
Mongo Atlas cli - dbuser update doesn't support external DB (X509 certs users) #2338

Closed
MartinPerru opened this issue Oct 5, 2023 · 8 comments · Fixed by #2378 or #2398
MartinPerru commented Oct 5, 2023

Describe the bug
We want to update the roles of an X509-cert-managed dbuser, which uses the $external database.
It seems to be supported only for users that use the admin database (SCRAM), but not for users that use the $external database.

To Reproduce
Steps to reproduce the behavior:

  1. Run: atlas dbusers update myUser-test --role backup
  2. See error:
Error: https://cloud.mongodb.com/api/atlas/v2/groups/*******/databaseUsers/admin/myUser-test PATCH: HTTP 404 Not Found (Error code: "USERNAME_NOT_FOUND") Detail: No user with username myUser-test exists. Reason: Not Found. Params: [myUser-test]

Expected behavior
When we update another user that uses the admin database we get the expected behavior (the user's role is updated).
Example with a SCRAM user called "prueba":

atlas dbuser update prueba --role backup

{
  "awsIAMType": "NONE",
  "databaseName": "admin",
  "groupId": "******",
  "ldapAuthType": "NONE",
  "links": [
    {
      "href": "https://cloud.mongodb.com/api/atlas/v2/groups/*******/databaseUsers/admin/prueba",
      "rel": "self"
    }
  ],
  "oidcAuthType": "NONE",
  "roles": [
    {
      "databaseName": "admin",
      "roleName": "backup"
    }
  ],
  "username": "prueba",
  "x509Type": "NONE"
}

JSON output of the atlas dbuser list command for myUser-test, which uses the $external database:

    {
      "awsIAMType": "NONE",
      "databaseName": "$external",
      "groupId": "******",
      "ldapAuthType": "NONE",
      "links": [
        {
          "href": "https://cloud.mongodb.com/api/atlas/v2/groups/*****/databaseUsers/$external/myUser-test",
          "rel": "self"
        }
      ],
      "oidcAuthType": "NONE",
      "roles": [
        {
          "databaseName": "admin",
          "roleName": "backup"
        }
      ],
      "username": "myUser-test",
      "x509Type": "MANAGED"
    }

Desktop (please complete the following information):

  • OS: tested locally with macOS Monterey, also with a docker container (image ubuntu:20.04)
  • Atlas (from master) / focal/mongodb-org/7.0

Additional context
We can see in the error that the URL of the API always uses the admin database.
Comparing the file update.go with delete.go or describe.go in the repo https://github.com/mongodb/mongodb-atlas-cli/tree/master/internal/cli/atlas/dbusers, we see that the first one lacks a parameter, --authDB, to specify the database name for the user.

MartinPerru commented Oct 8, 2023

I have tested with the Mongo Atlas API, and it can be done with this curl command:

curl --location --request PATCH 'https://cloud.mongodb.com/api/atlas/v2/groups/******/databaseUsers/$external/myUser-test' \
--header 'Accept: application/vnd.atlas.2023-02-01+json' \
--header 'Content-type: application/json' \
--data '
{
  "awsIAMType": "NONE",
  "databaseName": "$external",
  "groupId": "******",
  "ldapAuthType": "NONE",
  "links": [
    {
      "href": "https://cloud.mongodb.com/api/atlas/v2/groups/******/databaseUsers/$external/myUser-test",
      "rel": "self"
    }
  ],
  "oidcAuthType": "NONE",
  "roles": [
    {
      "databaseName": "admin",
      "roleName": "readWriteAnyDatabase"
    }
  ],
  "username": "myUser-test",
  "x509Type": "MANAGED"
}

'

@MartinPerru
Author

Looking at the update.go file I saw this line in the update method:

out.DatabaseName = convert.GetAuthDB(out)

It should detect whether the dbuser is external or not using the user type, but it does not work.
Maybe we can use something like this:

	if opts.authDB != convert.ExternalAuthDB {
		out.DatabaseName = convert.AdminDB
	} else {
		out.DatabaseName = convert.ExternalAuthDB
	}

And request the parameter, authDB, from the user.
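An added illustration (not the CLI's own convert.GetAuthDB, nor code from this issue) of the inference the suggestion above asks for: derive the auth database from the user's auth-type fields returned by the API, build the PATCH path from it instead of a hard-coded admin, and carry the identity fields (username, databaseName, x509Type) into the PATCH body. The struct fields, the fixed path layout and the group id are assumptions modelled on the JSON quoted in the issue.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
)

// Role and DatabaseUser mirror the Atlas API JSON quoted in the issue (assumed shape).
type Role struct {
	DatabaseName string `json:"databaseName"`
	RoleName     string `json:"roleName"`
}

type DatabaseUser struct {
	Username     string `json:"username"`
	DatabaseName string `json:"databaseName"`
	X509Type     string `json:"x509Type"`
	LDAPAuthType string `json:"ldapAuthType"`
	AWSIAMType   string `json:"awsIAMType"`
	OIDCAuthType string `json:"oidcAuthType"`
	Roles        []Role `json:"roles"`
}

// An auth-type field set to anything but NONE means the user authenticates externally.
func isExternal(v string) bool { return v != "" && v != "NONE" }

// AuthDBFor infers the auth database from the user's auth types (X.509, LDAP,
// AWS IAM, OIDC -> $external; SCRAM -> admin). Illustrative, not the CLI's GetAuthDB.
func AuthDBFor(u DatabaseUser) string {
	if isExternal(u.X509Type) || isExternal(u.LDAPAuthType) || isExternal(u.AWSIAMType) || isExternal(u.OIDCAuthType) {
		return "$external"
	}
	return "admin"
}

// UpdatePath uses the inferred auth database instead of a hard-coded "admin",
// which is what produced the 404 in the issue.
func UpdatePath(groupID string, u DatabaseUser) string {
	return fmt.Sprintf("/api/atlas/v2/groups/%s/databaseUsers/%s/%s",
		url.PathEscape(groupID), url.PathEscape(AuthDBFor(u)), url.PathEscape(u.Username))
}

// UpdateBody builds the PATCH body for a role change, carrying over the user's identity
// fields (username, databaseName, x509Type) so the server does not read it as a username change.
func UpdateBody(existing DatabaseUser, roles []Role) ([]byte, error) {
	existing.DatabaseName = AuthDBFor(existing)
	existing.Roles = roles
	return json.Marshal(existing)
}
```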

wtrocki commented Oct 12, 2023

We are going to look into this issue

@MartinPerru
Author

Hello team.
In my tests it doesn't seem to be fixed; anything about the SDK? I know it's another problem now; the first problem is fine.

./atlas dbusers update --role readWriteAnyDatabase --authDB '$external' myUser-test
Error: https://cloud.mongodb.com/api/atlas/v2/groups/******/databaseUsers/$external/myUser-test PATCH: HTTP 409 Conflict (Error code: "DATABASE_USERNAME_CANNOT_BE_CHANGED") Detail: Cannot modify the username of an existing database user. Reason: Conflict. Params: []

@matt-condon matt-condon self-assigned this Oct 20, 2023
@matt-condon
Collaborator

Hi @MartinPerru

./atlas dbusers update --role readWriteAnyDatabase --authDB '$external' myUser-test
Error: https://cloud.mongodb.com/api/atlas/v2/groups/******/databaseUsers/$external/myUser-test PATCH: HTTP 409 Conflict (Error code: "DATABASE_USERNAME_CANNOT_BE_CHANGED") Detail: Cannot modify the username of an existing database user. Reason: Conflict. Params: []

I see Params: [], where in the initial post we could see Params: [myUser-test]

Could you try moving the username input before the args and let me know if that solves the problem?

./atlas dbusers update --role readWriteAnyDatabase --authDB '$external' myUser-test

MartinPerru commented Oct 20, 2023

Hi Matt, it doesn't work.

./atlas dbusers update myUser-test  --role readWriteAnyDatabase --authDB '$external'
Error: https://cloud.mongodb.com/api/atlas/v2/groups/****/databaseUsers/$external/myUser-test PATCH: HTTP 409 Conflict (Error code: "DATABASE_USERNAME_CANNOT_BE_CHANGED") Detail: Cannot modify the username of an existing database user. Reason: Conflict. Params: []

➜  atlas git:(master) ✗ ./atlas dbusers update  --role readWriteAnyDatabase myUser-test --authDB '$external'
Error: https://cloud.mongodb.com/api/atlas/v2/groups/****/databaseUsers/$external/myUser-test PATCH: HTTP 409 Conflict (Error code: "DATABASE_USERNAME_CANNOT_BE_CHANGED") Detail: Cannot modify the username of an existing database user. Reason: Conflict. Params: []

It's like you said. The username is not being recognized and that is why an attempt is made to change it.

@MartinPerru
Author

But this is weird.

./atlas dbusers update   --role readWriteAnyDatabase --authDB '$external'  myUser
Error: https://cloud.mongodb.com/api/atlas/v2/groups/****/databaseUsers/$external/myUser PATCH: HTTP 404 Not Found (Error code: "USERNAME_NOT_FOUND") Detail: No user with username myUser exists. Reason: Not Found. Params: [myUser]

If the user exists then Params is empty, but that is not the case if the user doesn't exist.

@matt-condon
Collaborator

Ah, I understand - the x509Type isn't inferred from the context, so it also needs to be provided as a parameter; raising a fix now.
Thanks for flagging this!
