Configure the Backup Agent for Kerberos
MongoDB Enterprise provides support for Kerberos, a network authentication protocol, starting with MongoDB Enterprise version 2.6. The Backup Agent can authenticate to hosts using Kerberos.
Warning
You must install the prerequisite packages on your servers before deploying MongoDB Enterprise on the servers.
You can use Ops Manager for Monitoring and Backup with Kerberos, but you cannot currently use Automation with Kerberos. Automation will support these features in the next major Ops Manager release.
Prerequisites
You must configure the Kerberos Key Distribution Center (KDC) to grant tickets that are valid for at least four hours. The Backup Agent takes care of periodically renewing the ticket. The KDC service provides session tickets and temporary session keys to users and computers.
There are additional authentication configuration requirements for Ops Manager Backup when using MongoDB 2.4 with authentication. See Required Access for Backup Agent for more information.
Create Kerberos Principal
If you are running both the Monitoring Agent and the Backup Agent on the same server, then both agents must connect as the same Kerberos Principal.
Create or choose a Kerberos principal.
Create or choose a Kerberos principal for the Monitoring and/or Backup agent.
Generate a keytab for the Kerberos principal.
Generate a keytab for the Kerberos principal and copy it to the system where the agent runs. Ensure the user that will run the agent is the same user that owns the keytab file.
Create MongoDB User for the Principal
If you are running both the Monitoring Agent and the Backup Agent on the same server, then both agents must connect as the same Kerberos Principal.
Kerberos Principal for the Backup Agent
Add a Kerberos principal, <username>@<KERBEROS REALM> or <username>/<instance>@<KERBEROS REALM>, to MongoDB in the $external database. Specify the Kerberos realm in all uppercase. The $external database allows mongod to consult an external source (e.g. Kerberos) to authenticate.
MongoDB 3.0 or Later
For MongoDB 3.0 or later, to add the principal for just the Backup Agent, use an operation that resembles the following:
See MongoDB 3.0 and Later for more information on the required access for the Backup Agent.
MongoDB 2.6
For the MongoDB 2.6 release series, to add the principal for just the Backup Agent, use an operation that resembles the following:
See MongoDB 2.6 for more information on the required access for the Backup Agent.
Kerberos Principal for the Monitoring Agent and Backup Agent
Add a Kerberos principal, <username>@<KERBEROS REALM> or <username>/<instance>@<KERBEROS REALM>, to MongoDB in the $external database. Specify the Kerberos realm in all uppercase. The $external database allows mongod to consult an external source (e.g. Kerberos) to authenticate.
For example, to add the same principal for both the Monitoring Agent and the Backup Agent, specify required access for both agents. The following example specifies access required to connect to MongoDB 3.0 or greater.
See MongoDB 2.6 and MongoDB 3.0 and Later for more information on the required access for the Monitoring Agent and the Backup Agent.
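The createUser operations referenced in the two sections above are not reproduced on this page. The following shell helper is an added example, not code from the Ops Manager documentation: it checks that a principal has the <username>@<KERBEROS REALM> or <username>/<instance>@<KERBEROS REALM> form with an uppercase realm, then prints the mongo shell statement that creates that user in the $external database. The role names are deliberately not hardcoded, because the roles required for the Backup Agent and Monitoring Agent are listed on the Required Access pages, not here; the caller passes them in as arguments. The principal and role values used in the comments are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the Ops Manager docs): validate a Kerberos principal
# and emit the mongo-shell createUser call that registers it in $external.
# Role names are NOT on this page; pass them in from the "Required Access for
# Backup Agent" page for your MongoDB version.

# validate_principal <principal>
# Accepts  <username>@<REALM>  or  <username>/<instance>@<REALM>; the realm
# must be uppercase. Returns 0 if well formed, 1 otherwise.
validate_principal() {
    printf '%s' "$1" | grep -Eq '^[^@/[:space:]]+(/[^@/[:space:]]+)?@[A-Z0-9][A-Z0-9.-]*$'
}

# external_create_user <principal> <role-spec>...
# Each role-spec is already JSON-ish mongo shell syntax, e.g. '"clusterAdmin"'
# or '{ role: "readWrite", db: "local" }' (placeholders; take the real list
# from the Required Access page). Prints the createUser statement on stdout.
external_create_user() {
    principal=$1; shift
    validate_principal "$principal" || {
        echo "bad principal: $principal (expected user[/instance]@UPPERCASE.REALM)" >&2
        return 1
    }
    roles=""
    for r in "$@"; do
        roles="${roles:+$roles, }$r"
    done
    # No pwd field: users in $external authenticate through Kerberos, never a password.
    printf 'db.getSiblingDB("$external").createUser({ user: "%s", roles: [ %s ] })\n' \
        "$principal" "$roles"
}

# Usage (constructed values):
#   external_create_user 'backup@EXAMPLE.COM' '"ROLE_FROM_REQUIRED_ACCESS_PAGE"' | mongo admin
```

Piping the printed statement into the mongo shell as a user with userAdminAnyDatabase creates the principal's user; because the helper refuses a lowercase realm before printing anything, a mismatch between the principal in the keytab and the user in $external is caught before the agent ever fails to authenticate.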
Edit Agent Configuration File
Edit the /etc/mongodb-mms/backup-agent.config file.
Set the krb5Principal
Set the krb5Principal to the name of the Kerberos principal. For example:
Set the krb5Keytab
Set the krb5Keytab value to the complete absolute path of the keytab file. For example:
Restart the agent.
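The configuration file examples referenced above are not reproduced on this page. The following shell functions are an added example, not code from the Ops Manager documentation: they set krb5Principal and krb5Keytab in a key=value configuration file such as /etc/mongodb-mms/backup-agent.config, and first check that the keytab exists, is owned by the user the agent runs as (as the Prerequisites section requires), and is not readable by group or others. The agent user name, the principal and the paths are all parameters; the values in the usage comment are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the Ops Manager docs). Sets krb5Principal and
# krb5Keytab in a key=value config file after checking keytab ownership.
# Agent user, principal and paths are parameters, not values from the docs.

# keytab_ok <keytab> <agent-user>
# 0 if the file exists, is owned by <agent-user> and has no group/other
# permission bits; 1 otherwise, with the reason on stderr.
keytab_ok() {
    kt=$1; user=$2
    [ -f "$kt" ] || { echo "keytab $kt not found" >&2; return 1; }
    owner=$(ls -ld "$kt" | awk '{print $3}')
    [ "$owner" = "$user" ] || { echo "keytab $kt owned by $owner, expected $user" >&2; return 1; }
    # A keytab holds the principal's long-term key; group/other access leaks a credential.
    perms=$(ls -ld "$kt" | cut -c5-10)
    [ "$perms" = "------" ] || { echo "keytab $kt is accessible to group/other ($perms)" >&2; return 1; }
}

# set_config_key <file> <key> <value>
# Replaces any existing "<key>=" line and appends "<key>=<value>"; other
# keys in the file are left untouched.
set_config_key() {
    file=$1; key=$2; value=$3
    tmp="$file.tmp.$$"
    if [ -f "$file" ]; then
        grep -v "^$key=" "$file" > "$tmp" || :   # grep exits 1 when nothing is left
    else
        : > "$tmp"
    fi
    printf '%s=%s\n' "$key" "$value" >> "$tmp"
    mv "$tmp" "$file"
}

# get_config_key <file> <key>: prints the value of <key>, or nothing.
get_config_key() {
    sed -n "s/^$2=//p" "$1"
}

# configure_kerberos <config-file> <principal> <keytab> <agent-user>
# Refuses to touch the config file when the keytab check fails.
configure_kerberos() {
    cfg=$1; principal=$2; kt=$3; user=$4
    keytab_ok "$kt" "$user" || return 1
    set_config_key "$cfg" krb5Principal "$principal"
    set_config_key "$cfg" krb5Keytab "$kt"
}

# Usage (constructed values; the agent user name is whatever account runs the agent):
#   configure_kerberos /etc/mongodb-mms/backup-agent.config \
#       'backup@EXAMPLE.COM' /etc/mongodb-mms/backup-agent.keytab AGENT_USER_PLACEHOLDER
#   then restart the agent.
```

Running the check before the edit means a keytab with the wrong owner or with mode 644 never reaches the agent configuration; the krb5Keytab value must be the absolute path, which is why the keytab argument is passed through unchanged.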
Host Settings
In addition to adding the agent as a MongoDB user, you must also specify the host’s authentication settings. You can specify the host’s authentication settings when adding the host, or you can edit the settings for an existing host.