Navigation

Add Monitored Processes to Automation

Overview

Cloud Manager Automation lets you deploy, reconfigure and upgrade your MongoDB databases directly from the Cloud Manager console.

If Cloud Manager is already monitoring your MongoDB processes, you can add them to Automation.

Automation relies on the Automation Agent, which you install on each server that hosts a process to be added to automated management. The Automation Agents regularly poll Cloud Manager to determine goal configuration and deploy changes as needed.

Considerations

Automation supports most but not all available MongoDB options. See Supported MongoDB Options for Automation for supported MongoDB deployment options.

When adding a MongoDB deployment requiring authentication, you have the option of importing that process’s users and roles. During import, Cloud Manager prompts you to resolve any conflicts that may occur between the imported users and roles and the managed users and roles.

Automation and Updated Security Settings Upon Import

Adding a MongoDB deployment to automation may affect the security settings of the Cloud Manager group or the MongoDB deployment or both.

Enables Cloud Manager Group Security Setting

If the MongoDB deployment requires authentication but the Cloud Manager group does not have authentication settings enabled, upon successful addition of the MongoDB deployment to automation, the group’s security settings will have the security settings of the newly imported deployment.

Note

The import process only enables the Cloud Manager group’s security setting if the group’s security setting is currently not enabled. If the group’s security setting is currently enabled, the import process does not disable the group’s security setting or change its enabled authentication mechanism.

Imports MongoDB Users and Roles

Note

The following applies for situations where at least either the MongoDB deployment requires authentication or the Cloud Manager group has authentication settings enabled.

If the MongoDB deployment contains users or user-defined roles, you can choose to import these users and roles for Cloud Manager to manage. The imported users and roles are Synced to all managed deployments in the Cloud Manager group.

If the Enforce Consistent Set value for the Cloud Manager group is YES, users and roles not imported are deleted from the MongoDB deployment.

If the Enforce Consistent Set value for the Cloud Manager group is No, the Cloud Manager group does not manage the non-imported users and roles. All non-imported and existing users and roles remain in the MongoDB deployment. To manage these users and roles, you must connect directly to the MongoDB deployment.

If importing users and roles, before you confirm and deploy the changes, you can, from the Authentication & Users and Authentication & Roles screens, remove specific users and roles from being imported by unmanaging these users. For details on unmanaging MongoDB users, see Manage or Unmanage MongoDB Users.

If the imported MongoDB deployment already has mms-backup-agent and mms-monitoring-agent users in its admin database, the import procedure overrides the roles of these users with the roles for mms-backup-agent and mms-monitoring-agent users as set in the Cloud Manager group.

Applies to All Deployments in Cloud Manager Group

The group’s updated security settings, including all users and roles managed as part of the Cloud Manager group, apply to all deployments in the group, including the imported MongoDB deployment.

Cloud Manager restarts all deployments in the group with the new setting, including the imported MongoDB deployment. All deployments in the group will use the Cloud Manager automation keyfile upon restart.

If the existing deployment or deployments in the group require a different security profile from the imported process, create a new group into which you can import the MongoDB deployment.

Examples of Imported Users

Note

The following applies for situations where at least either the MongoDB deployment requires authentication or the Cloud Manager group has authentication settings enabled.

If you choose to import the MongoDB users and custom roles, once Cloud Manager group manages the MongoDB deployment, regardless of the value of Enforce Consistent Set:

Enforce Consistent Set Results
Yes or No
Cloud Manager group:
  • Authentication is enabled.
  • Manages the imported users and roles.
  • Syncs the new users and roles to all its managed deployments.
The MongoDB deployment:
  • Has access control enabled and requires authentication.
  • All users and roles that the Cloud Manager group manages (i.e. has Synced set to Yes ) exist in the MongoDB deployment.

If you choose not to import the users, once Cloud Manager group manages the MongoDB deployment:

Enforce Consistent Set Results
Yes
Cloud Manager group:
  • Authentication is enabled.
  • Has no changes to its managed users and roles.
The MongoDB deployment:
  • Has access control enabled and requires authentication.
  • The non-imported MongoDB users and roles will be deleted from the MongoDB deployment.
  • All users and roles that the Cloud Manager group manages (i.e. has Synced set to Yes ) exist in the MongoDB deployment.
No
Cloud Manager group:
  • Authentication is enabled.
  • Has no changes to its security settings, including users and roles.
The MongoDB deployment:
  • Has access control enabled and requires authentication.
  • The non-imported MongoDB users and roles remain in the MongoDB deployment.
  • All users and roles managed by the Cloud Manager group (i.e. has Synced set to Yes ) exist in the MongoDB deployment.

Prerequisites

Cloud Manager is Monitoring the Processes

Cloud Manager must be currently monitoring the MongoDB processes, and the Monitoring Agent must be running. The processes must appear on the Cloud Manager Deployment page.

See also

Add Existing MongoDB Processes to Cloud Manager to enable Cloud Manager to automate and monitor your MongoDB processes if Cloud Manager does not currently do so.

Before proceeding, please ensure that your deployment meets the Deployment Prerequisites.

Add Automation Agent User to MongoDB Process

  • If the Cloud Manager group does not have authentication settings enabled, but the MongoDB process requires authentication, add an automation user for the Cloud Manager group with the appropriate roles. The import process displays the required roles for the user. The added user becomes the group’s Automation Agent user.

  • If the Cloud Manager group has authentication settings enabled, add the Cloud Manager group’s Automation Agent user to the MongoDB process. To find the Automation Agent user, click Deployments, then Security, then Users.

  • To find the password for the Cloud Manager group’s Automation Agent user, you can use the UI, the API or the configuration backup file:

    Using the UI
    1. Navigate to Deployment, Security, and then Authentication & TLS/SSL

    2. Click Edit Settings.

    3. Click Next until you see the Configure Cloud Manager Agents page.

    4. Click Show to the right of the Automation Agent Password field.

      The Automation Agent’s password displays.

    Using the API

    Use the Automation Configuration Resource endpoint:

    curl -u "<username>:<apikey>" --digest -i "<host>/api/public/v1.0/groups/<Group-ID>/automationConfig"
    
    Using the Cloud Manager Configuration Backup file

    Open the mmsConfigBackup file in your preferred text editor and find the autoPwd value.

Example

If the Cloud Manager group has Username/Password mechanism selected for its authentication settings, add the group’s Cloud Manager Automation Agents User mms-automation to the admin database in the MongoDB deployment to import.

use admin

db.createUser(
   {
     user: "mms-automation",
     pwd: <password>,
     roles: [
        'clusterAdmin',
        'dbAdminAnyDatabase',
        'readWriteAnyDatabase',
        'userAdminAnyDatabase',
        'restore'
     ]
   }
)

Important

If you are adding a sharded cluster, you must create this user through the mongos and on every shard. That is, create the user both as a cluster wide user through mongos as well as a shard local user on each shard.

Procedure

1

Click Deployment, then the Processes tab, then the Topology view.

2

On the line listing the process, click Add.

3

Follow the prompts to add the replica set, cluster, or standalone to Automation.

If either the MongoDB deployment requires authentication or the Cloud Manager group has authentication enabled, you may import the MongoDB’s users and roles for Cloud Manager to manage. The imported users and roles will be Synced to all deployments in the Cloud Manager group.

Warning

If the Enforce Consistent Set value for the Cloud Manager group is YES, any users and roles not imported are deleted from the MongoDB deployment.

If the Enforce Consistent Set value for the Cloud Manager group is No, any users and roles not imported remain in the MongoDB deployment and are not managed by Cloud Manager.

To import users and roles:

  1. Check Yes, import users and roles from this deployment item to have Cloud Manager manage these MongoDB users and roles.
  2. Click Continue.
4

Resolve conflicts for merged users and roles. (Optional)

If you chose to import the MongoDB users and roles and one or more conflict with those already in the automated deployment, you are prompted to select which versions of the users and roles should be used:

  1. Select the correct user or role.
  2. Click Review & Deploy.

Warning

If you choose not to resolve conflicts, the conflicting records are overridden by the current configuration. Any non-conflicting users can be imported later. You can create new, or modify existing, users and roles for the added deployment once it is under automation.

See Manage Cloud Manager Users for how to create or modify users and Cloud Manager Roles for the list and definitions of roles in Cloud Manager.