Navigation
You were redirected from a different version of the documentation. Click here to go back.
  • MongoDB Agent >
  • Configure How the MongoDB Agent Manages Config Files and Passwords

Configure How the MongoDB Agent Manages Config Files and Passwords

New in version 4.2.

To meet advanced auditing or compliance needs, you may need to do one or both of the following actions:

  • Store the mongod or mongos (collectively, the MongoDB process) configuration in memory to avoid writing passwords to disk.
  • Remove MongoDB Agent passwords from the MongoDB Agent configuration file and read the passwords passed in the shell command.

Store MongoDB Process Configuration Files in Memory

By default, the MongoDB Agent writes MongoDB process configuration files to disk on its host. These configuration files might contain the following credentials:

You might not want to write these credentials to disk. To avoid writing credentials to disk, you can choose to retain them in memory.

In your MongoDB Agent configuration file, set enableLocalConfigurationServer to true. Changing this setting results in the following actions:

  • The MongoDB Agent caches your MongoDB process configuration in memory.
  • The MongoDB configuration file on disk contains only a directive that points to the full configuration file.

When the MongoDB Agent uses an in-memory MongoDB configuration, the MongoDB process requests the full configuration file from its local MongoDB Agent. The Agent requests the configuration file using the URL in the __rest expansion directive.

Considerations

Impacts Availability of MongoDB Deployments

When this feature is enabled, the MongoDB Agent doesn’t store the MongoDB process configuration on disk. If the Ops Manager app server is unavailable and the MongoDB Agent attempts to restart, then the MongoDB Agent stops running because it doesn’t have the necessary configuration information. If a MongoDB process crashes while the MongoDB Agent isn’t running, then the MongoDB Agent can’t restart the process.

Limits Importing Existing MongoDB Deployments

You can’t import MongoDB processes that store configuration files in memory. When the MongoDB Agent stores its configuration in memory, MongoDB redacts any credentials after it starts. Therefore, MongoDB can’t retrieve the credentials needed to import the process.

Remove Passwords from the MongoDB Agent Configuration File

You can set the MongoDB Agent to read its passwords as shell command flags rather than read from its configuration file. To use this feature, add the following settings to the MongoDB Agent’s configuration file: