Advanced Ops Manager Topics

Ops Manager Advanced Administration

Cory Mintz, Michael Benoit

LDAP and User Roles

Why Use LDAP Integration?

● Users/groups already centrally managed
  ○ Active Directory
  ○ OpenLDAP
● Complex password policies
● Prevent new users from signing up

Mapping Ops Manager to LDAP

● Login Attribute
  ○ uid
  ○ username
  ○ email address
● Group(s) attribute

Sample LDAP Configuration

mms.ldap.url=ldap://127.0.0.1:389
mms.ldap.bindDn=CN=_search_
mms.ldap.bindPassword=password
mms.ldap.user.baseDn=OU=Users,O=MongoDB
mms.ldap.user.searchAttribute=emailAddress
mms.ldap.user.group=groups

Sample Global Roles Configuration

mms.ldap.global.role.owner (required)
mms.ldap.global.role.automationAdmin
mms.ldap.global.role.backupAdmin
mms.ldap.global.role.monitoringAdmin
mms.ldap.global.role.userAdmin
mms.ldap.global.role.readOnly

Adding Users and Groups

New users cannot register

Users in the baseDn who do not belong to any group cannot sign in

Mike Benoit
Is this grammatically correct? "You do not belong to any Group." Shouldn't Group be plural (and probably lowercase)? Seems like we should fix this before showing it on a giant screen! :)

Global User Admins can create new groups

Alerts

Global and System Alerts

ALERTS

SYSTEM ALERTS

Backing Database, Backup Daemons

GLOBAL ALERTS

GROUP ALERTS

Agents Users Hosts Backups Clusters

Global and System Alerts UI

Webhook Notifications

● Integrate with your internal systems
● POST alert events and state changes
● Same JSON format as Public API’s Alert resource

Setup a Webhook

Notify a Webhook

Anatomy of a Webhook Request

POST /path/to/your/handler HTTP/1.1
Content-Type: application/json
X-MMS-Event: alert.open
X-MMS-Signature: cbd76abcdf4627dfabcd…
...

{
  "id": "589bdcfd71735c5d00c9471",
  "groupId": "3718c7387c8457287cbdfa83",
  "typeName": "AGENT",
  "eventTypeName": "MONITORING_AGENT_DOWN",
  "status": "OPEN",
  "created": "2015-06-01T12:34:56Z",
  ...
}

Webhook Handling Example

signature = hmac_digest(request.body, 'Bosco!')
if signature != request.header('X-MMS-Signature'):
    exit('Could not validate webhook request')

alert = request.entity
event = request.header('X-MMS-Event')

if event == 'alert.open':
    if alert.eventTypeName == 'MONITORING_AGENT_DOWN':
        restart_monitoring_agent()
else if event == 'alert.close':
    if alert.eventTypeName == 'MONITORING_AGENT_DOWN':
        self.pat_on_back()
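
An added example (not from the original slides): a runnable Python version of the handler above that verifies the signature over the raw body before parsing it and compares in constant time. It assumes HMAC-SHA-1 with a base64-encoded digest, which the slides do not state; the returned action names are hypothetical stand-ins for the slide's functions, and the sample request is constructed.

```python
import base64
import hashlib
import hmac
import json

# Assumption (not stated on the slide): HMAC-SHA-1 over the raw request body,
# base64-encoded into X-MMS-Signature. Adjust if your deployment differs.
WEBHOOK_SECRET = b"Bosco!"  # the secret used in the slide's pseudocode


def sign(body: bytes, secret: bytes = WEBHOOK_SECRET) -> str:
    """Compute the signature the sender is assumed to attach."""
    digest = hmac.new(secret, body, hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def handle_webhook(headers: dict, body: bytes, secret: bytes = WEBHOOK_SECRET) -> str:
    """Return the action to take; raise PermissionError if the request is unsigned or altered."""
    received = headers.get("X-MMS-Signature", "")
    # Verify the raw bytes BEFORE parsing JSON, and compare in constant time.
    if not hmac.compare_digest(sign(body, secret).encode(), received.encode()):
        raise PermissionError("Could not validate webhook request")
    alert = json.loads(body)
    event = headers.get("X-MMS-Event")
    if alert.get("eventTypeName") == "MONITORING_AGENT_DOWN":
        if event == "alert.open":
            return "restart_monitoring_agent"
        if event == "alert.close":
            return "pat_on_back"
    return "ignore"


# Constructed sample request, modelled on the payload fields shown on the slide.
SAMPLE_BODY = json.dumps({
    "id": "constructed-alert-id",
    "typeName": "AGENT",
    "eventTypeName": "MONITORING_AGENT_DOWN",
    "status": "OPEN",
}).encode()
SAMPLE_HEADERS = {"X-MMS-Event": "alert.open", "X-MMS-Signature": sign(SAMPLE_BODY)}

if __name__ == "__main__":
    print(handle_webhook(SAMPLE_HEADERS, SAMPLE_BODY))
    try:
        handle_webhook(SAMPLE_HEADERS, SAMPLE_BODY.replace(b"OPEN", b"CLOSED"))
    except PermissionError as exc:
        print("rejected:", exc)
```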

Enabling Twilio for SMS

twilio.account.sid=xxxxxxxxxxxxxxxxxxx
twilio.auth.token=yyyyyyyyyyyyyyyyyyy
twilio.from.num=1234567890

Verifying Twilio

● Send a test SMS message

● Now, you can see additional SMS notification options

Multi-Datacenter Backup

What does Multi-Datacenter mean?

● Geographically distributed corporate owned DCs
● Corporate owned DCs combined with cloud hosted (AWS, Rackspace, etc.)
● Single DC with several virtual networks

Setup 1: One Instance

All Ops Manager components in a single DC

Pros
● Fewest Ops Manager Components
● Easier to get started
● Easier to maintain

Cons
● Bandwidth costs between DCs
● Restores need to go over network
● All groups on a single set of hardware

Setup 1: Diagram

Setup 2: Multiple Instances

Pros
● Each instance still simple to set up
● Less bandwidth use
● Restores local

Cons
● Multiple systems to manage
● Duplicated configuration
● More upgrades

Setup 2: Diagram

Setup 3: One Instance w/ Group Pinning

● The best of both worlds
● Single Ops Manager instance
● Backup “stack” in each DC
● Pin each Ops Manager group to a “stack”

Setup 3: Diagram

Setup 3: UI

Public API

Overview

● RESTful interface to Ops Manager features
● Must be enabled for each group
● Users have API keys
● HTTP Digest Authentication
● JSON throughout (pretty printing optional)
● Access to certain endpoints is restricted to an IP whitelist

Step 1. Enable

Step 2. Keys and Whitelist

Step 3. Code!

// Script to pull a backup of the last snapshot using the Ops Manager Public API
groupId = 'cbdf73827d0c0a9d9c4d6623'

// Get a list of clusters
clusters = api_get('${groupId}/clusters')

// Find the cluster entity for the replica set named myReplSet
myReplSet = clusters.find_first( c -> c.replicaSetName == 'myReplSet' )

// Get all snapshots for the cluster
snapshots = api_get('${groupId}/clusters/${myReplSet.id}/snapshots')

// The last one is the most recent
lastSnapshot = snapshots[snapshots.length - 1]

// Create a restore job for the last snapshot
// NOTE: a replica set only creates one restore job
restoreJobs = api_post(
    '${groupId}/clusters/${myReplSet.id}/restoreJobs',
    { 'snapshotId': lastSnapshot.id } )
restoreJob = restoreJobs[0]

// Poll every 30 seconds until the restore job status is FINISHED
do {
    sleep(30)
    restoreJob = api_get(
        '${groupId}/clusters/${myReplSet.id}/restoreJobs/${restoreJob.id}')
} while (restoreJob.statusName != 'FINISHED')

// Restore ready, so download the .tar.gz file
http_get(restoreJob.delivery.url, 'myReplSet.tar.gz')

// Get the hash and verify the integrity of the downloaded file
restoreJob = api_get(
    '${groupId}/clusters/${myReplSet.id}/restoreJobs/${restoreJob.id}')
serverHash = restoreJob.hashes[0].hash
myHash = sha1_hash('myReplSet.tar.gz')
assert(serverHash == myHash)

// Restore succeeded!
// Now uncompress it, shutdown mongod, copy data files, and restart
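
An added example (not part of the original slides): the integrity check from the script above as runnable Python, streaming the archive and discarding it on mismatch so an unverified file is never restored. It assumes the server hash is hex-encoded SHA-1, as `sha1_hash` in the pseudocode suggests; the function names and the sample file are constructed for illustration.

```python
import hashlib
import hmac
import os
import tempfile


def sha1_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file so multi-gigabyte archives never load into memory."""
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_restore_archive(path: str, restore_job: dict) -> bool:
    """Compare the local SHA-1 with restoreJob.hashes[0].hash; delete the file on mismatch."""
    hashes = restore_job.get("hashes") or []
    if not hashes or not hashes[0].get("hash"):
        # A missing hash must not be treated as "nothing to check".
        raise ValueError("restore job carries no hash; refusing to use the archive")
    server_hash = hashes[0]["hash"].strip().lower()  # assumption: hex-encoded
    if hmac.compare_digest(sha1_of_file(path).encode(), server_hash.encode()):
        return True
    os.remove(path)  # never leave an unverified archive where a restore could pick it up
    return False


def demo() -> tuple:
    """Constructed data: a small temp file stands in for myReplSet.tar.gz."""
    payload = b"constructed archive bytes"
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "myReplSet.tar.gz")
        with open(path, "wb") as fh:
            fh.write(payload)
        good_job = {"hashes": [{"hash": hashlib.sha1(payload).hexdigest()}]}
        bad_job = {"hashes": [{"hash": "0" * 40}]}
        accepted = verify_restore_archive(path, good_job)
        rejected = not verify_restore_archive(path, bad_job)
        return accepted, rejected, os.path.exists(path)


if __name__ == "__main__":
    print(demo())
```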

Thank You!