This version of the documentation is archived and no longer supported. It will be removed on EOL_DATE. To learn how to upgrade your version of MongoDB Ops Manager, refer to the upgrade documentation.

Configure MongoDB Authentication and Authorization

Overview

Your MongoDB deployments can use the access control mechanisms described here. You specify the authentication settings when adding the deployment. You can also edit the security settings after adding a deployment, as described on this page.

If a deployment uses access control, the Monitoring and Backup Agents must authenticate to the deployment as MongoDB users with appropriate access. If you are using Automation to manage your MongoDB deployments, you will enable and configure authentication through the Ops Manager interface.

If you are not using Automation to manage your MongoDB deployments, you must configure the Monitoring and Backup agents manually.

Considerations

With access control enabled, you must create MongoDB users so that clients can access your databases.

If you are using Automation to manage your MongoDB deployments, Ops Manager automatically creates users for the agents when you enable access control. The user created for the Automation Agent has privileges to administer and manage other users. As such, the first user you create can have any role.

Selecting an Authentication Mechanism for your Ops Manager group enables access control for all the deployments in that group.

Recommendation

To avoid inconsistencies, use the Ops Manager interface to manage users and roles for MongoDB deployments.

For more information on MongoDB access control, see the Authentication and Authorization pages in the MongoDB manual.

Access Control Mechanisms

SCRAM-SHA-1/SCRAM-SHA-256

MongoDB 4.0 supports the SCRAM authentication mechanism with the SHA-256 and SHA-1 hash functions. SCRAM-SHA-1 (RFC 5802) and SCRAM-SHA-256 (RFC 7677) are IETF standards that define best practice methods for implementation of challenge-response mechanisms for authenticating users with passwords.

In MongoDB 3.0 to 3.6, MongoDB’s default authentication mechanism is SCRAM-SHA-1. Prior to MongoDB 3.0, MongoDB used MongoDB Challenge and Response (MONGODB-CR) as the default. MONGODB-CR is a challenge-response mechanism that authenticates users through passwords.
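
The challenge-response computation that RFC 5802 and RFC 7677 define, shown as an added example (it is not part of the Ops Manager documentation or MongoDB's code). It replays the sample exchange published in RFC 7677 (user "user", password "pencil") and omits SASLprep normalization of the password; the function names are illustrative.

```python
import base64
import hashlib
import hmac

ALGO = "sha256"  # "sha1" gives the SCRAM-SHA-1 variant of the same computation

def _hmac(key, msg):
    return hmac.new(key, msg, ALGO).digest()

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def derive_server_record(password, salt, iterations):
    """What a server persists: StoredKey and ServerKey, never the password."""
    salted = hashlib.pbkdf2_hmac(ALGO, password.encode(), salt, iterations)
    stored_key = hashlib.new(ALGO, _hmac(salted, b"Client Key")).digest()
    return stored_key, _hmac(salted, b"Server Key")

def client_proof(password, salt, iterations, auth_message):
    """Client side: ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage)."""
    salted = hashlib.pbkdf2_hmac(ALGO, password.encode(), salt, iterations)
    client_key = _hmac(salted, b"Client Key")
    stored_key = hashlib.new(ALGO, client_key).digest()
    return _xor(client_key, _hmac(stored_key, auth_message))

def server_verify(stored_key, auth_message, proof):
    """Server side: recover ClientKey from the proof, compare H(ClientKey)."""
    client_key = _xor(proof, _hmac(stored_key, auth_message))
    return hmac.compare_digest(hashlib.new(ALGO, client_key).digest(), stored_key)

# Messages from the example exchange in RFC 7677.
CLIENT_FIRST_BARE = "n=user,r=rOprNGfwEbeRWgbNEkqO"
SERVER_FIRST = ("r=rOprNGfwEbeRWgbNEkqO%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0,"
                "s=W22ZaJ0SNY7soEsUEjb6gQ==,i=4096")
CLIENT_FINAL_NO_PROOF = "c=biws,r=rOprNGfwEbeRWgbNEkqO%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0"
AUTH_MESSAGE = ",".join([CLIENT_FIRST_BARE, SERVER_FIRST, CLIENT_FINAL_NO_PROOF]).encode()

def run_exchange(password, enrolled_password="pencil"):
    """Return (accepted, client proof b64, server signature b64)."""
    attrs = dict(kv.split("=", 1) for kv in SERVER_FIRST.split(","))
    salt, iterations = base64.b64decode(attrs["s"]), int(attrs["i"])
    stored_key, server_key = derive_server_record(enrolled_password, salt, iterations)
    proof = client_proof(password, salt, iterations, AUTH_MESSAGE)
    accepted = server_verify(stored_key, AUTH_MESSAGE, proof)
    # ServerSignature lets the client authenticate the server in turn.
    signature = _hmac(server_key, AUTH_MESSAGE)
    return accepted, base64.b64encode(proof).decode(), base64.b64encode(signature).decode()

if __name__ == "__main__":
    print(run_exchange("pencil"))
    print(run_exchange("wrong")[0])
```

Only the salt, iteration count, nonces and the proof cross the wire; the server checks the proof against StoredKey without ever holding or receiving the password.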

To enable SCRAM-SHA-1 or SCRAM-SHA-256 when using Automation, see:

To configure the agents to authenticate as users with the proper access without Automation, see:

LDAP

MongoDB Enterprise provides support for proxy authentication of users. This allows administrators to configure a MongoDB cluster to authenticate users by proxying authentication requests to a specified Lightweight Directory Access Protocol (LDAP) service.

To enable LDAP for your Ops Manager project when using Automation, see: Enable LDAP Authentication for your Ops Manager Project.

To configure the agents to authenticate as users with the proper access without Automation, see:

Kerberos

MongoDB Enterprise supports authentication using a Kerberos service. Kerberos is an industry standard authentication protocol for large client/server systems.

To use MongoDB with Kerberos, you must have a properly configured Kerberos deployment, configure Kerberos service principals for MongoDB, and add the Kerberos user principal.

If you are using Automation, see:

To create a Kerberos Principal and the associated MongoDB user, and to configure the Monitoring and Backup Agents to authenticate as users with the proper access without Automation, see:

Specify Kerberos as the MongoDB process’s authentication mechanism when adding the deployment or when editing the deployment.

x.509

MongoDB supports x.509 certificate authentication for use with a secure TLS/SSL connection. The x.509 client authentication allows clients to authenticate to servers with certificates rather than with a username and password.

To enable x.509 authentication for your Ops Manager project when using Automation, see: Enable x.509 Authentication for your Ops Manager Project.

Note

Ops Manager does not currently support using x.509 certificates for membership authentication.

Edit Host Credentials

If your deployment is managed by Ops Manager, you will configure the deployment to use the authentication mechanism from the Ops Manager interface. The Manage MongoDB Users and Roles tutorials describe how to configure an existing deployment to use each authentication mechanism.

If your deployment is not managed by Ops Manager, manually configure the Monitoring and Backup agents with the proper credentials before you edit the host’s authentication credentials.

See

Configure Monitoring Agent for Access Control and Configure Backup Agent for Access Control describe how to configure the Monitoring and Backup agents for access control.

Once the Monitoring and Backup agents are correctly configured, you can edit the deployment’s authentication credentials using the following procedures.

Edit Credentials for Monitoring a Host

Important

Before editing these credentials, configure the Monitoring Agent with the proper credentials. See Configure Monitoring Agent for Access Control.

To edit the credential for Monitoring:

1. Click Deployment, then click the Processes tab, and then the Topology view.

2. On the line listing the process, click the ellipsis icon and select Monitoring Settings.

3. Select the Credentials tab.

4. At the bottom of the dialog box, click the Change button.

5. Enter the credentials.

Edit the following information, as appropriate:

Auth Mechanism

The authentication mechanism used by the host. Can specify MONGODB-CR, LDAP (PLAIN), or Kerberos (GSSAPI).

Current DB Username

If the authentication mechanism is MONGODB-CR or LDAP, the username used to authenticate the Monitoring Agent to the MongoDB deployment. See Configure Monitoring Agent for Authentication, Configure Monitoring Agent for LDAP, or Configure the Monitoring Agent for Kerberos for setting up user credentials.

Current DB Password

If the authentication mechanism is MONGODB-CR or LDAP, the password used to authenticate the Monitoring Agent to the MongoDB deployment. See Configure Monitoring Agent for Authentication, Configure Monitoring Agent for LDAP, or Configure the Monitoring Agent for Kerberos for setting up user credentials.

Update other hosts in replica set/sharded cluster as well

Only for cluster or replica set. If checked, apply the credentials to all other hosts in the cluster or replica set.

6. Click the Submit button.

7. Close the dialog box.

Edit Credentials for Backing up a Host

Important

Before editing these credentials, configure the Backup Agent with the proper credentials. See Configure Backup Agent for Access Control.

To edit the credential for Backup:

1. Click Backup, then the Overview tab.

2. On the line listing the process, click the ellipsis icon and click Edit Credentials.

3. Enter the credentials.

Edit the following information, as appropriate:

Auth Mechanism

The authentication mechanism the host uses.

The options are:

DB Username

For Username/Password or LDAP authentication, the username used to authenticate the Backup Agent to the MongoDB deployment.

See Configure Backup Agent for Authentication or Configure Backup Agent for LDAP Authentication.

DB Password

For Username/Password or LDAP authentication, the password used to authenticate the Backup Agent to the MongoDB deployment.

Allows SSL for connections

If checked, the Backup Agent uses SSL to connect to MongoDB.

See Configure Backup Agent for SSL.

4. Click Save.