User Management

Introduction

This section provides instructions on how to create, update and delete users with mongoRealAuthenticator.

It also shows how to manage permissions with mongoAclAuthorizer.

mongoRealAuthenticator uses the collection /users by default.

Before running the example requests

The following examples assume RESTHeart running on the localhost with the default configuration: the database restheart is bound to / and the user admin exists with default password secret.

User document

With the default configuration, a user is represented as follows:

{
    "_id": "username",
    "roles": [ "list", "of", "roles" ],
    "password": "secret"
}

mongoRealAuthenticator can be configured to use different properties for the username, roles an password. Check mongoRealAuthenticator for more information.

Get existing users

GET /users HTTP/1.1

[
  {
    "_id": "admin",
    "roles": [
      "admin"
    ],
    "_etag": {
      "$oid": "5d2edb155883c050065d6a8a"
    }
  }
]

The password is always hidden on GET requests.

For security reasons, it not possbile to use the filter query parameter on the password field; the following request is forbidden and will cause an error: GET /users?filter={"password":{"$regex":"^a.*"}}

Create a user

POST /users HTTP/1.1

{
    "_id": "foo",
    "roles": [ "user" ],
    "password": "secret"
}

The password is automatically encrypted by RESTHeart.

Update a user

PATCH /users/foo HTTP/1.1

{
    "password": "betterSecret"
}

Delete a user

DELETE /users/foo HTTP/1.1

Create an ACL document

POST /acl HTTP/1.1

{
  "predicate": "path-prefix[/inventory] and method[GET]",
  "roles": [ "user" ],
  "priority": 1
}

Check Format of permission for more information on ACL permissions.

Watch Managing users with practical examples