Configure the Monitoring Agent for Kerberos
MongoDB Enterprise supports Kerberos, a network authentication protocol, in version 2.4 and later. The Monitoring Agent can authenticate to MongoDB instances using Kerberos.
In Ops Manager 1.8 and later, Ops Manager can manage agent authentication if Automation manages the agents. With Automation, you first specify the agent's user name and, if you use LDAP authorization, the LDAP group that maps to the MongoDB role. Ops Manager then creates the specified MongoDB user for each agent and grants that user the appropriate access.
See Enable Kerberos Authentication for your Ops Manager Group for more information.
Configure the KDC to Issue Tickets with a Four-Hour Minimum Lifetime
The Kerberos Key Distribution Center (KDC) issues session tickets and temporary session keys to users and computers. A ticket authenticates its holder only for a limited time. You must configure the KDC to issue tickets that are valid for at least four hours; the Monitoring Agent renews its ticket periodically, and a shorter lifetime can expire before the renewal.
Add Kerberos as an Authentication Mechanism for the Deployment
MongoDB agents interact with the MongoDB databases in your deployment as a MongoDB user would. Each agent must authenticate and is then granted privileges according to its role in your deployment. You must therefore configure both your MongoDB deployment and your agents to support authentication.
You can specify the deployment's authentication mechanisms when adding the deployment, or you can edit the settings for an existing deployment. At minimum, the deployment must enable the Kerberos authentication mechanism you want the agents to use.
For the purposes of this tutorial, you must ensure your:
- Deployment supports Kerberos authentication and
- Agents use Kerberos authentication.
See Enable Kerberos Authentication for your Ops Manager Group for how to enable Kerberos authentication.
Configure the Monitoring Agent Host to Use Kerberos
Two Kerberos-related files must be installed on any host running the Monitoring or Backup Agent:
Create or configure the krb5.conf Kerberos configuration file.
|Platform||Default Path||Notes|
|Linux||||
|Mac OS X||||The location of the configuration file has varied across versions of Mac OS X. Refer to the documentation for your Kerberos implementation and your version of Mac OS X to find where the Kerberos configuration file is stored.|
|Windows||||This is the default path for non-Active Directory-based Kerberos implementations. Refer to the documentation for your Kerberos implementation and your version of Windows to find where the Kerberos configuration file is stored.|
On Linux systems: ensure the kinit binary is located at
kinit obtains or renews a Kerberos ticket-granting ticket, which authenticates the agent using Kerberos.
Create a Kerberos Service Principal for the Monitoring Agent
Create or choose a Kerberos Service Principal Name for each agent.
Create or choose a Kerberos Service Principal Name (SPN) for each agent you run. The Monitoring Agent and the Backup Agent should each have their own SPN.
An SPN is formatted in three parts so the service can be uniquely identified across the Kerberos realm:
|Service name||The name of one service a host is providing to the Kerberos realm, such as mail, snmp, ftp.|
|Hostname||The host running the service, as a fully qualified domain name (FQDN).|
|Realm||A set of managed hosts and services that share the same Kerberos database.|
By Kerberos naming convention, the
In a Kerberos realm set as EXAMPLE.COM, a backup agent running on the host db1.example.com would set its SPN to:
Create a User and Assign Roles for the Monitoring Agent SPN
After creating the Kerberos SPN, create a user mapped to the agent's SPN and grant it privileges on your MongoDB deployment.
Where you create the user depends on whether you are using LDAP authorization:
- If you are using LDAP authorization, you must create a user and group for the agent on the LDAP server and map the LDAP group to a MongoDB role in
- If you are not using LDAP authorization, you must create the agent's user on the $external database in your MongoDB deployment.
Edit the Monitoring Agent Configuration File
Edit the Monitoring Agent configuration file. The following table lists the default installation paths for some common platforms. Depending on your deployment, you may need to replace the default path with the custom installation path used for your Ops Manager agent installation.
|Linux Archive, Mac OS X||
- Set krb5Principal to the Kerberos SPN for the agent.
- Set krb5Keytab to the complete absolute path of the keytab file for the agent.
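The following pre-flight script ties together the host-side requirements above: the four-hour ticket lifetime, the krb5.conf file, the three-part SPN format, and the krb5Principal and krb5Keytab settings. It is an added example written for this page, not code shipped with Ops Manager or the agents. It assumes, because the page does not say, that the agent configuration file is a key=value file, that the client krb5.conf carries a ticket_lifetime entry under [libdefaults], and that the service name "monitoring", the temporary directory, and the stand-in keytab contents are constructed sample values rather than real ones. The KDC's own maximum ticket life is enforced on the KDC and must be checked there.

```shell
#!/bin/sh
# Pre-flight check for the Kerberos pieces this page asks for on an agent host.
# Added example for this page; it is not part of Ops Manager or the agents.
# Assumptions not stated on the page: the agent config is a key=value file,
# and the client's krb5.conf sets "ticket_lifetime" under [libdefaults].
# The KDC's own maximum ticket life is enforced on the KDC and is not checked here.

# validate_spn SPN
# Succeeds when SPN has the three parts described above, service/hostname@REALM,
# with a fully qualified (dotted) hostname and an all-uppercase realm.
validate_spn() {
  printf '%s\n' "$1" |
    grep -Eq '^[^/@[:space:]]+/[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+@[A-Z0-9.-]+$'
}

# lifetime_seconds DURATION
# Converts a Kerberos duration (36000, 10h, 1d12h, 4h30m) to seconds and prints
# -1 for anything else. The h:m:s form is deliberately not handled.
lifetime_seconds() {
  printf '%s\n' "$1" | awk '
    /^[0-9]+$/ { print $0; exit }
    {
      total = 0; s = $0
      while (match(s, /^[0-9]+[dhms]/)) {
        n = substr(s, 1, RLENGTH - 1); u = substr(s, RLENGTH, 1)
        total += n * (u == "d" ? 86400 : u == "h" ? 3600 : u == "m" ? 60 : 1)
        s = substr(s, RLENGTH + 1)
      }
      print (s == "" ? total : "-1")
    }'
}

# krb5_ticket_lifetime KRB5CONF
# Prints the [libdefaults] ticket_lifetime, or the MIT library default of 1d
# when the file does not set one.
krb5_ticket_lifetime() {
  v=$(awk -F= '
    /^[ \t]*\[/ { gsub(/[ \t]/, ""); sect = $0; next }
    sect == "[libdefaults]" && $1 ~ /^[ \t]*ticket_lifetime[ \t]*$/ {
      gsub(/[ \t]/, "", $2); print $2
    }' "$1" | tail -n 1)
  printf '%s\n' "${v:-1d}"
}

# check_ticket_lifetime KRB5CONF
# Tickets shorter than four hours (14400 s) fail the requirement above.
check_ticket_lifetime() {
  secs=$(lifetime_seconds "$(krb5_ticket_lifetime "$1")")
  [ "$secs" -ge 14400 ]
}

# check_agent_config CONFIG
# krb5Principal must be a well-formed SPN; krb5Keytab must be an absolute path
# to an existing file no other user can read (it holds the agent's long-term key).
check_agent_config() {
  cfg=$1
  principal=$(sed -n 's/^krb5Principal=//p' "$cfg" | tail -n 1)
  keytab=$(sed -n 's/^krb5Keytab=//p' "$cfg" | tail -n 1)
  validate_spn "$principal" ||
    { echo "krb5Principal '$principal' is not service/hostname@REALM" >&2; return 1; }
  case $keytab in
    /*) ;;
    *) echo "krb5Keytab '$keytab' is not an absolute path" >&2; return 1 ;;
  esac
  [ -f "$keytab" ] || { echo "keytab $keytab does not exist" >&2; return 1; }
  other=$(ls -l "$keytab" | cut -c8-10)   # permission bits for "other"
  [ "$other" = "---" ] ||
    { echo "keytab $keytab is readable by other users ($other)" >&2; return 1; }
}

# Constructed sample files so the checks run offline. The service name
# "monitoring" and the 0600 stand-in keytab are illustrative, not real values.
DEMO=$(mktemp -d)
( umask 077; printf 'stand-in for a real keytab\n' > "$DEMO/agent.keytab" )
cat > "$DEMO/monitoring-agent.config" <<EOF
krb5Principal=monitoring/db1.example.com@EXAMPLE.COM
krb5Keytab=$DEMO/agent.keytab
EOF
cat > "$DEMO/bad-agent.config" <<EOF
krb5Principal=monitoring/db1@example.com
krb5Keytab=agent.keytab
EOF
cat > "$DEMO/krb5.conf" <<EOF
[libdefaults]
    default_realm = EXAMPLE.COM
    ticket_lifetime = 10h
EOF
cat > "$DEMO/krb5-short.conf" <<EOF
[libdefaults]
    ticket_lifetime = 2h
EOF

check_agent_config "$DEMO/monitoring-agent.config" && echo "agent config: ok"
check_agent_config "$DEMO/bad-agent.config" || echo "bad config rejected"
check_ticket_lifetime "$DEMO/krb5.conf" && echo "ticket lifetime >= 4h: ok"
check_ticket_lifetime "$DEMO/krb5-short.conf" || echo "2h ticket lifetime rejected"
```

On a real host, point check_agent_config at the agent's configuration file and check_ticket_lifetime at the krb5.conf path for that platform, then remove the temporary directory the sample run created. The keytab permission check matters because the keytab is equivalent to the agent's password: anyone who can read it can obtain tickets as the agent.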