MongoDB Atlas: Access Control Scheme

Austin Kettner
Sep 5, 2016

After recently moving between Compose and mLab, I finally landed on MongoDB Atlas. Atlas is a recently released contender among cloud-hosted, managed MongoDB providers. The biggest at-a-glance benefit is that it is built and supported by the MongoDB team itself.

There are a lot of interesting aspects to MongoDB Atlas, but I want to focus on one specific aspect: access control.

The Wrong Way

After creating an account in MongoDB Atlas, you are given the opportunity to create ‘Clusters’ (there is no single-instance deployment option). A cluster is a replica set: one primary node plus secondary nodes that replicate from it, not a set of separate databases.

My first reaction was to treat this like Google Cloud, Heroku, or the various other PaaS offerings that are ‘project’ based. My original approach was:

  1. Create xyz-develop, xyz-staging, and xyz-production clusters with their respective configurations.
  2. Create a user per environment, for example an `xyz-develop` user with exclusive access to the xyz-develop cluster.
  3. Grant that user `readWrite` and `dbAdmin` privileges on the cluster, so that later changes such as adding shards would automatically fall under the user's existing rights.

This, however, is neither the recommended nor a functional way to tackle it. Atlas does not provide cluster-level permissions: a database user is defined for the whole group and applies to every cluster in that group, and its privileges can be granted either on all databases or on specific named databases. The cluster, the unit I wanted to isolate, is not something a user can be scoped to, so the privilege model sits at the wrong level for per-environment isolation.

The Right Way

After failing to get the above to work and talking with the MongoDB Atlas team, it turns out they suggest a different approach: heavy use of Atlas Groups.

Groups can be accessed once logged into MongoDB Atlas by visiting Settings > My Groups. (Atlas has since renamed groups to ‘projects’; the model is the same.) The suggested approach is to model environments at the group level rather than at the user level. There are a few cons, but numerous benefits, which I will mention below. With this in mind, the proper flow for creating environment-based clusters and users with proper access control is:

  1. Create xyz-develop, xyz-staging, and xyz-production groups.
  2. Create the xyz-develop, xyz-staging, and xyz-production clusters within their respective groups, so that, for example, the xyz-develop cluster lives solely in the xyz-develop group.
  3. Within each group, create a database user with `dbAdmin` and `readWrite` privileges on all databases. Because database users are scoped to the group, that user can reach nothing outside its own environment.
  4. Repeat for each environment, store each user's password in that environment's own secret store (never share one password across environments), and voilà: per-environment segmented access control. A leaked develop credential cannot touch staging or production, because the user simply does not exist in those groups.

While there isn't an officially documented method from the MongoDB Atlas team itself, this has been confirmed with their support team as the suggested and supported approach to per-environment access control.
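The four steps above, scripted against the Atlas Administration API, as an added example that is not code from the original post nor from MongoDB. It assumes the v1.0 API base URL and request bodies (`/groups`, `/groups/{id}/clusters`, `/groups/{id}/databaseUsers`, `providerSettings`), Digest authentication with an API key pair, and environment variable names `ATLAS_PUBLIC_KEY`, `ATLAS_PRIVATE_KEY` and `ATLAS_ORG_ID`; check those against the current docs (where groups are now called projects) before running it. The `readWrite` plus `dbAdmin` on all databases of step 3 map to the `readWriteAnyDatabase` and `dbAdminAnyDatabase` built-in roles on the `admin` database.

```python
"""Provision one Atlas group, one cluster and one database user per environment."""
import json
import os
import secrets
import urllib.request

# Assumption: the v1.0 Atlas Administration API (Digest auth with an API key pair).
ATLAS_API = "https://cloud.mongodb.com/api/atlas/v1.0"
ENVIRONMENTS = ("develop", "staging", "production")

# "readWrite and dbAdmin on all databases" are the *AnyDatabase built-in roles,
# which Atlas assigns on the admin database.
ALL_DB_ROLES = [
    {"databaseName": "admin", "roleName": "readWriteAnyDatabase"},
    {"databaseName": "admin", "roleName": "dbAdminAnyDatabase"},
]


def build_group_request(app, env, org_id):
    """Step 1: one group per environment, named <app>-<env>."""
    return ("POST", "/groups", {"name": f"{app}-{env}", "orgId": org_id})


def build_cluster_request(group_id, app, env, tier="M10", region="US_EAST_1"):
    """Step 2: the environment's cluster, created inside that environment's group only.
    The providerSettings fields are assumed from the v1.0 API; adjust for your provider."""
    body = {
        "name": f"{app}-{env}",
        "providerSettings": {
            "providerName": "AWS",
            "instanceSizeName": tier,
            "regionName": region,
        },
    }
    return ("POST", f"/groups/{group_id}/clusters", body)


def build_user_request(group_id, app, env, password):
    """Step 3: a database user that exists only in this group, so it can reach
    only this environment's cluster, with readWrite + dbAdmin on all databases."""
    body = {
        "databaseName": "admin",
        "username": f"{app}-{env}",
        "password": password,
        "roles": ALL_DB_ROLES,
    }
    return ("POST", f"/groups/{group_id}/databaseUsers", body)


def new_password():
    """A fresh random password per environment; never reuse one across groups."""
    return secrets.token_urlsafe(32)


def make_sender(public_key, private_key):
    """Return a send(method, path, body) function that talks to the real API."""
    mgr = urllib.request.HTTPPasswordMgrWithDefaultRealm()
    mgr.add_password(None, ATLAS_API, public_key, private_key)
    opener = urllib.request.build_opener(urllib.request.HTTPDigestAuthHandler(mgr))

    def send(method, path, body):
        req = urllib.request.Request(
            ATLAS_API + path,
            data=json.dumps(body).encode(),
            method=method,
            headers={"Content-Type": "application/json"},
        )
        with opener.open(req) as resp:
            return json.load(resp)

    return send


def provision_environment(send, app, env, org_id):
    """Step 4, for one environment: group -> cluster -> user, chained on the new group id."""
    group = send(*build_group_request(app, env, org_id))
    group_id = group["id"]
    send(*build_cluster_request(group_id, app, env))
    password = new_password()
    send(*build_user_request(group_id, app, env, password))
    return {"group_id": group_id, "username": f"{app}-{env}", "password": password}


def check_segmentation(results):
    """True only if every environment has its own group and its own credential."""
    groups = {r["group_id"] for r in results.values()}
    passwords = {r["password"] for r in results.values()}
    return len(groups) == len(results) == len(passwords)


if __name__ == "__main__":
    # Assumed environment variable names for the API key pair and organization id.
    send = make_sender(os.environ["ATLAS_PUBLIC_KEY"], os.environ["ATLAS_PRIVATE_KEY"])
    results = {env: provision_environment(send, "xyz", env, os.environ["ATLAS_ORG_ID"])
               for env in ENVIRONMENTS}
    assert check_segmentation(results)
    for env, r in results.items():
        # The password stays in `results`; hand it to that environment's secret store only.
        print(f"{env}: group {r['group_id']}, user {r['username']}")
```

The request builders are kept separate from the network call so the exact payloads can be inspected (or unit-tested) without touching the account, and `check_segmentation` is the assertion worth keeping in any provisioning script: if two environments ever end up sharing a group or a password, the per-environment isolation the Atlas team recommends is gone.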
