
Configure MongoDB Authentication and Authorization

Overview

Your MongoDB deployments can use the access control mechanisms described here. You specify the authentication settings when adding the deployment. You can also edit settings after adding a deployment, as described on this page.

If a deployment uses access control, the Monitoring and Backup Agents must authenticate to the deployment as MongoDB users with appropriate access. If you are using Automation to manage your MongoDB deployments, you will enable and configure authentication through the Ops Manager interface.

If you are not using Automation to manage your MongoDB deployments, you must configure the Monitoring and Backup agents manually.

Access Control Mechanisms

MONGODB-CR/SCRAM-SHA-1

In MongoDB 3.0 and later, MongoDB’s default authentication mechanism is a challenge and response mechanism (SCRAM-SHA-1). Previously, MongoDB used MongoDB Challenge and Response (MONGODB-CR) as the default.

SCRAM-SHA-1 is an IETF standard, RFC 5802, that defines best practice methods for implementation of challenge-response mechanisms for authenticating users with passwords.
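The proof computation RFC 5802 defines, as an added example that is not part of the Ops Manager documentation. It runs both sides over the example exchange published in the RFC (user `user`, password `pencil`). The function names are chosen here for illustration, and the messages are the RFC's sample, not MongoDB wire traffic.

```python
import base64
import hashlib
import hmac

# Example exchange published in RFC 5802 (user "user", password "pencil").
CLIENT_FIRST_BARE = "n=user,r=fyko+d2lbbFgONRv9qkxdawL"
SERVER_FIRST = "r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,s=QSXCR+Q6sek8bf92,i=4096"
CLIENT_FINAL_NO_PROOF = "c=biws,r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j"
AUTH_MESSAGE = ",".join([CLIENT_FIRST_BARE, SERVER_FIRST, CLIENT_FINAL_NO_PROOF]).encode()


def _hmac(key, msg):
    return hmac.new(key, msg, hashlib.sha1).digest()


def _salted_password(password, salt_b64, iterations):
    # Hi(password, salt, i) in the RFC is PBKDF2-HMAC-SHA-1.
    # Assumption: ASCII password, so SASLprep normalization is a no-op.
    return hashlib.pbkdf2_hmac("sha1", password.encode(),
                               base64.b64decode(salt_b64), iterations)


def server_record(password, salt_b64, iterations):
    """What the server persists: (StoredKey, ServerKey), never the password."""
    salted = _salted_password(password, salt_b64, iterations)
    client_key = _hmac(salted, b"Client Key")
    return hashlib.sha1(client_key).digest(), _hmac(salted, b"Server Key")


def client_proof(password, salt_b64, iterations, auth_message):
    """ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage), base64."""
    client_key = _hmac(_salted_password(password, salt_b64, iterations), b"Client Key")
    client_sig = _hmac(hashlib.sha1(client_key).digest(), auth_message)
    return base64.b64encode(bytes(a ^ b for a, b in zip(client_key, client_sig))).decode()


def server_verify(stored_key, server_key, proof_b64, auth_message):
    """Return the base64 ServerSignature if the proof is valid, else None."""
    client_sig = _hmac(stored_key, auth_message)
    recovered = bytes(a ^ b for a, b in zip(base64.b64decode(proof_b64), client_sig))
    # Constant-time comparison of H(recovered ClientKey) against StoredKey.
    if not hmac.compare_digest(hashlib.sha1(recovered).digest(), stored_key):
        return None
    return base64.b64encode(_hmac(server_key, auth_message)).decode()


if __name__ == "__main__":
    stored, skey = server_record("pencil", "QSXCR+Q6sek8bf92", 4096)
    proof = client_proof("pencil", "QSXCR+Q6sek8bf92", 4096, AUTH_MESSAGE)
    print("p=" + proof, "v=" + str(server_verify(stored, skey, proof, AUTH_MESSAGE)))
```

The password never crosses the wire: the client sends only the proof, and the server checks it against the stored key and answers with its own signature so the client can authenticate the server in turn.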

MONGODB-CR is a challenge-response mechanism that authenticates users through passwords.

To enable MONGODB-CR when using Automation, see Enable Username and Password Authentication for your Ops Manager Group.

To configure the agents to authenticate as users with the proper access without Automation, see:

LDAP

MongoDB Enterprise provides support for proxy authentication of users. This allows administrators to configure a MongoDB cluster to authenticate users by proxying authentication requests to a specified Lightweight Directory Access Protocol (LDAP) service.

To enable LDAP for your Ops Manager group when using Automation, see: Enable LDAP Authentication for your Ops Manager Group.

To configure the agents to authenticate as users with the proper access without Automation, see:

Kerberos

MongoDB Enterprise supports authentication using a Kerberos service. Kerberos is an industry standard authentication protocol for large client/server systems.

To use MongoDB with Kerberos, you must have a properly configured Kerberos deployment, configure Kerberos service principals for MongoDB, and add the Kerberos user principal. If you are using Automation, you can Enable Kerberos Authentication for your Ops Manager Group from within the Ops Manager interface.

To create a Kerberos Principal and the associated MongoDB user, and to configure the Monitoring and Backup Agents to authenticate as users with the proper access without Automation, see:

Specify Kerberos as the MongoDB process’s authentication mechanism when adding the deployment or when editing the deployment.

x.509

MongoDB supports x.509 certificate authentication for use with a secure TLS/SSL connection. The x.509 client authentication allows clients to authenticate to servers with certificates rather than with a username and password.

In Ops Manager, x.509 Client Certificate (MONGODB-X509) is only available on MongoDB Enterprise builds. If you have existing deployments running on a MongoDB Community build, you must upgrade them to MongoDB Enterprise before you can enable x.509 Client Certificate (MONGODB-X509) for your Ops Manager group.

To enable x.509 authentication for your Ops Manager group when using Automation, see: Enable x.509 Authentication for your Ops Manager Group.

Note

Ops Manager does not currently support using x.509 certificates for membership authentication.

Edit Host Credentials

If your deployment is managed by Ops Manager, you will configure the deployment to use the authentication mechanism from the Ops Manager interface. The Manage MongoDB Users and Roles tutorials describe how to configure an existing deployment to use each authentication mechanism.

If your deployment is not managed by Ops Manager, manually configure the Monitoring and Backup agents with the proper credentials before you edit the host’s authentication credentials.

See

Configure Monitoring Agent for Access Control and Configure Backup Agent for Access Control describe how to configure the Monitoring and Backup agents for access control.

Once the Monitoring and Backup agents are correctly configured, you can edit the deployment’s authentication credentials using the following procedures.

Edit Credentials for Monitoring a Host

Important

Before editing these credentials, configure the Monitoring Agent with the proper credentials. See Configure Monitoring Agent for Access Control.

To edit the credential for Monitoring:

1. Click Deployment, then click the Processes tab, and then the Topology view.

2. Select the process’s gear icon and select Edit Host.

3. Select the Credentials tab.

4. At the bottom of the dialog box, click the Change button.

5. Enter the credentials.

   Edit the following information, as appropriate:

   Auth Mechanism

   The authentication mechanism used by the host. Can specify MONGODB-CR, LDAP (PLAIN), or Kerberos (GSSAPI).

   Current DB Username

   If the authentication mechanism is MONGODB-CR or LDAP, the username used to authenticate the Monitoring Agent to the MongoDB deployment. See Configure Monitoring Agent for MONGODB-CR, Configure Monitoring Agent for LDAP, or Configure the Monitoring Agent for Kerberos for setting up user credentials.

   Current DB Password

   If the authentication mechanism is MONGODB-CR or LDAP, the password used to authenticate the Monitoring Agent to the MongoDB deployment. See Configure Monitoring Agent for MONGODB-CR, Configure Monitoring Agent for LDAP, or Configure the Monitoring Agent for Kerberos for setting up user credentials.

   Update other hosts in replica set/sharded cluster as well

   Only for cluster or replica set. If checked, apply the credentials to all other hosts in the cluster or replica set.

6. Click the Submit button.

7. Close the dialog box.

Edit Credentials for Backing up a Host

Important

Before editing these credentials, configure the Backup Agent with the proper credentials. See Configure Backup Agent for Access Control.

To edit the credential for Backup:

1. Click Backup, then the Overview tab.

2. On the line listing the process, click the ellipsis icon and click Edit Credentials.

3. Enter the credentials.

   Edit the following information, as appropriate:

   Auth Mechanism

   The authentication mechanism the host uses.

   The options are:

   DB Username

   For Username/Password or LDAP authentication, the username used to authenticate the Backup Agent to the MongoDB deployment.

   See Configure Backup Agent for MONGODB-CR or Configure Backup Agent for LDAP Authentication.

   DB Password

   For Username/Password or LDAP authentication, the password used to authenticate the Backup Agent to the MongoDB deployment.

   Allows SSL for connections

   If checked, the Backup Agent uses SSL to connect to MongoDB.

   See Configure Backup Agent for SSL.

4. Click Save.