MongoDB
Configuring the Veza integration for MongoDB and MongoDB Atlas
Overview
The Veza integration for MongoDB supports on-premise deployments and the MongoDB Atlas Database-as-a-service (DBaaS) platform. It enables discovery of standalone MongoDB clusters, MongoDB Atlas user permissions, and User permissions on MongoDB databases deployed in Atlas. After configuring the integration, you can use Veza Search, Workflows, and Insights to:
Show all Database Users, and the built-in or custom Database Roles a User has for each Database
Show the effective permissions Database Users have on the Databases and Clusters they have access to.
Show the effective permissions Users have on Clusters, Serverless Instances, and Global Clusters.
Show the Atlas Organizations and Projects accessible by Users in an Atlas Account, and what Atlas Roles users can assume.
Show Atlas Organizations that Atlas Users belong to, and the teams they belong to in those Organizations.
This documentation includes instructions for configuring MongoDB Atlas, configuring a standalone MongoDB deployment, and adding the integration on the Veza Platform. See Notes and Supported Entities for more details.
Configuring MongoDB Atlas
Veza connects to MongoDB Atlas using API Keys. You will need to enter the Public Key and Private Key to configure the integration in Veza. Additionally, Veza will need a username and password of a MongoDB Atlas User authorized for each project in the Organization to discover.
You will need the Organization Owner permission to grant API access to your Atlas organization. The clusters to discover need to be accessible over the internet, or allow communication with a deployed Insight Point. Follow this guide to configure network access for MongoDB Atlas. As a user with the Project Owner role, you will need to:
Using the UI: Under the Security section, click Network Access to open the IP Access List tab. Click Add IP Address.
Using Atlas CLI: Use atlas accessLists create:
Veza does not currently support the MongoDB Atlas Data API. If enabled, Veza will not detect programmatic access users might have to MongoDB data.
AWS IAM Roles (Early Access): AWS customers can optionally use the “Assume AWS Role” connection type when creating a MongoDB Atlas integration. This can be a new role or the same one used for the AWS integration. To configure the MongoDB connection, you will provide the:
Role ARN: The ARN of the AWS IAM role that will be used to perform the extraction.
External ID: AWS IAM role external ID (similar to the “External ID” input in AWS integration)
When creating MongoDB Atlas database users in the following section, instead of adding usernames and passwords, choose the option to use an AWS IAM role and use the role ARN.
Generate Atlas Administration API credentials for the MongoDB organization
Create an API Key within the Atlas Organization Veza will connect to. The API key must have the scope Organization Read Only.
To create a key from the Atlas UI:
Open your organization's Access Manager page
Click Create API Key.
Give the key a name and description.
Assign a new role for the API key with the Organization Read Only scope. Click Next to view the Public and Private Keys.
Copy the keys and save them in a secure location. Note that the private key is only shown one time.
Add an API Access List Entry. Enter the IP address or CIDR block corresponding to your Veza Platform or Insight Point. Save the configuration.
Click Done.
See the Configure API Access documentation for more details.
Create a database user for each of the projects in the MongoDB organization
Add database users for each project in the Organization. To create a new user using password authentication with the Atlas UI:
On the left navigation, click Security > Database Access. Click Add New Database User.
Choose Password for the Authentication Method.
Enter a username and password. You can optionally Autogenerate the password. Note that the password and username must be the same for each project user you will create.
Grant the user the Built-in Role AtlasAdmin. This is the only role that grants the viewRole capability. Optionally, set a Temporary User duration. You can also opt to Restrict Access to specific clusters and federated databases.
Click Add User.
See the Add MongoDB Users documentation for more details.
Configuring MongoDB (standalone)
To discover a standalone MongoDB cluster, Veza connects as a local user with the following permissions:
listDatabases on the cluster
find on the system.users collection in any database
viewRole on any collection in any database
You should deploy an Insight Point within the same network as the cluster for a secure connection.
Create local user and role
Connect to the standalone deployment and run the following command to create a role with the required permissions, and create a user with the role:
After creating a user and assigning the required permissions, configure the integration on Veza by providing the username, password, and the URI of the MongoDB cluster.
Configuring MongoDB on the Veza Platform
After preparing the required credentials, log in to Veza as an administrator to add the integration:
In Veza, open the Integrations page.
Click Add New and pick MongoDB or MongoDB Atlas as the type of integration to add
Enter the required information and Save the configuration
Standalone MongoDB
To create the standalone MongoDB integration, you will need the database URI and the username and password created when Configuring MongoDB (standalone).

| Field | Notes |
|---|---|
| Insight Point | Choose the Insight Point to use for the connection. |
| Name | Enter a friendly name to identify the unique MongoDB integration |
| Database URI | Cluster Connection String |
| Username | Database user name for the integration |
| Password | Database user password for the integration |
MongoDB Atlas
To create the MongoDB Atlas integration, you will need the API credentials, username, and password created when Configuring MongoDB Atlas.

| Field | Notes |
|---|---|
| Insight Point | Choose the Insight Point to use for the connection, or use the internal Veza Insight Point. |
| Public Key | Public API Key created for the Atlas Organization |
| Private Key | Private API Key created for the Atlas Organization |
| Username | Username of the database user(s) for project-level discovery |
| Password | Password of the database user(s) for project-level discovery |

To discover more than one Organization in a single Account, click Add Key Pair to add additional API credentials.
Notes and Supported Entities
Veza supports the following entity types and entity attributes:
MongoDB Atlas Account
Represents the overarching account associated with MongoDB Atlas, typically belonging to an organization or individual.
MongoDB Atlas User
Represents a user account within MongoDB Atlas, identified by a unique ID and associated with an email address.
ID
E-mail
MongoDB Atlas Organization
Represents an organization in MongoDB Atlas, identifiable by its unique ID and organizational name.
ID
Name
MongoDB Atlas Organization Role
Denotes the role or permissions assigned to a user within a MongoDB Atlas organization, governing their access and privileges.
MongoDB Atlas Project
Represents a project in MongoDB Atlas, identified by a unique ID and a descriptive name, used for grouping related resources.
ID
Name
MongoDB Atlas Team
Represents a team within a MongoDB Atlas project, identifiable by a unique ID and a name, used for collaborative project management.
ID
Name
MongoDB Database Deployment
Refers to a specific deployment of a MongoDB database, characterized by a unique ID, a name, type, and an indication of its operational status (paused or active).
ID
Name
Type
Paused
MongoDB Database User
Represents a user account with specific access rights within a MongoDB database, defined by a username and the associated database name.
Username
Database Name
When configuring a standalone MongoDB cluster, Veza discovers the following entities:
MongoDB Cluster
Represents an independent MongoDB database cluster, typically running on a single server or a set of servers, used for data storage and retrieval.
MongoDB User
Denotes a user account associated with a standalone MongoDB cluster. MongoDB User entities have a unique ID and include information about the associated database and the username for authentication.
ID
Database
Username
MongoDB Database
Represents an individual database within a cluster, used for organizing and storing collections of data.
MongoDB Role
Denotes a role or set of permissions assigned to a user within a standalone MongoDB cluster, governing their access and privileges to perform operations on databases and collections. It is identified by a unique ID.
ID