Help Center> GeminiDB> GeminiDB Mongo API> FAQs> Permissions> How Do I Create a Read-only User for My GeminiDB Mongo Instance?
Updated on 2024-02-07 GMT+08:00

How Do I Create a Read-only User for My GeminiDB Mongo Instance?

This section describes how to create a read-only user for a GeminiDB Mongo instance.

Step 1: Create a User Group and Grant Permissions

A user group is a collection of users. With IAM, you can create users, add them to a specific user group, and grant permissions to the user group. Then all users in the group inherit the permissions from the group. To create a user group and assign the permission to it, perform the following steps:

  1. Log in to Huawei Cloud using your HUAWEI ID.
  2. On the management console, click the username in the upper right corner and then choose Identity and Access Management.

    Figure 1 Choosing IAM

  3. On the IAM console, choose User Groups in the navigation pane. Then click Create User Group.

    Figure 2 Creating a user group

  4. In the Create User Group dialog box, enter a user group name, for example, test_01, and click OK.

    After the user group is created, you are redirected to the user group list page. The created user group is displayed in the list.

    Figure 3 User group you created

  5. On the User Groups page, select the target group, and click Authorize in the Operation column.

    Figure 4 Authorization

  6. Authorize the user group.

    1. Select Distributed Multi-model NoSQL Database Service, enter NoSQL in the text box, and click the search icon.
      Figure 5 Selecting a service

    2. In the permission list, select GeminiDB ReadOnlyAccess and click OK.
      Figure 6 Authorization

    3. Select Region-specific projects for Scope.

      The authorization setting takes effect in only selected regions. If you hope that the setting takes effect in all regions, select All projects.

      Figure 7 Setting the minimum authorization scope
    4. After the authorization is successful, choose Permissions > Authorization to view authorization records of the user group.
      Figure 8 Viewing permissions

Step 2: Create an IAM User

IAM users can be created for employees or applications of an enterprise. Each IAM user has their own security credentials, and inherits permissions from the groups it is a member of. To create an IAM user, perform the following steps:

  1. On the IAM console, choose Users in the navigation pane. Then click Create User.
  2. Specify user information on the Create User page. To create more users, click Add User. You can add a maximum of 10 users at a time.

    Figure 9 Creating a user
    Table 1 Configuration items



    User Details

    • Username: Used for logging in to Huawei Cloud. For example, enter James.
    • Email Address: Email address bound to the IAM user. This parameter is mandatory if you choose Credential Type > Password > Require password reset at first login.
    • (Optional) Mobile Number: Mobile number bound to the IAM user.
    • (Optional) Description: Description of the user.
    • (Optional) External Identity ID: Identifies an enterprise user in federated login using SSO.

    Access Type

    • Programmatic access: After creation, you can download access keys of all the users you just created.
    • Management console access: The users you created can use accounts and passwords to log in to the Huawei Cloud console.

    Credential Type

    • Access Key: You can download the access key after you create the user.
    • Password: If you create multiple users at a time, set a password for each user and determine whether to require the users to reset passwords at first login. The Automatically generated option is not supported. If you create only one user, you can select any option of the above.

    Login Protection

    To ensure account security, you are advised to select Enable. To disable this function, see Login Protection.

  3. (Optional) Click Next and then OK.

    Figure 10 Adding the user to a user group
    • Select user group test_01. You can add a user to one or more user groups. Then the user will inherit the permissions granted to these user groups. The default user group is admin, which has the administrator permissions and all of the permissions required to use all cloud resources.
    • You can also create new groups as required.
    • If you do not want to grant permissions to the user in this step, you can grant permissions by referring to 5 later.

  4. Check the created user in the user list. If Programmatic access is selected, you can download the access key. You can also manage access keys on the My Credentials page.

    Figure 11 Viewing the creation results

  5. If the new user is not authorized in 3, perform the following operations to authorize it.

    In the user list, locate the created user, click Authorize in the Operation column, select the user group created in Step 1: Create a User Group and Grant Permissions, and click OK.

    The user will inherit the permissions of the user group. This process is called authorization.
    Figure 12 Authorization

Step 3: Log In and Verify Permissions

After a user is created, use the user's username and credential to log in to Huawei Cloud, and verify that the user has the permissions defined by the GeminiDB ReadOnlyAccess policy. For more login methods, see Signing In to Huawei Cloud.

  1. On the Huawei Cloud login page, click IAM User.
  2. Enter the account name, username, and password, and click Log In.

    • The account name is the name of the HUAWEI CLOUD account that created the IAM user.
    • The username and password used here are the ones you enter when you created the IAM user.

    If the login fails, contact the entity owning the account to verify the username and password. Alternatively, you can reset the password by referring to How Do I Reset My Password?.

  3. On the Huawei Cloud console, switch to the region where the user has been granted permissions.

    Figure 13 Selecting the target region

  4. Choose Service List > GeminiDB Mongo API. Then click Buy DB Instance in the upper right corner. If a message appears indicating insufficient permissions, the GeminiDB ReadOnlyAccess policy has already taken effect.
  5. Choose any other service in the Service List. If a message appears indicating insufficient permissions, the GeminiDB ReadOnlyAccess policy has already taken effect.