This version of the documentation is archived and no longer supported. To learn how to upgrade your version of MongoDB Ops Manager, refer to the upgrade documentation.

Configure the Backup Agent for Kerberos

MongoDB Enterprise supports Kerberos, a network authentication protocol, as an authentication mechanism (MongoDB lists it as GSSAPI) starting from MongoDB Enterprise 2.4. The Backup Agent can use Kerberos to authenticate to the hosts it backs up.

Warning

You must install the prerequisite packages (the Kerberos client libraries that MongoDB Enterprise depends on) on your servers before deploying MongoDB Enterprise on the servers.

You can use Ops Manager Monitoring and Backup with Kerberos, but you cannot currently use Automation with Kerberos. Automation will support Kerberos in the next major Ops Manager release.

Prerequisites

The Kerberos Key Distribution Center (KDC) issues session tickets and temporary session keys to users and computers. Configure the KDC to grant the agent's principal tickets with a lifetime of at least four hours; the Backup Agent renews its ticket periodically before it expires.

There are additional authentication configuration requirements for Ops Manager Backup when using MongoDB 2.4 with authentication. See Required Access for Backup Agent for more information.

Create Kerberos Principal

If you are running both the Monitoring Agent and the Backup Agent on the same server, then both agents must connect as the same Kerberos Principal.

1

Create or choose a Kerberos principal.

Create or choose a Kerberos principal for the Monitoring and/or Backup agent.

2

Generate a keytab for the Kerberos principal.

Generate a keytab for the Kerberos principal and copy it to the system where the agent runs. The keytab file must be owned by the user that runs the agent. Because the keytab holds the principal's long-term key, also restrict it so that no other user can read it (for example, mode 0400).

Create MongoDB User for the Principal

When the Monitoring Agent and the Backup Agent share a server they connect as the same Kerberos principal, so in that case create one MongoDB user that holds the roles both agents require.

Kerberos Principal for the Backup Agent

Add a Kerberos principal, <username>@<KERBEROS REALM> or <username>/<instance>@<KERBEROS REALM>, to MongoDB in the $external database. Specify the Kerberos realm in all uppercase. The $external database allows mongod to consult an external source (e.g. Kerberos) to authenticate. The user name you pass to createUser must match the principal the agent authenticates as exactly, including any instance component and the realm; a mismatch fails authentication even though the Kerberos ticket itself is valid.

MongoDB 3.0 or Later

For MongoDB 3.0 or later, to add the principal for just the Backup Agent, use an operation that resembles the following:

use $external
db.createUser(
   {
     user: "<Kerberos Principal>",
     roles: [
        { role: "backup", db: "admin" }
     ]
   }
)

See MongoDB 3.0 and Later for more information on the required access for the Backup Agent.

MongoDB 2.6

For the MongoDB 2.6 release series, to add the principal for just the Backup Agent, use an operation that resembles the following:

use $external
db.createUser(
   {
     user: "<Kerberos Principal>",
     roles: [
        "clusterAdmin",
        "readAnyDatabase",
        "userAdminAnyDatabase",
        { role: "readWrite", db: "admin" },
        { role: "readWrite", db: "local" },
     ]
   }
)

See MongoDB 2.6 for more information on the required access for the Backup Agent. Note that this 2.6 grant is broad: clusterAdmin and userAdminAnyDatabase let the principal reconfigure the cluster and create or elevate users, so protect the agent's keytab as you would an administrative credential. On MongoDB 3.0 and later, prefer the narrower backup role shown above.

Kerberos Principal for the Monitoring Agent and Backup Agent

The following example adds the same principal for both the Monitoring Agent and the Backup Agent, granting the access both agents require on MongoDB 3.0 or later. As above, add the principal to the $external database with the realm in uppercase.

use $external
db.createUser(
   {
     user: "<Kerberos Principal>",
     roles: [
        { role: "clusterMonitor", db: "admin" },
        { role: "backup", db: "admin" }
     ]
   }
)

See MongoDB 2.6 and MongoDB 3.0 and Later for more information on the required access for the Monitoring Agent and the Backup Agent.

Edit Agent Configuration File

Edit the /etc/mongodb-mms/backup-agent.config file.

1

Set the krb5Principal

Set the krb5Principal to the name of the Kerberos principal. For example:

krb5Principal=mmsagent/instance@EXAMPLE.COM

2

Set the krb5Keytab

Set the krb5Keytab value to the complete absolute path of the keytab file. For example:

krb5Keytab=/etc/mongodb-mms/mmsagent.keytab

3

Restart the agent.

Host Settings

In addition to adding the agent as a MongoDB user, you must also specify the host’s authentication settings. You can specify the host’s authentication settings when adding the host, or you can edit the settings for an existing host.

Configure Kerberos Environment

1

Create or configure the /etc/krb5.conf file on the system to integrate this host into your Kerberos environment. The file must define the realm and KDC of the principal the agent uses.

2

Ensure the kinit binary is available at the /usr/bin/kinit path.
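The procedure above, from keytab generation through the krb5.conf and kinit checks, as an added shell example that is not part of the Ops Manager documentation or the agent itself. provision_keytab is what you would run on an MIT Kerberos KDC; preflight checks the agent host (principal format, keytab path, ownership and permissions, krb5.conf, kinit) before you restart the agent. The principal name, the agent service user mongodb-mms-agent and the file paths are assumptions; adjust them to your deployment.

```shell
#!/usr/bin/env bash
# Added example, not part of the Ops Manager documentation or the agent itself.
# Assumed names: principal mmsagent/backup01.example.com@EXAMPLE.COM, agent
# service user mongodb-mms-agent, keytab /etc/mongodb-mms/mmsagent.keytab,
# config /etc/mongodb-mms/backup-agent.config, MIT Kerberos tooling.

# Run on the KDC: create the principal with a random key and export its keys
# to a keytab that you then copy to the agent host. Not run by the self-check.
provision_keytab() {
    local principal="$1" keytab="$2"
    kadmin.local -q "addprinc -randkey ${principal}"
    kadmin.local -q "ktadd -k ${keytab} ${principal}"
    klist -kt "${keytab}"   # show the principal and key version numbers exported
}

# Returns 0 if "$1" looks like user@REALM or user/instance@REALM with an
# uppercase realm, the form the $external user and krb5Principal must share.
valid_principal() {
    printf '%s' "$1" | grep -Eq '^[^/@[:space:]]+(/[^/@[:space:]]+)?@[A-Z0-9.-]+$'
}

# Confirms the keytab on disk actually contains the configured principal
# (needs klist on the host; run it after copying the keytab over).
keytab_has_principal() {
    klist -kt "$1" | grep -Fq "$2"
}

# Pre-flight the agent host before restarting the agent. Arguments: config
# file, agent user, krb5.conf path, kinit path. Prints each problem and
# returns the number of problems found (0 means ready).
preflight() {
    local cfg="$1" agent_user="$2" krb5conf="${3:-/etc/krb5.conf}" kinit="${4:-/usr/bin/kinit}"
    local failures=0 principal keytab owner mode
    principal=$(sed -n 's/^krb5Principal=//p' "$cfg" | tail -n 1)
    keytab=$(sed -n 's/^krb5Keytab=//p' "$cfg" | tail -n 1)

    valid_principal "$principal" ||
        { echo "krb5Principal '$principal' is not user[/instance]@REALM with an uppercase realm"; failures=$((failures + 1)); }
    case "$keytab" in
        /*) ;;
        *) echo "krb5Keytab must be an absolute path, got '$keytab'"; failures=$((failures + 1)) ;;
    esac
    if [ ! -r "$keytab" ]; then
        echo "keytab '$keytab' is missing or unreadable"; failures=$((failures + 1))
    else
        owner=$(stat -c '%U' "$keytab" 2>/dev/null || stat -f '%Su' "$keytab")
        mode=$(stat -c '%a' "$keytab" 2>/dev/null || stat -f '%Lp' "$keytab")
        [ "$owner" = "$agent_user" ] ||
            { echo "keytab is owned by '$owner', expected agent user '$agent_user'"; failures=$((failures + 1)); }
        # The keytab is the principal's long-term key: group and world bits must be 0.
        case "$mode" in
            *00) ;;
            *) echo "keytab mode $mode is readable by other users"; failures=$((failures + 1)) ;;
        esac
    fi
    [ -r "$krb5conf" ] || { echo "$krb5conf not found"; failures=$((failures + 1)); }
    [ -x "$kinit" ] || { echo "kinit is not executable at $kinit"; failures=$((failures + 1)); }
    return "$failures"
}

# Stand-alone use on the agent host, after the keytab has been copied over:
#   preflight /etc/mongodb-mms/backup-agent.config mongodb-mms-agent && \
#     keytab_has_principal /etc/mongodb-mms/mmsagent.keytab mmsagent/backup01.example.com@EXAMPLE.COM
```

preflight deliberately does not parse the keytab itself; keytab_has_principal runs klist -kt for that, which only makes sense on a host where the real keytab and Kerberos tools are installed. The mode check rejects anything with group or world bits set, which is stricter than "owned by the agent user" but is what a long-term credential warrants.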