Closed p-mongo closed 4 years ago
Hi @p-mongo, `mongocli iam projects` is probably what you're asking for. If you feel we can improve the IAM description to make it clearer, let us know; we also welcome a PR. In particular, this is the line for the IAM command description:
https://github.com/mongodb/mongocli/blob/fa19b9f41e6560a64551abcd5c8420bc80fe3166/internal/description/description.go#L79
If by iam you mean this iam, then I expect "iam" to involve users and not projects.
Thinking about it some more, why wouldn't you just use "users" or "auth" for the respective commands? IAM is an Amazon service.
In any event, I wouldn't expect to find projects or organizations under either iam or users or auth. So my first reaction would be to suggest moving projects and organizations commands to the top level.
> IAM is an Amazon service.

IAM means Identity Access and Authentication and is not only an Amazon service; it's a standard way to refer to these kinds of operations, see GCP, IBM and also, to a certain extent, Atlas.
> moving projects and organizations commands to the top level.

While designing the commands for mongocli this was discussed, but given the support of the tool for any of Atlas, Ops Manager, and Cloud Manager, it was decided back then that it was best to have the `iam` namespace.
We take your comment into account and we are currently doing some research with early users to shape the future of the tool, but we are not planning to make any change here at the moment.
Okay. The IBM link does not load for me, but the GCP link talks about roles. I still don't understand how projects and organizations fall "under iam". This isn't how AWS works either - IAM in AWS covers users, roles and permissions; all other objects are created in their respective services.
What is a project exactly in mongocli parlance then?
I think I see what you mean by the command structure after reviewing https://docs.mongodb.com/mongocli/stable/reference/.
With respect to iam/projects, I find this text to be rather awkward:
> The mongocli iam command allows you to list, create, and delete projects in a specified organization.

It feels like the command (group) name has nothing in common with what it does. It works but creates friction.
For the other groups (OM/CM), I haven't used either so I don't know if it makes sense to organize commands under om/cm rather than just having all of the resources at the top level which would make sense if "MongoDB cloud" is meant to be a single unified service.
AWS does not have a concept of project, so it is hard to make the relation. In Atlas (and Ops Manager and Cloud Manager, to an extent) this has to do with the concept of multi-tenancy and with the Access part of IAM: it is how in Atlas an Organization Owner (Tenant) can control which clusters their users have access to, as users in a project usually have read all and we don't support more granular control. Atlas also has a particular feature where database users created via Atlas are per project and not per cluster, so again all clusters share the same level of access in a project. In addition to access control, bigger corporations tend to manage projects as cost centres as well, again related to the multi-tenancy that's expected from Atlas.
So for Atlas, Organizations, Projects, Users, Teams, and API keys are all part of the IAM set of features, and as such mongocli is just trying to expose them here, though we only support Organizations and Projects as of this moment.
As a new user of mongocli I would like to get an idea of what I can do with it.
I run mongocli and get the following output:
I am interested in atlas operations. Let's try `mongocli atlas`:
The help text refers to "your project" but it does not appear to list any commands to find out what my projects are, or how to create them.
Let's try something with clusters:
Okay, let's list the clusters:
This command now requires a project but I don't know where to get this project from.
As a user of mongocli, if mongocli requires me to provide project information, I would like mongocli to provide me with a way to list and manage my projects.