Webinar: MongoDB 2.4 Feature Overview and Q&A on Security


In version 2.4, MongoDB Enterprise includes Kerberos support for integration into existing enterprise security systems, as well as role-based privileges to provide more granular security for your cluster. This session will introduce you to the new security features available in MongoDB.

Speaker notes
  • system.users collection with hashed password
  • mongod does not even need to know the password hash! You can centralize your authentication service – SPOF & SOS
  • read: access to read documents; readWrite: access to read and write documents; userAdmin: manage, modify user access to a db; dbAdmin: compact, repair, validate etc.; clusterAdmin: stuff with shards
  • With SSD, as the time spent processing data between OS and disk gets proportionally larger since SSDs are so much faster, it means the perf hit is 15%. You still get a major upgrade in speed, but encrypting and decrypting take a larger share.

Transcript

  • 1. Securing Your MongoDB Implementation
    Matt Kalan, Sr. Solutions Architect, 10gen (@MatthewKalan)
  • 2. Agenda
    1. Securing MongoDB 2.2
    2. Securing MongoDB 2.4
    3. Outside MongoDB
    4. Documentation & Notifications
    5. Conclusion
    6. Futures
    7. Questions
  • 3. Securing MongoDB 2.2
  • 4. Securing MongoDB 2.2
    Authentication – Simple user/password scheme stored in MongoDB
    Authorization – Per database: no access, read, or read-write
    Auditing – Very little
  • 5. MongoDB SSL
    Keyfile establishes trust (http://docs.mongodb.org/manual/administration/ssl/)
    Diagram: Application -> Primary (SSL encryption for client connection); Primary <-> Secondary (SSL encryption for inter-server traffic); each server has its own Data Files.
  • 6. Securing MongoDB 2.4
  • 7. Authentication
  • 8. Authentication with password hash
    Use a one-way function F. mongod knows only my password hash; the hash is never transmitted over the network.
    1. Client: I am "mark@10gen.com", let me in.
    2. mongod: Prove it, here is a random # N.
    3. Client: Here is F(N, hash(<mypwd>)).
    4. mongod: Nobody else could know that, welcome back marko!
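The exchange on slide 8, run end to end as an added example (this is illustration code, not code from the presentation or from MongoDB). The stored-hash layout md5("user:mongo:password") and the response md5(nonce + user + hash) follow the MONGODB-CR construction as I recall it; treat the exact string layout, and the class and function names, as assumptions. Besides the happy path it shows two properties a practitioner should take from the slide: a captured response is useless once mongod issues a fresh nonce, but the stored hash itself is a full credential, since the client never needs the cleartext password (which is why slide 34's "Stronger Hashing" item matters).

```python
import hashlib
import hmac
import secrets


def password_hash(user: str, password: str) -> str:
    # What system.users stores. Layout is the MONGODB-CR one as I recall it
    # (md5 of "user:mongo:password"); the exact string is an assumption here.
    return hashlib.md5(f"{user}:mongo:{password}".encode()).hexdigest()


def response_key(nonce: str, user: str, pwd_hash: str) -> str:
    # The slide's F(N, hash(pwd)): a one-way function over the nonce and the stored hash.
    return hashlib.md5((nonce + user + pwd_hash).encode()).hexdigest()


class Mongod:
    """Server side: holds only hashes and issues one nonce per login attempt."""

    def __init__(self):
        self.system_users = {}   # user -> password hash (models system.users)
        self.nonces = {}         # user -> outstanding nonce N

    def add_user(self, user, password):
        self.system_users[user] = password_hash(user, password)

    def get_nonce(self, user):
        self.nonces[user] = secrets.token_hex(8)   # random N, fresh per attempt
        return self.nonces[user]

    def authenticate(self, user, key):
        nonce = self.nonces.pop(user, None)        # single use: an old key cannot be replayed
        stored = self.system_users.get(user)
        if nonce is None or stored is None:
            return False
        # constant-time compare so the check itself leaks nothing about the expected key
        return hmac.compare_digest(response_key(nonce, user, stored), key)


def login(server, user, password=None, pwd_hash=None):
    """Client side. Passing pwd_hash instead of password shows the hash alone suffices."""
    if pwd_hash is None:
        pwd_hash = password_hash(user, password)
    nonce = server.get_nonce(user)
    return server.authenticate(user, response_key(nonce, user, pwd_hash))


def demo():
    s = Mongod()
    s.add_user("mark@10gen.com", "correct horse")     # constructed sample credentials
    out = {
        "right_password": login(s, "mark@10gen.com", "correct horse"),
        "wrong_password": login(s, "mark@10gen.com", "battery staple"),
        "unknown_user": login(s, "mallory", "anything"),
        # pass-the-hash: a copy of system.users is enough to log in
        "hash_only": login(s, "mark@10gen.com", pwd_hash=s.system_users["mark@10gen.com"]),
    }
    # Replay: capture a valid key, then resend it after mongod issued a new nonce.
    nonce = s.get_nonce("mark@10gen.com")
    key = response_key(nonce, "mark@10gen.com", s.system_users["mark@10gen.com"])
    out["fresh_key"] = s.authenticate("mark@10gen.com", key)
    s.get_nonce("mark@10gen.com")
    out["replayed_key"] = s.authenticate("mark@10gen.com", key)
    return out


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:16s} {'accepted' if ok else 'rejected'}")
```

The nonce must be unpredictable and single-use; reusing it turns the scheme into a static password equivalent. Note also that nothing here authenticates mongod to the client, which is what the SSL material on slide 5 is for.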
  • 9. External Authentication
    Use common / standardized authentication
    SASL: Simple Authentication and Security Layer – Framework for building authentication
    Kerberos – GSSAPI, drivers will be updated – Mixed system.users can work during transition
  • 10. Authentication with Kerberos
    1. Client -> KDC (UDP:88): I am "mark@10gen.com", help me prove it to mongod.
    2. KDC -> Client: Here is a TGT.
    3. Client -> mongod (TCP:27017): Here is a Kerberos ticket.
    4. mongod -> Client: Welcome, here is a Service Ticket!
    mongod holds a keytab. The user record in MongoDB carries no password: {user: "mark@10gen.com", roles: ["readWrite"], userSource: "$external"}
    The diagram compresses one step of the Kerberos flow: the TGT goes back to the KDC to obtain a service ticket for mongod's principal, and it is that service ticket, not the TGT, that the client presents to mongod over TCP:27017 via GSSAPI; mongod verifies it with the key in its keytab.
  • 11. Starting the Database
    env KRB5_KTNAME=/etc/kserver1b.keytab mongod --auth \
      --setParameter authenticationMechanisms=GSSAPI \
      --dbpath /data/db --fork --logpath /var/tmp/mongod_auth.log \
      --replSet realm4 --keyFile /etc/keyfile
  • 12. Authenticating & Connecting
    # kinit mongouser
    …
    # klist
    …
    03/11/13 09:30:30  03/12/13 09:30:30
    …
    # mongo mongodb.10gen.com/$external --authenticationMechanism=GSSAPI -u mongouser@10GEN.COM
  • 13. Authorization
  • 14. Authorization
    Issues with 2.2 – Only read / readWrite – Edge-case with possible privilege escalation
    2.4 introduces roles
    – Admin level roles: userAdmin, clusterAdmin
    – DB level roles: userAdmin, dbAdmin, read, readWrite
    – Corresponding admin level roles for "AnyDatabase"
  • 15. Admin DB
    clusterAdmin; AnyDatabase
    Source: https://wellsted135.files.wordpress.com/2012/10/special.gif
  • 16. Super-User
    userAdmin & userAdminAnyDatabase are the super-users: only these users can view details about other users (the system.users collection)
  • 17. Roles per database
    Admin DB: userAdmin, clusterAdmin
    Accounts DB: userAdmin
    App1 DB: userAdmin, dbAdmin, readWrite, read
    App2 DB: userAdmin, dbAdmin, readWrite, read
    Password hashes
  • 18. What each role can do
    DB Admin: userAdmin – I can do anything but I won't be required to do much
    DB Admin: clusterAdmin – I can add and remove shards
    DB Accounts: userAdmin – I can create new users but I can't grant them privileges to other DBs
    DB App: userAdmin – I can grant privileges to the App DB only
    DB App: dbAdmin – I can create indices, set profiling, compact
  • 19. In App.system.users:
    {user: "fred", userSource: "Accounts", roles: ["userAdmin"]}
    {user: "george", userSource: "Accounts", roles: ["dbAdmin"]}
    Credentials come from the Accounts DB; each DB's userAdmin gets to grant privileges separately.
    DB App: userAdmin – I can grant privileges to the App DB only
    DB App: dbAdmin – I can create indices, set profiling, compact
  • 20. Auditing
  • 21. Additional Logging
    Monitor user activity:
    – userID added to standard output
    – No separate audit log
    – Much more coming in 2.6
  • 22. Validation
  • 23. Validation
    Objcheck – Helps prevent DoS – Validates input – SERVER-7769 (default)
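What an "objcheck" style input validation has to do, as an added example (my own illustration of the idea behind slide 23, not MongoDB's implementation of SERVER-7769). It walks a BSON document and refuses length fields that overrun the buffer, strings without terminators, documents without a terminator, and nesting deeper than a limit, all of which an unchecked parser would otherwise follow into reads past the buffer or unbounded recursion. Only the common BSON element types are handled, the 32-level depth limit is an assumed value, and the sample documents are constructed here, not captured traffic.

```python
import struct

MAX_DEPTH = 32   # assumed nesting limit for this illustration
MIN_DOC = 5      # int32 length + 0x00 terminator


class BsonError(ValueError):
    pass


def _need(pos, n, end):
    """Advance over n bytes of a fixed-size value without reading past the document."""
    if pos + n > end:
        raise BsonError(f"value of {n} bytes at {pos} overruns document end {end}")
    return pos + n


def _cstring(buf, pos, end):
    nul = buf.find(b"\x00", pos, end)
    if nul < 0:
        raise BsonError(f"unterminated key at {pos}")
    return buf[pos:nul], nul + 1


def _document(buf, pos, end, depth):
    if depth > MAX_DEPTH:
        raise BsonError(f"nesting deeper than {MAX_DEPTH}")
    if end - pos < MIN_DOC:
        raise BsonError("fewer than 5 bytes left for a document")
    (size,) = struct.unpack_from("<i", buf, pos)
    if size < MIN_DOC or pos + size > end:
        raise BsonError(f"declared size {size} does not fit in {end - pos} bytes")
    doc_end = pos + size
    p = pos + 4
    while True:
        if p >= doc_end:
            raise BsonError("document has no 0x00 terminator")
        etype, p = buf[p], p + 1
        if etype == 0x00:
            if p != doc_end:
                raise BsonError("bytes after terminator")
            return doc_end
        _key, p = _cstring(buf, p, doc_end)
        if etype in (0x01, 0x09, 0x12):          # double, UTC datetime, int64
            p = _need(p, 8, doc_end)
        elif etype == 0x10:                      # int32
            p = _need(p, 4, doc_end)
        elif etype == 0x08:                      # bool
            p = _need(p, 1, doc_end)
            if buf[p - 1] not in (0, 1):
                raise BsonError("bool byte must be 0 or 1")
        elif etype == 0x0A:                      # null: no payload
            pass
        elif etype == 0x02:                      # string: int32 len (incl. NUL), bytes, NUL
            p = _need(p, 4, doc_end)
            (slen,) = struct.unpack_from("<i", buf, p - 4)
            if slen < 1 or p + slen > doc_end or buf[p + slen - 1] != 0:
                raise BsonError(f"bad string length {slen} at {p - 4}")
            p += slen
        elif etype in (0x03, 0x04):              # embedded document / array
            p = _document(buf, p, doc_end, depth + 1)
        else:
            raise BsonError(f"unknown element type 0x{etype:02x}")


def objcheck(buf):
    """Return 'ok' for a well-formed document, otherwise the reason it was rejected."""
    try:
        if _document(buf, 0, len(buf), 0) != len(buf):
            return "trailing bytes after document"
        return "ok"
    except BsonError as e:
        return str(e)


# --- constructed samples (built here, not captured from a client) ---
def _string(key, s):
    v = s.encode() + b"\x00"
    return b"\x02" + key.encode() + b"\x00" + struct.pack("<i", len(v)) + v

def _int32(key, n):
    return b"\x10" + key.encode() + b"\x00" + struct.pack("<i", n)

def _doc(*elems):
    body = b"".join(elems) + b"\x00"
    return struct.pack("<i", 4 + len(body)) + body

GOOD = _doc(_string("user", "mark"), _int32("n", 7), b"\x03sub\x00" + _doc(_int32("x", 1)))
OVERSIZED = struct.pack("<i", 1 << 30) + GOOD[4:]                         # length field lies
STRING_OVERRUN = _doc(b"\x02k\x00" + struct.pack("<i", 4096) + b"a\x00")    # string claims 4 KiB
NO_TERMINATOR = struct.pack("<i", 4 + len(_int32("n", 1))) + _int32("n", 1)
TOO_DEEP = _doc()
for _ in range(MAX_DEPTH + 5):
    TOO_DEEP = _doc(b"\x03a\x00" + TOO_DEEP)

if __name__ == "__main__":
    for name, sample in [("GOOD", GOOD), ("OVERSIZED", OVERSIZED), ("STRING_OVERRUN", STRING_OVERRUN),
                         ("NO_TERMINATOR", NO_TERMINATOR), ("TOO_DEEP", TOO_DEEP)]:
        print(f"{name:15s} {objcheck(sample)}")
```

Every bound is checked against the enclosing document's end rather than the whole buffer, so a nested document cannot claim bytes that belong to its parent, and the depth counter is what turns a deeply nested payload from a stack exhaustion into a clean rejection.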
  • 24. JS Engine
  • 25. JS Engine
    Move to V8 – Primarily performance reasons but some security benefits
    – Restrictions on $where (SERVER-9124) & M/R/F
    – SERVER-8104 & 2.4 Release Notes
  • 26. Outside MongoDB
  • 27. Outside MongoDB
    Firewalls – iptables & netsh – Ports, Addresses, Times, Throttle etc.
    File system – Encrypt (Gazzang) [HIPAA, PCI, SOX]
    Best Practices – Internal Policies (Password Reuse, Scan etc.)
  • 28. MongoDB Partners with Gazzang
    File System Encryption – 5% performance hit with HDD, 10-15% with SSD
    Diagram: File System – All contents encrypted; OS; Gazzang; Gazzang Key Mgmt
  • 29. Documentation & Notifications
  • 30. Documentation
    Manual – http://docs.mongodb.org/manual/security/
    – Security Features within MongoDB
    – Best Practices & Strategies
    – Tutorials
    – Vulnerability Notifications
  • 31. Potential Security Issues
    How do YOU know? – MongoDB Alerts
    How, What, Where? – Vulnerability Notification – Jira (HTTPS) & (Secure) Email
  • 32. Future features
  • 33. Disclaimer
    Statements about future releases, availability dates, and feature content reflect plans only, and 10gen is under no obligation to include, develop or make available, commercially or otherwise, specific features discussed in a future MongoDB build. Information is provided for general understanding only, and is subject to change at the sole discretion of 10gen in response to changing market conditions, delivery schedules, customer requirements, and/or other factors.
  • 34. Future features
    Auditing – Logging to output userID associated with actions (SERVER-1891)
    Passwords – Stronger Hashing (SERVER-2380)
    Authorization – User Defined & More Granularity
    SSL – Client & Security Improvements
  • 35. Conclusion
  • 36. Conclusion
    – 2.2 needed improvement for security
    – 2.4 is much better & Enterprise-Level
    – Authentication & Authorization
    – Within & Outside
  • 37. Thanks
    Thanks to Mike Stimpson for the awesome pics http://imgur.com/a/0XvKw
  • 38. Questions?
    Matt Kalan, Sr. Solutions Architect, 10gen (@MatthewKalan)