Navigation
This version of the documentation is archived and no longer supported. To learn how to upgrade your version of MongoDB Ops Manager, refer to the upgrade documentation.
You were redirected from a different version of the documentation. Click here to go back.
  • Security >
  • Configure MongoDB Authentication and Authorization

Configure MongoDB Authentication and Authorization

On this page

Overview

Your MongoDB deployments can use the access control mechanisms described here. You specify the authentication settings when adding the deployment. You can also edit settings after adding a deployment, as described on this page.

If a deployment uses access control, the Monitoring and Backup Agents must authenticate to the deployment as MongoDB users with appropriate access. See the following:

Access Control Mechanisms

MONGODB-CR

MongoDB Challenge-Response (MONGODB-CR) is the MongoDB default for authentication and authorization. To enable, see MongoDB access control.

To create MongoDB users for the Ops Manager agents, see Add Monitoring Agent User for MONGODB-CR and Configure Backup Agent for MONGODB-CR.

To configure the Ops Manager Application to authenticate to the backing instances using MONGODB-CR, see mongo.mongoUri.

LDAP

To use LDAP for access control, see LDAP.

Kerberos

If your MongoDB deployment uses Kerberos for authentication, you must create the Kerberos Principal for the Ops Manager agents, create a MongoDB user for that Kerberos Principal, edit the agent’s configuration file. If you are running both the Monitoring Agent and the Backup Agent on the same server, then both agents must connect as the same Kerberos Principal.

To create a Kerberos Principal and the associated MongoDB user as well as edit the configuration file, see Configure the Monitoring Agent for Kerberos and Configure the Backup Agent for Kerberos.

Specify Kerberos as the MongoDB process’s authentication mechanism when adding the deployment or in the procedure on this page for editing a deployment.

To enable Kerberos authentication between the Ops Manager Application and the Ops Manager Application Database, configure the Kerberos Settings and the mongo.mongoUri setting. You must configure all required Kerberos settings to enable Kerberos authentication.

Edit Host Credentials

If you configure authentication credentials, the Ops Manager agents must authenticate to the deployment as a MongoDB user with the proper access. Configure the agents with the proper credentials before configuring the credentials on the deployment. See:

Edit Host Credential Information for Monitoring

Before editing these credentials, set up the agent as a user in MongoDB with appropriate access. See Configure Monitoring Agent for Access Control.

To edit authentication credentials:

1

Select the Deployment tab and then the Deployment page.

2

Select the process’s gear icon and select Edit Host.

3

Select the Credentials tab.

4

At the bottom of the dialog box, click the Change button.

5

Enter the credentials.

Edit the following information, as appropriate:

Auth Mechanism The authentication mechanism used by the host. Can specify MONGODB-CR, LDAP (PLAIN), or Kerberos(GSSAPI).
Current DB Username If the authentication mechanism is MONGODB-CR or LDAP, the username used to authenticate the Monitoring Agent to the MongoDB deployment. See Add Monitoring Agent User for MONGODB-CR, Configure Monitoring Agent for LDAP, or Configure the Monitoring Agent for Kerberos for setting up user credentials.
Current DB Password If the authentication mechanism is MONGODB-CR or LDAP, the password used to authenticate the Monitoring Agent to the MongoDB deployment. See Add Monitoring Agent User for MONGODB-CR, Configure Monitoring Agent for LDAP, or Configure the Monitoring Agent for Kerberos for setting up user credentials.
Update other hosts in replica set/sharded cluster as well Only for cluster or replica set. If checked, apply the credentials to all other hosts in the cluster or replica set.
6

Click the Submit button.

7

Close the dialog box.

Edit Host Credential Information for Backup

Before editing these credentials, set up the agent as a user in MongoDB with appropriate access. See Configure Backup Agent for Access Control.

To edit authentication credential information:

1

Select the Backup tab and then select Replica Set Status or Sharded Cluster Status.

2

On the line listing the cluster or replica set, click the gear icon.

3

Select Edit Credentials.

4

Enter the credentials.

Edit the following information, as appropriate:

Auth Mechanism The authentication mechanism used by the host. Can specify MONGODB-CR, LDAP (PLAIN), or Kerberos(GSSAPI).
Current DB Username If the authentication mechanism is MONGODB-CR or LDAP, the username used to authenticate the Monitoring Agent to the MongoDB deployment. See Configure Backup Agent for MONGODB-CR, Configure Backup Agent for LDAP Authentication, or Configure the Backup Agent for Kerberos for setting up user credentials.
Current DB Password If the authentication mechanism is MONGODB-CR or LDAP, the password used to authenticate the Monitoring Agent to the MongoDB deployment. See Configure Backup Agent for MONGODB-CR, Configure Backup Agent for LDAP Authentication, or Configure the Backup Agent for Kerberos for setting up user credentials.
My deployment supports SSL for MongoDB connections If checked, the Monitoring Agent must have a trusted CA certificate in order to connect to the MongoDB instances. See Configure Monitoring Agent for SSL.
5

Click Save.

© MongoDB, Inc 2008-present. MongoDB, Mongo, and the leaf logo are registered trademarks of MongoDB, Inc.