Required Access for MongoDB Agent
If your MongoDB deployment enforces access control, the Ops Manager MongoDB Agent must authenticate to MongoDB as a user with the proper access.
Note
The instructions on this page are for deployments that do not use Automation. If you use Automation, Ops Manager manages authentication for you and the following instructions do not apply.
To authenticate, create a user with the appropriate roles in MongoDB. The following tutorials include instructions and examples for creating the MongoDB Agent user in your MongoDB deployment:
- Configure MongoDB Agent for Authentication.
- Configure MongoDB Agent for LDAP.
- Configure the MongoDB Agent for Kerberos.
- Configure the MongoDB Agent for X.509 Authentication.
MongoDB user roles are separate from Ops Manager user roles. These roles and their privileges are described in the MongoDB manual beginning with the Authorization page.
Considerations
To authenticate to sharded clusters, create shard-local users on each shard and create cluster-wide users:
- Create shard-local users by connecting directly to the replica set for each shard.
- Create cluster-wide users while connected to the mongos: these credentials persist to the config servers.
Important
Every mongod and mongos process in your Ops Manager deployment must use the same username and roles for the MongoDB Agent user.
Automation
Connect to the mongod or mongos instance as a user with access to create database users. See the db.createUser() method page in the MongoDB Manual.
To automate MongoDB instances, the MongoDB Agent must authenticate to the database as a MongoDB user with the following access:
Required Role | Database |
---|---|
clusterAdmin | admin |
readWriteAnyDatabase | admin |
userAdminAnyDatabase | admin |
dbAdminAnyDatabase | admin |
backup | admin |
restore | admin |
Backup
- MongoDB 3.0 or later
- MongoDB 2.6
To back up MongoDB instances running 3.0 and later, the MongoDB Agent must authenticate as a user with the following role:
Required Role | Database |
---|---|
backup | admin |
To back up MongoDB instances running 2.6, the MongoDB Agent must authenticate as a user with the following roles:
Required Role | Database |
---|---|
clusterAdmin | admin |
readAnyDatabase | admin |
userAdminAnyDatabase | admin |
readWrite | admin |
readWrite | local |
Monitoring
- MongoDB 2.6 or later
- MongoDB 2.4
To monitor MongoDB 2.6 instances, including dbStats and database profiling information, the MongoDB Agent must authenticate to the database as a user with the following role:
Required Role | Database |
---|---|
clusterMonitor | admin |
Monitor without Database Profiling
To monitor MongoDB 2.4 instances, including dbStats operations, the MongoDB Agent must authenticate as a user with the following roles:
Required Roles | Database |
---|---|
clusterAdmin | admin |
readAnyDatabase | admin |
However, a user with the specified access cannot monitor with profiling. If this user tries to monitor with profiling, the mongod log file may report the following message at the default logging level:
You can ignore this message if you do not want Ops Manager to collect profile data. If you want to collect profile data, configure Ops Manager monitoring as specified in “Monitor with Database Profiling”.
Monitor with Database Profiling
Profiling captures in-progress read and write operations, cursor operations, and database command information about the database.
To monitor MongoDB 2.4 databases with database profiling, the MongoDB Agent must authenticate as a user with the following roles:
Required Roles | Database |
---|---|
clusterAdmin | admin |
readAnyDatabase | admin |
dbAdminAnyDatabase | admin |
Monitor without dbStats
Monitoring without dbStats excludes database storage, records, indexes, and other statistics.
To monitor MongoDB 2.4 databases without dbStats, the MongoDB Agent must authenticate as a user with the following role:
Required Role | Database |
---|---|
clusterAdmin | admin |
Authentication Mechanisms
To authenticate, create the user in MongoDB with the appropriate access. The authentication method that the MongoDB deployment uses determines which options to set when creating the user and any additional MongoDB Agent configuration:
- For SCRAM authentication, see Configure MongoDB Agent for Authentication.
- For LDAP authentication, see Configure MongoDB Agent for LDAP.
- For Kerberos authentication, see Configure the MongoDB Agent for Kerberos.
- For X.509 authentication, see Configure the MongoDB Agent for X.509 Authentication.
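The role tables above and the same-username-and-roles requirement under Considerations can be checked mechanically. The following is an added example, not code from Ops Manager or the MongoDB manual: it compares the `roles` array of each process's agent user document (the shape the usersInfo command returns) with the roles this page lists for Automation, Backup (3.0 or later) and Monitoring (2.6 or later). Flagging roles beyond the listed ones is this example's own least-privilege check; the username `mms-agent` and the process names are constructed placeholders.

```javascript
// Added example, not Ops Manager code. Role sets are copied from this page's tables.
const REQUIRED = {
  automation: ["clusterAdmin", "readWriteAnyDatabase", "userAdminAnyDatabase",
    "dbAdminAnyDatabase", "backup", "restore"].map((r) => `${r}@admin`),
  backup: ["backup@admin"], // MongoDB 3.0 or later
  monitoring: ["clusterMonitor@admin"], // MongoDB 2.6 or later
};

// Compare one user document (as returned by usersInfo) with the roles the
// enabled agent functions need. A missing user (null) counts as no roles.
function auditUser(userDoc, functions) {
  const needed = new Set(functions.flatMap((f) => REQUIRED[f]));
  const granted = new Set((userDoc?.roles ?? []).map((r) => `${r.role}@${r.db}`));
  return {
    user: userDoc?.user ?? null,
    missing: [...needed].filter((r) => !granted.has(r)).sort(),
    excess: [...granted].filter((r) => !needed.has(r)).sort(),
    granted: [...granted].sort(),
  };
}

// Audit every process and confirm the agent user has the same username and
// roles everywhere, as the Considerations section requires.
function auditDeployment(usersByProcess, functions) {
  const perProcess = {};
  const signatures = new Set();
  for (const [proc, userDoc] of Object.entries(usersByProcess)) {
    const { granted, ...result } = auditUser(userDoc, functions);
    perProcess[proc] = result;
    signatures.add(JSON.stringify([result.user, granted]));
  }
  return { consistent: signatures.size === 1, perProcess };
}

// Constructed sample: user documents collected from two shards and a mongos.
// The username "mms-agent" and the process names are placeholders.
const role = (name) => ({ role: name, db: "admin" });
const SAMPLE = {
  "shard0/mongod": { user: "mms-agent", roles: [role("clusterMonitor"), role("backup")] },
  "shard1/mongod": { user: "mms-agent", roles: [role("clusterMonitor"), role("backup"), role("root")] },
  "mongos": { user: "mms-agent", roles: [role("clusterMonitor")] },
};

const report = auditDeployment(SAMPLE, ["monitoring", "backup"]);
console.log(JSON.stringify(report, null, 2));
```

In the sample, the second shard's user carries an extra `root` role and the mongos user lacks `backup`, so the deployment is reported as inconsistent.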