Webinar: MongoDB 2.4 Feature Overview and Q&A on Security

In version 2.4, MongoDB Enterprise includes Kerberos support for integration into existing enterprise security systems, as well as role-based privileges to provide more granular security for your cluster. This session will introduce you to the new security features available in MongoDB.

  • system.users collection with hashed password
  • mongod does not even need to know the password hash! You can centralize your authentication service – SPOF & SOS
  • read: access to read documents; readWrite: access to read and write documents; userAdmin: manage and modify user access to a db; dbAdmin: compact, repair, validate etc.; clusterAdmin: operations on shards
  • With SSD, the time spent processing data between OS and disk gets proportionally larger since SSDs are so much faster, so the perf hit is 15%. You still get a major upgrade in speed, but encrypting and decrypting take a larger share.
  • Transcript

    • 1. Securing Your MongoDB Implementation. Matt Kalan, Sr. Solutions Architect, 10gen (@MatthewKalan)
    • 2. Agenda: 1. Securing MongoDB 2.2; 2. Securing MongoDB 2.4; 3. Outside MongoDB; 4. Documentation & Notifications; 5. Conclusion; 6. Futures; 7. Questions
    • 3. Securing MongoDB 2.2
    • 4. Securing MongoDB 2.2. Authentication – simple user/password scheme stored in MongoDB. Authorization – per database: no access, read, or read-write. Auditing – very little.
    • 5. MongoDB SSL. Keyfile establishes trust (http://docs.mongodb.org/manual/administration/ssl/). SSL encryption for the client connection (Application to Primary) and for inter-server traffic (Primary to Secondary); each node has its own data files.
    • 6. Securing MongoDB 2.4
    • 7. Authentication
    • 8. Authentication with password hash. Use a one-way function F. Client: “I am ‘mark@10gen.com’, let me in.” mongod: “Prove it, here is a random # N.” Client: “Here is F(N, hash(<mypwd>)).” mongod: “Nobody else could know that, welcome back marko!” mongod knows only my password hash, and the hash is never transmitted over the network!
    • 9. External Authentication. Use common / standardized authentication. SASL: Simple Authentication and Security Layer – a framework for building authentication. Kerberos – GSSAPI, drivers will be updated; mixed system.users can work during the transition.
    • 10. Authentication with Kerberos. 1. Client to KDC (UDP:88): “I am ‘mark@10gen.com’, help me prove it to mongod.” 2. KDC: “Here is a TGT.” 3. Client to KDC: “Here is a Kerberos TGT.” 4. KDC: “Welcome, here is a Service Ticket!” The client presents the service ticket to mongod (TCP:27017), which verifies it with its keytab and maps the principal to {user: "mark@10gen.com", roles: ["readWrite"], userSource: "$external"}.
    • 11. Starting the Database: env KRB5_KTNAME=/etc/kserver1b.keytab mongod --auth --setParameter authenticationMechanisms=GSSAPI --dbpath /data/db --fork --logpath /var/tmp/mongod_auth.log --replSet realm4 --keyFile /etc/keyfile
    • 12. Authenticating & Connecting: # kinit mongouser … # klist … (ticket valid 03/11/13 09:30:30 to 03/12/13 09:30:30) … # mongo mongodb.10gen.com/$external --authenticationMechanism=GSSAPI -u mongouser@10GEN.COM
    • 13. Authorization
    • 14. Authorization. Issues with 2.2 – only read / readWrite; an edge case with possible privilege escalation. 2.4 introduces roles – admin-level roles: userAdmin, clusterAdmin; DB-level roles: userAdmin, dbAdmin, read, readWrite; plus corresponding admin-level roles for “AnyDatabase”.
    • 15. Admin DB: clusterAdmin; AnyDatabase roles. (Image source: https://wellsted135.files.wordpress.com/2012/10/special.gif)
    • 16. Super-User: userAdmin & userAdminAnyDatabase. Only these users can view details about other users (the system.users collection).
    • 17. Admin DB: userAdmin, clusterAdmin. Accounts DB: userAdmin (holds the password hashes). App1 DB: userAdmin, dbAdmin, readWrite, read. App2 DB: userAdmin, dbAdmin, readWrite, read.
    • 18. DB Admin: userAdmin – “I can do anything, but I won’t be required to do much.” DB Admin: clusterAdmin – “I can add and remove shards.” DB Accounts: userAdmin – “I can create new users, but I can’t grant them privileges to other DBs.” DB App: userAdmin – “I can grant privileges to the App DB only.” DB App: dbAdmin – “I can create indices, set profiling, compact.”
    • 19. In App.system.users: {user: "fred", userSource: "Accounts", roles: ["userAdmin"]} and {user: "george", userSource: "Accounts", roles: ["dbAdmin"]}. Credentials come from the Accounts DB; each DB’s userAdmin gets to grant privileges separately. DB App: userAdmin – “I can grant privileges to the App DB only.” DB App: dbAdmin – “I can create indices, set profiling, compact.”
    • 20. Auditing
    • 21. Additional Logging. Monitor user activity – userID added to standard output; no separate audit log; much more coming in 2.6.
    • 22. Validation
    • 23. Validation: objcheck – helps prevent DoS; validates input; SERVER-7769 (on by default)
    • 24. JS Engine
    • 25. JS Engine: move to V8 – primarily for performance reasons, but with some security benefits; restrictions on $where (SERVER-9124) & M/R/F; see SERVER-8104 & the 2.4 Release Notes
    • 26. Outside MongoDB
    • 27. Outside MongoDB. Firewalls – iptables & netsh; ports, addresses, times, throttling etc. File system – encrypt (Gazzang) [HIPAA, PCI, SOX]. Best practices – internal policies (password reuse, scanning etc.)
    • 28. MongoDB Partners with Gazzang: file system encryption; 5% performance hit with HDD, 10–15% with SSD. File system – all contents encrypted; layers: OS, Gazzang, Gazzang Key Mgmt
    • 29. Documentation &Notifications
    • 30. Documentation. Manual – http://docs.mongodb.org/manual/security/: security features within MongoDB; best practices & strategies; tutorials; vulnerability notifications
    • 31. Potential Security Issues. How do YOU know? – MongoDB Alerts. How, what, where? – Vulnerability Notification; Jira (HTTPS) & (secure) email
    • 32. Future features
    • 33. Disclaimer: Statements about future releases, availability dates, and feature content reflect plans only, and 10gen is under no obligation to include, develop or make available, commercially or otherwise, any specific feature discussed in a future MongoDB build. Information is provided for general understanding only, and is subject to change at the sole discretion of 10gen in response to changing market conditions, delivery schedules, customer requirements, and/or other factors.
    • 34. Future features. Auditing – logging to output the userID associated with actions (SERVER-1891). Passwords – stronger hashing (SERVER-2380). Authorization – user-defined roles & more granularity. SSL – client & security improvements
    • 35. Conclusion
    • 36. Conclusion: 2.2 needed improvement for security; 2.4 is much better & enterprise-level; authentication & authorization; within & outside
    • 37. Thanks to Mike Stimpson for the awesome pics: http://imgur.com/a/0XvKw
    • 38. Questions? Matt Kalan, Sr. Solutions Architect, 10gen (@MatthewKalan)