
Required Access for MongoDB Agent

If your MongoDB deployment enforces access control, the Cloud Manager MongoDB Agent must authenticate to MongoDB as a user with the proper access.

Note

The instructions on this page are for deployments that do not use Automation. If you use Automation, Cloud Manager manages authentication for you and the following instructions do not apply.

To authenticate, create a user with the appropriate roles in MongoDB. The following tutorials include instructions and examples for creating the MongoDB Agent user in your MongoDB deployment:

MongoDB user roles are separate from Cloud Manager user roles. These roles and their privileges are described in the MongoDB manual beginning with the Authorization page.

Considerations

To authenticate to sharded clusters, create shard-local users on each shard and create cluster-wide users:

  • Create shard-local users by connecting directly to the replica set for each shard.
  • Create cluster-wide users while connected to the mongos: these credentials persist to the config servers.

Important

Every mongod and mongos process in your Cloud Manager deployment must use the same username and roles for the MongoDB Agent user.

Automation

Connect to the mongod or mongos instance as a user with privileges to create database users (for example, a user with userAdminAnyDatabase on admin). See the db.createUser() method page in the MongoDB Manual.

To automate MongoDB instances, the MongoDB Agent must authenticate to the database as a MongoDB user with the following access:

Required Role          Database
---------------------  --------
clusterAdmin           admin
readWriteAnyDatabase   admin
userAdminAnyDatabase   admin
dbAdminAnyDatabase     admin
backup                 admin
restore                admin

Backup

To back up MongoDB instances running 3.0 and later, the MongoDB Agent must authenticate as a user with the following role:

Required Role          Database
---------------------  --------
backup                 admin

To back up MongoDB instances running 2.6, the MongoDB Agent must authenticate as a user with the following roles (note that readWrite is granted on both the admin and the local database):

Required Role          Database
---------------------  --------
clusterAdmin           admin
readAnyDatabase        admin
userAdminAnyDatabase   admin
readWrite              admin
readWrite              local

Monitoring

To monitor MongoDB 2.6 instances, including dbStats and database profiling information, the MongoDB Agent must authenticate to the database as a user with the following role:

Required Role          Database
---------------------  --------
clusterMonitor         admin

Monitor without Database Profiling

To monitor MongoDB 2.4 instances, including dbStats operations, the MongoDB Agent must authenticate as a user with the following roles:

Required Role          Database
---------------------  --------
clusterAdmin           admin
readAnyDatabase        admin

However, a user with the specified access cannot monitor with profiling. If this user tries to monitor with profiling, the mongod log file may report the following message at the default logging level:

command denied: { profile: -1 }

You can ignore this message if you do not want Cloud Manager to collect profile data. If you want to collect profile data, configure Cloud Manager monitoring as specified in “Monitor with Database Profiling”.

Monitor with Database Profiling

Profiling captures in-progress read and write operations, cursor operations, and database command information about the database.

To monitor MongoDB 2.4 databases with database profiling, the MongoDB Agent must authenticate as a user with the following roles:

Required Role          Database
---------------------  --------
clusterAdmin           admin
readAnyDatabase        admin
dbAdminAnyDatabase     admin

Monitor without dbStats

Monitoring without dbStats excludes database storage, records, indexes, and other statistics.

To monitor MongoDB 2.4 databases without dbStats, the MongoDB Agent must authenticate as a user with the following role:

Required Role          Database
---------------------  --------
clusterAdmin           admin
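The role tables in the Automation, Backup and Monitoring sections above are easy to mistype by hand, and the Important note earlier requires the same username and roles on every mongod and mongos. The following is an added example, not code from the Cloud Manager documentation or from MongoDB: it encodes the role sets from this page, builds the document that db.createUser() accepts, and compares the document db.getUser() returns against the required set so you can confirm an existing Agent user on each node. The profile names ("automation", "backup-3.0", and so on), the function names and the sample user document are this example's own assumptions.

```javascript
"use strict";
// Added example (not from the Cloud Manager docs): role sets for the MongoDB
// Agent user as tabulated on this page, keyed by Agent function and server
// version. Profile names are this example's own labels.
const AGENT_ROLE_SETS = {
  "automation": [
    { role: "clusterAdmin", db: "admin" },
    { role: "readWriteAnyDatabase", db: "admin" },
    { role: "userAdminAnyDatabase", db: "admin" },
    { role: "dbAdminAnyDatabase", db: "admin" },
    { role: "backup", db: "admin" },
    { role: "restore", db: "admin" },
  ],
  "backup-3.0": [{ role: "backup", db: "admin" }],
  "backup-2.6": [
    { role: "clusterAdmin", db: "admin" },
    { role: "readAnyDatabase", db: "admin" },
    { role: "userAdminAnyDatabase", db: "admin" },
    { role: "readWrite", db: "admin" },
    { role: "readWrite", db: "local" },
  ],
  "monitoring-2.6": [{ role: "clusterMonitor", db: "admin" }],
  "monitoring-2.4": [
    { role: "clusterAdmin", db: "admin" },
    { role: "readAnyDatabase", db: "admin" },
  ],
  "monitoring-2.4-profiling": [
    { role: "clusterAdmin", db: "admin" },
    { role: "readAnyDatabase", db: "admin" },
    { role: "dbAdminAnyDatabase", db: "admin" },
  ],
  "monitoring-2.4-no-dbstats": [{ role: "clusterAdmin", db: "admin" }],
};

// A role is identified by name AND database: readWrite@admin and
// readWrite@local are different grants (see the 2.6 backup table).
const roleKey = (r) => `${r.role}@${r.db}`;

// Union of the named profiles' roles, de-duplicated, so one Agent user can
// serve several functions (e.g. backup plus monitoring) on one deployment.
// Unknown profile names are rejected rather than silently yielding no roles.
function requiredRoles(...profiles) {
  const merged = new Map();
  for (const p of profiles) {
    const set = AGENT_ROLE_SETS[p];
    if (!set) throw new Error(`unknown agent profile: ${p}`);
    for (const r of set) merged.set(roleKey(r), { role: r.role, db: r.db });
  }
  return [...merged.values()];
}

// The document to pass to db.getSiblingDB("admin").createUser(...). Creating
// the user in admin makes admin its authentication database; the roles array
// may still grant roles on other databases (local for 2.6 backup).
function agentUserSpec(username, password, ...profiles) {
  return { user: username, pwd: password, roles: requiredRoles(...profiles) };
}

// Given the document returned by db.getSiblingDB("admin").getUser(username),
// return the required roles it lacks as "role@db" strings. Run it against
// every mongod, mongos and shard replica set to check the roles match.
function missingRoles(userDoc, ...profiles) {
  const have = new Set((userDoc.roles || []).map(roleKey));
  return requiredRoles(...profiles).map(roleKey).filter((k) => !have.has(k));
}

// Stand-alone demo on a constructed getUser() result (not real data).
const demoSpec = agentUserSpec("mms-automation", "<password>", "automation");
console.log(JSON.stringify(demoSpec, null, 2));
const demoExisting = {
  user: "mms-backup", db: "admin",
  roles: [{ role: "backup", db: "admin" }],   // constructed sample
};
console.log("missing for automation:", missingRoles(demoExisting, "automation"));
```

In mongosh you would paste the functions and run `db.getSiblingDB("admin").createUser(agentUserSpec("mms-automation", passwordPrompt(), "automation"))`, using passwordPrompt() rather than a literal so the secret does not land in shell history. For a sharded cluster, run the createUser call once while connected to each shard's replica set and once while connected to a mongos, as the Considerations section describes, then call missingRoles() on the getUser() result from each connection.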

Authentication Mechanisms

To authenticate, create the user in MongoDB with the appropriate access. The authentication method that the MongoDB deployment uses determines which options to set when creating the user as well as determining any additional MongoDB Agent configuration: