
Webinar: MongoDB 2.6 New Security Features


This webinar will cover new security features in MongoDB 2.6 including x.509 authentication, user defined roles, collection level access control, enterprise features like LDAP authentication and auditing, and many other SSL features. We will first give a brief overview of security features through MongoDB 2.4 then cover new features in 2.6 and coming releases.


  1. MongoDB 2.6 New Security Features
     Matt Kalan, Sr. Solutions Architect, MongoDB
     Dylan Tong, Sr. Solutions Architect, MongoDB
  2. Agenda
     • Review security capabilities in v2.4
     • New features in v2.6
       – User Defined Roles
       – Access Control Improvements
       – Authentication
         • x.509
         • LDAP
       – Auditing
       – SSL improvements
  3. Review: Security in 2.4
  4. Authentication
     • User authentication
       – Basic challenge-response: hashed password managed in MongoDB
       – Kerberos integration using SASL (Enterprise): connects to an existing Kerberos infrastructure; passwords are managed in the existing system, not in MongoDB
       – The two can be combined on the same server if desired
     • Cluster authentication via shared keyfile
  5. Authorization/Access Control
     • Standard roles assigned in MongoDB
     • Usernames live in MongoDB and have one or more roles assigned to them
     • Standard roles can be combined to build the permissioning a user needs
     • Lowest granularity is the database
  6. Auditing
     • Only a small set of operations is logged
     • Logged in the main MongoDB server log
     • IBM Guardium integration for enterprise policy-based security monitoring
  7. Encryption
     • Data in transit
       – SSL between all MongoDB components is included in the Enterprise version
       – Or build the open source version against your own SSL library
     • Data at rest
       – Customer chooses to use an encrypted file system
  8. Upcoming Features in 2.6
  9. Access Control
  10. Role Access Control
      • Application Server Role: read and write on the application database
      • BI Role: read only on the application database
      • DBA Role: read and write on the application database; administration on application databases; administration on the MongoDB cluster
  11. Advanced Role Access Control
      Scenario: multi-tenant Database as a Service
      • Landlord (cluster-wide scope): cluster-wide administration rights, e.g. provision and remove tenants (create and drop databases)
      • Landlord Assistant (service-wide scope)
      • Tenant DBA (tenant-level scope): DBA rights within the scope of a single tenant, e.g. delegating rights within that tenant
      • Tenant App Server and Tenant BI roles (tenant-level scope)
  12. Enhancements Needed!
      Current version:
      1. Privileges are limited to what is pre-defined.
      2. Access controls are limited to the database level.
      Upcoming version 2.6:
      1. User-defined privileges and roles are possible!
      2. Access controls can be defined at the collection level!
  13. Access Management
      Prior to version 2.6, user privileges are pre-defined:
      • Read: run read-type operations on a database, such as find().
      • Read/Write: run write-type operations on a database, such as update(), insert() and remove().
      • User Admin: modify users, such as creating users and modifying user privileges.
      • Database Admin: run administrative commands scoped to a database.
      • Cluster Admin: run administrative commands scoped to the cluster.
  14. Example of a Privilege
      The actual privilege definition is a pre-defined list of operations. Read privilege = find, aggregate, checkShardingIndex, cloneCollectionAsCapped, collStats, count, dataSize, dbHash, dbStats, distinct, filemd5, geoNear, geoSearch, geoWalk, group, mapReduce (inline output only), text (beta feature)
  15. User Defined Role Concept
      • Action: an operation, e.g. find, ensureIndex
      • Resource: a system object that an action can be performed on, e.g. a database or a collection
      • Privilege: a set of actions on a given resource, e.g. the read action (run a find query) on the "Tweets" collection
      • Role: a grouping of privileges; may also contain other roles
      • User: users are assigned roles
  16. Example Use Case
      Scenario: multi-tenant Database as a Service
      Landlord Administrator (example role):
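The action/resource/privilege/role model from slide 15, worked through on the multi-tenant scenario of slides 11 and 16, as an added example that is not part of the webinar deck or of MongoDB's own code. The role documents built below have the shape db.createRole() accepts in 2.6 and the resource shapes follow the 2.6 documentation; the tenant names, collection names and exact action lists are hypothetical, and the authorization check is a plain JavaScript model of how mongod resolves assigned roles (including inherited roles) to privileges.

```javascript
// Added example: a model of MongoDB 2.6 user-defined roles for a multi-tenant
// Database-as-a-Service. The role documents have the shape db.createRole()
// accepts ({ role, privileges: [{ resource, actions }], roles: [{ role, db }] }).
// Resource shapes follow the 2.6 docs:
//   { db: "x", collection: "y" }  one collection
//   { db: "x", collection: "" }   every collection in database x
//   { db: "", collection: "" }    every collection in every database (not cluster ops)
//   { cluster: true }             cluster-wide actions such as addShard
// Tenant names, collection names and action lists are hypothetical.

function tenantRoles(tenant) {
  const appDb = `tenant_${tenant}`;
  const app = `${tenant}_app`, bi = `${tenant}_bi`, dba = `${tenant}_dba`;
  return {
    [app]: {
      role: app,
      privileges: [{ resource: { db: appDb, collection: "" },
                     actions: ["find", "insert", "update", "remove"] }],
      roles: [],
    },
    [bi]: {
      role: bi,
      // Collection-level control: BI may read the reporting collection only.
      privileges: [{ resource: { db: appDb, collection: "reports" }, actions: ["find"] }],
      roles: [],
    },
    [dba]: {
      role: dba,
      // Inherits the app role and adds database-scoped administration, but
      // deliberately no dropDatabase and nothing cluster-wide: that is the landlord's job.
      privileges: [{ resource: { db: appDb, collection: "" },
                     actions: ["createCollection", "createIndex", "dropCollection", "collStats"] }],
      roles: [{ role: app, db: "admin" }],
    },
  };
}

// Landlord: provisions and removes tenants, administers the cluster, reads no tenant data.
const landlordRole = {
  role: "landlord",
  privileges: [
    { resource: { cluster: true }, actions: ["addShard", "listDatabases"] },
    { resource: { db: "", collection: "" }, actions: ["dropDatabase"] },
  ],
  roles: [],
};

// Does a granted resource cover the requested one? "" acts as a wildcard for
// db or collection; cluster resources only ever match cluster resources.
function resourceMatches(granted, requested) {
  if (granted.cluster === true || requested.cluster === true) {
    return granted.cluster === true && requested.cluster === true;
  }
  const dbOk = granted.db === "" || granted.db === requested.db;
  const collOk = granted.collection === "" || granted.collection === requested.collection;
  return dbOk && collOk;
}

// Flatten a role and the roles it inherits into one privilege list (cycle-safe).
function resolvePrivileges(roleName, catalog, seen = new Set()) {
  if (seen.has(roleName)) return [];
  seen.add(roleName);
  const role = catalog[roleName];
  if (!role) throw new Error(`unknown role: ${roleName}`);
  const inherited = role.roles.flatMap((r) => resolvePrivileges(r.role, catalog, seen));
  return [...role.privileges, ...inherited];
}

// The access-control decision: does some privilege of some assigned role
// include the action on a resource that covers the requested one?
function isAuthorized(userRoles, catalog, action, resource) {
  return userRoles.some((r) => resolvePrivileges(r, catalog).some(
    (p) => p.actions.includes(action) && resourceMatches(p.resource, resource)));
}

const catalog = { landlord: landlordRole, ...tenantRoles("acme"), ...tenantRoles("globex") };

// Stand-alone run: print a few decisions for the acme tenant and the landlord.
const checks = [
  [["acme_bi"], "find", { db: "tenant_acme", collection: "reports" }],
  [["acme_bi"], "find", { db: "tenant_acme", collection: "orders" }],
  [["acme_dba"], "insert", { db: "tenant_acme", collection: "orders" }],
  [["acme_dba"], "find", { db: "tenant_globex", collection: "orders" }],
  [["acme_dba"], "dropDatabase", { db: "tenant_acme", collection: "" }],
  [["landlord"], "dropDatabase", { db: "tenant_acme", collection: "" }],
  [["landlord"], "find", { db: "tenant_acme", collection: "reports" }],
];
for (const [roles, action, resource] of checks) {
  console.log(`${roles.join(",")} ${action} on ${JSON.stringify(resource)}: ${isAuthorized(roles, catalog, action, resource)}`);
}
```

The point of the split is least privilege in both directions: the tenant DBA inherits the application role and gets database-scoped DDL, but cannot drop its own database or touch another tenant, while the landlord can provision and remove tenants and administer the cluster without being able to read a single tenant document.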
  17. Authentication
  18. Leverage Existing Standards
      Existing security infrastructure: identity management infrastructure, access management, directory services
      • Leverage existing security infrastructure
      • Corporate security policies
      • Industry standards and compliance
      • Centralized management, e.g. centralized user/identity management
  19. Authentication
      Existing security infrastructure (identity management, access management, directory services) can be plugged into MongoDB authentication:
      • Kerberos: version 2.4+ (partner integrations, e.g. Linux IdM)
      • LDAP: version 2.6+
      • x.509: version 2.6+
      Two authentication paths: primary (client authentication) and secondary (inter-process authentication between cluster members)
  20. Authentication
      The same picture with a spoofed secondary: a rogue node attempting to join the cluster. Secondary (inter-process) authentication is what keeps such a node out, independently of the primary client authentication path.
  21. x.509 Authentication Benefits
      Don't have the infrastructure in place? No problem! It is easy to leverage external infrastructure: cloud solutions are commonplace, and you use x.509 certificates every day through your web browser.
      Client authentication without the disadvantages of passwords:
      • Weak passwords: guessable, brute-forceable
      • Can be stolen: wiretap, careless misplacing
      • Maintenance: easy to forget; too many passwords!
      • Re-used: leaked by the weakest link
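The spoofed-secondary case of slide 20 and the x.509 client authentication of slide 21 both come down to what mongod accepts in a certificate subject. The block below is an added example, not code from the deck or from MongoDB: it models the 2.6 subject rules (member certificates need a non-empty O, OU or DC and must agree on all O/OU/DC values; a client certificate must differ from the members in at least one of them) in plain JavaScript. The subject strings are constructed, and the check is deliberately subject-level only: requiring that one CA issued every member certificate is part of TLS verification and is outside this parser.

```javascript
// Added example: x.509 subject checks that mirror MongoDB 2.6's rules for
// member and client certificates (the spoofed-secondary case from slide 20).
//   - Member certificates must carry a non-empty O, OU or DC, and all members'
//     O/OU/DC values must match exactly (attribute order does not matter).
//   - A client certificate's subject must differ from the members' in at least
//     one of O, OU or DC, so a client can never pass as a cluster member.
// Subject strings here are constructed. Real deployments also require a single
// CA to have issued every member certificate; that is a TLS verification step
// outside this subject-level check.

// Parse an RFC 4514-style DN ("CN=a,OU=b,O=c") into [type, value] pairs,
// honouring backslash-escaped commas inside values.
function parseDn(dn) {
  const rdns = [];
  let cur = "";
  let escaped = false;
  for (const ch of dn) {
    if (escaped) { cur += ch; escaped = false; }
    else if (ch === "\\") { escaped = true; }
    else if (ch === ",") { rdns.push(cur); cur = ""; }
    else { cur += ch; }
  }
  rdns.push(cur);
  return rdns.map((rdn) => {
    const i = rdn.indexOf("=");
    if (i < 1) throw new Error(`malformed RDN: ${rdn}`);
    return [rdn.slice(0, i).trim().toUpperCase(), rdn.slice(i + 1).trim()];
  });
}

const MEMBER_ATTRS = ["O", "OU", "DC"];

// The part of the subject that identifies a cluster member: sorted multisets
// of O, OU and DC values (a DN may repeat an attribute, e.g. DC=example,DC=com).
function memberIdentity(dn) {
  const id = Object.fromEntries(MEMBER_ATTRS.map((a) => [a, []]));
  for (const [type, value] of parseDn(dn)) {
    if (type in id) id[type].push(value);
  }
  for (const a of MEMBER_ATTRS) id[a].sort();
  return id;
}

// Member certificates must specify at least one non-empty O, OU or DC.
function isValidMemberSubject(dn) {
  const id = memberIdentity(dn);
  return MEMBER_ATTRS.some((a) => id[a].some((v) => v !== ""));
}

// Two subjects belong to the same cluster iff their O/OU/DC multisets are equal.
function sameClusterIdentity(dnA, dnB) {
  const a = memberIdentity(dnA);
  const b = memberIdentity(dnB);
  return MEMBER_ATTRS.every((k) =>
    a[k].length === b[k].length && a[k].every((v, i) => v === b[k][i]));
}

// Would a node presenting candidateDn be accepted as a peer of knownMemberDn?
function acceptAsMember(candidateDn, knownMemberDn) {
  return isValidMemberSubject(candidateDn) && sameClusterIdentity(candidateDn, knownMemberDn);
}

// May clientDn be used for client (user) authentication against a cluster whose
// members carry knownMemberDn? Only if it cannot be confused with a member.
function acceptAsClient(clientDn, knownMemberDn) {
  return !sameClusterIdentity(clientDn, knownMemberDn);
}

// Constructed subjects for a stand-alone run.
const MEMBER_1 = "CN=mongo1.example.com,OU=Cluster,O=Example Corp,L=New York,ST=NY,C=US";
const MEMBER_2 = "O=Example Corp,OU=Cluster,CN=mongo2.example.com,C=US,ST=NY,L=New York";
const SPOOFED = "CN=mongo3.example.com,OU=Contractors,O=Example Corp,L=New York,ST=NY,C=US";
const CLIENT = "CN=app-server,OU=Applications,O=Example Corp,C=US";
console.log("mongo2 joins:", acceptAsMember(MEMBER_2, MEMBER_1));
console.log("spoofed secondary joins:", acceptAsMember(SPOOFED, MEMBER_1));
console.log("app client accepted:", acceptAsClient(CLIENT, MEMBER_1));
```

Note that the spoofed node is rejected even though its O matches and its CN looks like a cluster host: a single differing OU is enough, and conversely a client certificate issued under the cluster's exact O/OU/DC would be refused for client use precisely because it could double as a member credential.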
  22. MongoDB LDAP Authentication Integration
      The credential check is delegated to LDAP via saslauthd; the user record and its roles (authorization) stay in MongoDB.
      0) db.addUser({ ..., userSource: "$external", ... }): the user and its roles are defined in MongoDB, the credential is held externally
      1) saslauthd config file
      2) mongod setParameter: saslauthdPath=..., authenticationMechanisms=..., auth=true
      3) Application driver authenticates against the $external database: db.auth({...})
      4) mongod passes username/password to saslauthd
      5) saslauthd checks them against the LDAP server (permissioning product)
      6) LDAP server answers OK or NO
      7) saslauthd returns OK or NO to mongod
      8) mongod returns Success = 1 or Failed = 0 to the driver
      The password is sent in cleartext, so SSL is recommended.
  23. Auditing
  24. MongoDB Native Auditing
      Audited events:
      • Schema (DDL) operations
      • Replica set operations
      • Authentication and authorization operations
      • General operations
      Deployment: applications, the mongo shell and drivers connect through mongos; each mongos and each mongod (primaries and secondaries of shards 1 to N) is started with --auditLog, --auditPath and --auditFilter.
      Output:
      • Syslog
      • Console
      • Text file
      • BSON file
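What the audit output is for, as an added example that is not part of the deck or of MongoDB's tooling: detection logic over audit events written as one JSON document per line (the text-file output above). The field layout (atype, ts.$date, local, remote, users, roles, param, result) follows the MongoDB audit log documentation, with result 0 for success and 18 for AuthenticationFailed; the sample lines, addresses and usernames below are constructed, not captured from a real deployment.

```javascript
// Added example: detection logic over MongoDB audit events written as one JSON
// document per line. The field layout (atype, ts.$date, local, remote, users,
// roles, param, result) follows the MongoDB audit log documentation; the sample
// lines below are constructed. Result codes: 0 = success, 18 = AuthenticationFailed.

const SAMPLE_AUDIT_LOG = [
  // Six failed logins from one address in 25 seconds, cycling through usernames.
  '{"atype":"authenticate","ts":{"$date":"2014-04-10T12:00:00Z"},"local":{"ip":"10.0.0.2","port":27017},"remote":{"ip":"203.0.113.7","port":51000},"users":[],"roles":[],"param":{"user":"admin","db":"admin","mechanism":"MONGODB-CR"},"result":18}',
  '{"atype":"authenticate","ts":{"$date":"2014-04-10T12:00:05Z"},"local":{"ip":"10.0.0.2","port":27017},"remote":{"ip":"203.0.113.7","port":51001},"users":[],"roles":[],"param":{"user":"admin","db":"admin","mechanism":"MONGODB-CR"},"result":18}',
  '{"atype":"authenticate","ts":{"$date":"2014-04-10T12:00:10Z"},"local":{"ip":"10.0.0.2","port":27017},"remote":{"ip":"203.0.113.7","port":51002},"users":[],"roles":[],"param":{"user":"root","db":"admin","mechanism":"MONGODB-CR"},"result":18}',
  '{"atype":"authenticate","ts":{"$date":"2014-04-10T12:00:15Z"},"local":{"ip":"10.0.0.2","port":27017},"remote":{"ip":"203.0.113.7","port":51003},"users":[],"roles":[],"param":{"user":"root","db":"admin","mechanism":"MONGODB-CR"},"result":18}',
  '{"atype":"authenticate","ts":{"$date":"2014-04-10T12:00:20Z"},"local":{"ip":"10.0.0.2","port":27017},"remote":{"ip":"203.0.113.7","port":51004},"users":[],"roles":[],"param":{"user":"backup","db":"admin","mechanism":"MONGODB-CR"},"result":18}',
  '{"atype":"authenticate","ts":{"$date":"2014-04-10T12:00:25Z"},"local":{"ip":"10.0.0.2","port":27017},"remote":{"ip":"203.0.113.7","port":51005},"users":[],"roles":[],"param":{"user":"backup","db":"admin","mechanism":"MONGODB-CR"},"result":18}',
  // Two typos from a developer workstation: below any sensible threshold.
  '{"atype":"authenticate","ts":{"$date":"2014-04-10T12:01:00Z"},"local":{"ip":"10.0.0.2","port":27017},"remote":{"ip":"10.0.0.9","port":40000},"users":[],"roles":[],"param":{"user":"dev","db":"tenant_acme","mechanism":"MONGODB-CR"},"result":18}',
  '{"atype":"authenticate","ts":{"$date":"2014-04-10T12:01:30Z"},"local":{"ip":"10.0.0.2","port":27017},"remote":{"ip":"10.0.0.9","port":40001},"users":[],"roles":[],"param":{"user":"dev","db":"tenant_acme","mechanism":"MONGODB-CR"},"result":18}',
  // A successful admin login followed by a role definition: a privilege change worth reviewing.
  '{"atype":"authenticate","ts":{"$date":"2014-04-10T12:02:00Z"},"local":{"ip":"10.0.0.2","port":27017},"remote":{"ip":"10.0.0.5","port":42000},"users":[{"user":"admin","db":"admin"}],"roles":[{"role":"root","db":"admin"}],"param":{"user":"admin","db":"admin","mechanism":"MONGODB-CR"},"result":0}',
  '{"atype":"createRole","ts":{"$date":"2014-04-10T12:02:30Z"},"local":{"ip":"10.0.0.2","port":27017},"remote":{"ip":"10.0.0.5","port":42000},"users":[{"user":"admin","db":"admin"}],"roles":[{"role":"root","db":"admin"}],"param":{"role":"acme_dba","db":"admin","roles":[{"role":"acme_app","db":"admin"}],"privileges":[]},"result":0}',
].join("\n");

// One JSON document per line; ts.$date may be an ISO string or epoch millis.
function parseAuditLog(text) {
  return text.split("\n").filter(Boolean).map((line) => {
    const e = JSON.parse(line);
    return { ...e, time: new Date(e.ts.$date) };
  });
}

// Flag any source address with >= threshold failed authentications inside a
// sliding window of windowMs. Events are grouped per remote IP and sorted, so
// out-of-order log lines are handled.
function failedAuthBursts(events, { windowMs = 60000, threshold = 5 } = {}) {
  const byIp = new Map();
  for (const e of events) {
    if (e.atype !== "authenticate" || e.result !== 18) continue;
    if (!byIp.has(e.remote.ip)) byIp.set(e.remote.ip, []);
    byIp.get(e.remote.ip).push(e);
  }
  const findings = [];
  for (const [ip, fails] of byIp) {
    fails.sort((a, b) => a.time - b.time);
    let start = 0;
    for (let end = 0; end < fails.length; end++) {
      while (fails[end].time - fails[start].time > windowMs) start++;
      if (end - start + 1 >= threshold) {
        const hits = fails.slice(start, end + 1);
        findings.push({
          ip,
          count: hits.length,
          users: [...new Set(hits.map((e) => e.param.user))],
          from: hits[0].time.toISOString(),
          to: hits[hits.length - 1].time.toISOString(),
        });
        break; // one finding per address is enough for an alert
      }
    }
  }
  return findings;
}

// Successful changes to users or roles, with the authenticated actor that made them.
const PRIV_CHANGE_TYPES = new Set([
  "createUser", "updateUser", "createRole", "updateRole",
  "grantRolesToUser", "grantPrivilegesToRole",
]);

function privilegeChanges(events) {
  return events
    .filter((e) => PRIV_CHANGE_TYPES.has(e.atype) && e.result === 0)
    .map((e) => ({
      atype: e.atype,
      actor: e.users.map((u) => `${u.user}@${u.db}`).join(","),
      target: e.param.user || e.param.role,
      db: e.param.db,
      at: e.time.toISOString(),
    }));
}

// Stand-alone run over the constructed sample.
const auditEvents = parseAuditLog(SAMPLE_AUDIT_LOG);
console.log("failed-auth bursts:", JSON.stringify(failedAuthBursts(auditEvents), null, 2));
console.log("privilege changes:", JSON.stringify(privilegeChanges(auditEvents), null, 2));
```

Two caveats a practitioner would add: failed authentications carry an empty users array because nothing has authenticated yet, so attribution has to come from remote.ip, not from users; and a filter passed via --auditFilter that drops authenticate events to save space removes exactly the signal the first detector needs.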
  25. SSL Improvements
  26. SSL Improvements
      • Optionally prompt for SSL certificate passphrases at server startup
      • Command-line tools now support SSL
      • MongoDB allows only strong SSL ciphers
      • Support for SSL and non-SSL connections on the same port
  27. Summary
      • New features in v2.6
        – User Defined Roles
        – Access Control Improvements
        – Authentication
          • x.509
          • LDAP
        – Auditing
        – SSL improvements
      • Release Notes for MongoDB 2.6 (Development Series 2.5.x): http://docs.mongodb.org/master/release-notes/2.6/
  28. For More Information
      Resource                 Location
      MongoDB Downloads        mongodb.com/download
      Free Online Training     education.mongodb.com
      Webinars and Events      mongodb.com/events
      White Papers             mongodb.com/white-papers
      Case Studies             mongodb.com/customers
      Presentations            mongodb.com/presentations
      Documentation            docs.mongodb.org
      Additional Info          info@mongodb.com
