3. MongoDB SSL
[Diagram: Application -> Primary (SSL encryption for client connection); Primary <-> Secondary (SSL encryption for inter-server traffic); each server with its own Data Files]
• SSL encryption for client connections (application to mongod)
• SSL encryption for inter-server traffic (replica set members, e.g. primary to secondary)
• Keyfile establishes the trust domain: the shared keyfile is what lets members authenticate each other; it does not encrypt the traffic, SSL does that
http://docs.mongodb.org/manual/administration/ssl/
4. MongoDB - Gazzang
• File system encryption (encryption at rest, below mongod)
• Gazzang key management sits next to an OS-level Gazzang file system layer
• The file system: all contents encrypted
• Performance hit: about 5% with HDD, 10-15% with SSD
5. Security against Insider Abuse
• Authentication
– Are you who you claim to be?
• Authorization
– Do you have access privileges to do what you want to do?
• Auditing
– Can I trace your activities for future verification?
6. New with MongoDB 2.4
• Authentication
– External authentication with kerberos
• Authorization
– Improved granularity of powers within a cluster to contain
abuse
• Auditing
– User IDs recorded with logged actions (in the server log, not a separate audit log)
7. Authentication
• 2.2
– Admin users and single db users
– No external auth
– No sense of user across databases
• Had to redefine user in several databases
• 2.4
– External authentication with kerberos
– Can “source” a user's credentials from a different database (userSource), so one set of credentials can be reused across databases
8. Authentication with only the password hash
• Use a one-way function F; mongod stores only my password hash, never the password
• Client: I am “edouard@10gen.com”, let me in
• Mongod: Prove it, here is a random number N
• Client: Here is F(N, hash(<mypwd>))
• Mongod: Nobody else could know that, welcome back edouard!
• The hash is never transmitted over the network, and the fresh N stops a captured answer from being replayed
• Caveat: the stored hash is the secret here. Anyone who reads it (for example from system.users) can compute F(N, hash) just as the client does, so protect the hash like a password.
9. Authentication with Kerberos (2.4)
• Client to KDC: I am “edouard@10gen.com”, help me prove it to mongod
• KDC to client: Here is a ticket for mongod
• Client to mongod: Here is a Kerberos ticket
• Mongod: Welcome!
• Mongod holds no credential for the user, only the role mapping, with userSource pointing at the external system:
{
  user: "edouard@10gen.com",
  roles: ["read"],
  userSource: "$external"
}
11. AUTHORIZATION
• Issues with 2.2
– No roles: a user on a database was either absent (no access), read-only, or read/write
– Hard to separate powers
• 2.4 introduces roles
– DB level roles: userAdmin, dbAdmin, read, readWrite
– Admin level roles: userAdmin, clusterAdmin, plus the corresponding roles for all databases (readAnyDatabase, readWriteAnyDatabase, dbAdminAnyDatabase, userAdminAnyDatabase)
13. Roles per database
• Admin DB: userAdmin, clusterAdmin
• Accnts DB: userAdmin (this DB is only useful to hold password hashes)
• App DB: userAdmin, dbAdmin, readWrite, read
• Product DB: userAdmin, dbAdmin, readWrite, read
• Customer DB: userAdmin, dbAdmin, readWrite, read
• BI DB: userAdmin, dbAdmin, readWrite, read
14. Who can do what
• DB Admin, userAdmin: “I can do anything. But I won’t be required to do much.”
• DB Admin, clusterAdmin: “I can add and remove shards, control the balancer.”
• DB Accnts, userAdmin: “I can create new users but I can’t grant them privileges to other DBs.”
• DB App, userAdmin: “I can grant privileges to the App DB only.”
• DB App, dbAdmin: “I can create indices, set profiling, compact.”
15. DB Admin: userAdmin
• “I can do anything. But I won’t be required to do much.”
• Only required to intervene if the cluster admin or any other admin has to change
• Can create new databases
• Is not on the critical path of any other activity
In admin.system.users, either an externally authenticated user:
{
  user: "edouard@10gen.com",
  userSource: "$external",
  roles: ["userAdmin"],
  otherDBRoles: {}
}
or a locally stored user, optionally also given userAdminAnyDatabase:
{
  user: "edouard",
  pwd: <hash>,
  roles: ["userAdmin", "userAdminAnyDatabase"],
  otherDBRoles: {}
}
16. DB Admin: clusterAdmin
• “I can add and remove shards, control the balancer, update replSet configs.”
• Manages the number of shards and the balancer
• Cannot act on other DBs directly (e.g. cannot enable sharding on a collection)
• Cannot see any data
• Can also be the admin of all other databases with dbAdminAnyDatabase
In admin.system.users:
{
  user: "edouard@10gen.com",
  userSource: "$external",
  roles: ["clusterAdmin"],
  otherDBRoles: {}
}
or, combined with database administration everywhere:
{
  user: "edouard@10gen.com",
  userSource: "$external",
  roles: ["clusterAdmin", "dbAdminAnyDatabase"],
  otherDBRoles: {}
}
17. DB Accnts: userAdmin
• “I can create new users but I can’t grant them privileges on other DBs.”
• Manages the user list for the cluster. All users should have an entry in Accnts.system.users, and this role is able to create them while not letting them see the user list.
• The Accnts DB is the authentication center
In Accnts.system.users:
{
  user: "edouard",
  pwd: <hash>,
  roles: ["userAdmin"]
}
{
  user: "richard",
  pwd: <hash>,
  roles: []
}
{
  user: "asya",
  pwd: <hash>,
  roles: []
}
• Keep the role list on Accnts empty for ordinary users: had richard been given roles: ["read"] on Accnts, he could read system.users and so see the information about other users. Only the userAdmin should see details about other users.
20. DB App: userAdmin and dbAdmin
• DB App, userAdmin: “I can grant privileges to the App DB only.” Each DB’s userAdmin gets to grant privileges separately.
• DB App, dbAdmin: “I can create indices, set profiling, compact.”
In App.system.users (credentials come from the Accnts DB via userSource):
{
  user: "richard",
  userSource: "Accnts",
  roles: ["userAdmin"]
}
{
  user: "asya",
  userSource: "Accnts",
  roles: ["dbAdmin"]
}
21. DB App: readWrite and read; DB BI: readWrite
• App user: “I am the app. I read and write to the DB.”
• BI user: “I do BI and only need to read from this DB.” The BI user needs to read from the App DB in order to access the data to be analyzed, and needs read/write in another database dedicated to BI results.
In App.system.users:
{
  user: "appUser",
  userSource: "Accnts",
  roles: ["readWrite"]
}
{
  user: "BIUser",
  userSource: "Accnts",
  roles: ["read"]
}
In BI.system.users:
{
  user: "BIUser",
  userSource: "Accnts",
  roles: ["readWrite"]
}
22. Simplifications
• No need for the Accnts DB if all users authenticate externally
• The userAdmin of the admin DB can manage and assign all the roles through the {read, readWrite, dbAdmin, userAdmin}AnyDatabase roles
– roles: ["dbAdminAnyDatabase", "readAnyDatabase"]
• Can assign otherDBRoles in admin.system.users to grant privileges on only some DBs (role names are case-sensitive: read, readWrite, dbAdmin, userAdmin)
– otherDBRoles: { App: ["read"], BI: ["userAdmin", "readWrite"] }
23. Case: one super user, one app admin, one app regular user
admin.system.users:
{
  user: "SuperUser",
  userSource: "$external",
  roles: ["userAdmin", "clusterAdmin"]
}
{
  user: "AppAdmin",
  userSource: "$external",
  roles: [],
  otherDBRoles: { app: ["userAdmin", "dbAdmin"] }
}
app.system.users:
{
  user: "AppUser",
  userSource: "$external",
  roles: ["readWrite"]
}
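To check that the layout above actually contains insider abuse, the following is an added example (not part of the deck, and not MongoDB's own authorization code): a small model of the 2.4 rules described on the preceding slides, evaluated over the three user documents of this case. The role names are MongoDB's; the action names inside `ROLE_ACTIONS`, the `systemUsers` map and the `whoCan` review helper are illustrative assumptions. It goes slightly beyond the slide by also modelling the `...AnyDatabase` roles and the rule that `otherDBRoles` is only honoured in admin.system.users.

```javascript
// Added example, not from the slides: a model of the MongoDB 2.4 authorization
// rules, run over the slide-23 user documents. Action names are illustrative.
const ROLE_ACTIONS = {
  read:         ["find"],
  readWrite:    ["find", "insert", "update", "remove"],
  dbAdmin:      ["createIndex", "setProfilingLevel", "compact"],
  userAdmin:    ["createUser", "grantRoles", "viewUsers"],
  clusterAdmin: ["addShard", "removeShard", "setBalancerState", "replSetReconfig"],
};

// Admin-only roles that stand for the plain role on every database.
const ANY_DATABASE = {
  readAnyDatabase:      "read",
  readWriteAnyDatabase: "readWrite",
  dbAdminAnyDatabase:   "dbAdmin",
  userAdminAnyDatabase: "userAdmin",
};

// Constructed from slide 23: the <db>.system.users collections, keyed by database.
const systemUsers = {
  admin: [
    { user: "SuperUser", userSource: "$external", roles: ["userAdmin", "clusterAdmin"] },
    { user: "AppAdmin",  userSource: "$external", roles: [],
      otherDBRoles: { app: ["userAdmin", "dbAdmin"] } },
  ],
  app: [
    { user: "AppUser", userSource: "$external", roles: ["readWrite"] },
  ],
};

// Roles that a user, found in authDb.system.users, holds on targetDb.
function effectiveRoles(authDb, user, targetDb) {
  const doc = (systemUsers[authDb] || []).find((u) => u.user === user);
  if (!doc) return [];
  const roles = new Set();
  for (const r of doc.roles || []) {
    // A plain DB-level role only applies to the database the document lives in.
    if (authDb === targetDb && !(r in ANY_DATABASE)) roles.add(r);
    // AnyDatabase roles and clusterAdmin only mean something in admin.
    if (authDb === "admin" && r in ANY_DATABASE) roles.add(ANY_DATABASE[r]);
    if (authDb === "admin" && r === "clusterAdmin") roles.add(r);
  }
  // otherDBRoles is honoured only in admin.system.users.
  if (authDb === "admin") {
    for (const r of (doc.otherDBRoles || {})[targetDb] || []) roles.add(r);
  }
  return [...roles].sort();
}

function can(authDb, user, targetDb, action) {
  return effectiveRoles(authDb, user, targetDb)
    .some((r) => (ROLE_ACTIONS[r] || []).includes(action));
}

// Insider-abuse review: every principal able to perform `action` on `targetDb`.
function whoCan(targetDb, action) {
  const out = [];
  for (const [authDb, docs] of Object.entries(systemUsers)) {
    for (const d of docs) {
      if (can(authDb, d.user, targetDb, action)) out.push(`${authDb}/${d.user}`);
    }
  }
  return out.sort();
}
```

`whoCan("app", "find")` returns only `app/AppUser`: the cluster admin cannot see data (slide 16) and the app admin can create indexes and users on `app` but cannot read its documents, which is the separation of powers the deck is after. Changing `AppAdmin`'s entry to `roles: ["readAnyDatabase"]` makes him show up on every database, which is the kind of drift this check is meant to catch.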
24. Auditing - Logging
Monitor user activity:
– Logging to output userID associated with actions, when
available
– Sharded and single-node configurations
– Not a separate audit log
Future
– Partnership / ecosystem opportunities
25. Disclaimer
Statements about future releases, availability
dates, and feature content reflect plans only, and
10gen is under no obligation to include, develop
or make available, commercially or otherwise,
specific features discussed in a future MongoDB
build. Information is provided for general
understanding only, and is subject to change at
the sole discretion of 10gen in response to
changing market conditions, delivery schedules,
customer requirements, and/or other factors.
26. Future
• Field level obfuscation
– Hiding PII data in documents from some users.
• Improved auditing
• More external authentication protocols
• External access control privileges
– Central management of ACL and MongoDB able to
externally read them
Presenter note (on slide 9): mongod does not even need to know the password hash! You can centralize your authentication service.