- Reference >
- Required Access for Monitoring Agent
Required Access for Monitoring Agent¶
On this page
If your MongoDB deployment enforces access control, the MMS Monitoring Agent must authenticate to MongoDB as a user with the proper access.
MongoDB user roles are separate from On-Prem MongoDB Management Service user roles.
MongoDB 2.6¶
To monitor MongoDB 2.6 instances, including dbStats
[1] and database profiling
information [2], the monitoring agent must authenticate to
the database as a user with the following access:
Required Role | |
---|---|
clusterMonitor role on the admin database |
For mixed MongoDB versions, the specified access is inadequate to
monitor deployments of since the user cannot access the local
database needed for mixed deployments. Monitoring a mixed deployment as
a user with the specified access will produce an authorization error
that will appear in the mongod logs.
The monitoring agent can recover from this error, and you may safely ignore these messages in the mongod log.
MongoDB 2.4¶
Monitor without Database Profiling¶
To monitor MongoDB 2.4 instances, including dbStats
operations, the agent must authenticate as a user with the following
access:
Required Roles | |
---|---|
clusterAdmin role on the admin database |
|
readAnyDatabase role on the admin database |
However, a user with the specified access cannot monitor with profiling. If this user tries to monitor with profiling, the mongod log file may report the following message at the default logging level:
You can ignore this message if you do not want MMS to collect profile data. If you want to collect profile data, configure MMS monitoring as specified in Monitor with Database Profiling.
Monitor with Database Profiling¶
To monitor MongoDB 2.4 databases with database profiling [2], the agent must authenticate as a user with the following access:
Required Roles | |
---|---|
clusterAdmin role on the admin database |
|
readAnyDatabase role on the admin database |
|
dbAdminAnyDatabase roles in the admin database |
Monitor without dbStats
¶
To monitor MongoDB 2.4 databases without dbStats
[1], the agent must authenticate as a user with the following
access:
Required Role | |
---|---|
clusterAdmin role on the admin database |
Authentication Mechanisms¶
To authenticate, create the user in MongoDB with the appropriate access. The authentication method that the MongoDB deployment uses determines how to create the user as well as determine any additional agent configuration:
- For MONGODB-CR (MongoDB Challenge-Response) authentication, see Add Monitoring Agent User for MONGODB-CR.
- For LDAP authentication, see Configure Monitoring Agent for LDAP.
- For Kerberos authentication, see Configure the Monitoring Agent for Kerberos.
[1] | (1, 2) Monitoring without dbStats excludes database
storage, records, indexes, and other statistics. |
[2] | (1, 2) Profiling captures in-progress read and write operations, cursor operations, and database command information about the database. |