Security Overview
- OAuth 2.0 authentication for programmatic access to Cloud Manager is available as a Preview feature.
- The feature and the corresponding documentation might change at any time during the Preview period. To use OAuth 2.0 authentication, create a service account to use in your requests to the Cloud Manager Public API.
Cloud Manager provides configurable encryption, authentication, and authorization to ensure the security of your MongoDB Agents and MongoDB deployments. Cloud Manager supports TLS, SCRAM-SHA-1 and SCRAM-SHA-256, LDAP, and Kerberos.
TLS Encryption
Cloud Manager can use TLS to encrypt communications when the MongoDB Agent connects to:
- Cloud Manager.
- MongoDB instances that use TLS. You must set each MongoDB host's Use TLS setting in Cloud Manager and configure the agent's TLS settings. See Configure MongoDB Agent to Use TLS.
Access Control and Authentication
MongoDB uses Role-Based Access Control (RBAC) to determine access to a MongoDB system. When run with access control, MongoDB requires users to authenticate themselves and then determines that user's permissions.
If your MongoDB deployment uses authentication and the MongoDB Agent:
- Uses Automation to manage the deployment, Cloud Manager creates the appropriate MongoDB user, gives it all necessary roles, and authenticates to the deployments as that MongoDB user.
- Does not use Automation to manage the deployment, you must create a MongoDB user for the MongoDB Agent Monitoring and Backup functions with appropriate access.
Note
Kerberos and LDAP authentication are available with MongoDB Enterprise only.
SCRAM-SHA-1 and SCRAM-SHA-256
Cloud Manager can use the SCRAM-SHA-1 and SCRAM-SHA-256 authentication mechanisms to authenticate a user on a MongoDB deployment.
If your MongoDB deployment uses SCRAM authentication and the MongoDB Agent:
- Uses Automation to manage the deployment, Cloud Manager creates the appropriate MongoDB user and gives it all necessary roles.
- Does not use Automation to manage the deployment, you must create a MongoDB user for the MongoDB Agent Monitoring and Backup functions.
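As an added illustration of the SCRAM-SHA-256 mechanism named above (this is not code from Cloud Manager or the MongoDB Agent), the following runs the four-message exchange in one process and shows what a practitioner should take from it: the server persists only a salt, an iteration count and two derived keys, the password itself never crosses the wire, and each side proves knowledge to the other. The user name and the password are constructed sample values; SASLprep normalisation of the password, which MongoDB applies, is omitted and makes no difference for ASCII input.

```python
import base64
import hashlib
import hmac
import os
import secrets


def _h(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def make_credential(password: str, iterations: int = 15000) -> dict:
    """Server-side record (RFC 5802 section 3): no password, only salt, iteration count and keys."""
    salt = os.urandom(16)
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    client_key = _h(salted, "Client Key")
    return {"salt": salt, "iterations": iterations,
            "stored_key": hashlib.sha256(client_key).digest(),
            "server_key": _h(salted, "Server Key")}


def scram_exchange(password: str, cred: dict, user: str = "agent-user") -> tuple:
    """Run SCRAM-SHA-256 with the client's password and the server's stored credential.

    Returns (server_accepted_client, client_accepted_server)."""
    c_nonce = secrets.token_urlsafe(18)
    client_first_bare = f"n={user},r={c_nonce}"
    # server-first carries the combined nonce plus the salt and iteration count the client must use
    s_nonce = c_nonce + secrets.token_urlsafe(18)
    server_first = f"r={s_nonce},s={base64.b64encode(cred['salt']).decode()},i={cred['iterations']}"
    client_final_bare = f"c=biws,r={s_nonce}"  # c=biws is base64("n,,"): no channel binding
    auth_message = f"{client_first_bare},{server_first},{client_final_bare}"
    # client side: re-derive the keys from the password and the parameters sent in server-first
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), cred["salt"], cred["iterations"])
    client_key = _h(salted, "Client Key")
    proof = _xor(client_key, _h(hashlib.sha256(client_key).digest(), auth_message))
    # server side: the proof reveals ClientKey only to a holder of StoredKey, who checks H(ClientKey)
    recovered = _xor(proof, _h(cred["stored_key"], auth_message))
    server_ok = hmac.compare_digest(hashlib.sha256(recovered).digest(), cred["stored_key"])
    # server-final: the server proves it holds ServerKey; the client checks against its own derivation
    server_sig = _h(cred["server_key"], auth_message)
    client_ok = hmac.compare_digest(server_sig, _h(_h(salted, "Server Key"), auth_message))
    return server_ok, client_ok
```

A captured transcript of this exchange yields only nonces, the salt and the two HMAC-derived proofs, none of which lets an observer log in as the agent without the password.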
LDAP
Note
Starting with MongoDB 8.0, LDAP authentication and authorization is deprecated. The feature is available and will continue to operate without changes throughout the lifetime of MongoDB 8. LDAP will be removed in a future major release.
For details, see LDAP Deprecation.
The MongoDB Agent can use the LDAP authentication mechanism to authenticate to the MongoDB deployment.
If your MongoDB deployment uses LDAP for authentication, you must create a MongoDB user for the MongoDB Agent and specify the host's authentication settings when you:
- Edit the settings for an existing host.
Kerberos
The MongoDB Agent can use the Kerberos authentication mechanism to authenticate to the MongoDB deployment.
If your MongoDB deployment uses Kerberos for authentication, you must:
- Use the same Kerberos UPN for Automation and Backup functions.
- Specify the host's authentication settings when you:
  - Add a host or
  - Edit the settings for an existing host.