Enable Kerberos Authentication for your Cloud Manager Project
On this page
- OAuth 2.0 authentication for programmatic access to Cloud Manager is available as a Preview feature.
- The feature and the corresponding documentation might change at any time during the Preview period. To use OAuth 2.0 authentication, create a service account to use in your requests to the Cloud Manager Public API.
Overview
Cloud Manager enables you to configure the Authentication Mechanisms that all clients, including the Cloud Manager Agents, use to connect to your MongoDB deployments. You can enable multiple authentication mechanisms for each of your projects, but you must choose only one mechanism for the Agents.
MongoDB Enterprise supports authentication using a Kerberos service. Kerberos is an industry standard authentication protocol for large client/server systems.
Important
Setting up and configuring a Kerberos deployment is beyond the scope of this document. This tutorial assumes you have configured a Kerberos principal for each Agent and you have a valid keytab file for each Agent.
To authenticate MongoDB with Kerberos, you must:
Have a properly configured Kerberos deployment,
Configure Kerberos service principals for MongoDB, and
Add the Kerberos user principals for the Agents.
The Kerberos Authentication section of the MongoDB Manual provides more detail about using MongoDB with Kerberos.
Considerations
Kerberos (GSSAPI)
is only available on MongoDB Enterprise builds. If
you have existing deployments running on a MongoDB Community
build, you must upgrade them to MongoDB Enterprise before you can enable
Kerberos (GSSAPI)
for your Cloud Manager project.
This tutorial describes how to enable Kerberos for one of your Cloud Manager projects and how to configure your Cloud Manager Agents to connect to your Kerberos-enabled deployment.
Note
If you want to reset Authentication and TLS settings for your project, first unmanage any MongoDB deployments that Cloud Manager manages in your project.
Procedures
These procedures describe how to configure and enable Kerberos authentication when using Automation. If Cloud Manager does not manage your Monitoring or Backups, you must manually configure them to authenticate using Kerberos.
See Configure the MongoDB Agent for Kerberos for instructions.
Configure an Existing Linux Deployment for Kerberos-based Authentication
If you use Cloud Manager to manage existing deployments on Linux in your project, all MongoDB deployments in the project must be configured for Kerberos authentication before you can enable Kerberos authentication for your project.
In MongoDB Cloud Manager, go to the Deployment page for your project.
If it is not already displayed, select the organization that contains your desired project from the Organizations menu in the navigation bar.
If it's not already displayed, select your desired project from the Projects menu in the navigation bar.
If the Deployment page is not already displayed, click Deployment in the sidebar.
The Deployment page displays.
Go to the Processes page.
Click the Processes tab for your deployment.
The Processes page displays.
When you have configured the Kerberos options for each deployment, you can proceed to enable Kerberos for your Cloud Manager project.
Enable Kerberos for your Cloud Manager Project
In MongoDB Cloud Manager, go to the Deployment page for your project.
If it is not already displayed, select the organization that contains your desired project from the Organizations menu in the navigation bar.
If it's not already displayed, select your desired project from the Projects menu in the navigation bar.
If the Deployment page is not already displayed, click Deployment in the sidebar.
The Deployment page displays.
Go to the Security page.
Click the Security tab for your deployment.
The Security page displays.
Go to the Security Settings dialog for your deployment.
Do one of the following actions:
If this is your first time configuring TLS, authentication, or authorization settings for this project, click Get Started.
If you have already configured TLS authentication, or authorization settings for this project, click Edit.
Specify the TLS Settings.
Field | Action | ||||
---|---|---|---|---|---|
MongoDB Deployment Transport Layer Security (TLS) | Toggle this slider to ON. | ||||
TLS CA File Path | The TLS Certificate Authority file is a The encrypted private key for the Type the file path to the TLS Certificate Authority file on every host running a MongoDB process:
This enables the Click Validate to test that each host in your deployment has a TLS Certificate Authority at the paths you specified. | ||||
Client Certificate Mode | Select if client applications or MongoDB Agents must present a TLS certificate when connecting to a TLS-enabled MongoDB deployments. Each MongoDB deployment checks for certificates from these client hosts when they try to connect. If you choose to require the client TLS certificates, make sure they are valid. Accepted values are:
|
Configure the LDAP Authorization Settings.
Important
Starting with MongoDB 3.4, you can
authenticate users using LDAP, Kerberos, and X.509 certificates
without requiring local user documents in the $external
database as long as you enable LDAP authorization first. When such a user successfully
authenticates, MongoDB performs a query against the LDAP server to
retrieve all groups which that LDAP user possesses and transforms those
groups into their equivalent MongoDB roles.
Skip this step if you don't want to enable LDAP authorization.
Enter values for the following fields:
SettingValueLDAP AuthorizationToggle to ON to enable LDAP authorization.Authorization Query TemplateSpecify a template for an LDAP query URL to retrieve a list of LDAP groups for an LDAP user.
Configure {{mechanism}} for the Agents.
You can enable more than one authentication mechanism for your MongoDB deployment, but the Cloud Manager Agents can only use one authentication mechanism. Select {{mechanism}} to connect to your MongoDB deployment.
Select the {{mechanism}} option from the Agent Auth Mechanism section.
Provide credentials for the MongoDB Agent:
If using Linux, configure:
SettingValueMongoDB Agent Kerberos PrincipalThe Kerberos Principal.MongoDB Agent Keytab PathThe path for the Agent's Keytab.If using Windows, configure:
SettingValueMongoDB Agent UsernameThe Active Directory user name.MongoDB Agent PasswordThe Active Directory password.DomainThe NetBIOS name of a domain in Active Directory Domain Services. Must be in all capital letters.
Create MongoDB Roles for LDAP Groups. (Optional)
After enabling LDAP Authorization, you need to create custom MongoDB roles for each LDAP Group you specified for LDAP Authorization.