Configuring the Veza integration for MongoDB and MongoDB Atlas
The Veza integration for MongoDB supports on-premise deployments and the MongoDB Atlas Database-as-a-service (DBaaS) platform. It enables discovery of standalone MongoDB clusters, MongoDB Atlas user permissions, and User permissions on MongoDB databases deployed in Atlas. After configuring the integration, you can use Veza Search, Workflows, and Insights to:
Show all Database Users, and the built-in or custom Database Roles a User has for each Database
Show the effective permissions Database Users have on the Databases and Clusters they have access to.
Show the effective permissions Users have on Clusters, Serverless Instances, and Global Clusters.
Show the Atlas Organizations and Projects accessible by Users in an Atlas Account, and what Atlas Roles users can assume.
Show Atlas Organizations that Atlas Users belong to, and the teams they belong to in those Organizations.
This documentation includes instructions to configure MongoDB Atlas, configure a standalone MongoDB cluster, and add the integration in Veza. See notes and supported entities for more details.
Veza connects to MongoDB Atlas using API Keys. You will need to enter the Public Key and Private Key to configure the integration in Veza. Additionally, Veza will need a username and password of a MongoDB Atlas User authorized for each project in the Organization to discover.
You will need the Organization Owner permission to grant API access to your Atlas organization.
The clusters to discover need to be accessible over the internet, or allow communication with a deployed Insight Point. Follow this guide to configure network access for MongoDB Atlas. As a user with the Project Owner role, you will need to:
Using the UI: Under the Security section, click Network Access to open the IP Access List tab. Click Add IP Address.
Using Atlas CLI: Use atlas accessLists create:
# Create an access list entry for the IP address 192.0.2.15 in the project with ID 5e2211c17a3e5a48f5497de3:
atlas accessLists create 192.0.2.15 --type ipAddress --projectId 5e2211c17a3e5a48f5497de3 --comment "IP address for app server 2" --output json
Veza does not currently support the MongoDB Atlas Data API. If enabled, Veza will not detect programmatic access users might have to MongoDB data.
Create an API Key within the Atlas Organization Veza will connect to. The API key must have the scope Organization Read Only.
To create a key from the Atlas UI:
Open your organization's Access Manager page
Click Create API Key.
Give the key a name and description.
Assign a new role for the API key with the Organization Read Only scope.
Click Next to view the Public and Private Keys.
Copy the keys and save them in a secure location. Note that the private key is only shown one time.
Add an API Access List Entry. Enter the IP address or CIDR block corresponding to your Veza Platform or Insight Point. Save the configuration.
Click Done.
See the Configure API Access documentation for more details.
Add database users for each project in the Organization. To create a new user using password authentication with the Atlas UI:
On the left navigation, click Security > Database Access. Click Add New Database User.
Choose Password for the Authentication Method.
Enter a username and password. You can optionally Autogenerate the password. Note that the password and username must be the same for each project user you will create.
Grant the user the Built-in Role AtlasAdmin. This is the only role granting the viewRole capability.
Optionally, set a Temporary User duration. You can also opt to Restrict Access to specific clusters and federated databases.
Click Add User.
See the Add MongoDB Users documentation for more details.
To discover a standalone MongoDB cluster, Veza connects as a local user with the following permissions:
listDatabases on the cluster
find on the system.users collection in any database
viewRole on any collection in any database
You should deploy an Insight Point within the same network as the cluster for a secure connection.
Connect to the standalone deployment and run the following command to create a role with the required permissions, and create a user with the role:
use admin
db.createRole(
  {
    role: "veza-extractor-role",
    privileges: [
      // listDatabases on the cluster
      { resource: { cluster: true }, actions: [ "listDatabases" ] },
      // find on the system.users collection in any database
      { resource: { db: "", collection: "system.users" }, actions: [ "find" ] },
      // viewRole on any collection in any database
      { resource: { db: "", collection: "" }, actions: [ "viewRole" ] }
    ],
    roles: [] // no inherited roles: the role carries only the privileges above
  }
)
db.createUser(
  {
    user: "veza-extractor-user",
    pwd: passwordPrompt(), // or cleartext password
    roles: [
      { role: "veza-extractor-role", db: "admin" }
    ]
  }
)
After creating a user and assigning the required permissions, configure the integration on Veza by providing the username, password, and the URI of the MongoDB cluster.
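As an added check (example code, not Veza's or MongoDB's), the script below audits a role document such as the one returned by `db.getRole("veza-extractor-role", {showPrivileges: true})` in mongosh against the three privileges listed above, reporting anything missing, anything in excess, and any inherited roles that would widen the discovery user's access. The ROLE_DOC below is a constructed sample, not output from a live cluster.

```python
"""Audit a MongoDB role document against the least-privilege set the integration needs.

Added example, not code from Veza or MongoDB. Paste the document returned by
db.getRole("veza-extractor-role", {showPrivileges: true}) into ROLE_DOC; the
sample here is constructed and deliberately carries one action too many.
"""
from typing import Any

# The three privileges from the createRole call above, as (resource, action) pairs.
REQUIRED_PRIVILEGES = [
    ({"cluster": True}, "listDatabases"),
    ({"db": "", "collection": "system.users"}, "find"),
    ({"db": "", "collection": ""}, "viewRole"),
]

# Constructed sample: the system.users grant was widened to "update" by mistake.
ROLE_DOC: dict[str, Any] = {
    "role": "veza-extractor-role",
    "db": "admin",
    "roles": [],
    "privileges": [
        {"resource": {"cluster": True}, "actions": ["listDatabases"]},
        {"resource": {"db": "", "collection": "system.users"}, "actions": ["find", "update"]},
        {"resource": {"db": "", "collection": ""}, "actions": ["viewRole"]},
    ],
}


def _key(resource: dict) -> tuple:
    # Normalise a resource document so {"cluster": True} and {"db": "", ...} compare reliably.
    return tuple(sorted(resource.items()))


def audit_role(role_doc: dict) -> dict[str, list]:
    """Return privileges missing from and exceeding the required set, plus inherited roles."""
    granted = {(_key(p["resource"]), a) for p in role_doc.get("privileges", []) for a in p["actions"]}
    required = {(_key(r), a) for r, a in REQUIRED_PRIVILEGES}
    return {
        "missing": sorted(f"{a} on {dict(r)}" for r, a in required - granted),
        "excess": sorted(f"{a} on {dict(r)}" for r, a in granted - required),
        # Inherited roles grant privileges beyond the explicit list, so flag every one.
        "inherited_roles": [f"{r['role']}@{r['db']}" for r in role_doc.get("roles", [])],
    }


if __name__ == "__main__":
    for finding, items in audit_role(ROLE_DOC).items():
        print(f"{finding}: {items or 'none'}")
```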
After preparing the required credentials, log in to Veza as an administrator to add the integration:
In Veza, open the Integrations page.
Click Add New and pick MongoDB or MongoDB Atlas as the type of integration to add.
Enter the required information and Save the configuration.
To create the MongoDB (standalone) integration, you will need the database URI and the username and password created when Configuring MongoDB (standalone):
Insight Point: Choose the Insight Point to use for the connection.
Name: Enter a friendly name to identify the unique MongoDB integration.
Database URI: Cluster URI, e.g. mongodb://mongodb0.example.com:28015
Username: Database user name for the integration.
Password: Database user password for the integration.
To create the MongoDB Atlas integration, you will need the API credentials, username, and password created when Configuring MongoDB Atlas:
Insight Point: Choose the Insight Point to use for the connection, or use the internal Veza Insight Point.
Public Key: Public API Key created for the Atlas Organization.
Private Key: Private API Key created for the Atlas Organization.
Username: Username of the database user(s) for project-level discovery.
Password: Password of the database user(s) for project-level discovery.
To discover more than one Organization in a single Account, click Add Key Pair to add additional API credentials.
Veza supports the following entity types and entity attributes:
Represents the overarching account associated with MongoDB Atlas, typically belonging to an organization or individual.
Represents a user account within MongoDB Atlas, identified by a unique ID and associated with an email address. Attributes: ID.
Represents an organization in MongoDB Atlas, identifiable by its unique ID and organizational name. Attributes: ID, Name.
Denotes the role or permissions assigned to a user within a MongoDB Atlas organization, governing their access and privileges.
Represents a project in MongoDB Atlas, identified by a unique ID and a descriptive name, used for grouping related resources. Attributes: ID, Name.
Represents a team within a MongoDB Atlas project, identifiable by a unique ID and a name, used for collaborative project management. Attributes: ID, Name.
Refers to a specific deployment of a MongoDB database, characterized by a unique ID, a name, type, and an indication of its operational status (paused or active). Attributes: ID, Name, Type, Paused.
Represents a user account with specific access rights within a MongoDB database, defined by a username and the associated database name. Attributes: Username, Database Name.
When configuring a standalone MongoDB cluster, Veza discovers the following entities:
Represents an independent MongoDB database cluster, typically running on a single server or a set of servers, used for data storage and retrieval.
Denotes a user account associated with a standalone MongoDB cluster. MongoDB User entities have a unique ID and include information about the associated database and the username for authentication. Attributes: ID, Database, Username.
Represents an individual database within a cluster, used for organizing and storing collections of data.
Denotes a role or set of permissions assigned to a user within a standalone MongoDB cluster, governing their access and privileges to perform operations on databases and collections. It is identified by a unique ID. Attributes: ID.