Commit 6c8c4a7

(DOCSP-11723): Add --ldapType to atlas dbusers create (#216)
* (DOCSP-11723): Add --ldapType to atlas dbusers create
* copy & tech review
* thing I can't remember
* Fix build error
1 parent 039da90 commit 6c8c4a7

2 files changed

+145
-73
lines changed

source/configure/go-template-output.txt

Lines changed: 2 additions & 0 deletions
@@ -4,6 +4,8 @@
44
Customize the {+mcli+} Output Using a Go Template
55
====================================================
66

7+
.. default-domain:: mongodb
8+
79
You can customize the {+mcli+} output fields and format using a ``Go``
810
template. The template can be specified with the command for a simple output
911
or through a separate file for a complex output. For information on the
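
Review bot: The added `.. default-domain:: mongodb` directive at new line 7 of go-template-output.txt is unrelated to the `--ldapType` change named in the commit title, and the only hint in the message is "Fix build error". Say in the commit message which build error this directive resolves, or move it to its own commit, so the reason for touching this file is recorded.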

source/reference/atlas/dbuser-create.txt

Lines changed: 143 additions & 73 deletions
@@ -26,15 +26,17 @@ Syntax
2626
.. code-block:: text
2727

2828
mongocli atlas dbuser create
29-
--username|-u <name-of-user>
29+
[ --awsIAMType <NONE|USER|ROLE> ]
30+
[ --deleteAfter <date-of-deletion> ]
31+
[ --ldapType <NONE|USER|GROUP>]
3032
[ --output|-o <output-format> ]
3133
[ --password|-p <password-of-user> ]
3234
[ --profile|-P <profile-name> ]
3335
[ --projectId <project-ID> ]
3436
--role <name-of-role>
35-
[ --deleteAfter <date-of-deletion> ]
37+
--username|-u <name-of-user>
3638
[ --x509Type <NONE|MANAGED|CUSTOMER> ]
37-
[ --awsIAMType <NONE|USER|ROLE> ]
39+
3840

3941
.. include:: /includes/fact-command-line-help.rst
4042
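
Review bot: In the added syntax line `[ --ldapType <NONE|USER|GROUP>]` the closing bracket is missing the space that every other optional flag in this block carries (compare `[ --awsIAMType <NONE|USER|ROLE> ]`); change it to `<NONE|USER|GROUP> ]`. The added line 39 also looks empty and sits directly before the existing blank line 40, so drop it if it is stray whitespace.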

@@ -52,34 +54,116 @@ Options
5254
- Description
5355
- Required?
5456

55-
* - ``--output``, ``-o``
56-
- string
57-
- .. include:: /includes/extracts/fact-basic-options-output.rst
57+
* - ``--awsIAMType``
58+
- string
59+
- Authenticates the new database user with
60+
|aws| IAM credentials. If omitted, |service| uses the default
61+
value of ``NONE``.
62+
63+
Accepted values are:
64+
65+
.. list-table::
66+
:stub-columns: 1
67+
:widths: 20 80
68+
69+
* - ``NONE``
70+
- User doesn't authenticate with AWS IAM credentials.
71+
72+
If ``--ldapType`` and ``--x509Type`` are ``NONE`` or
73+
omitted, |service| authenticates this user through
74+
:manual:`SCRAM-SHA </core/security-scram>`.
75+
* - ``USER``
76+
- User authenticates with :atlas:`AWS IAM user credentials
77+
</security-add-mongodb-users/#database-user-authentication>`.
78+
79+
You do not need to provide a ``--password`` for the
80+
user.
81+
* - ``ROLE``
82+
- User authenticates with :atlas:`AWS IAM role credentials
83+
</security-add-mongodb-users/#database-user-authentication>`.
84+
85+
You do not need to provide a ``--password`` for the user.
86+
87+
If you set ``--awsIAMType`` to ``USER`` or ``ROLE``, you can't
88+
set ``--x509Type`` or ``--ldapType`` to any value other than
89+
``NONE``.
90+
5891
- no
5992

60-
* - ``--username``, ``-u``
93+
* - ``--ldapType``
6194
- string
62-
- Username for authenticating the user to MongoDB.
95+
- Authenticates the new database user with |ldap|. If
96+
omitted, |service| uses the default value of ``NONE``.
97+
98+
Accepted values include:
99+
100+
.. list-table::
101+
:stub-columns: 1
102+
:widths: 20 80
103+
104+
* - ``NONE``
105+
- User doesn't authenticate with |ldap|.
106+
107+
If ``--awsIAMType`` and ``--x509Type`` are ``NONE`` or
108+
omitted, |service| authenticates this user through
109+
:manual:`SCRAM-SHA </core/security-scram>`.
110+
* - ``USER``
111+
- |ldap| server authenticates this user through the user's
112+
|ldap| user.
113+
114+
The name you specify with ``--username`` must also be a
115+
fully qualified distinguished name, as defined in
116+
:rfc:`2253`.
117+
118+
* - ``GROUP``
119+
- |ldap| server authenticates this user using their
120+
|ldap| user and authorizes this user using their |ldap|
121+
group. To learn more about |ldap| security, see
122+
:atlas:`Set up User Authentication and Authorization with
123+
LDAP </security-ldaps>`.
124+
125+
The name you specify with ``--username`` must also be a
126+
fully qualified distinguished name, as defined in
127+
:rfc:`2253`.
128+
129+
If you set ``--ldapType`` to ``USER`` or ``GROUP``, you can't
130+
set ``--awsIAMType`` or ``--x509Type`` to any value other than
131+
``NONE``.
132+
- no
133+
134+
* - ``--deleteAfter``
135+
- date
136+
- |iso8601-time| after which |service| deletes the user. The
137+
specified date must be in the future and within one week of the
138+
time you make the API request.
63139

64-
Must be a fully qualified distinguished name, as defined in `RFC
65-
2253 <https://tools.ietf.org/html/rfc2253.html>`__, if:
140+
.. note::
141+
You may include an |iso8601| time zone designator to ensure
142+
that the expiration date occurs with respect to the local
143+
time in the specified time zone. Time zones are represented
144+
as an offset from |utc|.
66145

67-
- ``--x509Type`` is ``CUSTOMER``.
146+
.. example::
147+
To delete a database user on August 1st, 2020, at 12:30pm in
148+
New York (Eastern Daylight Time), use the option:
68149

69-
Must be an `Amazon Resource Name (ARN)
70-
<https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html>`__ if:
71-
72-
- ``--awsIAMType`` is ``USER`` or ``ROLE``.
150+
.. code-block:: sh
151+
:copyable: true
73152

74-
- yes
153+
--deleteAfter 2020-08-01T12:30-04:00
154+
- no
155+
156+
* - ``--output``, ``-o``
157+
- string
158+
- .. include:: /includes/extracts/fact-basic-options-output.rst
159+
- no
75160

76161
* - ``--password``, ``-p``
77162
- string
78-
- Password for authenticating the user to MongoDB. Required if:
79-
80-
- ``--x509Type`` and ``--awsIAMType`` are omitted or ``NONE``,
81-
meaning that the database user authenticates with
82-
``SCRAM-SHA``.
163+
- Password for authenticating the user to MongoDB.
164+
Required if ``--awsIAMType``, ``--ldapType``, and ``--x509Type``
165+
are omitted or ``NONE``, which means that the database user
166+
authenticates with ``SCRAM-SHA``.
83167

84168
- no
85169
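
Review bot: The `USER` and `GROUP` rows of the new `--ldapType` entry never say whether `--password` is needed, while the `USER` and `ROLE` rows of `--awsIAMType` each state "You do not need to provide a ``--password``" and the rewritten `--password` row makes the password required only when all three type flags are omitted or `NONE`. Add the same sentence to the two LDAP rows so the three authentication types read the same way. Separately, `--ldapType` introduces its table with "Accepted values include:" where `--awsIAMType` uses "Accepted values are:"; the syntax block lists exactly `NONE|USER|GROUP`, so use "are" here as well.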

@@ -108,71 +192,57 @@ Options
108192
</security-add-mongodb-users/index.html#mongodb-database-user-privileges>`.
109193
- yes
110194

111-
* - ``--deleteAfter``
112-
- date
113-
- |iso8601-time| after which |service| deletes the user. The
114-
specified date must be in the future and within one week of the
115-
time you make the API request.
195+
* - ``--username``, ``-u``
196+
- string
197+
- Username for authenticating the user to MongoDB.
116198

117-
.. note::
118-
You may include an |iso8601| time zone designator to ensure
119-
that the expiration date occurs with respect to the local
120-
time in the specified time zone. Time zones are represented
121-
as an offset from |utc|.
199+
- Must be a fully qualified distinguished name, as defined in
200+
`RFC 2253 <https://tools.ietf.org/html/rfc2253.html>`__, if:
122201

123-
.. example::
124-
To delete a database user on August 1st, 2020, at 12:30pm in
125-
New York (Eastern Daylight Time), use the option:
126-
127-
.. code-block:: sh
128-
:copyable: true
202+
- ``--ldapType`` is ``USER`` or ``GROUP``.
203+
- ``--x509Type`` is ``CUSTOMER``.
129204

130-
--deleteAfter 2020-08-01T12:30-04:00
131-
- no
205+
- Must be an `Amazon Resource Name (ARN)
206+
<https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html>`__
207+
if ``--awsIAMType`` is ``USER`` or ``ROLE``.
208+
209+
- yes
132210

133211
* - ``--x509Type``
134212
- string
135-
- X.509 method by which the provided username is authenticated.
213+
- Authenticates the new database user with X.509. If omitted,
214+
|service| uses the default value of ``NONE``.
136215

137216
Accepted values are:
138217

139-
- ``NONE``: User doesn't authenticate with X.509.
140-
- ``MANAGED``: User authenticates with |service|-managed X.509.
141-
You do not need to provide a ``--password`` for the user.
142-
- ``CUSTOMER``: User authenticates with :atlas:`self-managed
143-
X.509 </security-self-managed-x509/#self-managed-x509>`.
144-
You do not need to provide a ``--password`` for the user. You
145-
must include a fully qualified Distinguished Name (DN) as the
146-
``--username`` for users who authenticate with self-managed
147-
X.509.
148-
149-
If no value is given, |service| uses the default value of
150-
``NONE``. You receive an error if the value is ``MANAGED`` or
151-
``CUSTOMER`` and ``--awsIAMType`` is ``USER`` or ``ROLE``.
218+
.. list-table::
219+
:stub-columns: 1
220+
:widths: 20 80
152221

222+
* - ``NONE``
223+
- User doesn't authenticate with X.509.
224+
225+
If ``--awsIAMType`` and ``--ldapType`` are ``NONE`` or
226+
omitted, |service| authenticates this user through
227+
:manual:`SCRAM-SHA </core/security-scram>`.
228+
* - ``MANAGED``
229+
- User authenticates with |service|-managed X.509.
230+
You do not need to provide a ``--password`` for the user.
231+
* - ``CUSTOMER``
232+
- User authenticates with :atlas:`self-managed
233+
X.509 </security-self-managed-x509/#self-managed-x509>`.
234+
You do not need to provide a ``--password`` for the user.
235+
You must include a fully qualified Distinguished Name (DN)
236+
as the ``--username`` for users who authenticate with
237+
self-managed X.509.
238+
239+
If you set ``--x509Type`` to ``MANAGED`` or ``CUSTOMER``, you
240+
can't set ``--awsIAMType`` or ``--ldapType`` to any value other
241+
than ``NONE``.
242+
153243
- no
154244

155-
* - ``--awsIAMType``
156-
- string
157-
- If this value is set, the new database user authenticates with
158-
|aws| IAM credentials.
159-
160-
Accepted values are:
161245

162-
- ``NONE``: User doesn't authenticate with AWS IAM credentials.
163-
- ``USER``: User authenticates with :atlas:`AWS IAM user
164-
credentials
165-
</security-add-mongodb-users/#database-user-authentication>`.
166-
You do not need to provide a ``--password`` for the user.
167-
- ``ROLE``: User authenticates with :atlas:`AWS IAM role
168-
credentials
169-
</security-add-mongodb-users/#database-user-authentication>`.
170-
You do not need to provide a ``--password`` for the user.
171-
172-
If no value is given, |service| uses the default value of
173-
``NONE``. You receive an error if the value is ``USER`` or
174-
``ROLE`` and ``--x509Type`` is ``MANAGED`` or ``CUSTOMER``.
175-
- no
176246

177247
.. _dbuser-create-command-output:
178248
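
Review bot: In the relocated `--username` row, the added lines 199 and 205 open with `- `, the same marker the list-table uses for a new cell (`- string`, `- yes`), whereas the removed text had "Must be a fully qualified distinguished name" as plain paragraph text. Confirm these two items are indented deeper than the cell marker so they render as a nested list inside the description cell and do not become extra columns in the row. The added lines 207, 208, 238 and 242 also appear to be empty; trim them if they are only whitespace.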
