Manage MongoDB Users and Roles
Overview
When MongoDB access control is enabled, you provide client access to MongoDB by creating users and assigning user roles. The users you create apply to all MongoDB instances in your Ops Manager group, but each user has a specified authentication database. Together, the user’s name and database serve as a unique identifier for that user.
You can specify access using MongoDB’s built-in roles and also by creating custom roles. Ops Manager provides the interface for doing so.
You can create users before or after enabling access control, but the users are not created until you enable access control. Your MongoDB instances will not require user credentials if access control is not enabled.
To authenticate, a client must specify the username, password, database, and authentication mechanism. For example, from the mongo shell, a client would specify the --username, --password, --authenticationDatabase, and --authenticationMechanism options.
MongoDB users are separate from Ops Manager users. MongoDB users have access to MongoDB databases, while Ops Manager users access Ops Manager groups.
Considerations
If you want Ops Manager to ensure that all deployments in a group have the same database users, use only the Ops Manager interface to manage MongoDB users.
Do not create or manage MongoDB roles manually through a direct connection to a MongoDB instance. Unlike manually-created users, if you create custom roles through a direct connection to the MongoDB instances, Ops Manager deletes these roles.
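A check that follows from the considerations above, as an added example that is not Ops Manager's own code: it compares the users you intend a group to have with the users one instance reports, keyed by authentication database plus username. It assumes user documents with user, db and roles fields, the shape MongoDB's usersInfo command returns; the function names and sample data are constructed for illustration.

```javascript
// Added example. Sample data is constructed; helper names are hypothetical.
// A user is identified by "<authentication database>.<username>".
const userKey = (u) => `${u.db}.${u.user}`;
const roleKey = (r) => `${r.role}@${r.db}`;

// Compare the users you intend to exist with what a deployment reports.
function diffUsers(intended, actual) {
  const want = new Map(intended.map((u) => [userKey(u), u]));
  const have = new Map(actual.map((u) => [userKey(u), u]));
  const report = { missing: [], unmanaged: [], roleDrift: [] };
  for (const [key, u] of want) {
    if (!have.has(key)) { report.missing.push(key); continue; }
    const wantRoles = new Set(u.roles.map(roleKey));
    const haveRoles = new Set(have.get(key).roles.map(roleKey));
    const extra = [...haveRoles].filter((r) => !wantRoles.has(r)).sort();
    const absent = [...wantRoles].filter((r) => !haveRoles.has(r)).sort();
    if (extra.length || absent.length) report.roleDrift.push({ user: key, extra, absent });
  }
  // Users present on the instance but never defined in the intended list.
  for (const key of have.keys()) if (!want.has(key)) report.unmanaged.push(key);
  return report;
}

// Constructed: the users defined for the group.
const intended = [
  { db: "admin", user: "app", roles: [{ role: "readWrite", db: "orders" }] },
  { db: "reporting", user: "app", roles: [{ role: "read", db: "reporting" }] },
  { db: "$external", user: "svc-backup@EXAMPLE.COM", roles: [{ role: "backup", db: "admin" }] },
];
// Constructed: user documents as one instance might report them.
const actual = [
  { db: "admin", user: "app", roles: [{ role: "readWrite", db: "orders" }, { role: "dbAdmin", db: "orders" }] },
  { db: "$external", user: "svc-backup@EXAMPLE.COM", roles: [{ role: "backup", db: "admin" }] },
  { db: "admin", user: "tmp-debug", roles: [{ role: "root", db: "admin" }] },
];

const report = diffUsers(intended, actual);
console.log(JSON.stringify(report, null, 2));
```

An entry under unmanaged is a user that exists on the instance but was not in the intended list, for example one created through a direct connection.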
Procedures
Add a MongoDB User
From the Deployment tab, select the MongoDB Users page.
Click the Add User button.
In the Identifier fields, enter the database on which the user authenticates and enter a username.
Together, the database and username uniquely identify the user. Though the user has just one authentication database, the user can have privileges on other databases. You grant privileges when assigning the user roles.
You can add users to the $external database, much as you would to any other database. The $external database allows MongoDB instances to consult an external source, such as Kerberos or an LDAP server, to authenticate. As such, you do not need to specify a password for the users that you add to $external.
In the Roles drop-down list, select the user’s roles.
You can assign both user-defined roles and built-in roles.
Enter the user’s password and click Add User.
Click Review & Deploy to review your changes.
Review and approve your changes.
Ops Manager displays your proposed changes.
- If they are acceptable, click Confirm & Deploy.
- If they are unacceptable, click Cancel and you can make additional changes.
Edit a User’s Roles
From the Deployment tab, select the MongoDB Users page.
Click the user’s gear icon and select Edit.
Edit the user’s information.
In the Roles list, you can both add and delete roles. The Roles list provides a drop-down as you start typing the name of the role. You can add both user-defined roles and built-in roles.
Click Save Changes.
Click Review & Deploy to review your changes.
Review and approve your changes.
Ops Manager displays your proposed changes.
- If they are acceptable, click Confirm & Deploy.
- If they are unacceptable, click Cancel and you can make additional changes.
Remove a MongoDB User
From the Deployment tab, select the MongoDB Users page.
Click the user’s gear icon and select Remove.
To confirm, click Delete User.
Click Review & Deploy to review your changes.
Review and approve your changes.
Ops Manager displays your proposed changes.
- If they are acceptable, click Confirm & Deploy.
- If they are unacceptable, click Cancel and you can make additional changes.