Webinar: MongoDB 2.6 New Security Features

This webinar will cover new security features in MongoDB 2.6 including x.509 authentication, user defined roles, collection level access control, enterprise features like LDAP authentication and auditing, and many other SSL features. We will first give a brief overview of security features through MongoDB 2.4 then cover new features in 2.6 and coming releases.

Transcript

  • 1. MongoDB 2.6 New Security Features
    Matt Kalan, Sr. Solutions Architect, MongoDB
    Dylan Tong, Sr. Solutions Architect, MongoDB
  • 2. Agenda
    – Review security capabilities in v2.4
    – New features in v2.6
      • User Defined Roles
      • Access Control Improvements
      • Authentication: x509, LDAP
      • Auditing
      • SSL improvements
  • 3. Review Security in 2.4
  • 4. Authentication
    – User authentication
      • Basic challenge-response: hashed password managed in MongoDB
      • Kerberos integration using SASL (Enterprise): connects to an existing Kerberos infrastructure; passwords are managed in the existing system, not in MongoDB
      • These can be combined on the same server if desired
    – Cluster authentication via shared keyfile
  • 5. Authorization/Access Control
    – Standard roles assigned in MongoDB
    – Usernames are stored in MongoDB and have role(s) assigned to them
    – Standard roles can be combined to build the permissioning a user needs
    – Lowest granularity is the database
  • 6. Auditing
    – Only a small set of operations are logged
    – Logged in the main Mongo server log
    – IBM Guardium integration for enterprise policy-based security monitoring
  • 7. Encryption
    – Data in transit: SSL between all MongoDB components is in the Enterprise version, or build in your own SSL library from the open source version
    – Data at rest: the customer chooses to use an encrypted file system
  • 8. Upcoming Features in 2.6
  • 9. Access Control
  • 10. Role Access Control (example roles from the diagram)
    – Application Server Role: Read & Write on Application Database
    – BI Role: Read Only on Application Database
    – DBA Role: Read & Write on Application Database; Administration on Application Databases; Administration on MongoDB Cluster
  • 11. Advanced Role Access Control
    Scenario: Multi-tenant Database as a Service
    – Landlord: cluster-wide administration rights, e.g. provision and remove tenants (create and drop database)
    – Landlord Assistant: service-wide scope
    – Tenant DBA: tenant-level scope; DBA rights within the scope of a single tenant, e.g. delegating rights within the scope of the tenant
    – Tenant App Server and Tenant BI roles: scoped to the tenant
  • 12. Enhancements Needed!
    Current version:
      1. Privileges are limited to what is pre-defined.
      2. Access controls are limited to the database level.
    Upcoming version 2.6:
      1. User defined privileges and roles are possible!
      2. Access controls can be defined at the collection level!
  • 13. Access Management
    Previous to version 2.6, user privileges are pre-defined:
    – Read: provides the privilege to run read-type operations on a database, like find().
    – Read/Write: provides the privilege to run write-type operations on a database, like update(), insert() and remove().
    – User Admin: provides the privilege to modify users, such as creating users and modifying user privileges.
    – Database Admin: provides the privileges to run administrative commands scoped to a database.
    – Cluster Admin: provides the privileges to run administrative commands scoped to the cluster.
  • 14. Example of Privilege
    The actual privilege definition is a pre-defined list of operations. Read privilege = find, aggregate, checkShardingIndex, cloneCollectionAsCapped, collStats, count, dataSize, dbHash, dbStats, distinct, filemd5, geoNear, geoSearch, geoWalk, group, mapReduce (inline output only), text (beta feature).
  • 15. User Defined Role Concept
    – Action: an operation, e.g. find, ensureIndex
    – Resource: a system object that an action can be performed on, e.g. a database or a collection
    – Privilege: a set of actions on a given resource, e.g. the read action (run a find query) on the "Tweets" collection
    – Role: a grouping of privileges; may also contain other roles
    – User: users are assigned roles
  • 16. Example Use Case
    Scenario: Multi-tenant Database as a Service
    Landlord Administrator (example role):
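The following is an added example, not a slide from the webinar and not MongoDB's own code: it models the slide 15 role concept (privilege = actions on a resource, roles group privileges and may contain other roles, users hold roles) and the slide 16 multi-tenant scenario, with collection-level scoping as slide 12 describes. The role definitions are constructed sample data in the shape `db.createRole()` takes; the role names (landlord, tenantReader, tweetsWriter) and the resolver functions are assumptions for illustration.

```javascript
// Constructed sample roles keyed as "<role>@<db>", in db.createRole() shape.
// Resource conventions modelled after MongoDB 2.6 resource documents:
//   { db: "", collection: "" }  = every normal resource
//   { db: "x", collection: "" } = every collection in db x
//   { db: "", collection: "c" } = collection c in every db
//   { cluster: true }           = the cluster itself
const roles = {
  // landlord (slide 11): provision and remove tenants cluster-wide
  "landlord@admin": {
    privileges: [
      { resource: { cluster: true }, actions: ["listDatabases"] },
      { resource: { db: "", collection: "" }, actions: ["createCollection", "dropDatabase"] },
    ],
    roles: [],
  },
  // read everything inside one tenant's database
  "tenantReader@tenantA": {
    privileges: [{ resource: { db: "tenantA", collection: "" }, actions: ["find"] }],
    roles: [],
  },
  // write only to the tweets collection, and inherit tenantReader
  "tweetsWriter@tenantA": {
    privileges: [{ resource: { db: "tenantA", collection: "tweets" }, actions: ["insert", "update", "remove"] }],
    roles: [{ role: "tenantReader", db: "tenantA" }],
  },
};

// Does a granted resource document cover the requested one?
function resourceMatches(granted, requested) {
  if (granted.cluster || requested.cluster) {
    return Boolean(granted.cluster) && Boolean(requested.cluster);
  }
  const dbOk = granted.db === "" || granted.db === requested.db;
  const collOk = granted.collection === "" || granted.collection === requested.collection;
  return dbOk && collOk;
}

// Flatten a set of role references (and the roles they contain) into privileges.
function resolvePrivileges(roleRefs, seen = new Set()) {
  const out = [];
  for (const ref of roleRefs) {
    const key = `${ref.role}@${ref.db}`;
    if (seen.has(key)) continue; // guard against role cycles
    seen.add(key);
    const def = roles[key];
    if (!def) throw new Error(`unknown role ${key}`);
    out.push(...def.privileges, ...resolvePrivileges(def.roles, seen));
  }
  return out;
}

// Authorization check: does any privilege of the user's roles grant `action` on `target`?
function can(userRoles, action, target) {
  return resolvePrivileges(userRoles).some(
    (p) => p.actions.includes(action) && resourceMatches(p.resource, target)
  );
}
```

A user holding tweetsWriter@tenantA can insert into tenantA.tweets and find in any tenantA collection, but cannot insert into tenantA.users or read tenantB, which is the collection-level and tenant-level scoping the slides describe.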
  • 17. Authentication
  • 18. Leverage Existing Standards
    Existing security infrastructure: identity management infrastructure, access management, directory services
    – Leverage existing security infrastructure
    – Corporate security policies
    – Industry standards and compliance
    – Centralized management, e.g. centralized user/identity management
  • 19. Authentication against existing security infrastructure
    – Kerberos (version 2.4+): identity management infrastructure; partner integrations, e.g. Linux IdM
    – LDAP (version 2.6+): access management / directory services
    – X509 (version 2.6+)
    Primary: client authentication. Secondary: inter-process authentication.
  • 20. Authentication
    Same diagram as slide 19 (identity management infrastructure, access management, directory services; primary client authentication, secondary inter-process authentication), with a spoofed secondary shown on the inter-process authentication path.
  • 21. X509 Authentication Benefits
    Don't have infrastructure in place? No problem! It is easy to leverage external infrastructure: cloud solutions are commonplace. You use x509 certificates every day through your web browser!
    Client authentication without the disadvantages of passwords:
      • Weak passwords: guessable, brute-forceable
      • Can be stolen: wiretap, careless misplacing
      • Maintenance: easy to forget; too many passwords!
      • Re-usable: leaked by the weakest link
  • 22. MongoDB LDAP Authorization Integration
    Components: application (driver), mongod, saslauthd, LDAP server, permissioning product. Flow as numbered on the slide:
    0) db.addUser( { …, userSource: $external, … } )
    1) saslauthd config file
    2) setParameter: saslauthdPath=…, authenticationMechanisms=…, auth=true
    3) Application driver authenticates against the $external db: db.auth( {…} )
    4) mongod passes uname/pw to saslauthd
    5) saslauthd checks the credentials against the LDAP server
    6) OK or NO (LDAP server to saslauthd)
    7) OK or NO (saslauthd to mongod)
    8) Success = 1, Failed = 0 returned to the driver
    The password is sent in cleartext => SSL recommended
  • 23. Auditing
  • 24. MongoDB Native Auditing
    Audited events:
      • Schema (DDL) operations
      • Replica set operations
      • Authentication and authorization operations
      • General operations
    Deployment in the diagram: application, Mongo shell and driver connect to mongos, started with --auditLog, --auditPath and --auditFilter; behind it Shard 1 … Shard N, each a replica set with a Primary and Secondaries.
    Output:
      • Syslog
      • Console
      • Text file
      • BSON file
  • 25. SSL Improvements
  • 26. SSL Improvements
    – Optionally prompt for SSL certificate passphrases at server startup
    – Command-line tools now support SSL
    – MongoDB allows only strong SSL ciphers
    – Support for SSL and non-SSL connections on the same port
  • 27. Summary
    – New features in v2.6
      • User Defined Roles
      • Access Control Improvements
      • Authentication: x509, LDAP
      • Auditing
      • SSL improvements
    – Release Notes for MongoDB 2.6 (Development Series 2.5.x): http://docs.mongodb.org/master/release-notes/2.6/
  • 28. For More Information
    – MongoDB Downloads: mongodb.com/download
    – Free Online Training: education.mongodb.com
    – Webinars and Events: mongodb.com/events
    – White Papers: mongodb.com/white-papers
    – Case Studies: mongodb.com/customers
    – Presentations: mongodb.com/presentations
    – Documentation: docs.mongodb.org
    – Additional Info: info@mongodb.com
