MongoDB Atlas is a fully-managed cloud database service that makes it incredibly easy to use MongoDB securely. With Enterprise features, Atlas allows you to take security to the next level with confidence. Learn how to leverage Atlas Enterprise features, including LDAP integration, encryption key management, and granular database auditing. We'll also look at how to do analytics via the BI Connector in popular tools.
4. About Me
Live in Austin, TX
Originally from Missouri –
aka the Show-Me State – aka “Fly over country”
Operations background – I <3 Linux
Learned from many experiences - I <3 Data so now I’m at MongoDB!
5. About You
Show of hands!
• Have used a relational DB, e.g. Oracle, MySQL, PostgreSQL, DB2, etc?
• Have used MongoDB?
• Have setup MongoDB with an advanced/enterprise feature, e.g. TLS,
LDAP (authentication or authorization), KMIP, Auditing, BI Connector or
similar?
• Have used MongoDB Atlas?
• Love … Dogs? Cats? Both?
• Need more coffee???
6. Our Mission Today
We work at GenCat – A Genetic Testing Site for Cats!!
Is your cat the cat they thought they are?
Have a HUGE new customer PetBox Inc (yea! $$$)
that demands, DEMANDS, features
we haven’t implemented yet (uh oh)!
And it all has to be ready this morning! (gulp!)
7. Sales Agreed We Would:
• Setup an easily scalable MongoDB Cluster that is highly
available on AWS.
• Use PetBox Inc’s LDAP server for authentication and
authorization
• Provide a full audit log
• Not just have encryption at rest but sign with PetBox
Inc’s provided AWS KMS key
• Allow their analytics team to query using MySQL
Workbench
8. Task 1 – Get Our MongoDB Cluster Ready
To Do list: (TTC ~ 3-4 weeks)
• Configure networking config: VPC, Security Groups, Elastic IPs
• Run sizing exercise to determine EC2 Instances and storage
• Create those Instances and storage, at least 3 for HA
• Update software and lock the instances down
• Setup monitoring for the underlying infrastructure
• Install MongoDB on 3 instances
• Configure MongoDB replica set with authentication and TLS
• Figure out how to monitor MDB
• Figure out best way to backup MDB
• SQL on MongoDB???
• Figure out how to scale quickly when it’s needed …
9. Thankfully GenCat Picked Atlas!
• MongoDB as a Service
• Consumption Model
• Available on the Big 3 – AWS / Azure / GCP
• Automates MongoDB Best Practices –
Automation, Backup, Monitoring, Alerts
• Highly available by default, easily scale up and down
• Basic to Advanced Performance and Security Features Included – e.g.
authentication, TLS, IP Whitelists, encryption at rest, LDAP, KMIP,
auditing, performance advisor, and more!
• UI and API – Can spin up our new cluster in a few minutes with clicks
or calls!
TTC ~ 15 mins
18. Now for Those Enterprise Features
• Setup an easily scalable MongoDB Cluster that is highly
available on AWS.
• Use PetBox Inc’s LDAP server for authentication and
authorization
• Provide a full audit log
• Not just have encryption at rest but sign with PetBox
Inc’s provided AWS KMS key
• Allow their analytics team to query using MySQL
Workbench
19. Why LDAP aka BYO LDAPS?
• Lightweight Directory Access Protocol Secure – aka
LDAPS
• Almost every medium to large company (and many small ones)
uses it for auth^2 (authentication and authorization)
• Gives you:
• Single Sign On
• Security Administration
• Password Controls
20. Why Not Just DIY?
What you Need for LDAPS
Without Atlas: TTC ~ 1-2 weeks
• Assuming already completed “Iceberg List”
• Get Coffee
• Read how to configure MongoDB for LDAP
• Manually configure all the Mongods in your
cluster for LDAP
• Test Config and hope it works *fingers crossed*
• FAILS
• Troubleshoot
• Repeat till success – and that’s just for authentication! Next:
authorization!
• Do again when anything changes.
What you Need for BYO LDAPS with Atlas:
TTC ~ 5-10 mins
Just Need Information:
Authentication
• Server Hostname
• Server Port
• Bind User Credentials
• (Optional) CA Certificate for LDAP Server
• (Optional) LDAP Query for Mapping
Authorization
• An attribute to match to MongoDB Roles
• An LDAP query to find these attributes
21. Task 2 – Use PetBox Inc’s LDAPS
server for authentication and
authorization
22. Now for Those Enterprise Features
• Setup an easily scalable MongoDB Cluster that is highly
available on AWS.
• Use PetBox Inc’s LDAP server for authentication and
authorization
• Provide a full audit log
• Not just have encryption at rest but sign with PetBox
Inc’s provided AWS KMS key
• Allow their analytics team to query using MySQL
Workbench
23. Why Does PetBox Want To Audit?
• Data is often our MOST IMPORTANT BUSINESS
ASSET $$$$
• If something goes wrong or there is an audit you have
to be able to prove those 5 Ws (and probably the H)
• Most certifications/compliances require the ability to
prove chain of custody, e.g. EMRs under HIPAA or
GDPR.
24. Why Not Just DIY?
What you Need to Audit MDB
without Atlas: TTC ~ 1.5 weeks
• Assuming already completed “Iceberg List”
• Get Coffee
• Read how to enable and configure MongoDB
Auditing
• Manually configure all the Mongods in your
cluster for auditing.
• Manually configure your filters, e.g.
{ atype: { $in: [ "createCollection", "dropCollection" ] } }
• Test that events are captured.
• Hope it works *fingers crossed*
• FAILS
• Troubleshoot
What you Need to Audit MDB with
Atlas: TTC ~3 min
• Turn it on
• Define what to Audit – pre-defined check list and
custom options!
• Get the data!
You are killing it – get a latte this time!
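Once auditing is on, the filter above decides which events reach the log, and each JSON event carries the "5 Ws" the slide mentions. This added example (not from the deck; the audit lines are constructed sample data in MongoDB's JSON audit format, with made-up hosts and LDAP user DNs) applies the slide's `$in` filter to a few events and pulls out who did what, when, from where, and whether it succeeded:

```python
import json
from collections import Counter

# Constructed sample of MongoDB audit log output (JSON format, one event per line).
# LDAP-authenticated users appear with db "$external"; result 0 means success.
SAMPLE_AUDIT_LOG = """\
{"atype":"authenticate","ts":{"$date":"2019-05-02T14:03:10.000-05:00"},"local":{"ip":"10.0.0.5","port":27017},"remote":{"ip":"10.0.0.20","port":51234},"users":[{"user":"cn=alice,ou=people,dc=petbox,dc=example","db":"$external"}],"roles":[{"role":"dbOwner","db":"gencat"}],"param":{"user":"cn=alice,ou=people,dc=petbox,dc=example","db":"$external","mechanism":"PLAIN"},"result":0}
{"atype":"createCollection","ts":{"$date":"2019-05-02T14:03:11.412-05:00"},"local":{"ip":"10.0.0.5","port":27017},"remote":{"ip":"10.0.0.20","port":51234},"users":[{"user":"cn=alice,ou=people,dc=petbox,dc=example","db":"$external"}],"roles":[{"role":"dbOwner","db":"gencat"}],"param":{"ns":"gencat.results"},"result":0}
{"atype":"dropCollection","ts":{"$date":"2019-05-02T14:09:52.003-05:00"},"local":{"ip":"10.0.0.5","port":27017},"remote":{"ip":"10.0.0.77","port":49001},"users":[{"user":"cn=bob,ou=people,dc=petbox,dc=example","db":"$external"}],"roles":[{"role":"readWrite","db":"gencat"}],"param":{"ns":"gencat.results"},"result":13}
"""

# The same filter the slide shows, as data: only these event types are kept.
AUDIT_FILTER = {"atype": {"$in": ["createCollection", "dropCollection"]}}

def matches_filter(event, flt=AUDIT_FILTER):
    """Evaluate the subset of filter syntax used above: field: {"$in": [...]}."""
    return all(event.get(field) in spec["$in"] for field, spec in flt.items())

def five_ws(event):
    """Who, what, when, where (and whether it succeeded) from one audit event."""
    users = event.get("users") or [{"user": "<unauthenticated>", "db": ""}]
    return {
        "who": ", ".join(f"{u['user']}@{u['db']}" for u in users),
        "what": f"{event['atype']} {event['param'].get('ns', '')}".strip(),
        "when": event["ts"]["$date"],
        "where": f"{event['remote']['ip']}:{event['remote']['port']}",
        # A non-zero result is a MongoDB error code, i.e. the action was refused.
        "ok": event.get("result") == 0,
    }

def summarize(log_text):
    """Parse JSON-lines audit output, keep filtered events, count actions per user."""
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    kept = [five_ws(e) for e in events if matches_filter(e)]
    per_user = Counter(w["who"] for w in kept)
    return kept, per_user

if __name__ == "__main__":
    kept, per_user = summarize(SAMPLE_AUDIT_LOG)
    for w in kept:
        print(w)
    print(dict(per_user))
```

The authenticate event is dropped by the filter, while the failed dropCollection attempt is kept with `ok` false, which is exactly the kind of record an auditor asks for.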
26. Now for Those Enterprise Features
• Setup an easily scalable MongoDB Cluster that is highly
available on AWS.
• Use PetBox Inc’s LDAP server for authentication and
authorization
• Provide a full audit log
• Not just have encryption at rest but sign with PetBox
Inc’s provided AWS KMS key
• Allow their analytics team to query using MySQL
Workbench
27. Coming Soon!
Why Use Their Key aka BYO Key?
• Atlas already provides encryption at rest but MongoDB owns
the keys
• BYO Key means you ultimately control data access – take
the key, data can’t be unencrypted
• We support easy to use KMS providers
28. Why Not Just DIY?
What you Need for BYO Key
Without Atlas: TTC ~ 1 week
(setup only)
• Assuming already completed “Iceberg List”
• Get Coffee
• Read how to configure MongoDB for KMIP
• Create your key (using a service or internally)
• Manually Configure all the MongoDs in your
cluster for KMIP
• Test Config and hope it works *fingers crossed*
• FAILS
• Troubleshoot
• Repeat till Success!
• Figure out how to rotate, alert, etc
What you Need for BYO Key with Atlas:
TTC ~ 10-15 mins (including key creation)
Create a key, e.g. AWS KMS:
• IAM User – create the key, define permissions, set rotation policy
Then just need:
• Account Credentials: Access Key and Secret Access Key
• Region key will reside in
• AWS Customer Master Key ID (CMK)
36. Now for Those Enterprise Features
• Setup an easily scalable MongoDB Cluster that is highly
available on AWS.
• Use PetBox Inc’s LDAP server for authentication and
authorization
• Provide a full audit log
• Not just have encryption at rest but sign with PetBox
Inc’s provided AWS KMS key
• Allow their analytics team to query using MySQL
Workbench
37. Why Does PetBox Want To Use SQL?
• Lots of people know SQL – 40 years of history is hard to
deny
• MQL and the aggregation framework are awesome – so
until more know it we built our BI Connector
38. Why Not Just DIY?
What you Need to Speak SQL to
MDB without Atlas & the BI
Connector:
TTC ~ ?? Months to Years
• Assuming already completed “Iceberg List”
• Get Coffee
• Start coding … (Note: you can run the BI Connector without Atlas
but it’s just so much EASIER!)
What you Need to Speak SQL to MDB
with Atlas:
TTC ~ 10 mins
• Turn on the BI Connector
• Grab the connection info and put it in your fav BI Tool
• SQL away!
41. We Got Your Back: Always Adding Features You Need to Succeed!
Recently added:
• Temporary IP Whitelist Entries with configurable expirations
• Temporary Users with configurable expirations
• Custom DB User Roles
• More Coming Soon like x509 Authentication!
We Didn’t Even Cover:
• Alerting – Preconfigured and Configurable
• Atlas Activity Feed
• Peering
Remember – we are covering enterprise features you will probably deal with if you haven’t already. Pause throughout, ask questions!
Ask: have you ever had this happen? So many of us have. These kinds of situations eat time/money.
TTC – time to completion – at least 3 to 4 weeks and that’s if you have a background in some of this. If not expect longer and since you’ll be relying on yourself and the community for support it will take time to learn the lessons around best ways to do each aspect.
This is all about efficiency of a limited resource, time – why do what someone else has done when you can focus on creating something truly new? Think about how much time this would give you back to do more impactful and interesting work.
Cover create a cluster and show main screen with prebuilt cluster to use for rest.
Enterprise features are just those that help you scale imho – can be small to large
“Setup only” means without rotation; BYO Key means including key creation, and it sets up rotation.
We did it – we just got tons of time back. Let’s reflect on all we can do with an estimated TTC of almost 2 months vs about an hour or so max.