- Agents >
- Legacy Agents >
- Backup Agent >
- Required Access for Backup Agent
Required Access for Backup Agent¶
On this page
If your MongoDB deployment enforces access control, the Ops Manager Backup Agent must authenticate to MongoDB as a user with the proper access.
If you use Automation, Ops Manager takes care of this for you. If you do not use Automation, follow the instructions on this page.
To authenticate, create a user with the appropriate roles in MongoDB. The following tutorials include instructions and examples for creating the MongoDB user:
- Configure Backup Agent for Authentication.
- Configure Backup Agent for LDAP Authentication.
- Configure the Backup Agent for Kerberos.
MongoDB user roles are separate from Ops Manager user roles.
Considerations¶
To authenticate to sharded clusters, create shard-local users on each shard and create cluster-wide users:
- Create cluster users while connected to the
mongos
: these credentials persist to the config servers. - Create shard-local users by connecting directly to the replica set for each shard.
Important
The Backup Agent user must be defined consistently for all processes in your Ops Manager deployment.
MongoDB 2.6¶
To backup MongoDB 2.6 release series instances, the Backup Agent must be able to authenticate to with the following roles:
Required Role | |
---|---|
clusterAdmin role on the admin database |
|
readAnyDatabase role on the admin database |
|
userAdminAnyDatabase role on the admin database |
|
readWrite role on the admin database |
|
readWrite role on the local database |
Authentication Mechanisms¶
To authenticate, create the user in MongoDB with the appropriate access. The authentication method that the MongoDB deployment uses determines how to create the user as well as determine any additional agent configuration:
- For MONGODB-CR (MongoDB Challenge-Response) authentication, see Configure Backup Agent for Authentication.
- For LDAP authentication, see Configure Backup Agent for LDAP Authentication.
- For Kerberos authentication, see Configure the Backup Agent for Kerberos.