Hi,
I was struggling with the MongoDB plugin from CheckMK. The current plugin relies a lot on system namespaces collections such as (but not limited to):
- system.users
- system.sessions
In before v5 (I believe), if your monitoring user had the following roles:
db.createUser({
"user": "checkmk",
"pwd": "xxxxxxxx",
"roles": [
{ role: "read", db: "admin" },
{ role: "clusterMonitor", db: "admin" },
{ role: "read", db: "local" }
]
})
it was ok and you had a very limited user (which you want for monitoring) which has access to all system namespaces.
As with new versions you have to add a new predefined role which is much powerfull else you will get errors executing the mongog plugin. I came with:
db.createUser({
"user": "checkmk",
"pwd": "xxxxxxxx",
"roles": [
{ role: "read", db: "admin" },
{ role: "clusterMonitor", db: "admin" },
{ role: "backup", db: "admin" },
{ role: "read", db: "local" }
]
})
So basicly I came up with a backup role, in my eyes the most “limited” role you can assign to a user, but It would be cool if the plugin just plays well with the default Clustermonitor role.
And other option would be we store the user/credentials on the local server (in /etc/check_mk/mk_mongodb.cfg) but even if we say in the agent bakery not to use authentication, it will overwrite this file when agent is updated.
Basicly I don’t want to store (powerfull) account info in CheckMK server and only limited montitoring accounts.
Any thoughts?
- Gerwin