mongodb functions: Interacting with a MongoDB database | Enterprise OPA
The mongodb built-in functions allow you to interact with a MongoDB database.
Check out our tutorial on querying MongoDB.
You can also use the MongoDB data plugin to periodically push data from MongoDB directly into data..
Shared Parameters
All mongodb functions share several function parameters.
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
uri | String | Yes | The URI of the database. | |
auth | Object | No | See Auth | |
cache | Bool | No | false | Cache the results of queries. |
cache_duration | Integer | No | 60 | Duration (in seconds) to keep cached query results. |
canonical | Bool | No | false | Whether to use Canonical mode or not for BSON encoding. More Details |
raise_error | Bool | No | true | See Errors |
Auth
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
auth.auth_mechanism | String | No | The mechanism to use for authentication. Supported values include SCRAM-SHA-256, SCRAM-SHA-1, MONGODB-CR, PLAIN, GSSAPI, MONGODB-X509, and MONGODB-AWS. More details. | |
auth.auth_mechanism_properties | Object | No | Additional configuration options for certain mechanisms. More Details | |
auth.auth_source | String | No | The name of the database to use for authentication. More Details. | |
auth.username | String | No | The username for authentication. | |
auth.password | String | No | The password for authentication. | |
auth.password_set | Bool | No | For GSSAPI, this must be true if a password is specified, even if the password is the empty string, and false if no password is specified, indicating that the password should be taken from the context of the running process. For other mechanisms, this field is ignored. |
See links below to the MongoDB docs for more information on some of the options:
Errors
By default—and if raise_error is true—then an error returned will halt policy evaluation.
If raise_error is false, then the response object contains the error in an error key instead of its usual response.
{
"error": ...
}
mongodb.find
The mongodb.find function allows you to make a query against a MongoDB database, returning multiple objects.
Example usage
allowed_resources_query_response := mongodb.find({
"uri": "mongodb://localhost:27017",
"database": "permissions",
"collection": "resources",
"filter": {
operation_to_field[input.operation]: {
"$in": input.user.roles
},
},
"options": {"projection": {"_id": false}}
}) # => { "results": ... }
Parameters
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
database | String | Yes | The name of the database. | |
collection | String | Yes | The name of the collection in the database to fetch from. | |
filter | Object | Yes | The document describing query conditions for the operation. More Details | |
options | Object | No | The document describing extra query options. More Details |
mongodb.find_one
The mongodb.find_one function allows you to make a query against a MongoDB database, returning a single object.
Example usage
resource_query_response := mongodb.find({
"uri": "mongodb://localhost:27017",
"database": "permissions",
"collection": "resources",
"filter": {
"endpoint": sprintf("/%s", [concat("/", input.request.path)]),
},
"options": {"projection": {"_id": false}},
}) # => { "results": ... }
Parameters
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
database | String | Yes | The name of the database. | |
collection | String | Yes | The name of the collection in the database to fetch from. | |
filter | Object | Yes | The document describing query conditions for the operation. More Details | |
options | Object | No | The document describing extra query options. More Details |
Utility helpers
Enterprise OPA comes with helper methods for using this builtin together with
vault.send: mongodb.find and mongodb.find_one.
Both of these methods are available in Enterprise OPA at data.system.eopa.utils.mongodb.v1.vault.
package example
import data.system.eopa.utils.mongodb.v1.vault as mongodb
example_1 := mongodb.find({"database": "database", "collection": "collection", "filter": {}})
) # => {"results": [ ... ]}
example_2 := mongodb.find_one({"database": "database", "collection": "collection", "filter": {}})
) # => {"result": [ ... ]}
The utility methods will lookup connection data from a map it expects to find in Vault,
under the path secret/mongodb:
{
"host": "...",
"port": "...",
"user": "...",
"password": "...",
}
If host or port are not defined, they default to localhost and 27017 respectively.
To override the secret path within Vault, use:
package example
import data.system.eopa.utils.mongodb.v1.vault as mongodb
mongodb_find(req) := result {
result := mongodb.find(req)
with mongodb.override.secret_path as "secret/prod/eopa-mongodb"
example_3 := mongodb_find({"database": "database", "collection": "collection", "filter": {}})
) # => {"results": [ ... ]}
If you need to override the Vault address or token, you can use this:
package example
import data.system.eopa.utils.vault.v1.env as vault
import data.system.eopa.utils.mongodb.v1.vault as mongodb
mongodb_find(req) := result {
result := mongodb.find(req)
with mongodb.override.secret_path as "secret/prod/eopa-mongodb"
with vault.override.address as "localhost"
with vault.override.token as "dev-token-2"
example_4 := mongodb_find({"database": "database", "collection": "collection", "filter": {}})
The same mechanism applies to mongodb.find_one.
To control the caching and error raising behavior, cache, cache_duration, and
raise_error can also be passed to find and find_one as keys of their request
objects.