Given an Azure CosmosDB DB instance that is created from the Azure portal, it is possible to create multiple databases from a shell connection with the following commands:
use someNewDbName;
db.someNewCollectionName.insert({});
With other DB providers that expose MongoDB APIs, it is possible to configure user roles on either a database or colletion level (for users that exist on the same DB instance).
For example, with self-hosted MongoDB, the db.createUser() allows the roles parameter which accepts the db option. MongoDB Atlas allows similar operations to be performed through their UI.
Is it possible to do the same with CosmosDB? Within the Azure Portal, selecting the CosmosDB, and then Access control (IAM) and then Roles leads to a list of built in roles as well as a text that says it is possible to define your own roles but no indication as to how to do that.
I am able to create custom role with following method using Powershell
This role was displayed in the list of available role under "Add Role assignment" Tab
These links might help you
https://learn.microsoft.com/en-us/azure/role-based-access-control/tutorial-custom-role-powershell
https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles
I also tried to create users and roles for an Azure CosmosDB using the MongoDB interface and followed this documentation: https://learn.microsoft.com/en-GB/azure/cosmos-db/secure-access-to-data?tabs=using-primary-key.
It seems however that this is simply not supported by the MongoDB interface. I followed the above documentation using the role-based access control approach and eventually run into the following issue when executing the below command:
az cosmosdb sql role definition create --account-name <some-account> --resource-group <some-resource-group> --body #role-definition.json
(BadRequest) The Database Account [<some-database>] has API type
[MongoDB] which is invalid for processing SQL Role Definitions.
The above is also confirmed documentation on the (resource)token-based approach: https://learn.microsoft.com/en-us/rest/api/cosmos-db/permissions (see first line):
Azure Cosmos DB is a globally distributed multi-model database that supports the document, graph, and key-value data models. The content in this section is for managing permission resources using the SQL API via REST.
Hope that this helps.
Related
I'm trying to configure access to a Cosmos DB database that contains multiple containers. In our scenario we want different teams of users to have read and write permissions within specific containers only, if they were to attempt any access to another container then they should be denied.
I've been reading about role based access within Cosmos and it sounds exactly like what we need. So i'm trying to create custom roles for this but I'm getting confused by the different permissions available.
I can't embed images but the link below is the permissions i've found for containers within DocumentDB.
Link to permissions:
There's permissions such as Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/write but it sounds like these are for the actual maintenance of containers themselves rather than the data within them. The set below that in the image mention the throughput of the container so that doesn't seem right either.
Previous material i'd seen mentioned that these roles were only available to create from something like PowerShell, however when I saw these within the portal I assumed that may have been outdated, but is that still the case?
Essentially, the setup I want is:
Role 1 given access to read and write items in container 1 only
Role 2 given access to read and write items in container 2 only
Also, as another quick side question. Are permissions additive? So can I create this role just for this purpose of accessing that container and then add it onto another more generic role, or would I need to include basic permissions that you would find in something like the Cosmos DB Account Reader Role?
The permissions you have are for management operations on Cosmos DB resources. The permissions you are looking for are these which are documented at Configure role-based access control with Azure Active Directory for your Azure Cosmos DB account
First step is to create a role definition for each container. You can use the Built-in role definitions such as Cosmos DB Built-in Data Contributor, or if you want to limit to discreet actions, you can build a custom role definition using az cli, PowerShell or ARM/Bicep.
Once you have your role definitions, you can then Create role assignments for each container to any service principal within your AAD tenant.
Last step is to Initialize our SDK with Azure AD. This is available for our .NET, Java, Python and JS SDK's. You will need to ensure you are using the correct version of our SDK's so best to upgrade if using older versions. To authenticate via AAD you need to create a client secret credential. The token from which, is what is passed to the Cosmos client when creating a new instance.
Lastly, you will want to use a custom query string when you want to access your data via the Cosmos Data Explorer. You may also want to restrict access to your data to only via AAD. To do this you will need to deploy an ARM template to your account (be sure to do a GET first so you don't accidentally destroy your resources). Then add "disableLocalAuth": true to the properties of the databaseAccount resource.
I am trying to speed up my resource management in the azure portal, and to do so I need to assign a role to a UserIdentity which will allow it to create and manage database's and containers, in both the SQL databases and the Gremlin database.
I can get it to work by manually adding permissions in the portal, and I can get the reading and writing of data work using custom roles, but I can't find what role definitions to use, as they seem to not be accessible in custom roles.
I was trying "Microsoft.DocumentDb/databaseAccounts/" which gives the error, The provided data action string [Microsoft.DocumentDb/databaseAccounts/] does not correspond to any valid SQL data action,even though its listed in the roles.
Any help would be appreciated.
In Azure Portal to user - how to disable the Data Explorer in Azure Cosmos DB service.
I guess what you are looking for is to restrict users from executing query on Azure portal. You can have a look at different roles available and control the access level accordingly. In this case what you need is Cosmos DB Operator
Can provision Azure Cosmos accounts, databases, and containers. Cannot
access any data or use Data Explorer.
This article says that an Azure subscription owner has access to all the resources in the subscription. However to get access to an Azure database, one must either be a user in the database, or be part of the Azure Admin AD group.
Can a subscription owner access the database regardless of the SQL security? If so, how?
The article you refer to gives a very high-level overview on RBAC roles provided in Azure.
It is important to understand these built-in roles that give access to the resources (the management plane) vs those that give access to the resource data (the data plane).
For example, many built-in roles give users access to data, for example: Storage and KeyVault.
As for databases, it all depends on the type of database engine your refer to. Each have specific particularities in terms of roles and permissions.
SQL Database is managed right in the SQL server. This link provides additional details on how this is done. SQL Database
Other modern database engines, such as Cosmos DB, come with different Azure Built-in roles (just like Key Vault or Storage). See this link in order to give you a better idea on the roles and permissions assigned for each roles. Role-based access control in Azure Cosmos DB
When deploying a Cosmos Db database in GlobalDocumentDB mode using the Azure resource manager template there is no way to configure collections in the database during deployment that I can tell.
During a ARM template deployment is there any way to either (in order of preference)
Configure the collections in a Cosmos Db database directly in a way that I have overlooked.
Do a series of REST requests from within the template to configure the db.
Do a single REST request within the template to hit a Azure Function with a HttpTrigger that will configure the database.
You should be able to use these Templates.
Containers:
https://learn.microsoft.com/en-us/azure/templates/microsoft.documentdb/2015-04-08/databaseaccounts/apis/databases/containers
Collections:
https://learn.microsoft.com/en-us/azure/templates/microsoft.documentdb/2015-04-08/databaseaccounts/apis/databases/collections
All Microsoft.DocumentDB Resource Types:
https://learn.microsoft.com/en-us/azure/templates/microsoft.documentdb/allversions
These pages were published on 05/01/2019 & are for API version 2015-04-08.
ARM templates is used to create Azure resources, there is no way to configure collection during deploy ARM template. To configure collections, I suggest you use REST API. Before creating a collection, we need to create a database first. Following are documents which show us how to create DocumentDB databases and collections.
Create Database
Create Collection