

query
Object
Default: {}

A MongoDB query that App Services merges into a filtered operation's existing query.

Example

A filter withholds documents that have a score below 20 using the following query:

{ "score": { "$gte": 20 } }
projection
Object
Default: {}

A MongoDB projection that App Services merges into a filtered operation's existing projection.

Important

Projection Conflicts

MongoDB projections can be either inclusive or exclusive, i.e. they can either return only specified fields or withhold fields that are not specified. If multiple filters apply to a query, the filters must all specify the same type of projection, or the query will fail.

Example

A filter withholds the _internal field from all documents using the following projection:

{ "_internal": 0 }
←  User & Authentication Provider Configuration FilesAtlas Device Sync Configuration Files →
Give Feedback
© 2022 MongoDB, Inc.

About

  • Careers
  • Investor Relations
  • Legal Notices
  • Privacy Notices
  • Security Information
  • Trust Center
© 2022 MongoDB, Inc.