
CLOUDP-205313: patch dbuser update to support external DB #2378

Merged
merged 1 commit into from
Oct 19, 2023

Conversation

matt-condon
Collaborator

@matt-condon matt-condon commented Oct 19, 2023

Proposed changes

Jira ticket: CLOUDP-205313

dbuser update arn:aws:iam::**********:user/my-test-user --projectId ********** --role readWrite --authDB $external

Before fix:


{"detail":"No user with username arn:aws:iam::**********:user/my-test-user exists.","error":404,"errorCode":"USERNAME_NOT_FOUND","parameters":["arn:aws:iam::**********:user/my-test-user"],"reason":"Not Found"}
Error: https://cloud-dev.mongodb.com/api/atlas/v2/groups/**********/databaseUsers/admin/arn:aws:iam::**********:user%2Fmy-test-user PATCH: HTTP 404 Not Found (Error code: "USERNAME_NOT_FOUND") Detail: No user with username arn:aws:iam::**********:user/my-test-user exists. Reason: Not Found. Params: [arn:aws:iam::**********:user/my-test-user]
Exiting.

After fix:

{"awsIAMType":"USER","databaseName":"$external","groupId":"**********","labels":[],"ldapAuthType":"NONE","links":[{"href":"https://cloud.mongodb.com/api/atlas/v2/groups/**********/databaseUsers/$external/arn:aws:iam::**********:user%2Fmy-test-user","rel":"self"}],"oidcAuthType":"NONE","roles":[{"databaseName":"admin","roleName":"readWrite"}],"scopes":[],"username":"arn:aws:iam::**********:user/my-test-user","x509Type":"NONE"}
Successfully updated database user 'arn:aws:iam::**********:user/my-test-user'.

Closes #2338

Checklist

  • I have signed the MongoDB CLA
  • I have added tests that prove my fix is effective or that my feature works
  • I have added any necessary documentation in document requirements section listed in CONTRIBUTING.md (if appropriate)
  • I have addressed the @mongodb/docs-cloud-team comments (if appropriate)
  • I have updated test/README.md (if an e2e test has been added)
  • I have run make fmt and formatted my code

Further comments

@matt-condon matt-condon requested a review from a team as a code owner October 19, 2023 09:34
@matt-condon matt-condon requested a review from a team October 19, 2023 09:34
@matt-condon matt-condon marked this pull request as draft October 19, 2023 09:34

@blva blva left a comment


One minor ask if possible, otherwise I can approve

}

func (opts *UpdateOpts) validateAuthDB() error {
if opts.authDB == "" {
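Review bot: the `if opts.authDB == ""` branch is the only check visible in validateAuthDB; consider also rejecting any value other than "admin" and "$external" with an explicit error, so a mistyped --authDB fails locally with a clear message instead of surfacing as a USERNAME_NOT_FOUND 404 from the PATCH call (the same symptom shown in the "Before fix" output above), and add a one-line comment stating that an empty value falls back to the auth DB derived from the user's authentication type.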

[q] what does the API return if you don't set this value?


@matt-condon matt-condon Oct 19, 2023


It maintains the previous behavior (setting the DatabaseName from the convert.getAuthDB(out) method)

The intent was to avoid breaking the existing behaviour for programmatic users who won't have the flag set

// GetAuthDB determines the authentication database based on the type of user.
// LDAP, X509 and AWSIAM should all use $external.
// SCRAM-SHA should use admin.
func GetAuthDB(user *atlasv2.CloudDatabaseUser) string {
    // base documentation https://registry.terraform.io/providers/mongodb/mongodbatlas/latest/docs/resources/database_user
    _, isX509 := adminX509Type[pointer.GetOrDefault(user.X509Type, "")]
    _, isIAM := awsIAMType[pointer.GetOrDefault(user.AwsIAMType, "")]
    // just USER is external
    isLDAP := user.LdapAuthType != nil && *user.LdapAuthType == userLdapAuthType
    if isX509 || isIAM || isLDAP {
        return ExternalAuthDB
    }
    return defaultUserDatabase
}

var adminX509Type = map[string]struct{}{
    "MANAGED":  {},
    "CUSTOMER": {},
}

var awsIAMType = map[string]struct{}{
    "USER": {},
    "ROLE": {},
}

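As an added, stand-alone example (not code from this PR or from the atlas CLI), the following Go program shows the fallback rule the author describes: an explicit --authDB value is used as given, an empty value falls back to the GetAuthDB derivation from the user's authentication type, and any value other than admin or $external is rejected before an API call is made. The CloudDatabaseUser struct, the getOrDefault helper and the ResolveAuthDB function are constructed stand-ins for the SDK types and the CLI's option handling, not the project's own definitions.

```go
package main

import (
	"fmt"
	"os"
)

// Constructed stand-in for the Atlas SDK's CloudDatabaseUser; only the three
// fields that the auth-DB derivation inspects are modelled here (assumption).
type CloudDatabaseUser struct {
	X509Type     *string
	AwsIAMType   *string
	LdapAuthType *string
}

const (
	ExternalAuthDB      = "$external" // X509, AWS IAM and LDAP users authenticate here
	defaultUserDatabase = "admin"     // SCRAM-SHA users authenticate here
	userLdapAuthType    = "USER"      // only the LDAP USER type is external, not GROUP
)

var adminX509Type = map[string]struct{}{"MANAGED": {}, "CUSTOMER": {}}
var awsIAMType = map[string]struct{}{"USER": {}, "ROLE": {}}

// getOrDefault is a local stand-in for the CLI's pointer.GetOrDefault helper (assumption).
func getOrDefault(p *string, def string) string {
	if p == nil {
		return def
	}
	return *p
}

// GetAuthDB derives the auth database from the user's authentication type:
// any X509, AWS IAM or LDAP USER identity lives in $external, everything else in admin.
func GetAuthDB(user *CloudDatabaseUser) string {
	_, isX509 := adminX509Type[getOrDefault(user.X509Type, "")]
	_, isIAM := awsIAMType[getOrDefault(user.AwsIAMType, "")]
	isLDAP := getOrDefault(user.LdapAuthType, "") == userLdapAuthType
	if isX509 || isIAM || isLDAP {
		return ExternalAuthDB
	}
	return defaultUserDatabase
}

// ResolveAuthDB applies the update command's rule: an explicit flag value wins
// once validated, an empty value keeps the pre-fix behaviour of deriving the auth
// DB from the fetched user record, and any other value is rejected client-side so
// a typo does not turn into a 404 from the PATCH endpoint.
func ResolveAuthDB(flagValue string, user *CloudDatabaseUser) (string, error) {
	switch flagValue {
	case "":
		return GetAuthDB(user), nil
	case defaultUserDatabase, ExternalAuthDB:
		return flagValue, nil
	default:
		return "", fmt.Errorf("invalid --authDB %q: expected %q or %q",
			flagValue, defaultUserDatabase, ExternalAuthDB)
	}
}

func main() {
	s := func(v string) *string { return &v }
	// Constructed sample users and flag values covering each branch.
	cases := []struct {
		name string
		flag string
		user *CloudDatabaseUser
	}{
		{"aws iam user, flag unset", "", &CloudDatabaseUser{AwsIAMType: s("USER")}},
		{"scram user, flag unset", "", &CloudDatabaseUser{X509Type: s("NONE")}},
		{"ldap group, flag unset", "", &CloudDatabaseUser{LdapAuthType: s("GROUP")}},
		{"scram user, explicit $external", "$external", &CloudDatabaseUser{}},
		{"typo in flag", "externa", &CloudDatabaseUser{}},
	}
	for _, c := range cases {
		db, err := ResolveAuthDB(c.flag, c.user)
		if err != nil {
			fmt.Fprintf(os.Stderr, "%-32s -> error: %v\n", c.name, err)
			continue
		}
		fmt.Printf("%-32s -> %s\n", c.name, db)
	}
}
```

Rejecting unknown values up front matters because the auth DB is part of the request path (`.../databaseUsers/<authDB>/<username>`), so a wrong value is indistinguishable, from the API's side, from asking for a user that does not exist.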

okay, works for me

@@ -118,6 +131,7 @@ func UpdateBuilder() *cobra.Command {

cmd.Flags().StringVarP(&opts.username, flag.Username, flag.UsernameShort, "", usage.DBUsername)
cmd.Flags().StringVarP(&opts.password, flag.Password, flag.PasswordShort, "", usage.DBUserPassword)
cmd.Flags().StringVar(&opts.authDB, flag.AuthDB, "", usage.AtlasAuthDB)
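Review bot: the new --authDB flag is registered with an empty default and usage.AtlasAuthDB as its help text; that help text should state that the flag accepts only "admin" or "$external" and that, when omitted, the auth database is derived from the user's authentication type (admin for SCRAM-SHA, $external for X509, AWS IAM and LDAP users), since the review question about a default shows that a reader of --help cannot otherwise tell what leaving it blank does.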

should we set admin as default here?

Collaborator Author

Same consideration as above

@matt-condon matt-condon marked this pull request as ready for review October 19, 2023 10:36
@davidhou17 davidhou17 left a comment

LGTM

@matt-condon matt-condon merged commit 4c06b4b into master Oct 19, 2023
16 checks passed
@matt-condon matt-condon deleted the CLOUDP-205313 branch October 19, 2023 18:21
Successfully merging this pull request may close these issues.

Mongo Atlas cli - dbuser update doesn't support external DB (X509 certs users)
3 participants