Navigation

Configure MongoDB Authentication and Authorization

Your MongoDB deployments can use the access control mechanisms described here. You specify the authentication settings when adding the deployment. You can also edit the security settings after adding a deployment, as described on this page.

If a deployment uses access control, Monitoring and Backup must authenticate to the deployment as MongoDB users with appropriate access. If you are using the MongoDB Agent with Automation to manage your MongoDB deployments, you will enable and configure authentication through the Cloud Manager.

If you are not using the MongoDB Agent with Automation to manage your MongoDB deployments, you must activate and configure Monitoring and Backups.

Considerations

With access control enabled, you must create MongoDB users so that clients can access your databases.

If you are using the MongoDB Agent with Automation to manage your MongoDB deployments, Cloud Manager automatically creates users for the agents when you enable access control. The user created for the MongoDB Agent has privileges to administrate and manage other users. As such, the first user you create can have any role.

When you select an Authentication Mechanism for your Cloud Manager group, this enables access control for all the deployments in your Cloud Manager group.

Recommendation

To avoid inconsistencies, use the Cloud Manager interface to manage users and roles for MongoDB deployments.

For more information on MongoDB access control, see the Authentication and Authorization pages in the MongoDB manual.

Access Control Mechanisms

SCRAM-SHA-1 and SCRAM-SHA-256

MongoDB supports the following implementations of challenge-response mechanisms for authenticating users with passwords.

In the following table, the default authentication mechanism for the release series is marked with check square icon and acceptable authentication mechanisms are marked with check circle icon .

MongoDB Release Series MONGODB-CR SCRAM-SHA-1 SCRAM-SHA-256
4.0.x   check circle icon check square icon
3.6.x check circle icon check square icon  
3.4.x check circle icon check square icon  
3.2.x check circle icon check square icon  
3.0.x check circle icon check square icon  
Pre-3.0 check square icon    

To enable SCRAM-SHA-1 or SCRAM-SHA-256 when using:

LDAP

MongoDB Enterprise supports proxy authentication of users. This allows administrators to configure a MongoDB cluster to authenticate users by proxying authentication requests to a specified LDAP service.

To enable LDAP for your Cloud Manager project when using:

Kerberos

MongoDB Enterprise supports authentication using a Kerberos service. Kerberos is an IETF (RFC 4120) standard authentication protocol for large client/server systems.

To use MongoDB with Kerberos, you must have a properly configured Kerberos deployment, configure Kerberos service principals for MongoDB, and add the Kerberos user principal.

To enable Kerberos for your Cloud Manager project when using:

Specify Kerberos as the MongoDB process’s authentication mechanism when adding or editing the deployment.

x.509

MongoDB supports x.509 certificate authentication for use with a secure TLS/SSL connection. The x.509 client authentication allows clients to authenticate to servers with certificates rather than with a username and password.

To enable x.509 authentication for your Cloud Manager project when using:

Note

Cloud Manager does not currently support using x.509 certificates for membership authentication.

Edit Host Credentials

You can configure the deployment to use the authentication mechanism from the Cloud Manager interface. The Manage MongoDB Users and Roles tutorials describe how to configure an existing deployment to use each authentication mechanism.