Configure MongoDB Agent for Authentication¶

On this page

Prerequisites
Configure the MongoDB Agent for Authentication

MongoDB supports the following authentication mechanisms depending on your MongoDB version:

MongoDB Version	Default Authentication Mechanism
4.0 or later	SCRAM authentication mechanisms with the `SHA-256` and `SHA-1` hash functions. `SCRAM-SHA-1` (RFC 5802) and `SCRAM-SHA-256` (RFC 7677) are IETF standards that define best practice methods for implementation of challenge-response mechanisms for authenticating users with passwords.
3.0 to 3.6	SCRAM authentication mechanism with``SHA-1`` hash function.
2.6 or earlier	MongoDB Challenge and Response (`MONGODB-CR`). `MONGODB-CR` is a challenge-response mechanism that authenticates users through passwords.

Prerequisites¶

Configure Deployments to Use Authentication¶

The MongoDB Agent interacts with the MongoDB databases in your deployment as a MongoDB user would. As a result, you must configure your MongoDB deployment and the MongoDB Agent to support authentication.

You can specify the deployment’s authentication mechanisms when adding the deployment, or you can edit the settings for an existing deployment. At minimum, the deployment must enable the authentication mechanism you want the MongoDB Agent to use. The MongoDB Agent can use any supported authentication mechanism.

Configure the MongoDB Agent for Authentication¶

The MongoDB Agent can use SCRAM-SHA-1 or SCRAM-SHA-256 to authenticate to hosts that enforce access control.

Note

With Automation, Ops Manager manages MongoDB Agent authentication for you. To learn more about authentication, see Enable Username and Password Authentication for your Ops Manager Project.

Deployments Managed by Automation
Deployments Not Managed by Automation

When you install the MongoDB Agent with Automation, Ops Manager automatically creates a user for authentication. This user (mms-automation) is created in the admin database with the correct privileges for each MongoDB Agent function.

Configure these credentials in Ops Manager.

Navigate to Deployment arrow right icon Security arrow right icon Edit Settings arrow right icon Edit Credentials.

Continue through the modal until you see the Configure Ops Manager Agents page

Add the appropriate credentials:

Setting Value

MongoDB Agent Username Enter the MongoDB Agent username.

MongoDB Agent Password Enter the password for the MongoDB Agent username.

Each MongoDB Agent function uses a different set of mongo shell commands to configure a user with the appropriate roles and privileges.

Backup
Monitoring

User creation commands very depending on the version of MongoDB that you use:

MongoDB 3.0 or later
MongoDB 2.6

To back up MongoDB instances running 3.0 and later, create a user in the admin database with an operation that resembles the following:

copy

db.getSiblingDB("admin").createUser(
   {
      user: "<username>",
      pwd: "<password>",
      roles: [ { role: "backup", db: "admin" } ]
   }
)

To learn how to configure access control, see Access Control for MongoDB 3.0.

To back up MongoDB 2.6 release series instances, create a user in the admin database with an operation that resembles the following:

copy

db.getSiblingDB("admin").createUser(
  {
    user: "<username>",
    pwd: "<password>",
    roles: [
       "clusterAdmin",
       "readAnyDatabase",
       "userAdminAnyDatabase",
       { role: "readWrite", db: "admin" },
       { role: "readWrite", db: "local" },
    ]
  }
)

See Access Control for MongoDB 2.6 for more information on the required access.

Configure Backup Credentials

After you create the user for the Backup function, add the credentials to the Backup Settings.

Navigate to Backup arrow right icon <backup-deployment> arrow right icon ellipsis icon arrow right icon Edit Credentials.
Click Credentials.
Add the appropriate credentials:

Setting Value

Backup Username Enter the Backup username.

Backup Password Enter the password for the Backup username.

User creation commands vary depending on the version of MongoDB that you use:

MongoDB 2.6 or later
MongoDB 2.4

To monitor MongoDB 2.6 instances, create a MongoDB user in the admin database with an operation that resembles the following:

copy

db.getSiblingDB("admin").createUser(
   {
      user: "<username>",
      pwd: "<password>",
      roles: [ { role: "clusterMonitor", db: "admin"
      } ]
   }
)

To learn more about the required roles, see Access Control for MongoDB 2.6.

To monitor MongoDB 2.4 instances, create a MongoDB user in the admin database with an operation that resembles the following:

copy

db.getSiblingDB("admin").addUser(
   {
      user: "<username>",
      pwd: "<password>",
      roles: [
         "clusterAdmin",
         "readAnyDatabase"
      ]
   }
)

To choose which MongoDB roles to provide for Monitoring, see Access Control for MongoDB 2.4.

Configure Monitoring Credentials

After you create the user for the Monitoring function, add the credentials to the Monitoring Settings.

Navigate to Deployment arrow right icon <deployment> arrow right icon ellipsis icon arrow right icon Monitoring Settings.
Click Credentials.
Add the appropriate credentials:

Setting Value

Monitoring Username Enter the Monitoring username.

Monitoring Password Enter the password for the Monitoring username.

← Configure the MongoDB Agent for Access Control Configure MongoDB Agent for LDAP →

Setting	Value
MongoDB Agent Username	Enter the MongoDB Agent username.
MongoDB Agent Password	Enter the password for the MongoDB Agent username.

Setting	Value
Backup Username	Enter the Backup username.
Backup Password	Enter the password for the Backup username.

Setting	Value
Monitoring Username	Enter the Monitoring username.
Monitoring Password	Enter the password for the Monitoring username.