Security
On this page
Atlas provides a system for managing user permissions at the organization, project, and database levels. Atlas Stream Processing extends this system with additional roles and privileges specific to stream processing tasks, as well as the ability to restrict user permissions to specific stream processing instances.
Organization and Project Access
Users manage stream processing instances and their associated connection registries at
the project level. Atlas Stream Processing provides the Project Stream Processing Owner
role for this purpose. A user with this role can
perform any stream processing instance or connection registry management action, and manage the
databases and database users within the project. Assign this role to a
user to enable them to perform all the actions necessary to configure
an Atlas Stream Processing project without granting any unnecessary permissions
to features in accordance with the principle of least privilege.
If necessary, you can perform any of the actions authorized by the
Project Stream Processing Owner
role as a user with either the
Project Owner
or Organization Owner
roles.
Stream Processing Instance Access
You can access an existing stream processing instance and manage stream processors as a database user, analogous to how you access an Atlas cluster. The roles and actions assigned to your database users determine which operations they can perform on stream processors within a stream processing instance. Atlas Stream Processing provides the following privilege actions:
processStreamProcessor
createStreamProcessor
startStreamProcessor
stopStreamProcessor
dropStreamProcessor
listStreamProcessors
sampleStreamProcessor
streamProcessorStats
listConnections
You can assign exactly those privilege actions to a database user or
custom role that you need. Alternatively, a
database user with the atlasAdmin
or
readWriteAnyDatabase
can perform all of these actions.
Networking
Atlas Stream Processing supports connections to both Atlas clusters and external streaming data sources such as Apache Kafka. Connections within Atlas do not require manual configuration. To connect to an external streaming data source, you must add Atlas IP addresses to your external streaming data source's access list.
To identify the necessary Atlas IP addresses, run the following command:
curl -H 'Accept: application/vnd.atlas.2023-11-15+json' -s \ 'https://cloud.mongodb.com/api/atlas/v2/unauth/controlPlaneIPAddresses'
This returns a list of available Atlas IP addresses, grouped by provider and region. Identify all outbound IP addresses for the provider-region pair in which the target stream processing instance is deployed, and add these to your external data source's access list. To learn more, see Allow Access to or from the Atlas Control Plane.
When you configure a connection to an external streaming data source, you can choose between access over public IP addresses, or over a VPC peering connection. To learn more, see Add a Connection to the Connection Registry.
Restricting Access to Specific stream processing instances
By default, a user with Atlas Stream Processing privilege actions can perform the associated operations on all stream processing instances. You can restrict the application of these privileges to specific stream processing instances.
In Atlas, go to the Database Access page for your project.
If it's not already displayed, select the organization that contains your project from the Organizations menu in the navigation bar.
If it's not already displayed, select your project from the Projects menu in the navigation bar.
In the sidebar, click Database Access under the Security heading.
The Database Access page displays.
Click Edit in the row of the user whose permissions you want to modify.
In the modal window, toggle the switch labeled Restrict Access to Specific Clusters /Federated Database Instances/Stream Processing Instances on.
Find the names of the stream processing instances for which you want to grant the user privileges. Check the box next to a name to grant the user privileges for that stream processing instance. Uncheck the box to deny the user privileges for that stream processing instance
Execution Profiles
You can configure the database user role that you use when connecting
to an Atlas database as either a $source
or a
$merge
sink. This allows you to prevent
Atlas Stream Processing-specific database users from gaining indirect access to
the cluster hosting that database through the credentials of the
elevated-privilege Atlas user that configures the stream processing instance and its
connections.
Note
In accordance with the principle of least privilege, define a custom role with only those privileges a user needs to perform their desired operations.
In Atlas, go to the Stream Processing page for your project.
If it's not already displayed, select the organization that contains your project from the Organizations menu in the navigation bar.
If it's not already displayed, select your project from the Projects menu in the navigation bar.
In the sidebar, click Stream Processing under the Services heading.
The Stream Processing page displays.
In the pane of the stream processing instance you want to configure, click Configure.
Click the Connection Registry tab. In the row of the Atlas database connection you want to configure, click .
From the Execute As drop-down menu, select the role to use when connecting to the database.
Auditing
Atlas Stream Processing auditing lets administrators track authentication and entity management events on their stream processing instances. Each time an auditable event occurs on a given stream processing instance, Atlas Stream Processing writes that event to the log for that stream processing instance. A log persists for the lifetime of the stream processing instance to which it belongs, and Atlas Stream Processing never truncates old events. If you delete a stream processing instance, the log belonging to that stream processing instance persists for an additional 30 days.
To download audit logs for your stream processing instance, see Download Audit Logs.
Atlas Stream Processing supports auditing the following authentication events:
Event | Description |
---|---|
Successful Authentication | Occurs when a user successfully connects to a stream processing instance |
Failed Authentication | Occurs when a user fails to connect to a stream processing instance |
Connection Termination | Occurs when a user closes their connection |
Atlas Stream Processing supports auditing the following entity management events:
startStreamProcessor | Occurs when a user starts a stream processor |
---|---|
createStreamProcessor | Occurs when a user creates a stream processor |
stopStreamProcessor | Occurs when a user stops a stream processor |
dropStreamProcessor | Occurs when a user deletes a stream processor |
.process() | Occurs when a user issues a .process() call |
.sample() | Occurs when a user issues a .sample() call |
Audit log accessed | Occurs when a user attempts to download the audit log |