(DOCSP-14079): document custom roles (#298)

jwilliams-mongo · web-flow · commit ea9d93270f51 · 2021-01-27T08:58:52.000-06:00
* (DOCSP-14079): document custom roles

* (DOCSP-14079): fix tocs altered by vscode markdown extension

* (DOCSP-14079): copy review feedback
diff --git a/README.md b/README.md
@@ -13,6 +13,7 @@ Here is a talk from MongoDB Live 2020 about the Community Operator:
 
 - [Documentation](#documentation)
 - [Supported Features](#supported-features)
+  - [Planned Features](#planned-features)
 - [Contribute](#contribute)
 - [License](#license)
 
@@ -38,6 +39,7 @@ The MongoDB Community Kubernetes Operator supports the following features:
 - Connect to the replica set from inside the Kubernetes cluster (no external connectivity)
 - Secure client-to-server and server-to-server connections with TLS
 - Create users with [SCRAM](https://docs.mongodb.com/manual/core/security-scram/) authentication
+- Create custom roles
 
 ### Planned Features
 - Server internal authentication via keyfile
diff --git a/docs/deploy-configure.md b/docs/deploy-configure.md
@@ -6,8 +6,10 @@ The [`/deploy/crds`](../deploy/crds) directory contains example MongoDB resource
 
 - [Deploy a Replica Set](#deploy-a-replica-set)
 - [Scale a Replica Set](#scale-a-replica-set)
-- [Upgrade MongoDB Version & FCV](#upgrade-your-mongodb-resource-version-and-feature-compatibility-version)
-- [Deploying on Openshift](#deploying-on-openshift)
+- [Upgrade your MongoDB Resource Version and Feature Compatibility Version](#upgrade-your-mongodb-resource-version-and-feature-compatibility-version)
+  - [Example](#example)
+- [Deploy Replica Sets on OpenShift](#deploy-replica-sets-on-openshift)
+- [Define a Custom Database Role](#define-a-custom-database-role)
 
 ## Deploy a Replica Set
 
@@ -132,3 +134,75 @@ an example of how to provide the required configuration for a MongoDB
 replica set.
 
 See [here](../deploy/openshift/operator_openshift.yaml) for an example of how to configure the Operator deployment.
+
+## Define a Custom Database Role
+
+You can define [custom roles](https://docs.mongodb.com/manual/core/security-user-defined-roles/) to give you fine-grained access control over your MongoDB database resource.
+
+  **NOTE**: Custom roles are scoped to a single MongoDB database resource.
+
+To define a custom role:
+
+1. Add the following fields to the MongoDB resource definition:
+
+   | Key | Type | Description | Required? |
+   |----|----|----|----|
+   | `spec.security.roles` | array | Array that defines [custom roles](https://docs.mongodb.com/manual/core/security-user-defined-roles/) roles that give you fine-grained access control over your MongoDB deployment. | Yes |
+   | `spec.security.roles.role` | string | Name of the custom role. | Yes |
+   | `spec.security.roles.db` | string | Database in which you want to store the user-defined role. | Yes |
+   | `spec.security.roles.authenticationRestrictions` | array | Array that defines the IP address from which and to which users assigned this role can connect. | No |
+   | `spec.security.roles.authenticationRestrictions.clientSource` | array | Array of IP addresses or CIDR blocks from which users assigned this role can connect. <br><br> MongoDB servers reject connection requests from users with this role if the requests come from a client that is not present in this array. | No |
+   | `spec.security.roles.authenticationRestrictions.serverAddress` | array | Array of IP addresses or CIDR blocks to which users assigned this role can connect. <br><br> MongoDB servers reject connection requests from users with this role if the client requests to connect to a server that is not present in this array. | No |
+   | `spec.security.roles.privileges` | array | List of actions that users granted this role can perform. For a list of accepted values, see [Privilege Actions](https://docs.mongodb.com/manual/reference/privilege-actions/#database-management-actions) in the MongoDB Manual for the MongoDB versions you deploy with the Kubernetes Operator. | Yes |
+   | `spec.security.roles.privileges.actions` | array | Name of the role. Valid values are [built-in roles](https://docs.mongodb.com/manual/reference/built-in-roles/#built-in-roles). | Yes |
+   | `spec.security.roles.privileges.resource.database`| string | Database for which the privilege `spec.security.roles.privileges.actions` apply. An empty string (`""`) indicates that the privilege actions apply to all databases. <br><br> If you provide a value for this setting, you must also provide a value for `spec.security.roles.privileges.resource.collection`. | Conditional |
+   | `spec.security.roles.privileges.resource.collection`| string | Collection for which the privilege `spec.security.roles.privileges.actions` apply. An empty string (`""`) indicates that the privilege actions apply to all of the database's collections.<br><br> If you provide a value for this setting, you must also provide a value for `spec.security.roles.privileges.resource.database`. | Conditional |
+   | `spec.security.roles.privileges.resource.cluster`| string | Flag that indicates that the privilege `spec.security.roles.privileges.actions` apply to all databases and collections in the MongoDB deployment. If omitted, defaults to `false`.<br><br> If set to `true`, do not provide values for `spec.security.roles.privileges.resource.database` and `spec.security.roles.privileges.resource.collection`. | Conditional |
+   | `spec.security.roles.roles`| array | An array of roles from which this role inherits privileges. <br><br> You must include the roles field. Use an empty array (`[]`) to specify no roles to inherit from. | Yes |
+   | `spec.security.roles.roles.role` | string | Name of the role to inherit from. | Conditional |
+   | `spec.security.roles.roles.database` | string | Name of database that contains the role to inherit from. | Conditional |
+
+   ```yaml
+   ---
+   apiVersion: mongodb.com/v1
+   kind: MongoDB
+   metadata:
+     name: custom-role-mongodb
+   spec:
+     members: 3
+     type: ReplicaSet
+     version: "4.2.6"
+     security:
+       authentication:
+         modes: ["SCRAM"]
+       roles: # custom roles are defined here
+         - role: testRole
+           db: admin
+           privileges:
+             - resource:
+                 db: "test"
+                 collection: "" # an empty string indicates any collection
+               actions:
+                 - find
+           roles: []
+     users:
+       - name: my-user
+         db: admin
+         passwordSecretRef: # a reference to the secret that will be used to generate the user's password
+           name: my-user-password
+         roles:
+           - name: clusterAdmin
+             db: admin
+           - name: userAdminAnyDatabase
+             db: admin
+           - name: testRole # apply the custom role to the user
+             db: admin
+         scramCredentialsSecretName: my-scram
+   ```
+
+2. Save the file.
+3. Apply the updated MongoDB resource definition:
+
+   ```
+   kubectl apply -f <mongodb-crd>.yaml --namespace <my-namespace>
+   ```
diff --git a/docs/users.md b/docs/users.md
@@ -40,7 +40,7 @@ You cannot disable SCRAM authentication.
    | `spec.users.passwordSecretRef.key` | string| Key in the secret that corresponds to the value of the user's password. Defaults to `password`. | No |
    | `spec.users.scramCredentialsSecretName` | string| ScramCredentialsSecretName appended by string "scram-credentials" is the name of the secret object created by the operator for storing SCRAM credentials for the user. The name should comply with [DNS1123 subdomain](https://tools.ietf.org/html/rfc1123). Also, please make sure the name is unique among `users`.  | Yes |
    | `spec.users.roles` | array of objects | Configures roles assigned to the user. | Yes |
-   | `spec.users.roles.role.name` | string | Name of the role. Valid values are [built-in roles](https://docs.mongodb.com/manual/reference/built-in-roles/#built-in-roles). | Yes |
+   | `spec.users.roles.role.name` | string | Name of the role. Valid values are [built-in roles](https://docs.mongodb.com/manual/reference/built-in-roles/#built-in-roles) and [custom roles](deploy-configure.md#define-a-custom-database-role) that you have defined. | Yes |
    | `spec.users.roles.role.db` | string | Database that the role applies to. | Yes |
 
    ```
@@ -68,8 +68,8 @@ You cannot disable SCRAM authentication.
              db: <role-2-database>
    ...
    ```
-1. Save the file.
-1. Apply the updated MongoDB resource definition:
+2. Save the file.
+3. Apply the updated MongoDB resource definition:
 
    ```
    kubectl apply -f <mongodb-crd>.yaml --namespace <my-namespace>
