Required Access for Backup Agent
If your MongoDB deployment enforces access control, the Ops Manager Backup Agent must authenticate to MongoDB as a user with the proper access. To authenticate, create a user with the appropriate roles in MongoDB. The following tutorials include instructions and examples for creating the MongoDB user:
- Configure Backup Agent for MONGODB-CR.
- Configure Backup Agent for LDAP Authentication.
- Configure the Backup Agent for Kerberos.
MongoDB user roles are separate from Ops Manager user roles.
Considerations
To authenticate to sharded clusters, create shard-local users on each shard and create cluster-wide users:
- Create cluster users while connected to the mongos: these credentials persist to the config servers.
- Create shard-local users by connecting directly to the replica set for each shard.
Important
The Backup Agent user must be defined consistently for all processes in your Ops Manager deployment.
MongoDB 2.6
To back up MongoDB 2.6 release series instances, the Backup Agent must be able to authenticate to the database as a user with the following roles:
| Required Role |
|---|
| clusterAdmin role on the admin database |
| readAnyDatabase role on the admin database |
| userAdminAnyDatabase role on the admin database |
| readWrite role on the admin database |
| readWrite role on the local database |
MongoDB 2.4
To back up MongoDB 2.4 release series instances, the Backup Agent must be able to authenticate to the database with a user that has specified roles and otherDBRoles. Specifically, the user must have the following roles:
| Required Role |
|---|
| clusterAdmin role on the admin database |
| readAnyDatabase role on the admin database |
| userAdminAnyDatabase role on the admin database |
And the following otherDBRoles:
| Required Role |
|---|
| readWrite role on the local database |
| readWrite role on the admin database |
| readWrite role on the config database |
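The role tables above can be checked mechanically. The following is an added example, not part of the Ops Manager documentation: it compares a user document (2.6 style with role/db pairs, or 2.4 style with roles and otherDBRoles) against the tables and reports roles that are missing or that go beyond them. The function names, the "role@db" notation, the assumption that the user is defined in the admin database, and the sample documents are all constructed for illustration.

```javascript
// Required roles from the tables above, written as "role@db".
const REQUIRED = {
  "2.6": ["clusterAdmin@admin", "readAnyDatabase@admin",
          "userAdminAnyDatabase@admin", "readWrite@admin", "readWrite@local"],
  "2.4": ["clusterAdmin@admin", "readAnyDatabase@admin",
          "userAdminAnyDatabase@admin", "readWrite@local",
          "readWrite@admin", "readWrite@config"],
};

// Flatten a user document into a set of "role@db" strings.
// 2.6 style: roles is a list of {role, db} documents.
// 2.4 style: roles is a list of names that apply to the user's own database,
// and otherDBRoles maps a database name to a list of role names.
function grantedRoles(userDoc) {
  const ownDb = userDoc.db || "admin"; // assumption: user lives in admin
  const out = new Set();
  for (const r of userDoc.roles || []) {
    out.add(typeof r === "string" ? `${r}@${ownDb}` : `${r.role}@${r.db}`);
  }
  for (const [db, names] of Object.entries(userDoc.otherDBRoles || {})) {
    for (const name of names) out.add(`${name}@${db}`);
  }
  return out;
}

// Compare a user document with the role table for a release series.
function auditBackupUser(userDoc, series) {
  const required = REQUIRED[series];
  if (!required) throw new Error(`no role table for series ${series}`);
  const granted = grantedRoles(userDoc);
  return {
    missing: required.filter((r) => !granted.has(r)),         // in the table, not granted
    extra: [...granted].filter((r) => !required.includes(r)), // granted, not in the table
  };
}

// Constructed sample documents; "backup-agent" is a placeholder user name.
const sample26 = { user: "backup-agent", db: "admin", roles: [
  { role: "clusterAdmin", db: "admin" }, { role: "readAnyDatabase", db: "admin" },
  { role: "userAdminAnyDatabase", db: "admin" }, { role: "readWrite", db: "admin" },
  { role: "root", db: "admin" } ] };
const sample24 = { user: "backup-agent",
  roles: ["clusterAdmin", "readAnyDatabase", "userAdminAnyDatabase"],
  otherDBRoles: { local: ["readWrite"], admin: ["readWrite"], config: ["readWrite"] } };

console.log(auditBackupUser(sample26, "2.6"));
console.log(auditBackupUser(sample24, "2.4"));
```

On a sharded cluster, run the comparison against both the cluster-wide user and each shard-local user, since the Backup Agent user must be defined consistently for all processes.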
Authentication Mechanisms
To authenticate, create the user in MongoDB with the appropriate access. The authentication method that the MongoDB deployment uses determines how to create the user and what additional agent configuration is required:
- For MONGODB-CR (MongoDB Challenge-Response) authentication, see Configure Backup Agent for MONGODB-CR.
- For LDAP authentication, see Configure Backup Agent for LDAP Authentication.
- For Kerberos authentication, see Configure the Backup Agent for Kerberos.