Atlas Stream Processing Security

Atlas provides a system for managing user permissions at the organization, project, and database levels. Atlas Stream Processing extends this system with additional roles and privileges specific to stream processing tasks, as well as the ability to restrict user permissions to specific stream processing instances.

Atlas Stream Processing Organization and Project Access

Users manage stream processing instances and their associated connection registries at the project level. Atlas Stream Processing provides the Project Stream Processing Owner role for this purpose. A user with this role can perform any stream processing instance or connection registry management action, and manage the databases and database users within the project. Assign this role to a user to enable them to perform all the actions necessary to configure an Atlas Stream Processing project without granting unnecessary permissions to other features, in accordance with the principle of least privilege.

If necessary, you can perform any of the actions authorized by the Project Stream Processing Owner role as a user with either the Project Owner or Organization Owner role.

Stream Processing Instance Access

You can access an existing stream processing instance and manage stream processors as a database user, analogous to how you access an Atlas cluster. The roles and actions assigned to your database users determine which operations they can perform on stream processors within a stream processing instance. Atlas Stream Processing provides the following privilege actions:

  • processStreamProcessor
  • createStreamProcessor
  • startStreamProcessor
  • stopStreamProcessor
  • dropStreamProcessor
  • listStreamProcessors
  • sampleStreamProcessor
  • streamProcessorStats
  • listConnections

You can assign exactly those privilege actions that a database user or custom role needs. Alternatively, a database user with the atlasAdmin or readWriteAnyDatabase role can perform all of these actions.

Networking

Atlas Stream Processing currently doesn't support VPC peering for connections to Apache Kafka. After adding a connection to an Apache Kafka cluster to your connection registry, you must add Atlas IP addresses to an access list for that cluster.

To identify the necessary Atlas IP addresses, run the following command:

curl -H 'Accept: application/vnd.atlas.2023-11-15+json' -s \
'https://cloud.mongodb.com/api/atlas/v2/unauth/controlPlaneIPAddresses'

This returns a list of available Atlas IP addresses, grouped by provider and region. Identify all outbound IP addresses for the provider-region pair in which the target stream processing instance is deployed, and add these to your Kafka cluster's access list.

For more information, see Allow Access to or from the Atlas Control Plane.
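The filtering step described above, as an added example that is not part of the Atlas documentation: it takes the JSON that the controlPlaneIPAddresses endpoint returns, selects only the outbound CIDR ranges for one provider/region pair, validates each one, and formats the result for a Kafka cluster's access list. The response layout (top-level inbound/outbound, then provider, then region, then a list of CIDRs) is an assumption based on the documented endpoint, and the embedded sample response is constructed, not real Atlas data; it deliberately contains one malformed entry to show that it is rejected instead of widening the allow list.

```python
import ipaddress
import json
import urllib.request

ATLAS_CP_URL = "https://cloud.mongodb.com/api/atlas/v2/unauth/controlPlaneIPAddresses"
ATLAS_ACCEPT = "application/vnd.atlas.2023-11-15+json"

# Constructed sample response (NOT real Atlas addresses). The layout
# inbound/outbound -> provider -> region -> [CIDR, ...] is an assumption
# about the endpoint; verify it against a live response before relying on it.
SAMPLE_RESPONSE = json.dumps({
    "inbound": {"aws": {"us-east-1": ["203.0.113.0/24"]}},
    "outbound": {
        "aws": {
            "us-east-1": ["198.51.100.0/24", "198.51.100.7/32", "bogus"],
            "eu-west-1": ["192.0.2.0/24"],
        },
        "gcp": {"us-central1": ["192.0.2.128/25"]},
    },
})


def fetch_control_plane_ips(url=ATLAS_CP_URL):
    """Same request as the curl command on the page; needs network access."""
    req = urllib.request.Request(url, headers={"Accept": ATLAS_ACCEPT})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()


def outbound_cidrs(raw_json, provider, region):
    """Valid, deduplicated outbound CIDRs for one provider/region pair.

    Only the outbound ranges matter here: that is the direction in which the
    stream processing instance reaches your Kafka brokers. Entries that do not
    parse as a network are skipped so a bad value never becomes an allow rule.
    """
    data = json.loads(raw_json)
    ranges = data.get("outbound", {}).get(provider, {}).get(region, [])
    networks = set()
    for entry in ranges:
        try:
            networks.add(ipaddress.ip_network(entry, strict=True))
        except ValueError:
            continue  # malformed entry: drop it rather than guess
    ordered = sorted(networks, key=lambda n: (n.version, n))
    return [str(n) for n in ordered]


def access_list_lines(raw_json, provider, region):
    """One CIDR per line, ready to paste into a host-based allow list."""
    return "\n".join(outbound_cidrs(raw_json, provider, region))


if __name__ == "__main__":
    print(access_list_lines(SAMPLE_RESPONSE, "aws", "us-east-1"))
```

Replace SAMPLE_RESPONSE with the output of fetch_control_plane_ips() and pass the provider and region in which your stream processing instance is deployed.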

Restricting Access to Specific stream processing instances

By default, a user with Atlas Stream Processing privilege actions can perform the associated operations on all stream processing instances. You can restrict the application of these privileges to specific stream processing instances.

  1. Go to the Database Access page for your project:
     a. If it's not already displayed, select the organization that contains your project from the Organizations menu in the navigation bar.
     b. If it's not already displayed, select your project from the Projects menu in the navigation bar.
     c. In the sidebar, click Database Access under the Security heading.
  2. Click Edit in the row of the user whose permissions you want to modify.
  3. In the modal window, toggle the switch labeled Restrict Access to Specific Clusters / Federated Database Instances / Stream Processing Instances on.
  4. Find the names of the stream processing instances for which you want to grant the user privileges. Check the box next to a name to grant the user privileges for that stream processing instance. Uncheck the box to deny the user privileges for that stream processing instance.
  5.

Execution Profiles

You can configure the database user role that you use when connecting to an Atlas database as either a $source or a $merge sink. This allows you to prevent Atlas Stream Processing-specific database users from gaining indirect access to the cluster hosting that database through the credentials of the elevated-privilege Atlas user that configures the stream processing instance and its connections.

Note

In accordance with the principle of least privilege, define a custom role with only those privileges a user needs to perform their desired operations.

  1. Go to the Stream Processing page for your project:
     a. If it's not already displayed, select the organization that contains your project from the Organizations menu in the navigation bar.
     b. If it's not already displayed, select your project from the Projects menu in the navigation bar.
     c. In the sidebar, click Stream Processing under the Services heading.
  2. In the pane of the stream processing instance you want to configure, click Configure.
  3. Click the Connection Registry tab. In the row of the Atlas database connection you want to configure, click the icon.
  4. From the Execute As drop-down menu, select the role to use when connecting to the database.
  5. Click Save changes.