Configure Monitoring Agent for Authentication
MongoDB 4.0 supports the SCRAM authentication mechanism with the SHA-256 and SHA-1 hash functions. SCRAM-SHA-1 (RFC 5802) and SCRAM-SHA-256 (RFC 7677) are IETF standards that define best practice methods for implementation of challenge-response mechanisms for authenticating users with passwords.
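The challenge-response exchange that RFC 5802 and RFC 7677 define, sketched for SCRAM-SHA-256 as an added example (not code from MongoDB or Ops Manager). The user name, password, salt and nonces are constructed, the function names are hypothetical, and SASLprep and the server signature step are omitted.

```python
import base64, hashlib, hmac

def _hmac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _derive_keys(password: str, salt: bytes, iterations: int) -> tuple:
    # SaltedPassword := PBKDF2-HMAC-SHA-256 (RFC 5802 "Hi"); ASCII password
    # assumed, so SASLprep normalization is skipped in this sketch.
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return _hmac(salted, b"Client Key"), _hmac(salted, b"Server Key")

def server_record(password: str, salt: bytes, iterations: int) -> dict:
    """Per-user verifier kept by the server; the password is not stored."""
    client_key, server_key = _derive_keys(password, salt, iterations)
    return {"salt": salt, "i": iterations, "server_key": server_key,
            "stored_key": hashlib.sha256(client_key).digest()}

def client_proof(password: str, salt: bytes, iterations: int, auth_message: bytes) -> bytes:
    """ClientProof := ClientKey XOR HMAC(StoredKey, AuthMessage)."""
    client_key, _ = _derive_keys(password, salt, iterations)
    stored_key = hashlib.sha256(client_key).digest()
    return _xor(client_key, _hmac(stored_key, auth_message))

def server_verify(record: dict, auth_message: bytes, proof: bytes) -> bool:
    """Recover ClientKey from the proof and compare H(ClientKey) to StoredKey."""
    recovered = _xor(proof, _hmac(record["stored_key"], auth_message))
    return hmac.compare_digest(hashlib.sha256(recovered).digest(), record["stored_key"])

def run_exchange(user: str, typed_password: str, record: dict, cnonce: str, snonce: str):
    """Build the SCRAM messages; return (authenticated?, messages on the wire)."""
    b64 = lambda raw: base64.b64encode(raw).decode()
    client_first_bare = f"n={user},r={cnonce}"
    server_first = f"r={cnonce}{snonce},s={b64(record['salt'])},i={record['i']}"
    client_final_bare = f"c=biws,r={cnonce}{snonce}"  # "biws" = base64("n,,"), no channel binding
    auth_message = f"{client_first_bare},{server_first},{client_final_bare}".encode()
    proof = client_proof(typed_password, record["salt"], record["i"], auth_message)
    wire = ["n,," + client_first_bare, server_first, f"{client_final_bare},p={b64(proof)}"]
    return server_verify(record, auth_message, proof), wire

# Constructed sample values: hypothetical agent user, password, salt and nonces.
RECORD = server_record("constructed-agent-pw", b"constructed-salt", 4096)
if __name__ == "__main__":
    ok, wire = run_exchange("monitoring-agent", "constructed-agent-pw", RECORD, "c0nstructedC", "c0nstructedS")
    print(ok, *wire, sep="\n")
```

The server record holds only the salt, iteration count and derived keys, and the proof is bound to both nonces, so a captured proof does not verify in a later exchange.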
In MongoDB 3.0 to 3.6, MongoDB’s default authentication mechanism is SCRAM-SHA-1. Prior to MongoDB 3.0, MongoDB used MongoDB Challenge and Response (MONGODB-CR) as the default. MONGODB-CR is a challenge-response mechanism that authenticates users through passwords.
The Monitoring Agent can use SCRAM-SHA-1 or SCRAM-SHA-256 to authenticate to hosts that enforce access control. To authenticate using SCRAM-SHA-1 or SCRAM-SHA-256, create a user in the admin database with the appropriate roles in MongoDB.
Note
Ops Manager can manage Agent authentication for you if you enable Automation. With Automation, Ops Manager creates the users for each Agent and configures the Agent appropriately. To learn more about authentication, see Enable Username and Password Authentication for your Ops Manager Project.
Procedures
Create MongoDB User for the Agent
Connect to the mongod or mongos instance as a user with access to create database users. See the db.createUser() method page in the MongoDB Manual.
To authenticate to sharded clusters, create shard-local users on each shard and create cluster-wide users:
- Create cluster users while connected to the mongos: these credentials persist to the config servers.
- Create shard-local users by connecting directly to the replica set for each shard.
MongoDB 2.6 and Later
To monitor MongoDB 2.6 instances, create a user in the admin database with an operation that resembles the following:
See Access Control for MongoDB 2.6 for more information on the required access.
MongoDB 2.4
To monitor MongoDB 2.4 instances, create a user in the admin database with an operation that resembles the following:
Refer to the Access Control for MongoDB 2.4 reference to choose which MongoDB roles to provide for the Monitoring Agent. For example, if you wish to monitor with database profiling, you will need to include the dbAdminAnyDatabase role.
Host Settings
MongoDB agents interact with the MongoDB databases in your deployment as a MongoDB user would. Each agent must be authenticated and then granted privileges according to its roles in your deployment. As a result, you must configure your MongoDB deployment and your agents to support authentication.
You can specify the deployment’s authentication mechanisms when adding the deployment, or you can edit the settings for an existing deployment. At minimum, the deployment must enable the authentication mechanism you want the agents to use.
Adding an agent as a MongoDB user requires configuring an authentication mechanism. Agents can use any supported authentication mechanism, but all agents must use the same mechanism.