Details
- Bug
- Resolution: Done
- Critical - P2
*Location*: https://docs.opsmanager.mongodb.com/current/tutorial/add-existing-host-to-automation/
*User-Agent*: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36
*Referrer*: https://docs.opsmanager.mongodb.com/current/search/?query=mms-automation
*Screen Resolution*: 1920 x 1080
*repo*: REPONAME
*source*: tutorial/add-existing-host-to-automation
Description
It is critical that we explain in the "import" documentation how auth is handled.
For example, this blog post contains more information: http://blog.cloud.mongodb.com/post/111860709590/introduction-to-import-existing-deployment-for in the sense that it shows that you would need to pre-create an Automation agent user to grant the Automation agent permissions on the attached-to cluster.
Importing a cluster with Auth enabled is a complicated operation:
1) The system will try to bring in all the users / roles in that cluster. Note that if there are other clusters managed in the deployment, these users / roles will be added to the other clusters (not always wanted --> the work-around is to use a separate group whenever different clusters will have a different auth profile).
2) If a Group's Deployment already has an authentication profile enabled (e.g. isn't in a completely blank fresh state), then attached-to processes will require that the mms-automation user be pre-created on them with appropriate permissions and password based on what the Automation agent expects (e.g. if "MONGODB-CR" is used, then *Manager will have pre-created a random password for the mms-automation user, which can be found in the Automation configuration for the Group's Deployment).
3) Note that a Group's Deployment can have authentication enabled even if there are no managed MongoDB processes (e.g. an empty deployment), which is a particularly awkward context in which to be unable to attach to a cluster that doesn't have the precisely correct user created yet.
Separately, attaching to an auth-enabled cluster where the Group's Deployment doesn't yet have "auth" enabled will cause the auth settings from the new deployment to be mimicked in the Deployment. This is handy and we should point it out.
In an ideal world, when attaching to a cluster with auth enabled:
1) Create mms-automation user on cluster
2) Create new fresh / clean Group
3) Import the cluster into this new group.
Issue Links
- is related to
  - DOCS-7861 Document how to import a deployment with auth enabled into Automation in Ops Manager 2.0 documentation (Closed)