Manage Database Users Using X.509 Authentication

The Kubernetes Operator supports managing database users for deployments running with TLS and X.509 internal cluster authentication enabled.

Supported Authentication Mechanisms

The Kubernetes Operator supports SCRAM, LDAP, and X.509 authentication mechanisms in deployments it creates. In a Kubernetes Operator-created deployment, you cannot use Ops Manager to:

  • Configure other authentication mechanisms for deployments.

  • Manage users not using SCRAM, LDAP, or X.509 authentication.

After enabling X.509 authentication, you can add X.509 users using the Ops Manager interface or the CustomResourceDefinition.

Prerequisites

Before managing database users, you must deploy a replica set or sharded cluster with TLS and X.509 enabled.

If you need to generate X.509 certificates for your MongoDB users, see Generate X.509 Client Certificates.

Add a Database User

1

If you have not already, run the following command to execute all kubectl commands in the namespace you created.

Note

If you are deploying an Ops Manager resource in a multi-Kubernetes-cluster deployment:

  • Set the context to the name of the central cluster, such as: kubectl config use-context "$MDB_CENTRAL_CLUSTER_FULL_NAME".

  • Set the --namespace to the same scope that you used for your multi-Kubernetes-cluster deployment, such as: kubectl config set-context --current --namespace "mongodb".

kubectl config set-context $(kubectl config current-context) --namespace=<metadata.namespace>

2

---
apiVersion: mongodb.com/v1
kind: MongoDBUser
metadata:
  name: <resource-name>
spec:
  username: <rfc2253-subject>
  db: "$external"
  mongodbResourceRef:
    name: '<MongoDB-Resource-name>'
  roles:
    - db: <database-name>
      name: <role-name>
...

3

4

Use the following table to guide you through changing the relevant lines in the MongoDB User Resource Specification:

| Key | Type | Description | Example |
|---|---|---|---|
| metadata.name | string | The name of the database user resource. Resource names must be 44 characters or less. | mms-user-1 |
| spec.username | string | The subject line of the X.509 client certificate signed by the Kubernetes CA (Kube CA). Important: The username must comply with the RFC 2253 LDAPv3 Distinguished Name standard. To get the subject line of the X.509 certificate, run the following command: openssl x509 -noout -subject -in <my-cert.pem> -nameopt RFC2253 | CN=mms-user,OU=My Organizational Unit,O=My Org,L=New York,ST=New York,C=US |
| spec.opsManager.configMapRef.name | string | The name of the project containing the MongoDB database where the user will be added. The spec.cloudManager.configMapRef.name setting is an alias for this setting and can be used in its place. | my-project |
| spec.roles.db | string | The database the role can act on. | admin |
| spec.mongodbResourceRef.name | string | The name of the MongoDB resource to which this user is associated. | my-resource |
| spec.roles.name | string | The name of the role to grant the database user. The role name can be any built-in MongoDB role or custom role that exists in Cloud Manager or Ops Manager. | readWriteAnyDatabase |

5

You may grant additional roles to this user using the format defined in the following example:

---
apiVersion: mongodb.com/v1
kind: MongoDBUser
metadata:
  name: mms-user-1
spec:
  username: CN=mms-user,OU=My Organizational Unit,O=My Org,L=New York,ST=New York,C=US
  project: my-project
  db: "$external"
  roles:
    - db: admin
      name: backup
    - db: admin
      name: restore
...

6

Invoke the following Kubernetes command to create your database user:

kubectl apply -f <database-user-conf>.yaml

When you create a new MongoDB database user, the Kubernetes Operator automatically creates a new Kubernetes secret. The Kubernetes secret contains the following information about the new database user:

  • username: Username for the database user

  • password: Password for the database user

  • connectionString.standard: Standard connection string that can connect you to the database as this database user.

  • connectionString.standardSrv: DNS seed list connection string that can connect you to the database as this database user.

Note

Alternatively, you can specify an optional spec.connectionStringSecretName field in the MongoDB User Resource Specification to specify the name of the connection string secret that the Kubernetes Operator creates.

You can use these credentials to Connect to a MongoDB Database Resource from Inside Kubernetes.

7

You can view the newly created user in Cloud Manager or Ops Manager:

  1. From the Project's Deployment view, click the Security tab.

  2. Click the MongoDB Users nested tab.
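
The following added example (not from the MongoDB documentation; the function names and sample values are hypothetical) builds the MongoDBUser manifest from the procedure above directly from the openssl subject line. It strips the subject= prefix, rejects subjects that are not in RFC 2253 form, enforces the 44-character name limit, and YAML-quotes the DN so it is read as one string:

```shell
#!/bin/sh
# Added example, not part of the original page. Helper names are hypothetical.

# Reduce the line printed by
#   openssl x509 -noout -subject -in <my-cert.pem> -nameopt RFC2253
# to the bare DN that spec.username expects.
subject_to_username() {
    dn=$(printf '%s' "$1" | sed -e 's/^subject= *//')
    case "$dn" in
        ''|/*|*' = '*)
            # Heuristic: empty input, the "/C=US/..." form, or the
            # "C = US, ST = ..." form openssl prints without -nameopt RFC2253.
            echo "not an RFC 2253 subject: $1" >&2
            return 1 ;;
    esac
    printf '%s\n' "$dn"
}

# Single-quote a value for YAML; a literal ' is written as ''.
yaml_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/''/g")"
}

# render_user_manifest <resource-name> <mongodb-resource> <role-db> <role-name> <subject-line>
render_user_manifest() {
    [ "${#1}" -le 44 ] || { echo "metadata.name exceeds 44 characters" >&2; return 1; }
    username=$(subject_to_username "$5") || return 1
    cat <<EOF
---
apiVersion: mongodb.com/v1
kind: MongoDBUser
metadata:
  name: $1
spec:
  username: $(yaml_quote "$username")
  db: "\$external"
  mongodbResourceRef:
    name: $(yaml_quote "$2")
  roles:
    - db: $3
      name: $4
...
EOF
}

# Constructed sample subject line; in practice pass "$(openssl x509 ...)" instead.
render_user_manifest mms-user-1 my-resource admin readWriteAnyDatabase \
    'subject=CN=mms-user,OU=My Organizational Unit,O=My Org,L=New York,ST=New York,C=US'
```

The output can be saved as <database-user-conf>.yaml and applied with the kubectl apply command from step 6.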

Delete a Database User

To delete a database user, pass the metadata.name from the user ConfigMap to the following command:

kubectl delete mdbu <metadata.name>