Required Access for Backup Agent
If your MongoDB deployment enforces access control, the MMS Backup Agent must authenticate to MongoDB as a user with the proper access. To authenticate, create a user with the appropriate roles in MongoDB.
MongoDB user roles are separate from On-Prem MongoDB Management Service user roles.
Considerations
To authenticate to sharded clusters, create both shard-local users on each shard and cluster-wide users:
- Create cluster users while connected to the mongos; these credentials persist to the config servers.
- Create shard-local users by connecting directly to the replica set for each shard.
MongoDB 2.6
To back up MongoDB 2.6 release series instances, the Backup Agent must be able to authenticate with the following roles:
Required Role |
---|
clusterAdmin role on the admin database |
readAnyDatabase role on the admin database |
userAdminAnyDatabase role on the admin database |
readWrite role on the admin database |
readWrite role on the local database |
MongoDB 2.4
To back up MongoDB 2.4 release series instances, the Backup Agent must be able to authenticate to the database with a user that has specified roles and otherDBRoles. Specifically, the user must have the following roles:
Required Role |
---|
clusterAdmin role on the admin database |
readAnyDatabase role on the admin database |
userAdminAnyDatabase role on the admin database |
And the following otherDBRoles:
Required Role |
---|
readWrite role on the local database |
readWrite role on the admin database |
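The 2.6 and 2.4 requirements above grant the same access but use different document shapes: 2.6 takes `{role, db}` pairs, as accepted by `db.createUser()`, while 2.4 splits the grants between `roles` and `otherDBRoles`, as accepted by `db.addUser()` on the admin database. The following is an added example, not part of the original documentation, that builds both user documents and audits an existing user document for missing or excess grants. The user name, password placeholder and all function names are assumptions.

```javascript
// Added example: names, password and helpers are constructed placeholders.
// Required grants, taken from the tables on this page, as [role, database].
const REQUIRED = [
  ["clusterAdmin", "admin"], ["readAnyDatabase", "admin"],
  ["userAdminAnyDatabase", "admin"], ["readWrite", "admin"],
  ["readWrite", "local"],
];

// 2.6 shape: every grant is a {role, db} pair (document for db.createUser()).
function backupUser26(user, pwd) {
  return { user, pwd, roles: REQUIRED.map(([role, db]) => ({ role, db })) };
}

// 2.4 shape: admin roles in `roles`, readWrite grants in `otherDBRoles`
// keyed by database (document for db.addUser() on the admin database).
function backupUser24(user, pwd) {
  return {
    user, pwd,
    roles: ["clusterAdmin", "readAnyDatabase", "userAdminAnyDatabase"],
    otherDBRoles: { local: ["readWrite"], admin: ["readWrite"] },
  };
}

// Flatten either shape into a set of "role@db" strings.
function grants(doc, homeDb = "admin") {
  const out = new Set();
  for (const r of doc.roles || []) {
    out.add(typeof r === "string" ? `${r}@${homeDb}` : `${r.role}@${r.db}`);
  }
  for (const [db, roles] of Object.entries(doc.otherDBRoles || {})) {
    for (const r of roles) out.add(`${r}@${db}`);
  }
  return out;
}

// Report grants the agent lacks and grants beyond what the page requires.
function auditBackupUser(doc) {
  const want = new Set(REQUIRED.map(([role, db]) => `${role}@${db}`));
  const have = grants(doc);
  return {
    missing: [...want].filter((g) => !have.has(g)).sort(),
    extra: [...have].filter((g) => !want.has(g)).sort(),
  };
}

// Constructed sample: an over-privileged account missing most required roles.
const sample = { user: "backup-agent", roles: [
  { role: "root", db: "admin" }, { role: "clusterAdmin", db: "admin" } ] };
console.log(auditBackupUser(sample));
```

An empty `missing` list means the agent can authenticate with everything the tables require; a non-empty `extra` list flags access beyond those tables that is worth reviewing.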
Authentication Mechanisms
To authenticate, create the user in MongoDB with the appropriate access. The authentication method that the MongoDB deployment uses determines how to create the user as well as any additional agent configuration:
- For MONGODB-CR (MongoDB Challenge-Response) authentication, see Configure Backup Agent for MONGODB-CR.
- For LDAP authentication, see Configure Backup Agent for LDAP Authentication.
- For Kerberos authentication, see Configure the Backup Agent for Kerberos.