Security Features in MongoDB 2.4


Published in: Technology, Education
  • I assume you have some security background, are familiar with industry standard security tech like SSL and Kerberos, are familiar with access control in RDBMS
  • SDL = Secure Development Lifecycle
  • Security before 2.4 was weak. Most of our customers were small startups, we didn’t have much demand for security features. Once we got bigger customers who cared about security, we delivered.
  • In 2.2 security was handled outside MongoDB. We want to enable anyone to build apps on MongoDB, even if they have strict security guidelines. We were finding that big orgs couldn’t use it because of their internal policies.
  • GSSAPI = Generic Security Services Application Program Interface. Meta-protocol for negotiating the authentication protocol.
  • MongoD never sees your password or even your password hash. You can centralize your authentication service. KDC = Key Distribution Center. Intra-cluster auth still uses MONGODB-CR!!!
  • No separation of administrative operations. Use case: a performance-tuning DBA who can profile, build indexes, run dbStats, but not read data.
  • dbAdmin = build indexes, compact, dbStats, profiling
  • Best practice is to have 1 user with userAdminAnyDatabase and no other roles, and use it for all user administration. userAdmin is *effectively* (but not actually) a super-user.
  • readWrite on configdb is necessary for some sharding admin tasks (like stopping/starting the balancer). This is only one example – different companies will do this differently.
  • New in 2.4 – certificate validation, Windows support. 2.2 was a partial implementation, 2.4 is now fully implemented. Provided encryption but not authentication. Keyfile still used for intra-cluster authentication. SSL (with CA validation) ensures that the hosts are who they say they are, but that’s separate from user authentication within MongoDB.
  • Defense in Depth
  • Netsh = network configuration tool for Windows. Defense in Depth.
  • With SSD, as the time spent processing data between OS and disk gets proportionally larger since SSDs are so much faster, the perf hit is 15%. You still get a major upgrade in speed, but encrypting and decrypting take a larger share.

    1. Spencer Brody, Software Engineer, 10gen, @stbrody, #mongodbdays
       Security in MongoDB
    2. Agenda
       1. History
       2. Authentication
       3. Authorization
       4. Auditing
       5. Transport Encryption – SSL
       6. MongoDB Secure Development Lifecycle
       7. Documentation and Notifications
       8. Future Work
       Securing your MongoDB Implementation, Spencer Brody
    3. History
    4. History
       • Security features within MongoDB before 2.4 were limited
       • 2.4 offers a much better story around security
       • This is something we are investing in very heavily right now.
    5. The Three A’s
       Authentication – Who are you?
       Authorization – What can you do?
       Auditing – What have you done?
    6. Authentication
    7. Authentication
       Authentication is about proving “who” you are.
    8. Password Authentication
       • This is the only authentication mechanism available in MongoDB version 2.2 and prior
       • Still the only version available in the free product
       • In 2.4+ this mechanism is called MONGODB-CR
    9. Password Authentication
       • Use one-way function F
       Client → mongod: I am “username”, let me in
       mongod → client: Prove it, here is a random # N
       Client → mongod: Here is F(N, hash(<mypwd>))
       mongod → client: Nobody else could know that, welcome back!
       (mongod knows only my password hash. Hash never transmitted over the network!)
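The challenge-response exchange from slide 9, worked through in Python as an added example (not code from the talk or from MongoDB). MONGODB-CR's one-way function F is MD5, and the stored hash is MD5 of "user:mongo:password"; the user name, password and nonce handling below are constructed sample values.

```python
import hashlib
import secrets

def password_hash(user: str, password: str) -> str:
    """The only secret mongod stores: hash("<user>:mongo:<password>")."""
    return hashlib.md5(f"{user}:mongo:{password}".encode()).hexdigest()

def client_response(nonce: str, user: str, pwd_hash: str) -> str:
    """F(N, hash(pwd)): what the client sends. The hash itself never leaves the client."""
    return hashlib.md5(f"{nonce}{user}{pwd_hash}".encode()).hexdigest()

class Mongod:
    """Server side: holds password hashes only, issues a fresh nonce per login attempt."""
    def __init__(self, users: dict):
        self.users = users      # user -> pwd_hash, as in system.users
        self.pending = {}       # user -> outstanding nonce

    def challenge(self, user: str) -> str:
        nonce = secrets.token_hex(8)       # the random # N from the slide
        self.pending[user] = nonce
        return nonce

    def verify(self, user: str, key: str) -> bool:
        nonce = self.pending.pop(user, None)   # single use, so a replayed key fails
        pwd_hash = self.users.get(user)
        if nonce is None or pwd_hash is None:
            return False
        expected = client_response(nonce, user, pwd_hash)
        return secrets.compare_digest(expected, key)

def login(server: Mongod, user: str, password: str) -> tuple:
    """Run the exchange; return (authenticated, messages that crossed the wire)."""
    nonce = server.challenge(user)
    key = client_response(nonce, user, password_hash(user, password))
    wire = [f"I am {user}, let me in", f"nonce={nonce}", f"key={key}"]
    return server.verify(user, key), wire

def demo() -> tuple:
    # Constructed sample user; mongod is given the hash, never the password.
    server = Mongod({"spencer": password_hash("spencer", "correct horse")})
    ok, wire = login(server, "spencer", "correct horse")
    bad, _ = login(server, "spencer", "wrong password")
    hash_on_wire = any(server.users["spencer"] in msg for msg in wire)
    return ok, bad, hash_on_wire     # (True, False, False)
```

Because verification needs only the stored hash, that hash is password-equivalent: system.users deserves the same protection as the passwords themselves, and the exchange authenticates the client only, which is why the deck pairs it with SSL for the transport.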
    10. External Authentication
       Use common / standardized authentication
       SASL: Simple Authentication and Security Layer
       – Framework for building authentication
       – MongoDB uses the Cyrus sasl2 library
       Kerberos (available in the Enterprise Edition)
       – GSSAPI
       – driver support in Python, Java, C#, Node.js, Perl
    11. Authentication with Kerberos
       1. Client → KDC (UDP:88): I am “username@EXAMPLE.COM”, help me prove it to mongod
       2. KDC → client: Here is a TGT
       3. Client → mongod (TCP:27017): Here is a Kerberos TGT
       4. mongod → client: Welcome, here is a Service Ticket!
       (mongod holds a keytab.) User document:
       {user: "username@EXAMPLE.COM", roles: ["readWrite"], userSource: "$external"}
    12. Granting privileges
       # mongo
       > use appDB;
       > db.system.users.find();
       {
         "_id": ObjectId("519e842804f5f7f7921dbf89"),
         "user": "spencer",
         "userSource": "$external",
         "roles": ["readWrite", "dbAdmin"]
       }
    13. Authorization
    14. Authorization
       Once MongoDB has established “who” you are, authorization is about determining “what” you are allowed to do.
    15. Authorization Roles in 2.2 and Prior
       – Database level read-only
       – Database level read-write
       – System-wide read-only
       – System-wide read-write
       Sample user document:
       > db.system.users.find().pretty()
       {
         "_id": ObjectId("519e842804f5f7f7921dbf89"),
         "user": "spencer",
         "pwd": "22c83553ed7ce252d8b0c9f716cae4de",
         "readOnly": false
       }
    16. Authorization Roles in 2.4
       – read
       – readWrite
       – dbAdmin
       – userAdmin
       – readAnyDatabase
       – readWriteAnyDatabase
       – dbAdminAnyDatabase
       – userAdminAnyDatabase
       – clusterAdmin
       The roles in bold on the slide (the *AnyDatabase roles and clusterAdmin) can only be granted in the admin database.
    17. userAdmin
       The userAdmin role on database “foo” lets you grant any db-level role to any user from the “foo” database (including yourself).
       The userAdminAnyDatabase role lets you grant any role in the system to any user (including yourself).
       This means they can be used to grant yourself roles you didn’t previously have!
       This makes userAdmin effectively a super-user.
       Access to these roles should be carefully controlled!
    18. Example
       User       Role                              Database(s)
       appUser    readWrite                         app
       dba        dbAdmin                           app
       seniorDBA  dbAdminAnyDatabase, clusterAdmin  admin
                  readWrite                         config
       CTO        userAdminAnyDatabase              admin
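An added example (not from the talk) that checks a set of 2.4 user documents against the rules on slides 16 to 18: admin-only roles must live in the admin database, and anyone holding userAdmin or userAdminAnyDatabase is an effective super-user who, per the speaker notes, should hold no other role. The role catalogue is MongoDB 2.4's; the user table is slide 18, transcribed here as constructed sample data.

```python
DB_LEVEL_ROLES = {"read", "readWrite", "dbAdmin", "userAdmin"}
# Grantable only in the admin database (slide 16).
ADMIN_ONLY_ROLES = {"readAnyDatabase", "readWriteAnyDatabase",
                    "dbAdminAnyDatabase", "userAdminAnyDatabase", "clusterAdmin"}
# Roles that let their holder grant themselves anything (slide 17).
SUPER_USER_ROLES = {"userAdmin", "userAdminAnyDatabase"}

# (database, user document) pairs as they would appear in <db>.system.users;
# constructed from the table on slide 18.
SLIDE_18_USERS = [
    ("app",    {"user": "appUser",   "roles": ["readWrite"]}),
    ("app",    {"user": "dba",       "roles": ["dbAdmin"]}),
    ("admin",  {"user": "seniorDBA", "roles": ["dbAdminAnyDatabase", "clusterAdmin"]}),
    ("config", {"user": "seniorDBA", "roles": ["readWrite"]}),
    ("admin",  {"user": "CTO",       "roles": ["userAdminAnyDatabase"]}),
]

def audit_roles(users):
    """Return (severity, message) findings for a list of (db, user doc) grants."""
    findings = []
    for db, doc in users:
        user, roles = doc["user"], set(doc["roles"])
        for role in sorted(roles):
            if role not in DB_LEVEL_ROLES | ADMIN_ONLY_ROLES:
                findings.append(("error", f"{user}@{db}: unknown role {role}"))
            elif role in ADMIN_ONLY_ROLES and db != "admin":
                findings.append(("error", f"{user}@{db}: {role} is only valid in admin"))
        super_roles = roles & SUPER_USER_ROLES
        if super_roles:
            # Best practice from the notes: the user-admin account holds nothing else.
            if roles - super_roles:
                findings.append(("warn", f"{user}@{db}: mixes user administration with other roles"))
            else:
                findings.append(("info", f"{user}@{db}: effective super-user via {sorted(super_roles)[0]}"))
    return findings

def errors(users):
    """Only the hard violations: roles that mongod would not accept where granted."""
    return [msg for sev, msg in audit_roles(users) if sev == "error"]
```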
    19. Auditing
    20. Auditing
       Monitor user activity:
       – userID added to standard output in 2.4
       – No separate audit log
       – Much more coming in 2.6
    21. Transport Encryption – SSL
    22. Transport Encryption – SSL
       [Diagram: Primary and Secondary, each with Data Files; SSL encryption for client connections; SSL encryption for inter-server traffic]
    23. Outside MongoDB
    24. Outside MongoDB
       Firewalls
       – iptables & netsh
       – Ports, Addresses, Times, Throttle etc.
       File system
       – Encrypt (Gazzang) [HIPAA, PCI, SOX]
       Best Practices
       – Internal Policies (Password Reuse, Scan etc.)
    25. MongoDB Partners with Gazzang
       • File System Encryption
       • 5% performance hit with HDD, 10-15% with SSD
       [Diagram: OS → Gazzang → File System (all contents encrypted); Gazzang Key Mgmt]
    26. MongoDB SDL
    27. MongoDB Secure Development Lifecycle
       • All contributions to the open source project are reviewed and tested by a member of the Core Server team
       • Peer code reviews of all commits
       • Automated functional and unit tests
       • Active monitoring of best practices and advisories for third party code
       • Static code analysis with Coverity run nightly against the Core Server and applicable driver projects
    28. Documentation & Notifications
    29. Documentation
       Manual –
       • Security Features within MongoDB
       • Best Practices & Strategies
       • Tutorials
       • Vulnerability Notifications
    30. Potential Security Issues
       How do YOU find out?
       – MongoDB Alerts
       – mongodb-announce Google group
       How, What, Where?
       – Vulnerability Notification
       – Jira (HTTPS) & (Secure) Email
    31. Future work
    32. Disclaimer
       Statements about future releases, availability dates, and feature content reflect plans only, and 10gen is under no obligation to include, develop or make available, commercially or otherwise, specific features discussed in a future MongoDB build. Information is provided for general understanding only, and is subject to change at the sole discretion of 10gen in response to changing market conditions, delivery schedules, customer requirements, and/or other factors.
    33. Future
       • User-defined roles
       • Collection level access control
       • Field level access control
       • Auditing
       • X.509 authentication, for both user and intra-cluster authentication
       • External configuration of users’ roles (LDAP)
    34. Conclusion
    35. Conclusion
       • 2.2 had rudimentary security support
       • 2.4 is much better & Enterprise-Level
       • Authentication & Authorization
       • Within & Outside
    36. Spencer Brody, Software Engineer, 10gen, #mongodbdays
       Thanks! If you liked my talk, please tweet about it! #MongoDBDays @stbrody
    37. Next Sessions at 11:00
       5th Floor:
       – West Side Ballroom 3&4: Schema Design
       – West Side Ballroom 1&2 (this room): Data Processing and Aggregation Options
       – Juilliard Complex: Business Track: Fireside Chat: IBM and MongoDB Set the Standard for Web and Mobile Development
       – Lyceum Complex: Ask the Experts
       7th Floor:
       – Empire Complex: Performance Tuning and Monitoring Using MMS
       – SoHo Complex: 10gen Polyglot Spatial with MongoDB