Webinar: MongoDB 2.4 Feature Overview and Q&A on Security

In version 2.4, MongoDB Enterprise includes Kerberos support for integration into existing enterprise security systems, as well as role-based privileges to provide more granular security for your cluster. This session will introduce you to the new security features available in MongoDB.

  • system.users collection with hashed password
  • MongoD does not even need to know the password hash! You can centralize your authentication service (SPOF & SOS)
  • read: access to read documents; readWrite: access to read and write documents; userAdmin: manage, modify user access to a db; dbAdmin: compact, repair, validate etc.; clusterAdmin: stuff with shards
  • With SSD, the time spent processing data between OS and disk gets proportionally larger since SSDs are so much faster, so the perf hit is 15%. You still get a major upgrade in speed, but encrypting and decrypting take a larger share.

Presentation Transcript

  • Securing Your MongoDB Implementation
    Matt Kalan, Sr. Solutions Architect, 10gen (@MatthewKalan)
  • Agenda
    1. Securing MongoDB 2.2
    2. Securing MongoDB 2.4
    3. Outside MongoDB
    4. Documentation & Notifications
    5. Conclusion
    6. Futures
    7. Questions
  • Securing MongoDB 2.2
  • Securing MongoDB 2.2
    – Authentication: simple user/password scheme stored in MongoDB
    – Authorization: per database: no access, read, or read-write
    – Auditing: very little
  • MongoDB SSL
    – Keyfile establishes trust
    – SSL encryption for the client connection (Application to Primary)
    – SSL encryption for inter-server traffic (Primary to Secondary, each with its own Data Files)
    – http://docs.mongodb.org/manual/administration/ssl/
  • Securing MongoDB 2.4
  • Authentication
  • Authentication with password hash
    – Use one-way function F
    – Client: I am "mark@10gen.com", let me in
    – mongod: Prove it, here is a random # N
    – Client: Here is F(N, hash(<mypwd>))
    – mongod: Nobody else could know that, welcome back marko!
    – mongod knows only my password hash
    – Hash never transmitted over the network!
  • External Authentication
    – Use common / standardized authentication
    – SASL: Simple Authentication and Security Layer: framework for building authentication
    – Kerberos: GSSAPI, drivers will be updated; mixed system.users can work during transition
  • Authentication with Kerberos
    1. Client to KDC (UDP:88): I am "mark@10gen.com", help me prove it to mongod
    2. KDC: Here is a TGT
    3. Client to mongod (TCP:27017): Here is a Kerberos TGT
    4. Welcome, here is a Service Ticket!
    – mongod user document: {user: "mark@10gen.com", roles: ["readWrite"], userSource: "$external"}
    – mongod holds a Keytab
  • Starting the Database
    env KRB5_KTNAME=/etc/kserver1b.keytab mongod --auth --setParameter authenticationMechanisms=GSSAPI --dbpath /data/db --fork --logpath /var/tmp/mongod_auth.log --replSet realm4 --keyFile /etc/keyfile
  • Authenticating & Connecting
    # kinit mongouser
    …
    # klist
    …
    03/11/13 09:30:30  03/12/13 09:30:30
    …
    # mongo mongodb.10gen.com/$external --authenticationMechanism=GSSAPI -u mongouser@10GEN.COM
  • Authorization
  • Authorization
    – Issues with 2.2: only read / readWrite; edge case with possible privilege escalation
    – 2.4 introduces roles
    – Admin level roles: userAdmin, clusterAdmin
    – DB level roles: userAdmin, dbAdmin, read, readWrite
    – Corresponding admin level roles for "AnyDatabase"
  • Admin DB: clusterAdmin, AnyDatabase roles (image source: https://wellsted135.files.wordpress.com/2012/10/special.gif)
  • Super-User: userAdmin & userAdminAnyDatabase are the super-users; only these users can view details about other users (system.users collection)
  • Admin DB: userAdmin, clusterAdmin
    Accounts DB: userAdmin (holds the password hashes)
    App1 DB: userAdmin, dbAdmin, readWrite, read
    App2 DB: userAdmin, dbAdmin, readWrite, read
  • DB Admin: userAdmin: "I can do anything but I won't be required to do much"
    DB Admin: clusterAdmin: "I can add and remove shards"
    DB Accounts: userAdmin: "I can create new users but I can't grant them privileges to other DBs"
    DB App: userAdmin: "I can grant privileges to the App DB only"
    DB App: dbAdmin: "I can create indices, set profiling, compact"
  • In App.system.users:
    {user: "fred", userSource: "Accounts", roles: ["userAdmin"]}
    {user: "george", userSource: "Accounts", roles: ["dbAdmin"]}
    – Credentials come from the Accounts DB
    – Each DB's userAdmin gets to grant privileges separately
    – DB App: userAdmin: "I can grant privileges to the App DB only"
    – DB App: dbAdmin: "I can create indices, set profiling, compact"
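The role model of the last few slides (admin-only roles, per-database roles, userSource pointing at the Accounts DB, and each database's userAdmin granting privileges only for its own database) as an added example, not code from the webinar or from MongoDB itself. The role names and their scopes are the ones the slides list; the action names and the system.users documents are constructed for the demo.

```javascript
// Added example, not from the webinar: a small evaluator for the 2.4 role model
// the slides describe. Role names and scopes are those listed on the slides; the
// action names and the system.users documents below are constructed for the demo.

// Database-level roles and the actions each permits in that one database.
const DB_ROLE_ACTIONS = {
  read:      new Set(["find"]),
  readWrite: new Set(["find", "insert", "update", "remove"]),
  dbAdmin:   new Set(["createIndex", "setProfilingLevel", "compact"]),
  userAdmin: new Set(["addUser", "grantRole", "viewUsers"]),
};

// Roles that exist only in the admin database. The *AnyDatabase variants apply a
// db-level role everywhere; clusterAdmin covers shard management.
const ADMIN_ROLE_ACTIONS = {
  clusterAdmin:         new Set(["addShard", "removeShard"]),
  readAnyDatabase:      DB_ROLE_ACTIONS.read,
  readWriteAnyDatabase: DB_ROLE_ACTIONS.readWrite,
  dbAdminAnyDatabase:   DB_ROLE_ACTIONS.dbAdmin,
  userAdminAnyDatabase: DB_ROLE_ACTIONS.userAdmin,
};

// Constructed <db>.system.users contents mirroring the slides: the App entries
// carry no pwd, because with userSource: "Accounts" the password hashes live in
// Accounts only, and each database's userAdmin grants privileges for that database.
const systemUsers = {
  admin:    [{ user: "ops",    pwd: "<hash>", roles: ["clusterAdmin"] }],
  Accounts: [{ user: "alice",  pwd: "<hash>", roles: ["userAdmin"] },
             { user: "fred",   pwd: "<hash>", roles: [] },
             { user: "george", pwd: "<hash>", roles: [] }],
  App:      [{ user: "fred",   userSource: "Accounts", roles: ["userAdmin"] },
             { user: "george", userSource: "Accounts", roles: ["dbAdmin"] }],
};

const findUser = (users, db, user) => (users[db] || []).find((u) => u.user === user);

// Which database holds the credentials for `user` as listed in `db`?
function credentialDb(users, db, user) {
  const entry = findUser(users, db, user);
  return entry ? entry.userSource || db : null;
}

// May `user` perform `action` on `targetDb`? Privileges come from the user's entry
// in targetDb (db-level roles) plus any admin-only or *AnyDatabase roles in admin.
function isAllowed(users, user, action, targetDb) {
  const entry = findUser(users, targetDb, user);
  if (entry && entry.roles.some((r) => DB_ROLE_ACTIONS[r] && DB_ROLE_ACTIONS[r].has(action))) {
    return true;
  }
  const adminEntry = findUser(users, "admin", user);
  if (!adminEntry) return false;
  return adminEntry.roles.some((r) => {
    const actions = ADMIN_ROLE_ACTIONS[r];
    if (!actions) return false;
    // clusterAdmin commands are issued against the admin db itself
    if (r === "clusterAdmin") return targetDb === "admin" && actions.has(action);
    return actions.has(action);
  });
}

// Grant a db-level `role` to `target` in `db`. Only a userAdmin of that database
// (or userAdminAnyDatabase in admin) may do this, which is the separation the
// "I can grant privileges to the App DB only" slide describes.
function grantRole(users, grantor, db, target, role) {
  if (!isAllowed(users, grantor, "grantRole", db)) return false;
  if (!DB_ROLE_ACTIONS[role]) return false;
  const entry = findUser(users, db, target);
  if (!entry) return false;
  if (!entry.roles.includes(role)) entry.roles.push(role);
  return true;
}
```

With these documents, alice (userAdmin in Accounts) can manage users in Accounts but cannot grant anything in App, while fred's userAdmin entry in App lets him grant george readWrite there and nothing else; ops holds clusterAdmin in admin and gets no read access to application data from it.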
  • Auditing
  • Additional Logging
    – Monitor user activity: userID added to standard output
    – No separate audit log
    – Much more coming in 2.6
  • Validation
  • Validation
    – Objcheck: helps prevent DOS, validates input
    – SERVER-7769 (default)
  • JS Engine
  • JS Engine
    – Move to V8: primarily performance reasons but some security benefits
    – Restrictions on $where (SERVER-9124) & M/R/F
    – SERVER-8104 & 2.4 Release Notes
  • Outside MongoDB
  • Outside MongoDB
    – Firewalls: iptables & netsh; ports, addresses, times, throttle etc.
    – File system: encrypt (Gazzang) [HIPAA, PCI, SOX]
    – Best practices: internal policies (password reuse, scan etc.)
  • MongoDB Partners with Gazzang
    – File system encryption
    – 5% performance hit with HDD, 10-15% with SSD
    – File system: all contents encrypted; layers: OS, Gazzang, Gazzang Key Mgmt
  • Documentation & Notifications
  • Documentation
    – Manual: http://docs.mongodb.org/manual/security/
    • Security features within MongoDB
    • Best practices & strategies
    • Tutorials
    • Vulnerability notifications
  • Potential Security Issues
    – How do YOU know? MongoDB Alerts
    – How, what, where? Vulnerability Notification: Jira (HTTPS) & (Secure) Email
  • Future features
  • Disclaimer: Statements about future releases, availability dates, and feature content reflect plans only, and 10gen is under no obligation to include, develop or make available, commercially or otherwise, specific features discussed in a future MongoDB build. Information is provided for general understanding only, and is subject to change at the sole discretion of 10gen in response to changing market conditions, delivery schedules, customer requirements, and/or other factors.
  • Future features
    – Auditing: logging to output userID associated with actions (SERVER-1891)
    – Passwords: stronger hashing (SERVER-2380)
    – Authorization: user defined & more granularity
    – SSL: client & security improvements
  • Conclusion
  • Conclusion
    – 2.2 needed improvement for security
    – 2.4 is much better & Enterprise-Level
    – Authentication & Authorization
    – Within & Outside
  • Thanks: thanks to Mike Stimpson for the awesome pics http://imgur.com/a/0XvKw
  • Questions?
    Matt Kalan, Sr. Solutions Architect, 10gen (@MatthewKalan)