- Reference >
- Monitoring Agent >
- Configure Monitoring Agent for Access Control >
- Configure the Monitoring Agent for Kerberos
Configure the Monitoring Agent for Kerberos¶
On this page
MongoDB Enterprise provides support for Kerberos. Kerberos is a network authentication protocol available in MongoDB Enterprise version 2.4 or later. The Monitoring Agent can authenticate to MongoDB instances using Kerberos.
Important
Starting with Ops Manager 1.8 if Automation manages agents, Ops Manager can manage agent authentication. With an automated MongoDB deployment, you only need to specify the name for each agent in the Ops Manager user interface. Ops Manager then creates the MongoDB user specified for each agent and configures the appropriate access for that agent user.
- To learn how to automate your MongoDB deployment, see Add Existing MongoDB Processes to Ops Manager.
- To learn how to enable authentication for MongoDB users using Kerberos, see Enable Kerberos Authentication for your Ops Manager Group.
Prerequisites¶
Configure KDC to Issue Tickets with Four-Hour Minimum Lifetime¶
Kerberos tickets are only valid, or used to authenticate users, for a limited time. You must configure the Kerberos Key Distribution Center (KDC) to issue tickets that are valid for at least four hours. The Monitoring Agent periodically renews the ticket. The KDC service provides session tickets and temporary session keys to users and computers.
Add Kerberos as Authentication Mechanism for Deployment¶
In addition to adding the agent as a MongoDB user, you must also specify the host’s authentication settings. You can specify the host’s authentication settings when adding the host, or you can edit the settings for an existing host.
Configure Monitoring Agent Host to Use Kerberos¶
Two Kerberos-related files must be installed on any host running the Monitoring or Backup Agent:
Create or configure the krb5.conf Kerberos configuration file.
Platform Default Path Notes Linux /etc/krb5.conf
Mac OS X /etc/krb5.conf
(10.7+)The configuration file has varied with previous versions of Mac OS X. Refer to the documentation for your Kerberos implemention for your version of Mac OS X to find out where the Kerberos configuration file is stored. Windows %WINDIR%\krb5.ini
This is the default path for non-Active Directory-based Kerberos implementations. Refer to the documentation for your Kerberos implemention for your version of Windows to find out where the Kerberos configuration file is stored. Make sure kinit binary is located at
/usr/bin/kinit
.kinit
obtains or renews a Kerberos ticket-granting ticket, which authenticates the agent using Kerberos.Note
This file and location may be different on Windows or Mac OS X clients. Refer to the documentation for your Kerberos implemention to find out where the Kerberos ticket management binary is stored.
Create Kerberos Service Principal for the Monitoring Agent¶
Create or choose a Kerberos principal.¶
Create or choose a Kerberos principal for the Monitoring and/or Backup agent.
Generate a keytab for the Kerberos principal.¶
Generate a keytab for the Kerberos principal and copy it to the system where the agent runs. Ensure the user that will run the agent is the same user that owns the keytab file.
Create a User and Assign Roles for the Monitoring Agent SPN¶
After creating the Kerberos SPN, create a
user with the same name as the Monitoring Agent’s SPN on the $external
database. Grant this Monitoring Agent
user the clusterMonitor
role on the admin
database.
From a mongo shell connected to your MongoDB deployment, issue the following command to create the user:
See also
For more information on the required roles for previous versions of MongoDB, see Required Access for Monitoring Agent.
Edit the Monitoring Agent Configuration File¶
Edit the Monitoring Agent configuration file. The following table lists the default installation paths for some common platforms. Depending on your deployment, you may need to substitute the default path for the custom installation path used for your Ops Manager agent installation.
Operating System | Path |
---|---|
RHEL, Ubuntu | /etc/mongodb-mms/monitoring-agent.config |
Linux Archive, Mac OS X | <userSelected>/monitoring-agent.config |
Windows | C:\MMSData\Monitoring\local.config |
Set the krb5Principal
¶
Set the krb5Principal
to the name of the Kerberos principal.
For example:
Set the krb5Keytab
¶
Set the krb5Keytab
value to the complete absolute path of the
keytab file. For example: