- Security >
- Configure MongoDB Authentication and Authorization
Configure MongoDB Authentication and Authorization¶
On this page
Overview¶
Your MongoDB deployments can use the access control mechanisms described here. You specify the authentication settings when adding the deployment. You can also edit settings after adding a deployment, as described on this page.
If a deployment uses access control, the Monitoring and Backup Agents must authenticate to the deployment as MongoDB users with appropriate access. See the following:
Access Control Mechanisms¶
MONGODB-CR¶
MongoDB Challenge-Response (MONGODB-CR
) is the MongoDB default for
authentication and authorization. To enable, see MongoDB access
control.
To create MongoDB users for the Ops Manager agents, see Add Monitoring Agent User for MONGODB-CR and Configure Backup Agent for MONGODB-CR.
To configure the Ops Manager Application to authenticate to the backing
instances using
MONGODB-CR
, see mongo.mongoUri
.
Kerberos¶
If your MongoDB deployment uses Kerberos for authentication, you must create the Kerberos Principal for the Ops Manager agents, create a MongoDB user for that Kerberos Principal, edit the agent’s configuration file. If you are running both the Monitoring Agent and the Backup Agent on the same server, then both agents must connect as the same Kerberos Principal.
To create a Kerberos Principal and the associated MongoDB user as well as edit the configuration file, see Configure the Monitoring Agent for Kerberos and Configure the Backup Agent for Kerberos.
Specify Kerberos as the MongoDB process’s authentication mechanism when adding the deployment or in the procedure on this page for editing a deployment.
To enable Kerberos authentication between the Ops Manager Application and the
Ops Manager Application Database, configure the
Kerberos Settings and the
mongo.mongoUri
setting. You must configure all required
Kerberos settings to enable Kerberos authentication.
Edit Host Credentials¶
If you configure authentication credentials, the Ops Manager agents must authenticate to the deployment as a MongoDB user with the proper access. Configure the agents with the proper credentials before configuring the credentials on the deployment. See:
Edit Host Credential Information for Monitoring¶
Before editing these credentials, set up the agent as a user in MongoDB with appropriate access. See Configure Monitoring Agent for Access Control.
To edit authentication credentials:
Select the Deployment tab and then the Deployment page.¶
Select the process’s gear icon and select Edit Host.¶
Select the Credentials tab.¶
At the bottom of the dialog box, click the Change button.¶
Enter the credentials.¶
Edit the following information, as appropriate:
Auth Mechanism | The authentication mechanism used by the host. Can specify MONGODB-CR, LDAP (PLAIN), or Kerberos(GSSAPI). |
Current DB Username | If the authentication mechanism is MONGODB-CR or LDAP, the username used to authenticate the Monitoring Agent to the MongoDB deployment. See Add Monitoring Agent User for MONGODB-CR, Configure Monitoring Agent for LDAP, or Configure the Monitoring Agent for Kerberos for setting up user credentials. |
Current DB Password | If the authentication mechanism is MONGODB-CR or LDAP, the password used to authenticate the Monitoring Agent to the MongoDB deployment. See Add Monitoring Agent User for MONGODB-CR, Configure Monitoring Agent for LDAP, or Configure the Monitoring Agent for Kerberos for setting up user credentials. |
Update other hosts in replica set/sharded cluster as well | Only for cluster or replica set. If checked, apply the credentials to all other hosts in the cluster or replica set. |
Click the Submit button.¶
Close the dialog box.¶
Edit Host Credential Information for Backup¶
Before editing these credentials, set up the agent as a user in MongoDB with appropriate access. See Configure Backup Agent for Access Control.
To edit authentication credential information:
Select the Backup tab and then select Replica Set Status or Sharded Cluster Status.¶
On the line listing the cluster or replica set, click the gear icon.¶
Select Edit Credentials.¶
Enter the credentials.¶
Edit the following information, as appropriate:
Auth Mechanism | The authentication mechanism used by the host. Can specify MONGODB-CR, LDAP (PLAIN), or Kerberos(GSSAPI). |
Current DB Username | If the authentication mechanism is MONGODB-CR or LDAP, the username used to authenticate the Monitoring Agent to the MongoDB deployment. See Configure Backup Agent for MONGODB-CR, Configure Backup Agent for LDAP Authentication, or Configure the Backup Agent for Kerberos for setting up user credentials. |
Current DB Password | If the authentication mechanism is MONGODB-CR or LDAP, the password used to authenticate the Monitoring Agent to the MongoDB deployment. See Configure Backup Agent for MONGODB-CR, Configure Backup Agent for LDAP Authentication, or Configure the Backup Agent for Kerberos for setting up user credentials. |
My deployment supports SSL for MongoDB connections | If checked, the Monitoring Agent must have a trusted CA certificate in order to connect to the MongoDB instances. See Configure Monitoring Agent for SSL. |