Configure MongoDB Authentication and Authorization
- OAuth 2.0 authentication for programmatic access to Cloud Manager is available as a Preview feature.
- The feature and the corresponding documentation might change at any time during the Preview period. To use OAuth 2.0 authentication, create a service account to use in your requests to the Cloud Manager Public API.
Your MongoDB deployments can use the access control mechanisms described on this page. You specify the authentication settings when adding the deployment. You can edit the security settings after adding a deployment.
If a deployment uses access control, the MongoDB Agent must authenticate to the deployment as MongoDB users with appropriate access. Enable and configure authentication through the Cloud Manager.
Considerations
With access control enabled, you must create MongoDB users so that clients can access your databases.
Cloud Manager automatically creates a user for the MongoDB Agent when you enable access control. The MongoDB Agent can administrate and manage other users. As such, the first user you create can have any role.
When you select an Authentication Mechanism for your Cloud Manager group, this enables access control for all the deployments in your Cloud Manager group.
Note
Recommendation
To avoid inconsistencies, use the Cloud Manager interface to manage users and roles for MongoDB deployments.
Tip
See also:
To learn more about MongoDB access control, see the Authentication and Authorization pages in the MongoDB manual.
Access Control Mechanisms
SCRAM-SHA-1
and SCRAM-SHA-256
MongoDB supports the following implementations of challenge-response mechanisms for authenticating users with passwords.
In the following table, the default authentication mechanism for the release series is marked with and acceptable authentication mechanisms are marked with .
MongoDB Release Series | |||
---|---|---|---|
5.x.x | |||
4.4.x | |||
4.2.x |
To enable SCRAM-SHA-1
or SCRAM-SHA-256
for your Cloud Manager project,
complete the following tasks:
LDAP
MongoDB Enterprise supports proxy authentication of users. This allows administrators to configure a MongoDB cluster to authenticate users by proxying authentication requests to a specified LDAP service.
To enable LDAP for your Cloud Manager project, complete the following tasks:
OIDC
MongoDB Enterprise allows authentication using OIDC. To authenticate with OIDC, you must first register your OIDC or OAuth application with an IdP that supports OIDC standard, such as as Microsoft Entra ID, Okta, and Ping Identity.
To enable OIDC for your Cloud Manager project, Enable Authentication and Authorization with OIDC/OAuth 2.0.
Kerberos
MongoDB Enterprise supports authentication using a Kerberos service. Kerberos is an IETF (RFC 4120) standard authentication protocol for large client/server systems.
To use MongoDB with Kerberos, you must have a properly configured Kerberos deployment, configure Kerberos service principals for MongoDB, and add the Kerberos user principal.
To enable Kerberos for your Cloud Manager project, complete the following tasks:
Specify Kerberos as the MongoDB process's authentication mechanism when adding or editing the deployment.
X.509
MongoDB supports X.509 certificate authentication for use with a secure TLS connection. The X.509 client authentication allows clients to authenticate to servers with certificates rather than with a username and password.
To enable X.509 authentication for your Cloud Manager project, complete the following tasks:
You can also use X.509 certificates for membership authentication for the processes that Cloud Manager monitors.
Edit Host Credentials
You can configure the deployment to use the authentication mechanism from the Cloud Manager interface. The Manage MongoDB Users and Roles tutorials describe how to configure an existing deployment to use each authentication mechanism.