fix: atlas connectCluster defaults to readOnly DB roles

blva · blva · commit 632fc540156a · 2025-08-22T15:18:28.000+01:00
diff --git a/src/tools/atlas/connect/connectCluster.ts b/src/tools/atlas/connect/connectCluster.ts
@@ -7,6 +7,7 @@ import { LogId } from "../../../common/logger.js";
 import { inspectCluster } from "../../../common/atlas/cluster.js";
 import { ensureCurrentIpInAccessList } from "../../../common/atlas/accessListUtils.js";
 import { AtlasClusterConnectionInfo } from "../../../common/connectionManager.js";
+import { DatabaseUserRole } from "../../../common/atlas/openapi.js";
 
 const EXPIRY_MS = 1000 * 60 * 60 * 12; // 12 hours
 
@@ -72,16 +73,7 @@ export class ConnectClusterTool extends AtlasToolBase {
         const password = await generateSecurePassword();
 
         const expiryDate = new Date(Date.now() + EXPIRY_MS);
-
-        const readOnly =
-            this.config.readOnly ||
-            (this.config.disabledTools?.includes("create") &&
-                this.config.disabledTools?.includes("update") &&
-                this.config.disabledTools?.includes("delete") &&
-                !this.config.disabledTools?.includes("read") &&
-                !this.config.disabledTools?.includes("metadata"));
-
-        const roleName = readOnly ? "readAnyDatabase" : "readWriteAnyDatabase";
+        const role = this.getRoleFromConfig();
 
         await this.session.apiClient.createDatabaseUser({
             params: {
@@ -92,12 +84,7 @@ export class ConnectClusterTool extends AtlasToolBase {
             body: {
                 databaseName: "admin",
                 groupId: projectId,
-                roles: [
-                    {
-                        roleName,
-                        databaseName: "admin",
-                    },
-                ],
+                roles: [role],
                 scopes: [{ type: "CLUSTER", name: clusterName }],
                 username,
                 password,
@@ -258,4 +245,35 @@ export class ConnectClusterTool extends AtlasToolBase {
             ],
         };
     }
+
+    /**
+     * @description Get the role name for the database user based on the Atlas Admin API https://www.mongodb.com/docs/atlas/mongodb-users-roles-and-privileges/
+     * @returns The role name for the database user
+     */
+    private getRoleFromConfig(): DatabaseUserRole {
+        if (this.config.readOnly) {
+            return {
+                roleName: "readAnyDatabase",
+                databaseName: "admin",
+            };
+        }
+
+        // If all write tools are enabled, use readWriteAnyDatabase
+        if (
+            !this.config.disabledTools?.includes("create") &&
+            !this.config.disabledTools?.includes("update") &&
+            !this.config.disabledTools?.includes("delete") &&
+            !this.config.disabledTools?.includes("metadata")
+        ) {
+            return {
+                roleName: "readWriteAnyDatabase",
+                databaseName: "admin",
+            };
+        }
+
+        return {
+            roleName: "readAnyDatabase",
+            databaseName: "admin",
+        };
+    }
 }
