MongoDB 2.4 Security Features

#MongoDBdays

MongoDB Security
Edouard Servan-Schreiber, Ph.D.
Director of Solution Architecture
10gen

Security against Trespassing
• Data in flight

• Data at rest

MongoDB SSL
SSL encryption SSL encryption
for client for inter-server
connection traffic

Primary Secondary
Application

Data Files Data Files

Keyfile establishes trust domain

http://docs.mongodb.org/manual/administration/ssl/

MongoDB - Gazzang
• File System Encryption
• 5% performance hit with HDD, 10-15% with
SSD

Gazzang
Key Mgmt

OS Gazzang

File System – All contents encrypted

Security against Insider Abuse
• Authentication
– Are you who you claim to be?

• Authorization
– Do you have access privileges to do what you want to do?

• Auditing
– Can I trace your activities for future verification?

New with MongoDB 2.4
• Authentication
– External authentication with kerberos

• Authorization
– Improved granularity of powers within a cluster to contain
abuse

• Auditing
– Userid’s added to audit logs

Authentication
• 2.2
– Admin users and single db users
– No external auth
– No sense of user across databases
• Had to redefine user in several databases
• 2.4
– External authentication with kerberos
– Can “source” users from different databases

Authentication with only pwd
hash
• Use one-way function F

I am “edouard@10gen.com”, let me in

Knows
Mongod only my
Prove it, here is a random # N
passwor
d hash

Here is F(N,
hash(<mypwd>))

Nobody else could know Hash never
that, welcome back edouard! transmitted
over the
network!

Authentication with Kerberos
(2.4)
I am “edouard@10gen.com”,
help me prove it to mongod
KDC
Here is a ticket for mongod

Here is a
Kerberos Welcome!
ticket

Mongod {
user: ”edouard@10gen.com",
roles: ["read"],
userSource: "$external"
}

AUTHORIZATION
Avoiding hierarchical powers Building Regional powers

VS

AUTHORIZATION
• Issues with 2.2
– No roles --- No access / Read / ReadWrite
– Hard to separate powers

• 2.4 introduces roles
– Admin level roles – DB level roles
• UserAdmin • User Admin
• ClusterAdmin • DB Admin
• Read
• ReadWrite

AUTHORIZATION
Corresponding
• Issues with 2.2 Admin level roles
for AllDatabases
– No roles --- No access / Read / ReadWrite
– Hard to separate powers

• 2.4 introduces roles
– Admin level roles – DB level roles
• UserAdmin • User Admin
• ClusterAdmin • DB Admin
• Read
• ReadWrite

Only useful
Admin DB Accnts DB
to hold pwd
hashes
• UserAdmin
• UserAdmin
• ClusterAdmin

App DB Product
• UserAdmi DB
n • UserAdmin
• dbAdmin • dbAdmin Customer
• ReadWrite BI DB •
• Read
ReadWrite DB
• UserAdmi • Read • UserAdmin
n • dbAdmin
• dbAdmin • ReadWrite
• ReadWrite • Read
• Read

I can do anything. I can add and
But I won’t be remove
required to do much shards, control the
balancer

DB Admin: UserAdmin DB Admin: ClusterAdmin
I can
I can grant
I can create new create
privileges to
users but I can’t indices, set
the App DB
grant them profiling,
only
privileges to other compact
DB’s

DB Accnts: userAdmin DB App: userAdmin DB App: dbAdmin

Only required to intervene if
I can do anything. cluster admin or any other
But I won’t be admin has to change.
required to do much
Can create new databases

Is not on the critical path of
any other activity.
DB Admin: UserAdmin

In Admin.system.users :

{ {
user: “edouard@10gen.com” , user: “edouard” ,
usersource: “$external” pwd: <hash>
OR
roles: [ “userAdmin” ] , roles: [ “userAdmin”,
otherDBroles: { } “userAdminAllDatabase” ] ,
} otherDBroles: { }
}

I can add and Manages the number of
remove shards, shards and the balancer
control the balancer,
update replSet Cannot act on other DBs
configs directly (e.g. cannot enable
sharding on a collection)

Cannot see any data
DB Admin: ClusterAdmin
Can be also the admin of all
In Admin.system.users : other databases with
“dbAdminAnyDatabase”
{
user: “edouard@10gen.com” , {
usersource: “$external” user: “edouard@10gen.com” ,
roles: [ “clusterAdmin” ] , usersource: “$external” ,
otherDBroles: { } roles: [ “clusterAdmin”,
} “dbAdminAnyDatabase“ ] ,
otherDBroles: { }
}

Manages the user list for the
I can create new cluster.
users but I can’t
grant them All users should have an
privileges on other entry in Accnts.system.users
DB’s and this role is able to create
them, while not letting them
see the user list.

DB Accnts: UserAdmin The Accnts DB is the
authentication center
In Accnts.system.users :
{
{ user: “richard” ,
user: “edouard”, pwd: <hash> ,
pwd: <hash>, roles: [ “read” ]
roles: [“userAdmin”] }
}
{
user: “asya” ,
pwd: <hash> ,
roles: [ ]
}

users but I can’t
see the user list.

{
{ user: “richard” , Richard can
user: “edouard”, pwd: <hash> , see the
pwd: <hash>, roles: [ “read” ] information
roles: [“userAdmin”] } about other
} users….
{
user: “asya” ,
pwd: <hash> ,
roles: [ ]
}

users but I can’t
see the user list.

{
{ user: “richard” ,
user: “edouard”, pwd: <hash> ,
Only the
pwd: <hash>, roles: [ ]
UserAdmin
roles: [“userAdmin”] }
should see
}
details about
{
other users
user: “asya” ,
pwd: <hash> ,
roles: [ ]
}

I can
I can grant Each DB’s userAdmin gets to
create
privileges to grant privileges separately
indices, set
the App DB
profiling,
only
compact

DB App: userAdmin DB App: dbAdmin

In App.system.users :

{ {
user: “richard” , user: “asya” ,
usersource: “Accnts” , usersource: “Accnts” ,
roles: [ “userAdmin” ] roles: [ “dbAdmin“ ] ,
} Credentials
from Accnts DB }

I do BI and
I am the app. The BI user needs to read
only need
I read and from the app DB in order to
to read
write to the access the data to be
from this
DB analyzed
DB
And needs to read/write in
another database dedicated
to BI results

DB App: readWrite DB App: read

In App.system.users : In BI.system.users :

{ { {
user: “appUser” , user: “BIUser” , user: “BIUser” ,
usersource: “Accnts” , usersource: “Accnts” , usersource: “Accnts” ,
roles: [ “readWrite” ] roles: [ “read“ ] , roles: [ “readWrite” ]
} } }

Simplifications
• No need for Accnts DB if all users are externally
authenticating
• UserAdmin of AdminDB can manage and assign
all the roles through {read, readWrite, dbAdmin,
userAdmin}AnyDatabase
– Roles: [“dbAdminAnyDatabase”, “readAnyDatabase”]

• Can assign otherDBRoles in
Admin.system.users, to grant privileges to only
some DB’s
– OtherDBRoles: { App: [ “Read”]
BI: [“UserAdmin”, “ReadWrite”] }

Case: one super user, one app
admin, one app regular user
ADMIN.system.users:

{ user: ”SuperUser",
userSource: "$external",
roles: [ APP.system.users:
“userAdmin”,"clusterAdmin"],
} { user: “AppUser”,
userSource: “$external”,
{ user: “ AppAdmin”, roles: [“readWrite”]
userSource:”$external”, }
roles: [ ],
otherDBRoles: {
app: [ “useradmin”, ”dbadmin" ]
}
}

Auditing - Logging
Monitor user activity:
– Logging to output userID associated with actions, when
available
– Sharded and single-node configurations
– Not a separate audit log

Future
– Partnership / ecosystem opportunities

Disclaimer
Statements about future releases, availability
dates, and feature content reflect plans only, and
10gen is under no obligation to include, develop
or make available, commercially or otherwise,
specific feature discussed a future MongoDB
build. Information is provided for general
understanding only, and is subject to change at
the sole discretion of 10gen in response to
changing market conditions, delivery schedules,
customer requirements, and/or other factors.

Future
• Field level obfuscation
– Blocking PPI data in documents from some users.

• Improved auditing
• More external authentication protocols
• External access control privileges
– Central management of ACL and MongoDB able to
externally read them

MongoDB 2.4 Security Features

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (19)

En vedette

En vedette (13)

Similaire à MongoDB 2.4 Security Features

Similaire à MongoDB 2.4 Security Features (20)

Plus de MongoDB

Plus de MongoDB (20)

MongoDB 2.4 Security Features

Notes de l'éditeur