Navigation

Required Access for Backup Agent

If your MongoDB deployment enforces access control, the Ops Manager Backup Agent must authenticate to MongoDB as a user with the proper access.

If you use Automation, Ops Manager takes care of this for you. If you do not use Automation, follow the instructions on this page.

To authenticate, create a user with the appropriate roles in MongoDB. The following tutorials include instructions and examples for creating the MongoDB user:

MongoDB user roles are separate from Ops Manager user roles.

Considerations

To authenticate to sharded clusters, create shard-local users on each shard and create cluster-wide users:

  • Create cluster users while connected to the mongos: these credentials persist to the config servers.
  • Create shard-local users by connecting directly to the replica set for each shard.

Important

The Backup Agent user must be defined consistently for all processes in your Ops Manager deployment.

MongoDB 3.0 and Later

To backup MongoDB instances running 3.0 and later, the Backup Agent must authenticate as a user with the following role:

Required Role  
backup role on the admin database  

MongoDB 2.6

To backup MongoDB 2.6 release series instances, the Backup Agent must be able to authenticate to with the following roles:

Required Role  
clusterAdmin role on the admin database  
readAnyDatabase role on the admin database  
userAdminAnyDatabase role on the admin database  
readWrite role on the admin database  
readWrite role on the local database  

MongoDB 2.4

To backup MongoDB 2.4 release series instances, the Backup Agent must be able to authenticate to the database with a user that has specified roles and otherDBRoles. Specifically, the user must have the following roles:

Required Role  
clusterAdmin role on the admin database  
readAnyDatabase role on the admin database  
userAdminAnyDatabase role on the admin database  

And the following otherDBRoles:

Required Role  
readWrite role on the local database  
readWrite role on the admin database  
readWrite role on the config database  

Authentication Mechanisms

To authenticate, create the user in MongoDB with the appropriate access. The authentication method that the MongoDB deployment uses determines how to create the user as well as determine any additional agent configuration: