Ops Tools
228 results found
-
“Content-Security-Policy” header
Hello,
We want to add the “Content-Security-Policy” header to the OpsManager/MongoDB answers to increase the security level:
frame-ancestors 'none' (Do not render in frames)
script-src 'self': only loads scripts originating on the site (subdomains excluded)
default-src 'none': recommended for services returning HTML.
Could you please tell us how to set up these elements ?Thank you in advance for your support.
Regards
7 votes -
OPS Manager should call updateUser to change password to trace it in DB Audit.
If you enable auditing in database, you can't trace change password actions. The reason is OPS Manager updates system.user collection record directly. as a result, this action is not traceble in audit if parameter auditAuthorizationSuccess is not enabled.
But enabling this parameter cause performance degradation as all DML/DDL will be sent through audit layer.
Dropping user at the same time happening as expected and traceable in audit files.
1 vote -
Agent authentication to opsmanager using x509 credentials
Similar to how Opsmanger can use x509 to manage deployments, it should be possible to configure the agents to use x509 credentials to communicate with Opsmanager. This will allow for a more consistent security posture across the whole mongodb/opsmanager stack. It would also simplify security procedures such as credential rotation by unifying the authentication mechanism.
This will be an alternative to the existing API Key approach https://www.mongodb.com/docs/ops-manager/current/tutorial/manage-agent-api-key/index.html
1 vote -
Ability to remove parameter tlsCertificateKeyFilePassword from Advanced configuration
Currently the behavior around this parameter is tricky -once you added this parameter to advanced config - you can't remove it. if you try to remove it - OPS Manager simply ignores this action and when you run "Review and Deploy" - it displays nothing but still let you deploy this "nothing". similar if you want to set the value of this parameter to empty string from something - OPS Manager ignores it and deploy empty list of actions.
the workaround is to remove both tlsCertificateKeyFile and tlsCertificateKeyFilePassword in advanced config, but don't deploy it. then add back tlsCertificateKeyFile parameter…
1 vote -
Ops Manager API should be authenticated via Certificate
Ops Manager API uses HTTP Digest Authentication, this method requires a username and a password which are hashed and provided in the form of registered Ops Manager account, and the password which is a Public API Key associated with that account.
But as part of security feature we should be allowed to use Authentication based on SSL certificates as we are using for Client connection, This will help to secure the self automation process if we are developing any internally.
3 votes -
When changing snapshot retention, prompt user to apply new policy to existing snapshots
Currently when you change the snapshot schedule, the changes only apply to NEW snapshots.
Please allow the user the option to apply the new policy automatically to all existing snapshots. Or at the very least, notify them of them of snapshots that exist which do not meet the current policy!
Let me provide an example of the problem. If you have a retention policy of 10 days and on DAY1 you change it to 30 days, your retention will look like this:
DAY1 - 10 snapshots
DAY2 - 10 snapshots
...
DAY10 - 10 snapshots
DAY11 - 11 snapshots
DAY12…1 vote -
Lock enableLocalConfigurationServer setting on OPS Manager side
To harden security for mongodb deployment managed by OPS Manager, we can use setting enableLocalConfigurationServer = true so automation-mongod.conf won't have any passwords for ssl certs and agent will retrieve them from OPS Manager.
to disable this feature and to read all passwords for ssl certs (and hence get access to mongodb data) it's enough to comment out this parameter an restart automation service (or wait until host will be restarted).
Linux root user can modify any file on mongodb host including this file and can restart any services, so it's impossible to protect getting all passwords and mongod.conf from…
1 vote -
The Ops Manager UI provide an option to trigger election (stepDown)
Have the option to perform primary stepDown from Ops Manager UI to trigger election
4 votes -
I found what I believe to be an error in the following document
I found what I believe to be an error in the following document.
https://www.mongodb.com/docs/ops-manager/current/tutorial/install-simple-test-deployment/In the section "5. Create the Ops Manager Application Database directory," it instructs to execute the following command
sudo chown -R mongod:mongod /dataIn my environment, the mongod user does not exist and I get an error, but looking at the passwd file, the mongodb user and mongodb group seem to exist. The version is 11.7.
I think the correct command is as follows
sudo chown -R mongodb:mongodb /data1 vote -
Operating System distribution and version of a host in OPS Manager API
Hi,
would be useful having the operating system distribution and version of a host for our automation scripts.
This info is not available in any OPS Manager API request, as the case 01119828.
My suggestion is add this info at "Get Host by ID" https://www.mongodb.com/docs/ops-manager/current/reference/api/hosts/get-one-host-by-id/
Best regards,
Danilo1 vote -
Ability to mark a deployment as an INELIGIBLE restore target
Restoring to a cluster is one of the few destructive actions that Ops Manager takes and it's terrifying to see our main production cluster listed as a possible restore target!
I would love to be able to toggle a setting on this cluster to indicate that it is NOT available as a restore target.
This could be similar to the AWS "DisableApiTermination" feature that prevents instance termination.
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/terminating-instances.html#Using_ChangingDisableAPITermination1 vote -
Ops Manager Load Balancer
In the same way we can connect to a replica set via a connection string containing the 3 hostnames of the members (in a 3 member replica set) which indicates some load balancing built in, it would be good to allow automation agent's mmsBaseUrl parameter to accept 3 Ops Manager web app hostnames if Ops Manager was running in 3 nodes on top of a 3 member replica set OM Application DB. With this, if one of the 3 Ops Manager web apps fails, the agent's connection to OM will be uninterrupted. Currently we will have to configure our own…
2 votes -
Add recommended ulimit settings to the systemctl service definition
The Ops Manager documentation recommends higher than default ulimit settings, so why not include these in the systemctl service definition?
2 votes -
Deploy Changes without restarting mongod/mongos instance immediately.
Whenever we want to make changes, eg. set a new parameter or add new parameter in configuration (advance configuration options), after we save changes, review and deploy, automation immediately starts applying that change and does a rolling restart.
We need flexibility in restart, means one should have an option to perform immediate rolling restart or defer it to later time. We may apply multiple changes at different times and set one preferred window to restart instance instead of doing multiple restarts.15 votes -
Ability to start the bi connector using a .drdl file in Ops Manager
Ability to start the bi connector using a .drdl file in Ops Manager. Currently only possible with en premise bi connector deployment(mongosqld).
1 vote -
Add possibility to configure the process hostnames for the automation config map
In order to use external certificates could it be possible to configure the process hostnames in automation config map
1 vote -
TLS secret key config
Add option to configure the secret keys for the server and CA certificate and replace the default ones tls.crt, tls.key and ca.crt
1 vote -
Add Ops Manager alert on tlsX509ExpirationWarningThresholdDays client
Ops Manager alert, for messages posted through 'tlsX509ExpirationWarningThresholdDays' parameter to warn for client certs expiry
1 vote -
Disk metric - log drive
The ops manager is not capturing the log drive disk related metrics when the log path is different from data path. This is an important metric to monitor for anyone to consider OM as the monitoring tool.
1 vote -
add logical name to disk in metrics
when we look at hardware metric in replicaset, OPS Manager displays and groups disk stats based on internal disk name on each node. if for some reason we have disks discovered in different order on OS level, disk names will be different and it's become very messy and difficult to compare disk stats between different nodes.
Suggestion is to add ability to give disk logical name so OPS Manager will display disks for data and disks for logs in a nice way. if new disk is replaced or added - default name can be displayed so administrator will be able…
1 vote
- Don't see your idea?