Your SlideShare is downloading. ×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Security Features in MongoDB 2.4


Published on

Published in: Technology, Education
  • Be the first to comment

No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

No notes for slide
  • I assume you have some security background, are familiar with industry standard security tech like SSL and Kerberos, are familiar with access control in RDBMS
  • SDL = Secure Development Lifecycle
  • Security before 2.4 was weakMost of our customers were small startups, we didn’t have much demand for security featuresOnce we got bigger customers who cared about security, we delivered.
  • In 2.2 security was handled outside MongoDBWe want to enable anyone to build apps on MongoDB, even if they have strict security guidelines. We were finding that big orgs couldn’t use it b/c of their internal policies.
  • GSSAPI = Generic Security Services Application Program InterfaceMeta protocol for negotiating authentication protocol
  • MongoD never sees your password or even password hashYou can centralize your authentication serviceKDC = Key Distribution CenterIntra-cluster auth still uses MONGODB-CR!!!
  • No separation of administrative operationsUse case: performance tuning dba who can profile, build indexes, dbStats, but not read data.
  • dbAdmin = build indexes, compact, dbStats, profiling
  • Best practice is to have 1 user with userAdminAnyDatabase and no other roles, and use it for all user administration.userAdmin is *effectively* (but not actually) a super-user.
  • readWrite on configdb necessary for some sharding admin tasks (like stopping/starting the balancer)This is only one example – different companies will do this differently.
  • New in 2.4 – certificate validation, windows support2.2 was a partial implementation, 2.4 is now fully implementedProvided encryption but not authentication. Keyfilestill used for intra-cluster authentication. SSL (with CA validation) ensures that the hosts are who they say they are, but that’s separate from user authentication within MongoDB
  • Defense in Depth
  • Netsh = network configuration tool for windowsDefense in Depth
  • With SSD, as the time spent processing data between OS and disk gets proportionally larger since SSD's are so much faster, it means the pert hit is 15%. You still get a major upgrade in speed, but encrypting and decrypting take a larger share.
  • Transcript

    • 1. Spencer BrodySoftware Engineer, 10gen@stbrody#mongodbdaysSecurity in MongoDB
    • 2. Agenda1. History2. Authentication3. Authorization4. Auditing5. Transport Encryption – SSL6. MongoDB Secure Development Lifecycle7. Documentation and Notifications8. Future WorkSecuring your MongoDB Implementation, Spencer Brody
    • 3. History
    • 4. History• Security features within mongoDB before 2.4were limited• 2.4 offers a much better story around security• This is something we are investing in veryheavily right now.Securing your MongoDB Implementation, Spencer Brody
    • 5. The Three A’sAuthentication– Who are you?Authorization– What can you do?Auditing– What have you done?Securing your MongoDB Implementation, Spencer Brody
    • 6. Authentication
    • 7. AuthenticationAuthentication is about proving “who” youare.Securing your MongoDB Implementation, Spencer Brody
    • 8. Password Authentication• This is the only authentication mechanismavailable in MongoDB version 2.2 and prior• Still the only version available in the free product• In 2.4+ this mechanism is called MONGODB-CRSecuring your MongoDB Implementation, Spencer Brody
    • 9. Password Authentication• Use one-way function FmongodI am “username”, let me inProve it, here is a random # NHere isF(N, hash(<mypwd>))Nobody else could knowthat, welcome back!Knowsonly mypassword hashHash nevertransmittedover thenetwork!Securing your MongoDB Implementation, Spencer Brody
    • 10. External AuthenticationUse common / standardized authenticationSASL: Simple Authentication and Security Layer– Framework for building authentication– MongoDB uses the Cyrus sasl2 libraryKerberos (available in the Enterprise Edition)– GSSAPI– driver support in python, java, C#, Node.js, perlSecuring your MongoDB Implementation, Spencer Brody
    • 11. Authentication with KerberosKDC1. I am“username@EXAMPLE.COM”,help me prove it to mongod(UDP:88)2. Here is a TGTMongod3. TCP:27017Here is aKerberosTGT4.Welcome, here is aServiceTicket!{user: ”username@EXAMPLE.COM",roles: ["readWrite"],userSource: "$external"}Securing your MongoDB Implementation, Spencer BrodyKeytab
    • 12. Granting privilegesSecuring your MongoDB Implementation, Spencer Brody# mongo> use appDB;> db.system.users.find();{"_id": ObjectId("519e842804f5f7f7921dbf89"),"user": "spencer""userSource": "$external","roles": ["readWrite", "dbAdmin”]}
    • 13. Authorization
    • 14. AuthorizationOnce MongoDB has established “who” youare, authorization is about determining“what” you are allowed to do.Securing your MongoDB Implementation, Spencer Brody
    • 15. Authorization Roles in 2.2 andPrior– Database level read-only– Database level read-write– System-wide read-only– System-wide read-writeSample user document:> db.system.users.find().pretty(){"_id": ObjectId("519e842804f5f7f7921dbf89"),"user": "spencer""pwd": "22c83553ed7ce252d8b0c9f716cae4de","readOnly":false}Securing your MongoDB Implementation, Spencer Brody
    • 16. Authorization Roles in 2.4– read– readWrite– dbAdmin– userAdmin– readAnyDatabase– readWriteAnyDatabase– dbAdminAnyDatabase– userAdminAnyDatabase– clusterAdminThe roles that are bold can only be granted in theadmin database.Securing your MongoDB Implementation, Spencer Brody
    • 17. userAdminThe userAdmin role on database “foo” lets you grantany db-level role to any user from the “foo” database(including yourself).The userAdminAnyDatabase role lets you grant anyrole in the system to any user (including yourself).This means they can be used to grant yourself rolesyou didn’t previously have!This makes userAdmin effectively a super-userAccess to these roles should be carefully controlled!Securing your MongoDB Implementation, Spencer Brody
    • 18. ExampleSecuring your MongoDB Implementation, Spencer BrodyUser Role Database(s)appUser readWrite appdba dbAdmin appseniorDBA dbAdminAnyDatabase,clusterAdminadminreadWrite configCTO userAdminAnyDatabaseadmin
    • 19. Auditing
    • 20. Securing your MongoDB Implementation, Spencer BrodyAuditingMonitor user activity:– userID added to standard output in 2.4– No separate audit log– Much more coming in 2.6
    • 21. Transport Encryption -SSL
    • 22. Transport Encryption - SSL encryptionfor clientconnectionSSL encryptionfor inter-servertrafficPrimary SecondaryData Files Data FilesSecuring your MongoDB Implementation, Spencer Brody
    • 23. Outside MongoDB
    • 24. Securing your MongoDB Implementation, Spencer BrodyOutside MongoDBFirewalls– iptables & netsh– Ports, Addresses, Times, Throttle etc.File system– Encrypt (Gazzang) [HIPAA, PCI, SOX]Best Practices– Internal Policies (Password Reuse, Scan etc.)
    • 25. Securing your MongoDB Implementation, Spencer BrodyMongoDB Partners withGazzang• File System Encryption• 5% performance hit with HDD, 10-15% withSSDFile System – All contents encryptedOS GazzangGazzangKey Mgmt
    • 26. MongoDB SDL
    • 27. MongoDB Secure DevelopmentLifecycle• All contributions to the open source project arereviewed and tested by a member of the Core Serverteam• Peer code reviews of all commits• Automated functional and unit tests• Active monitoring of best practices and advisories forthird party code• Static code analysis with Coverity run nightly againstthe Core Server and applicable driver projectsSecuring your MongoDB Implementation, Spencer Brody
    • 28. Documentation &Notifications
    • 29. DocumentationManual–• Security Features within MongoDB• Best Practices & Strategies• Tutorials• Vulnerability NotificationsSecuring your MongoDB Implementation, Spencer Brody
    • 30. Potential Security IssuesHow do YOU find out?– MongoDBAlerts– Mongodb-announce Google groupHow, What, Where?– Vulnerability Notification– Jira (HTTPS) & (Secure) EmailSecuring your MongoDB Implementation, Spencer Brody
    • 31. Future work
    • 32. DisclaimerStatements about future releases, availabilitydates, and feature content reflect plans only, and10gen is under no obligation to include, developor make available, commercially orotherwise, specific feature discussed a futureMongoDB build. Information is provided forgeneral understanding only, and is subject tochange at the sole discretion of 10gen inresponse to changing market conditions, deliveryschedules, customer requirements, and/or otherfactors.Securing your MongoDB Implementation, Spencer Brody
    • 33. Future• User-defined roles• Collection level access control• Field level access control• Auditing• X.509 authentication, for both user and intra-cluster authentication.• External configuration of user’s roles (LDAP)Securing your MongoDB Implementation, Spencer Brody
    • 34. Conclusion
    • 35. Conclusion• 2.2 had rudimentary security support• 2.4 is much better & Enterprise-Level• Authentication & Authorization• Within & OutsideSecuring your MongoDB Implementation, Spencer Brody
    • 36. Software Engineer, 10genSpencer Brody#mongodbdaysThanks!If you liked my talk, please tweet about it!#MongoDBDays@stbrody
    • 37. Securing your MongoDB Implementation, Spencer BrodyNext Sessions at 11:005th Floor:West Side Ballroom 3&4: Schema DesignWest Side Ballroom 1&2 (this room): Data Processing andAggregation OptionsJuilliard Complex: Business Track: Fireside Chat: IBM andMongoDB Set the Standard for Web and Mobile DevelopmentLyceum Complex: Ask the Experts7th Floor:Empire Complex: Performance Tuning and Monitoring UsingMMSSoHo Complex: 10gen Polyglot Spatial with MongoDB