Configure MongoDB Agent for Authentication
- OAuth 2.0 authentication for programmatic access to Cloud Manager is available as a Preview feature.
- The feature and the corresponding documentation might change at any time during the Preview period. To use OAuth 2.0 authentication, create a service account to use in your requests to the Cloud Manager Public API.
MongoDB supports the following authentication mechanisms depending on your MongoDB version:
MongoDB Version | Default Authentication Mechanism |
---|---|
4.0 or later | |
3.0 to 3.6 | SCRAM authentication mechanism with the SHA-1 hash function. |
2.6 or earlier | MongoDB Challenge and Response (MONGODB-CR). MONGODB-CR is a challenge-response mechanism that authenticates users through passwords. |
The MongoDB Agent can use SCRAM-SHA-1 or SCRAM-SHA-256 to authenticate to hosts that enforce access control.
Note
With Automation, Cloud Manager manages MongoDB Agent authentication for you. To learn more about authentication, see Enable Username and Password Authentication for your Cloud Manager Project.
Prerequisites
Configure Deployments to Use Authentication
The MongoDB Agent interacts with the MongoDB databases in your deployment as a MongoDB user would. As a result, you must configure your MongoDB deployment and the MongoDB Agent to support authentication.
You can specify the deployment's authentication mechanisms when adding the deployment, or you can edit the settings for an existing deployment. At minimum, the deployment must enable the authentication mechanism you want the MongoDB Agent to use. The MongoDB Agent can use any supported authentication mechanism.
Configure Deployments Managed by Automation
When you install the MongoDB Agent with Automation, Cloud Manager creates a user to authenticate on the MongoDB database. Cloud Manager creates this MongoDB user (mms-automation) in the admin database with the correct privileges for each MongoDB Agent function.
Configure these credentials in Cloud Manager.
In MongoDB Cloud Manager, go to the Deployment page for your project.
If it is not already displayed, select the organization that contains your desired project from the Organizations menu in the navigation bar.
If it's not already displayed, select your desired project from the Projects menu in the navigation bar.
If the Deployment page is not already displayed, click Deployment in the sidebar.
The Deployment page displays.
Go to the Security page.
Click the Security tab for your deployment.
The Security page displays.
Configure Deployments Not Managed by Automation
Each MongoDB Agent function uses a different set of MongoDB shell (mongosh) commands to configure a user with the appropriate roles and privileges.
Backup
User creation commands vary depending on the version of MongoDB that you use:
To back up MongoDB instances running FCV 4.2 and later, create a user in the admin database. Assign this user the roles provided in the following example.
Use the following mongosh command to create the user:
db.getSiblingDB("admin").createUser( { user: "<username>", pwd: "<password>", roles: [ { role: "clusterAdmin", db: "admin" } ] } )
To learn more about the required access, see Required Access for MongoDB Agent Backup.
To back up MongoDB instances running FCV 4.0 or earlier, create a user in the admin database. Assign this user the roles provided in the following example.
Use the following mongosh command to create the user:
db.getSiblingDB("admin").createUser( { user: "<username>", pwd: "<password>", roles: [ { role: "backup", db: "admin" } ] } )
To learn more about the required access, see Required Access for MongoDB Agent Backup.
Configure Backup Credentials
After you create the user for the Backup function, add the credentials to the Backup Settings.
Navigate to Backup <backup-deployment> Edit Credentials.
Click Credentials.
Add the appropriate credentials:
Setting | Value |
---|---|
Backup Username | Enter the Backup username. |
Backup Password | Enter the password for the Backup username. |
Monitoring
To monitor MongoDB 4.0 or later instances that use SCRAM authentication, add a user to the admin database in MongoDB. Assign this user the roles provided in the following example.
db.getSiblingDB("admin").createUser( { user: "<username>", pwd: "<password>", roles: [ { role: "clusterMonitor", db: "admin" } ] } )
To learn what roles this function requires, see Monitoring settings.
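The Backup and Monitoring role assignments above, turned into a least-privilege check (an added example, not part of the Cloud Manager documentation): it compares a user document shaped like usersInfo output against the roles this page assigns per agent function and FCV. The function names and the sample users are hypothetical and constructed for illustration.

```javascript
// Roles this page assigns per MongoDB Agent function, all on the admin database.
// Backup switches role at the FCV boundary stated above: 4.2 and later vs 4.0 or earlier.
function expectedRoles(agentFunction, fcv) {
  const [major, minor] = fcv.split(".").map(Number);
  if (!Number.isInteger(major) || !Number.isInteger(minor)) {
    throw new Error(`unparseable FCV: ${fcv}`);
  }
  const atLeast42 = major > 4 || (major === 4 && minor >= 2);
  switch (agentFunction) {
    case "backup":
      return [{ role: atLeast42 ? "clusterAdmin" : "backup", db: "admin" }];
    case "monitoring": // the page's monitoring example covers MongoDB 4.0 or later
      return [{ role: "clusterMonitor", db: "admin" }];
    default:
      throw new Error(`unknown agent function: ${agentFunction}`);
  }
}

// Mechanisms the page says the MongoDB Agent can use.
const AGENT_MECHANISMS = ["SCRAM-SHA-1", "SCRAM-SHA-256"];

// Compare one entry of usersInfo's `users` array against the expected roles.
function auditAgentUser(userDoc, agentFunction, fcv) {
  const key = (r) => `${r.role}@${r.db}`;
  const want = new Set(expectedRoles(agentFunction, fcv).map(key));
  const have = new Set((userDoc.roles || []).map(key));
  const findings = [];
  if (userDoc.db !== "admin") findings.push(`user defined in ${userDoc.db}, not admin`);
  for (const r of want) if (!have.has(r)) findings.push(`missing role ${r}`);
  for (const r of have) if (!want.has(r)) findings.push(`extra role ${r}`);
  const mechs = userDoc.mechanisms || [];
  if (!mechs.some((m) => AGENT_MECHANISMS.includes(m))) {
    findings.push("no SCRAM mechanism usable by the agent");
  }
  return findings;
}

// Constructed sample documents, shaped like usersInfo output (not real accounts).
const sampleMonitoring = { user: "mon-agent", db: "admin",
  roles: [{ role: "clusterMonitor", db: "admin" }], mechanisms: ["SCRAM-SHA-256"] };
const sampleBackup = { user: "bkp-agent", db: "admin",
  roles: [{ role: "backup", db: "admin" }, { role: "root", db: "admin" }],
  mechanisms: ["SCRAM-SHA-1"] };

console.log(auditAgentUser(sampleMonitoring, "monitoring", "6.0"));
console.log(auditAgentUser(sampleBackup, "backup", "4.4"));
```

An empty result means the user carries exactly the role this page lists for that function; any "extra role" finding is a privilege the agent does not need.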
Configure Monitoring Credentials
After you create the user for the Monitoring function, add the credentials to the Monitoring Settings.
In MongoDB Cloud Manager, go to the Deployment page for your project.
If it is not already displayed, select the organization that contains your desired project from the Organizations menu in the navigation bar.
If it's not already displayed, select your desired project from the Projects menu in the navigation bar.
If the Deployment page is not already displayed, click Deployment in the sidebar.
The Deployment page displays.