
๐Ÿ‘ RUN : RBAC challenge


The provided scripts are incomplete. Replace all <CODE_BLOCK> with the correct code to complete the lab.

Hint: remember to add --projectId {project_id} to every command. Refer to the documentation for atlas dbusers and atlas customDbRoles.

1. Create a user for "MyNewCluster" database only

# Create a user:'myNewClusterAdmin', password:'myNewClusterAdminPass', role: 'readWriteAnyDatabase'
# and scoped to "MyNewCluster" database
newClusterAdminUser = 'myNewClusterAdmin'
newClusterAdminPass = 'myNewClusterAdminPass'
!atlas dbusers create <CODE_BLOCK>
Answer:
# Create a user:'myNewClusterAdmin', password:'myNewClusterAdminPass', role: 'readWriteAnyDatabase'
# and scoped to "MyNewCluster" database
newClusterAdminUser = 'myNewClusterAdmin'
newClusterAdminPass = 'myNewClusterAdminPass'
!atlas dbusers create --username {newClusterAdminUser} --password {newClusterAdminPass} --role readWriteAnyDatabase --scope 'MyNewCluster' --projectId {project_id}

2. Create user with read-only access to the 'salesDB' database

# Create a role "salesRead" that grants read-only access to the salesDB database
!atlas customDbRoles create <CODE_BLOCK>

# Create a user "salesReadUser" with password "salesReadPass" that has the "salesRead" role
salesReadUser = 'salesReadUser'
salesReadPass = 'salesReadPass'
!atlas dbusers create <CODE_BLOCK>
Answer:
# Create a role "salesRead" that grants read-only access to the salesDB database
!atlas customDbRoles create salesRead --inheritedRole read@salesDB --projectId {project_id}

# Create a user "salesReadUser" with password "salesReadPass" that has the "salesRead" role
salesReadUser = 'salesReadUser'
salesReadPass = 'salesReadPass'
!atlas dbusers create --username salesReadUser --password salesReadPass --role salesRead --projectId {project_id}

3. Test that 'salesReadUser' cannot insert data into the 'salesDB' database.

from pymongo import MongoClient

# Get connection string (the CLI prints a header line first, the SRV URI second)
connection = !atlas clusters connectionStrings describe MyNewCluster --projectId {project_id}

# Insert the read-only user's username and password into the connection string
new_connection = connection[1].replace('mongodb+srv://', f'mongodb+srv://{salesReadUser}:{salesReadPass}@')

# Attempt to insert data; this should fail with an authorization error
client = MongoClient(new_connection)
db = client['salesDB']
collection = db['mycollection']
try:
    data = {'name': 'John Doe', 'age': 30}
    result = collection.insert_one(data)
    print(f"Inserted document with ID: {result.inserted_id}")
except Exception as e:
    print(f"Error inserting data: {e}")

4. Test that 'myNewClusterAdmin' can insert data into the 'salesDB' database.

from pymongo import MongoClient

# Get connection string (the CLI prints a header line first, the SRV URI second)
connection = !atlas clusters connectionStrings describe MyNewCluster --projectId {project_id}

# Insert the cluster admin's username and password into the connection string
new_connection = connection[1].replace('mongodb+srv://', f'mongodb+srv://{newClusterAdminUser}:{newClusterAdminPass}@')

# Attempt to insert data; this should succeed
client = MongoClient(new_connection)
db = client['salesDB']
collection = db['mycollection']
try:
    data = {'name': 'John Doe', 'age': 30}
    result = collection.insert_one(data)
    print(f"Inserted document with ID: {result.inserted_id}")
except Exception as e:
    print(f"Error inserting data: {e}")
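Steps 3 and 4 only print whatever happens; the helper below (an added example, not part of the lab) turns the two checks into assertions, distinguishing an RBAC denial (MongoDB error code 13, Unauthorized) from an unrelated connection or authentication failure, and percent-encodes the credentials so a password containing '@' or ':' cannot corrupt the URI. It assumes the `connection` list captured from the atlas CLI above, the pymongo driver, and the user variables defined in steps 1 and 2.

```python
from urllib.parse import quote

# MongoDB reports a permissions failure with error code 13 (Unauthorized).
UNAUTHORIZED = 13


def build_user_uri(cli_output, username, password):
    """Inject percent-encoded credentials into the SRV URI printed by
    `atlas clusters connectionStrings describe` (header line, then URI)."""
    uri = next(line.strip() for line in cli_output
               if line.strip().startswith("mongodb+srv://"))
    creds = f"{quote(username, safe='')}:{quote(password, safe='')}"
    return uri.replace("mongodb+srv://", f"mongodb+srv://{creds}@", 1)


def classify_write(exc):
    """Map the outcome of insert_one() to 'allowed', 'denied' or 'error'.
    Only error code 13 counts as an RBAC decision; anything else (DNS,
    bad password, timeout) is an environment problem, not a policy result."""
    if exc is None:
        return "allowed"
    if getattr(exc, "code", None) == UNAUTHORIZED:
        return "denied"
    return "error"


def try_insert(uri, db_name, coll_name, doc):
    """Attempt one write and return (verdict, detail)."""
    from pymongo import MongoClient  # imported here so the helpers above need no driver
    try:
        client = MongoClient(uri, serverSelectionTimeoutMS=10000)
        result = client[db_name][coll_name].insert_one(doc)
        return classify_write(None), str(result.inserted_id)
    except Exception as exc:
        return classify_write(exc), str(exc)


def assert_rbac(cli_output, expectations, db_name="salesDB", coll_name="mycollection"):
    """expectations maps (username, password) -> 'allowed' or 'denied'.
    Returns {username: (verdict, detail)} and raises AssertionError on the
    first user whose actual outcome differs from the expected one."""
    results = {}
    for (user, password), expected in expectations.items():
        uri = build_user_uri(cli_output, user, password)
        verdict, detail = try_insert(uri, db_name, coll_name, {"name": "John Doe", "age": 30})
        results[user] = (verdict, detail)
        assert verdict == expected, f"{user}: expected {expected}, got {verdict} ({detail})"
    return results
```

In the notebook, call `assert_rbac(connection, {(salesReadUser, salesReadPass): "denied", (newClusterAdminUser, newClusterAdminPass): "allowed"})`; a verdict of "error" for either user means the check could not reach the cluster rather than that the role is wrong.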

Next Steps

Start the chapter on Queryable Encryption for data encryption.