MongoDB 2.4 Security Features
Edouard Servan-Schreiber, Ph.D.
Director of Solution Architecture, 10gen
#MongoDBdays
MongoDB Security

Security against Trespassing
• Data in flight
• Data at rest

MongoDB SSL
http://docs.mongodb.org/manual/administration/ssl/
• Keyfile establishes trust domain
• SSL encryption for client connection
• SSL encryption for inter-server traffic
[Diagram: Application, Primary, Secondary; Data Files under each server]

MongoDB - Gazzang
• File System Encryption
• 5% performance hit with HDD, 10-15% with SSD
[Diagram: File System (all contents encrypted); OS; Gazzang; Gazzang Key Mgmt]

Security against Insider Abuse
• Authentication
– Are you who you claim to be?
• Authorization
– Do you have access privileges to do what you want to do?
• Auditing
– Can I trace your activities for future verification?

New with MongoDB 2.4
• Authentication
– External authentication with Kerberos
• Authorization
– Improved granularity of powers within a cluster to contain abuse
• Auditing
– User IDs added to audit logs

Authentication
• 2.2
– Admin users and single db users
– No external auth
– No sense of user across databases
  • Had to redefine user in several databases
• 2.4
– External authentication with Kerberos
– Can “source” users from different databases

Authentication with only pwd hash
• Use one-way function F
Client: I am “[email protected]”, let me in
Mongod: Prove it, here is a random # N
Client: Here is F(N, hash(<mypwd>))
Mongod: Nobody else could know that, welcome back edouard!
• Mongod knows only my password hash
• Hash never transmitted over the network!
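
The exchange above as a runnable sketch. This is an added example, not code from the slides or from MongoDB: the slide names neither F nor the hash, so HMAC-SHA256 and SHA-256 are assumptions, and `Server`, `respond` and `demo` are hypothetical names.

```javascript
// Nonce-based challenge-response where the server stores only hash(pwd).
// Assumption: F = HMAC-SHA256, hash = SHA-256 (the slide leaves both unspecified).
const crypto = require('node:crypto');

const sha256 = (s) => crypto.createHash('sha256').update(s).digest('hex');
const F = (nonce, pwdHash) =>
  crypto.createHmac('sha256', pwdHash).update(nonce).digest('hex');

class Server {
  constructor() {
    this.users = new Map();   // user -> stored password hash (never the password)
    this.pending = new Map(); // user -> outstanding nonce, single use
  }
  addUser(user, pwd) { this.users.set(user, sha256(pwd)); }
  challenge(user) {
    const nonce = crypto.randomBytes(16).toString('hex'); // the "random # N"
    this.pending.set(user, nonce);
    return nonce;
  }
  verify(user, response) {
    const nonce = this.pending.get(user);
    this.pending.delete(user);            // a nonce is consumed by one attempt
    const stored = this.users.get(user);
    if (!nonce || !stored) return false;
    const expected = Buffer.from(F(nonce, stored), 'hex');
    const got = Buffer.from(String(response), 'hex');
    // Constant-time compare; lengths must match before timingSafeEqual.
    return got.length === expected.length && crypto.timingSafeEqual(got, expected);
  }
}

// Client side: derives the same hash from the typed password and answers the nonce.
const respond = (nonce, pwd) => F(nonce, sha256(pwd));

function demo() {
  const server = new Server();
  server.addUser('edouard', 'constructed-password'); // constructed sample data
  const n1 = server.challenge('edouard');
  const r1 = respond(n1, 'constructed-password');
  const first = server.verify('edouard', r1);        // fresh response: accepted
  server.challenge('edouard');                       // new login, new nonce
  const replay = server.verify('edouard', r1);       // old response replayed: rejected
  server.challenge('edouard');
  const wrong = server.verify('edouard', respond('00', 'guess'));
  return { first, replay, wrong };
}
```

Because the response is computed from the stored hash rather than from the password, the collection holding those hashes needs the same protection as the passwords themselves.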

Authentication with Kerberos (2.4)
Client to KDC: I am “[email protected]”, help me prove it to mongod
KDC: Here is a ticket for mongod
Client to Mongod: Here is a Kerberos ticket
Mongod: Welcome!
{ user: "[email protected]", roles: [ "read" ], userSource: "$external" }
AUTHORIZATION
VS
Avoiding hierarchical powers Building Regional powers

AUTHORIZATION
• Issues with 2.2
– No roles --- No access / Read / ReadWrite
– Hard to separate powers
• 2.4 introduces roles
– Admin level roles
  • userAdmin
  • clusterAdmin
– DB level roles
  • userAdmin
  • dbAdmin
  • read
  • readWrite
– Corresponding Admin level roles for AllDatabases

• Admin DB: userAdmin, clusterAdmin
• Accnts DB: userAdmin (only useful to hold pwd hashes)
• App DB: userAdmin, dbAdmin, readWrite, read
• Product DB: userAdmin, dbAdmin, readWrite, read
• Customer DB: userAdmin, dbAdmin, readWrite, read
• BI DB: userAdmin, dbAdmin, readWrite, read

• DB Admin: UserAdmin
– “I can do anything. But I won’t be required to do much”
• DB Admin: ClusterAdmin
– “I can add and remove shards, control the balancer”
• DB Accnts: userAdmin
– “I can create new users but I can’t grant them privileges to other DB’s”
• DB App: userAdmin
– “I can grant privileges to the App DB only”
• DB App: dbAdmin
– “I can create indices, set profiling, compact”

DB Admin: UserAdmin
“I can do anything. But I won’t be required to do much”
In Admin.system.users:
{ user: "[email protected]", userSource: "$external", roles: [ "userAdmin" ], otherDBRoles: { } }
OR
{ user: "edouard", pwd: <hash>, roles: [ "userAdmin", "userAdminAnyDatabase" ], otherDBRoles: { } }
• Only required to intervene if cluster admin or any other admin has to change.
• Can create new databases
• Is not on the critical path of any other activity.

DB Admin: ClusterAdmin
“I can add and remove shards, control the balancer, update replSet configs”
In Admin.system.users:
{ user: "[email protected]", userSource: "$external", roles: [ "clusterAdmin" ], otherDBRoles: { } }
{ user: "[email protected]", userSource: "$external", roles: [ "clusterAdmin", "dbAdminAnyDatabase" ], otherDBRoles: { } }
• Manages the number of shards and the balancer
• Cannot act on other DBs directly (e.g. cannot enable sharding on a collection)
• Cannot see any data
• Can also be the admin of all other databases with “dbAdminAnyDatabase”

DB Accnts: UserAdmin
“I can create new users but I can’t grant them privileges on other DB’s”
In Accnts.system.users:
{ user: "edouard", pwd: <hash>, roles: [ "userAdmin" ] }
{ user: "richard", pwd: <hash>, roles: [ "read" ] }
{ user: "asya", pwd: <hash>, roles: [ ] }
• Manages the user list for the cluster.
• All users should have an entry in Accnts.system.users and this role is able to create them, while not letting them see the user list.
• The Accnts DB is the authentication center
• Richard can see the information about other users….

DB Accnts: UserAdmin
In Accnts.system.users:
{ user: "edouard", pwd: <hash>, roles: [ "userAdmin" ] }
{ user: "richard", pwd: <hash>, roles: [ ] }
{ user: "asya", pwd: <hash>, roles: [ ] }
• Only the UserAdmin should see details about other users

DB App: userAdmin
“I can grant privileges to the App DB only”
DB App: dbAdmin
“I can create indices, set profiling, compact”
In App.system.users:
{ user: "richard", userSource: "Accnts", roles: [ "userAdmin" ] }
{ user: "asya", userSource: "Accnts", roles: [ "dbAdmin" ] }
• Each DB’s userAdmin gets to grant privileges separately
• Credentials from Accnts DB

DB App: readWrite
“I am the app. I read and write to the DB”
DB App: read
“I do BI and only need to read from this DB”
In App.system.users:
{ user: "appUser", userSource: "Accnts", roles: [ "readWrite" ] }
{ user: "BIUser", userSource: "Accnts", roles: [ "read" ] }
In BI.system.users:
{ user: "BIUser", userSource: "Accnts", roles: [ "readWrite" ] }
• The BI user needs to read from the app DB in order to access the data to be analyzed
• And needs to read/write in another database dedicated to BI results

Simplifications
• No need for Accnts DB if all users are externally authenticating
• UserAdmin of Admin DB can manage and assign all the roles through {read, readWrite, dbAdmin, userAdmin}AnyDatabase
– roles: [ "dbAdminAnyDatabase", "readAnyDatabase" ]
• Can assign otherDBRoles in Admin.system.users, to grant privileges to only some DB’s
– otherDBRoles: { App: [ "read" ], BI: [ "userAdmin", "readWrite" ] }

Case: one super user, one app admin, one app regular user
ADMIN.system.users:
{ user: "SuperUser", userSource: "$external", roles: [ "userAdmin", "clusterAdmin" ] }
{ user: "AppAdmin", userSource: "$external", roles: [ ], otherDBRoles: { app: [ "userAdmin", "dbAdmin" ] } }
APP.system.users:
{ user: "AppUser", userSource: "$external", roles: [ "readWrite" ] }
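
To check a layout like the case above before deploying it, the following added example (not from the slides or MongoDB's code) resolves the roles a principal ends up with on each database from `roles`, `userSource`, the `...AnyDatabase` roles and `otherDBRoles`. `effectiveRoles` and the `Auditor` entry are hypothetical; the other documents are the slide's case with constructed lower-case database names.

```javascript
// Resolve per-database roles for a principal under the 2.4 user-document layout.
const ANY = /^(read|readWrite|dbAdmin|userAdmin)AnyDatabase$/;

// A principal is (user, source): source is the DB holding the credentials,
// or "$external" for Kerberos-authenticated users.
function effectiveRoles(systemUsers, user, source) {
  const out = {};
  const grant = (db, role) => (out[db] = out[db] || new Set()).add(role);
  for (const [db, docs] of Object.entries(systemUsers)) {
    for (const doc of docs) {
      const docSource = doc.userSource || db; // no userSource: credentials live here
      if (doc.user !== user || docSource !== source) continue;
      for (const role of doc.roles || []) {
        const m = ANY.exec(role);
        if (m && db === 'admin') {
          // xAnyDatabase in admin expands to role x on every known database
          for (const target of Object.keys(systemUsers)) grant(target, m[1]);
        } else if (!m) grant(db, role);       // AnyDatabase outside admin is ignored
      }
      if (db === 'admin') {                   // otherDBRoles is honoured only in admin
        for (const [target, roles] of Object.entries(doc.otherDBRoles || {}))
          roles.forEach((r) => grant(target, r));
      }
    }
  }
  return Object.fromEntries(
    Object.entries(out).map(([db, set]) => [db, [...set].sort()]));
}

// Constructed sample data: each key stands for that database's system.users.
const systemUsers = {
  admin: [
    { user: 'SuperUser', userSource: '$external', roles: ['userAdmin', 'clusterAdmin'] },
    { user: 'AppAdmin', userSource: '$external', roles: [],
      otherDBRoles: { app: ['userAdmin', 'dbAdmin'] } },
    { user: 'Auditor', userSource: '$external', roles: ['readAnyDatabase'] }, // hypothetical
  ],
  app: [{ user: 'AppUser', userSource: '$external', roles: ['readWrite'] }],
  bi: [],
};
```

Calling `effectiveRoles(systemUsers, 'AppUser', 'app')` returns an empty object: a locally defined `AppUser` is a different principal from the `$external` one and inherits none of its roles.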

Auditing - Logging
Monitor user activity:
– Logging to output userID associated with actions, when available
– Sharded and single-node configurations
– Not a separate audit log
Future
– Partnership / ecosystem opportunities

Disclaimer
Statements about future releases, availability dates, and feature content reflect plans only, and 10gen is under no obligation to include, develop or make available, commercially or otherwise, specific features discussed in a future MongoDB build. Information is provided for general understanding only, and is subject to change at the sole discretion of 10gen in response to changing market conditions, delivery schedules, customer requirements, and/or other factors.

Future
• Field level obfuscation
– Blocking PPI data in documents from some users.
• Improved auditing
• More external authentication protocols
• External access control privileges
– Central management of ACL and MongoDB able to externally read them
Thank You