Required Access for MongoDB Agent
- OAuth 2.0 authentication for programmatic access to Cloud Manager is available as a Preview feature.
- The feature and the corresponding documentation might change at any time during the Preview period. To use OAuth 2.0 authentication, create a service account to use in your requests to the Cloud Manager Public API.
If your MongoDB deployment enforces access control, the Cloud Manager MongoDB Agent must authenticate to MongoDB as a user with the proper access.
Note
The instructions on this page are for deployments that do not use Automation. If you use Automation, Cloud Manager manages authentication for you and the following instructions do not apply.
To authenticate, create a user with the appropriate roles in MongoDB. The following tutorials include instructions and examples for creating the MongoDB Agent user in your MongoDB deployment:
MongoDB user roles are separate from Cloud Manager user roles. These roles and their privileges are described in the MongoDB manual beginning with the Authorization page.
Considerations
To authenticate to sharded clusters, create shard-local users on each shard and create cluster-wide users:
- Create shard-local users by connecting directly to the replica set for each shard.
- Create cluster-wide users while connected to the mongos: these credentials persist to the config servers.
Important
Every mongod and mongos process in your Cloud Manager deployment must use the same username and roles for the MongoDB Agent user.
Automation
Connect to the mongod or mongos instance as a user with access to create database users. See the db.createUser() method page in the MongoDB Manual.
To automate MongoDB instances, the MongoDB Agent must authenticate on the admin database as a MongoDB user with the following roles:
Backup
To back up MongoDB instances, the MongoDB Agent must authenticate on the listed database as a MongoDB user with the required roles.
MongoDB Database Version | MongoDB FCV | Required Role | Database |
---|---|---|---|
4.2.x or later | 4.2 or later | | admin |
3.0.0 through 4.2.x | 4.0 or earlier | | admin |
2.6.x | | | admin |
2.6.x | | | local |
Monitoring
To monitor MongoDB instances, the MongoDB Agent must authenticate on the admin database as a MongoDB user with the clusterMonitor role.
Monitoring includes gathering dbStats and database profiling information.
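Both requirements above (the same MongoDB Agent username and roles on every mongod and mongos, and the clusterMonitor role on the admin database for Monitoring) can be checked from usersInfo output collected on each process. The following is an added example, not code from Cloud Manager or the MongoDB Manual; the username mms-agent, the host names and the sample documents are constructed assumptions, and it covers a monitoring-only agent user.

```javascript
// Added example: audit the MongoDB Agent user across processes (monitoring only).
// Input shape follows the usersInfo command result, collected per process with e.g.
//   db.getSiblingDB("admin").runCommand({ usersInfo: { user: AGENT_USER, db: "admin" } })
const AGENT_USER = "mms-agent";            // assumed username; use your own
const REQUIRED = ["clusterMonitor@admin"]; // role the page requires for Monitoring

// Normalise a usersInfo result to a sorted list of "role@db" strings, or null if no user.
function rolesOf(usersInfo) {
  const u = (usersInfo.users || []).find(x => x.user === AGENT_USER && x.db === "admin");
  return u ? u.roles.map(r => `${r.role}@${r.db}`).sort() : null;
}

// Returns one finding per problem; an empty array means the deployment is consistent.
function auditAgentUser(results) {
  const findings = [];
  let baseline = null; // first process that has the user; others are compared to it
  for (const [proc, info] of Object.entries(results)) {
    const roles = rolesOf(info);
    if (roles === null) { findings.push(`${proc}: agent user missing on admin`); continue; }
    for (const need of REQUIRED)
      if (!roles.includes(need)) findings.push(`${proc}: missing ${need}`);
    if (baseline === null) baseline = { proc, roles };
    else if (roles.join() !== baseline.roles.join())
      findings.push(`${proc}: roles differ from ${baseline.proc}`);
  }
  return findings;
}

// Constructed sample: one mongos and three shard primaries.
const user = roles => ({ users: [{ user: AGENT_USER, db: "admin", roles }], ok: 1 });
const sample = {
  "mongos:27017": user([{ role: "clusterMonitor", db: "admin" }]),
  "shard0:27018": user([{ role: "clusterMonitor", db: "admin" }]),
  "shard1:27018": user([{ role: "readAnyDatabase", db: "admin" }]),
  "shard2:27018": { users: [], ok: 1 },
};
console.log(auditAgentUser(sample).join("\n") || "consistent");
```

Because shard-local users exist only on their own shard, collect the usersInfo result while connected directly to each shard's replica set as well as through the mongos.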
Authentication Mechanisms
To authenticate, create the user in MongoDB with the appropriate access. The authentication method that the MongoDB deployment uses determines which options to set when creating the user and which additional MongoDB Agent configuration is required:
For SCRAM authentication, see Configure MongoDB Agent for Authentication.
For LDAP authentication, see Configure MongoDB Agent for LDAP.
For Kerberos authentication, see Configure the MongoDB Agent for Kerberos.
For X.509 authentication, see Configure the MongoDB Agent for X.509 Authentication.