# MongoDB Atlas User Authentication, Project Management, and Role-Based Access Control

This notebook demonstrates how to authenticate with the Atlas CLI, create projects and clusters, and implement user authentication and role-based access control in MongoDB Atlas using X509 certificates and User/Password authentication methods.

## Prerequisites

1. MongoDB Atlas account
2. Atlas CLI installed


In [3]:
# prompt: Install Atlas CLI using this link https://fastdl.mongodb.org/mongocli/mongodb-atlas-cli_1.29.0_linux_x86_64.deb

!wget https://fastdl.mongodb.org/mongocli/mongodb-atlas-cli_1.29.0_linux_x86_64.deb
!dpkg -i mongodb-atlas-cli_1.29.0_linux_x86_64.deb


--2024-10-01 10:51:59--  https://fastdl.mongodb.org/mongocli/mongodb-atlas-cli_1.29.0_linux_x86_64.deb
Resolving fastdl.mongodb.org (fastdl.mongodb.org)... 108.156.152.3, 108.156.152.61, 108.156.152.53, ...
Connecting to fastdl.mongodb.org (fastdl.mongodb.org)|108.156.152.3|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 20935008 (20M) [application/x-gzip]
Saving to: ‘mongodb-atlas-cli_1.29.0_linux_x86_64.deb.1’


2024-10-01 10:51:59 (113 MB/s) - ‘mongodb-atlas-cli_1.29.0_linux_x86_64.deb.1’ saved [20935008/20935008]

[1mdpkg:[0m [1;31merror:[0m cannot access archive 'mongodb-atlas-cli_latest_linux_x86_64.deb': No such file or directory


## 1. Atlas CLI Authentication

First, let's authenticate with the Atlas CLI using your web browser.

In [4]:
# Authenticate with Atlas CLI
!atlas auth login


To verify your account, copy your one-time verification code:
9M4V-3FTD

Paste the code in the browser when prompted to activate your Atlas CLI. Your code will expire after 10 minutes.

To continue, go to https://account.mongodb.com/account/connect
/usr/bin/xdg-open: 882: www-browser: not found
/usr/bin/xdg-open: 882: links2: not found
/usr/bin/xdg-open: 882: elinks: not found
/usr/bin/xdg-open: 882: links: not found
/usr/bin/xdg-open: 882: lynx: not found
/usr/bin/xdg-open: 882: w3m: not found
xdg-open: no method available for opening 'https://account.mongodb.com/account/connect'
There was an issue opening your browser
Successfully logged in as pavel.duchovny@mongodb.com.
[KSelect one default organization and one default project.
7[?25l8[0G[2K[0;1;92m? [0m[0;1;99mChoose a default organization:[0m  [0;36m[Use arrows to move, type to filter][0m
[0;1;36m> 60531ad03394206878026140 - [0;36mDataLakesTests[0m
[0;39m  5c548814ff7a25e1ae98fa94 - [0;36mDeveloper Relations[0m


If you use Google collab I recommend opening the prompted URL and inputing the provided token. Once authenticated stop the task.

## 2. Creating Projects and Clusters

Now that we're authenticated, let's create a new project and cluster.

In [9]:
# Create a new project
import getpass

org_id = getpass.getpass('Enter your org ID: ')
!atlas projects create MySecureProj --orgId {org_id}

Enter your org ID: ··········
Project '66fbd62c6e3d955383c69afe' created.


In [12]:
# Create a new cluster in the project
project_id = getpass.getpass('Enter your project ID: ')
!atlas clusters create MyNewCluster --provider AWS --region US_EAST_1 --tier M0 --projectId {project_id}

Enter your project ID: ··········


Replace `your_project_id` with the ID of the project you just created. This command creates a new M0 cluster on AWS in the US East region. Adjust the parameters as needed for your use case.

## 3. User/Password Authentication

Let's create a user with User/Password authentication and assign roles.

In [14]:
# Create a new database user with read and write roles
!atlas dbusers create --username myUser --password mySecurePassword --role readWriteAnyDatabase --projectId {project_id}

Database user 'myUser' successfully created.


This command creates a new user named 'myUser' with the password 'mySecurePassword' and assigns the 'readWriteAnyDatabase' role, which allows read and write access to all databases in the cluster.

## Test a connection using the username/password

1. Add `0.0.0.0/0` temporary into the atlas project

In [21]:

from datetime import datetime, timedelta

# Calculate the date and time 24 hours from now
delete_after = (datetime.utcnow() + timedelta(hours=24)).isoformat() + 'Z'



!atlas accessLists create --currentIp --projectId {project_id} --deleteAfter "{delete_after}"


Created a new IP access list.


In [28]:
!pip install pymongo dnspython

Collecting pymongo
  Downloading pymongo-4.10.0-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl.metadata (22 kB)
Collecting dnspython
  Downloading dnspython-2.6.1-py3-none-any.whl.metadata (5.8 kB)
Downloading pymongo-4.10.0-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (1.4 MB)
[2K   [90m━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━[0m [32m1.4/1.4 MB[0m [31m17.3 MB/s[0m eta [36m0:00:00[0m
[?25hDownloading dnspython-2.6.1-py3-none-any.whl (307 kB)
[2K   [90m━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━[0m [32m307.7/307.7 kB[0m [31m19.4 MB/s[0m eta [36m0:00:00[0m
[?25hInstalling collected packages: dnspython, pymongo
Successfully installed dnspython-2.6.1 pymongo-4.10.0


2. Get the atlas connection string and use it

In [29]:
connection = !atlas clusters connectionStrings describe  MyNewCluster --projectId {project_id}

username = 'myUser'
password = 'mySecurePassword'

new_connection = connection[1].replace('mongodb+srv://', f'mongodb+srv://{username}:{password}@')
print(new_connection)

from pymongo import MongoClient
client = MongoClient(new_connection)

client.list_database_names()


mongodb+srv://myUser:mySecurePassword@mynewcluster.ajhx3.mongodb.net


['admin', 'local']

## 4. X509 Certificate Authentication

Now, let's create a user that authenticates using an X509 certificate.

In [30]:
# Generate an X509 certificate for a new user
!atlas dbusers create --username myX509User --x509Type MANAGED --role readAnyDatabase --projectId {project_id}

Database user 'myX509User' successfully created.


This command creates a new user named 'myX509User' with a managed X509 certificate and assigns the 'readAnyDatabase' role, which allows read access to all databases in the cluster.

After running this command, Atlas can now generate and manage the X509 certificate for this user.

## Lets use the X509

The code creates a certificate, saves it and then passes it to the driver

In [52]:
# Generate and save the certificate
!atlas dbusers certs create --username myX509User --monthsUntilExpiration 1 --projectId {project_id} > /tmp/cert.pem

# Update the connection string
username='myX509User'
connection = !atlas clusters connectionStrings describe MyNewCluster --projectId {project_id}
new_connection = connection[1].replace('.net', '.net?authSource=%24external&authMechanism=MONGODB-X509&retryWrites=true&w=majority&appName=MyNewCluster')
print(new_connection)

# Connect using the certificate
from pymongo import MongoClient
client = MongoClient(new_connection,
                     tlsCertificateKeyFile='/tmp/cert.pem')

# Access the database
client.list_database_names()



mongodb+srv://mynewcluster.ajhx3.mongodb.net?authSource=%24external&authMechanism=MONGODB-X509&retryWrites=true&w=majority&appName=MyNewCluster


['admin', 'local']

## 5. Role-Based Access Control (RBAC)

Let's explore how to assign different roles to users for fine-grained access control.

In [55]:
# Create a user with specific database access
!atlas dbusers create --username dbAdmin --password secureAdminPass --role readWriteAnyDatabase --scope 'MyNewCluster'  --projectId {project_id}

Database user 'dbAdmin' successfully created.


This command creates a user 'readWriteAnyDatabase' with database read/write  privileges, but only for the 'MyNewCluster' database.

In [58]:
# Create a user with read-only access to a specific database
!atlas customDbRoles create salesRead --inheritedRole read@salesDB --projectId {project_id}
!atlas dbusers create --username readOnlyUser --password readOnlyPass --role salesRead --projectId {project_id}

Error: https://cloud.mongodb.com/api/atlas/v2/groups/66fbd62c6e3d955383c69afe/customDBRoles/roles POST: HTTP 409 Conflict (Error code: "ATLAS_CUSTOM_ROLE_NAME_ALREADY_EXISTS") Detail: A custom role with the name salesRead already exists. Reason: Conflict. Params: [salesRead]
Database user 'readOnlyUser' successfully created.


This command creates a user 'readOnlyUser' with read-only access to the 'salesDB' database.

In [59]:
# prompt: Lets try to insert data into the salesDB with a readonly user

# Assuming you have the connection string and credentials for the readOnlyUser
username = 'readOnlyUser'
password = 'readOnlyPass'

connection = !atlas clusters connectionStrings describe MyNewCluster --projectId {project_id}
new_connection = connection[1].replace('mongodb+srv://', f'mongodb+srv://{username}:{password}@')

client = MongoClient(new_connection)
db = client['salesDB']
collection = db['mycollection']

try:
  # Attempt to insert data
  data = {'name': 'John Doe', 'age': 30}
  result = collection.insert_one(data)
  print(f"Inserted document with ID: {result.inserted_id}")
except Exception as e:
  print(f"Error inserting data: {e}")


Error inserting data: user is not allowed to do action [insert] on [salesDB.mycollection], full error: {'ok': 0, 'errmsg': 'user is not allowed to do action [insert] on [salesDB.mycollection]', 'code': 8000, 'codeName': 'AtlasError'}


In [60]:
# prompt: Use the readWriteAnyDatabase user dbAdmin to succeed

# Assuming you have the connection string and credentials for the readOnlyUser
username = 'dbAdmin'
password = 'secureAdminPass'

connection = !atlas clusters connectionStrings describe MyNewCluster --projectId {project_id}
new_connection = connection[1].replace('mongodb+srv://', f'mongodb+srv://{username}:{password}@')

client = MongoClient(new_connection)
db = client['salesDB']
collection = db['mycollection']

try:
  # Attempt to insert data
  data = {'name': 'John Doe', 'age': 30}
  result = collection.insert_one(data)
  print(f"Inserted document with ID: {result.inserted_id}")
except Exception as e:
  print(f"Error inserting data: {e}")


Inserted document with ID: 66fbe5b9e2dda5f9a5a4bdd9


## 6. Viewing and Managing Users

You can view and manage existing users using the Atlas CLI.

In [61]:
# List all database users
!atlas dbusers list --projectId {project_id}

USERNAME       DATABASE
myUser         admin
myX509User     $external
dbAdmin        admin
readOnlyUser   admin


## 7. Modifying User Roles

You can update user roles as needed.

In [63]:
# Update user roles
!atlas dbusers update myUser --role readWriteAnyDatabase,dbAdminAnyDatabase --projectId {project_id}

Successfully updated database user 'myUser'.


This command updates the roles for 'myUser' to include both read-write access and database administration privileges for all databases.

## Conclusion

This notebook demonstrated how to authenticate with the Atlas CLI, create projects and clusters, and manage user authentication in MongoDB Atlas using both User/Password and X509 certificate methods. We also explored role-based access control to provide fine-grained permissions to users.

Remember to always follow security best practices:
1. Use strong, unique passwords for each user
2. Implement the principle of least privilege when assigning roles
3. Regularly review and audit user access
4. Use X509 certificates for enhanced security when possible
5. Keep your Atlas CLI authentication credentials secure

For more information, refer to the [MongoDB Atlas documentation](https://docs.atlas.mongodb.com/).