Navigation
This version of the documentation is archived and no longer supported. To learn how to upgrade your version of MongoDB Ops Manager, refer to the upgrade documentation.
You were redirected from a different version of the documentation. Click here to go back.

Required Access for MongoDB Agent

If your MongoDB deployment enforces access control, the Ops Manager MongoDB Agent must authenticate to MongoDB as a user with the proper access.

Note

The instructions on this page are for deployments that do not use Automation. If you use Automation, Ops Manager manages authentication for you and the following instructions do not apply.

To authenticate, create a user with the appropriate roles in MongoDB. The following tutorials include instructions and examples for creating the MongoDB Agent user in your MongoDB deployment:

MongoDB user roles are separate from Ops Manager user roles. These roles and their privileges are described in the MongoDB manual beginning with the Authorization page.

Considerations

To authenticate to sharded clusters, create shard-local users on each shard and create cluster-wide users:

  • Create shard-local users by connecting directly to the replica set for each shard.
  • Create cluster-wide users while connected to the mongos: these credentials persist to the config servers.

Important

Every mongod and mongos process in your Ops Manager deployment must use the same username and roles for the MongoDB Agent user.

Automation

Connect to the mongod or mongos instance as a user with access to create database users. See db.createUser() method page in the MongoDB Manual.

To automate MongoDB instances, the MongoDB Agent must authenticate on the admin database as a MongoDB user with the following roles:

Backup

To backup MongoDB instances, the MongoDB Agent must authenticate on the listed database as a MongoDB user with the required roles.

MongoDB Database Version MongoDB FCV Required Role Database
4.2.x or later 4.2 or later clusterAdmin admin
3.0.0 through 4.2.x 4.0 or earlier backup admin
2.6.x   admin
2.6.x   readWrite local

Monitoring

To monitor MongoDB instances, the MongoDB Agent must authenticate on the admin database as a MongoDB user with the clusterMonitor role.

Monitoring includes gathering dbStats and database profiling information.

Authentication Mechanisms

To authenticate, create the user in MongoDB with the appropriate access. The authentication method that the MongoDB deployment uses determines which options to set when creating the user as well as determining any additional MongoDB Agent configuration: