- Agents >
- Automation Agent >
- Required Access for Automation Agent
Required Access for Automation Agent¶
On this page
If your MongoDB deployment enforces access control, the Ops Manager Automation Agent must authenticate to MongoDB as a user with the proper access.
If you use Automation, Ops Manager manages authentication. If you do not use Automation, follow the instructions on this page.
To authenticate, create a user with the appropriate roles in MongoDB. The following tutorials include instructions and examples for creating the MongoDB user:
- Configure Automation Agent for Authentication.
- Configure Automation Agent for LDAP.
- Configure the Automation Agent for Kerberos.
MongoDB user roles are separate from Ops Manager user roles and are described in the MongoDB manual beginning with the Authorization page.
Considerations¶
To authenticate to sharded clusters, create shard-local users on each shard and create cluster-wide users:
- Create cluster users while connected to the
mongos
: these credentials persist to the config servers. - Create shard-local users by connecting directly to the replica set for each shard.
Important
Every process in your Ops Manager deployment must use the same username and roles for the Automation Agent user.
Prerequisites¶
Connect to the mongod
or mongos
instance as a user with access to
create database users.
See db.createUser() method
page in the MongoDB Manual.
To automate MongoDB instances, the automation agent must authenticate to the database as a user with the following access:
Required Role | Database |
---|---|
clusterAdmin |
admin |
readWriteAnyDatabase |
admin |
userAdminAnyDatabase |
admin |
dbAdminAnyDatabase |
admin |
backup |
admin |
restore |
admin |
Authentication Mechanisms¶
To authenticate, create the user in MongoDB with the appropriate access. The authentication method that the MongoDB deployment uses determines how to create the user as well as determine any additional agent configuration:
- For MONGODB-CR (MongoDB Challenge-Response) authentication, see Configure Backup Agent for Authentication.
- For LDAP authentication, see Configure Backup Agent for LDAP Authentication.
- For Kerberos authentication, see Configure the Backup Agent for Kerberos.