
Security


Organization and Project Access

Atlas provides a system for managing user permissions at the organization, project, and database levels. Atlas Stream Processing extends this system with additional roles and privileges specific to stream processing tasks, as well as the ability to restrict user permissions to specific stream processing instances.

Users manage stream processing instances and their associated connection registries at the project level. Atlas Stream Processing provides the Project Stream Processing Owner role for this purpose. A user with this role can perform any stream processing instance or connection registry management action, and can manage the databases and database users within the project. Assign this role to a user to enable them to perform all the actions necessary to configure an Atlas Stream Processing project without granting unnecessary permissions to other features, in accordance with the principle of least privilege.

If necessary, you can perform any of the actions authorized by the Project Stream Processing Owner role as a user with either the Project Owner or Organization Owner role.

Stream Processing Instance Access

You can access an existing stream processing instance and manage stream processors as a database user, analogous to how you access an Atlas cluster. The roles and actions assigned to your database users determine which operations they can perform on stream processors within a stream processing instance. Atlas Stream Processing provides the following privilege actions:

  • processStreamProcessor

  • createStreamProcessor

  • startStreamProcessor

  • stopStreamProcessor

  • dropStreamProcessor

  • listStreamProcessors

  • sampleStreamProcessor

  • streamProcessorStats

  • listConnections

You can assign exactly those privilege actions that a database user or custom role needs. Alternatively, a database user with the atlasAdmin or readWriteAnyDatabase role can perform all of these actions.

Networking

Atlas Stream Processing supports connections to both Atlas clusters and external streaming data sources such as Apache Kafka. Connections within Atlas do not require manual configuration. To connect to an external streaming data source, you must add Atlas IP addresses to your external streaming data source's access list.

To identify the necessary Atlas IP addresses, run the following command:

curl -H 'Accept: application/vnd.atlas.2023-11-15+json' -s \
'https://cloud.mongodb.com/api/atlas/v2/unauth/controlPlaneIPAddresses'

This returns a list of available Atlas IP addresses, grouped by provider and region. Identify all outbound IP addresses for the provider-region pair in which the target stream processing instance is deployed, and add these to your external data source's access list. To learn more, see Allow Access to or from the Atlas Control Plane.
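The following Python script is an added example, not part of the Atlas documentation: it takes the JSON returned by the command above, keeps only the outbound ranges for one provider/region pair, validates them before they go into an access list, and checks whether a given source address is covered. It assumes the response has the shape {"inbound": {provider: {region: [cidr, ...]}}, "outbound": {...}}; the sample response embedded below is constructed and uses RFC 5737 documentation ranges, not real Atlas addresses.

```python
import ipaddress
import json

# Constructed sample of the assumed response shape; the addresses are RFC 5737
# documentation ranges, not real Atlas control-plane addresses.
SAMPLE_RESPONSE = json.dumps({
    "inbound": {"aws": {"us-east-1": ["192.0.2.0/24"]}},
    "outbound": {
        "aws": {
            "us-east-1": ["198.51.100.0/25", "198.51.100.128/25", "198.51.100.0/25"],
            "eu-west-1": ["203.0.113.0/24"],
        },
        "gcp": {"us-central1": ["203.0.113.0/25"]},
    },
})


def outbound_ranges(response_json: str, provider: str, region: str) -> list[str]:
    """Return the outbound CIDRs for one provider/region, validated and deduplicated.

    Only the outbound direction belongs on an external data source's access
    list: those are the addresses Atlas connects *from*. A missing
    provider/region raises instead of returning an empty allowlist, so a typo
    cannot silently lock the stream processing instance out.
    """
    data = json.loads(response_json)
    try:
        raw = data["outbound"][provider][region]
    except KeyError as exc:
        raise KeyError(f"no outbound entry for {provider}/{region}") from exc
    ranges: list[str] = []
    for cidr in raw:
        # strict=True rejects prefixes with host bits set (e.g. 10.1.2.3/24).
        net = ipaddress.ip_network(cidr, strict=True)
        if str(net) not in ranges:
            ranges.append(str(net))
    return ranges


def is_atlas_outbound(ranges: list[str], source_ip: str) -> bool:
    """Check whether a connection's source address falls inside the allowlisted ranges.

    Useful when the data source's logs show a rejected client address: if this
    returns False, the access list is missing a range for that region.
    """
    addr = ipaddress.ip_address(source_ip)
    return any(addr in ipaddress.ip_network(r) for r in ranges)


if __name__ == "__main__":
    allow = outbound_ranges(SAMPLE_RESPONSE, "aws", "us-east-1")
    print("access-list entries:", allow)
    print("198.51.100.200 allowed:", is_atlas_outbound(allow, "198.51.100.200"))
```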

When you configure a connection to an external streaming data source, you can choose between access over public IP addresses, or over a VPC peering connection. To learn more, see Add a Connection to the Connection Registry.

Restricting Access to Specific Stream Processing Instances

By default, a user with Atlas Stream Processing privilege actions can perform the associated operations on all stream processing instances. You can restrict the application of these privileges to specific stream processing instances.

  1. Navigate to the Database Access page:

     a. If it's not already displayed, select the organization that contains your project from the Organizations menu in the navigation bar.

     b. If it's not already displayed, select your project from the Projects menu in the navigation bar.

     c. In the sidebar, click Database Access under the Security heading.

        The Database Access page displays.

  2. Click Edit in the row of the user whose permissions you want to modify.

  3. In the modal window, toggle the switch labeled Restrict Access to Specific Clusters / Federated Database Instances / Stream Processing Instances on.

  4. Find the names of the stream processing instances for which you want to grant the user privileges. Check the box next to a name to grant the user privileges for that stream processing instance. Uncheck the box to deny the user privileges for that stream processing instance.

Execution Profiles

You can configure the database user role that you use when connecting to an Atlas database as either a $source or a $merge sink. This allows you to prevent Atlas Stream Processing-specific database users from gaining indirect access to the cluster hosting that database through the credentials of the elevated-privilege Atlas user that configures the stream processing instance and its connections.

Note

In accordance with the principle of least privilege, define a custom role with only those privileges a user needs to perform their desired operations.

  1. In Atlas, go to the Stream Processing page for your project:

     a. If it's not already displayed, select the organization that contains your project from the Organizations menu in the navigation bar.

     b. If it's not already displayed, select your project from the Projects menu in the navigation bar.

     c. In the sidebar, click Stream Processing under the Services heading.

        The Stream Processing page displays.

  2. In the pane of the stream processing instance you want to configure, click Configure.

  3. Click the Connection Registry tab. In the row of the Atlas database connection you want to configure, click .

  4. From the Execute As drop-down menu, select the role to use when connecting to the database.

  5. Click Save changes.

Auditing

Atlas Stream Processing auditing lets administrators track authentication and entity management events on their stream processing instances. Each time an auditable event occurs on a given stream processing instance, Atlas Stream Processing writes that event to the log for that stream processing instance. A log persists for the lifetime of the stream processing instance to which it belongs, and Atlas Stream Processing never truncates old events. If you delete a stream processing instance, the log belonging to that stream processing instance persists for an additional 30 days.

To download audit logs for your stream processing instance, see Download Audit Logs.

Atlas Stream Processing supports auditing the following authentication events:

  • Successful Authentication: Occurs when a user successfully connects to a stream processing instance.

  • Failed Authentication: Occurs when a user fails to connect to a stream processing instance.

  • Connection Termination: Occurs when a user closes their connection.

Atlas Stream Processing supports auditing the following entity management events:

  • startStreamProcessor: Occurs when a user starts a stream processor.

  • createStreamProcessor: Occurs when a user creates a stream processor.

  • stopStreamProcessor: Occurs when a user stops a stream processor.

  • dropStreamProcessor: Occurs when a user deletes a stream processor.

  • .process(): Occurs when a user issues a .process() call.

  • .sample(): Occurs when a user issues a .sample() call.

  • Audit log accessed: Occurs when a user attempts to download the audit log.
