MongoDB 2.4 Security Features

Edouard Servan-Schreiber, Ph.D. Director of Solution Architecture 10gen #MongoDBdays MongoDB Security

Upload: mongodb

Post on 25-May-2015

TRANSCRIPT

Page 1: MongoDB 2.4 Security Features

Edouard Servan-Schreiber, Ph.D., Director of Solution Architecture, 10gen

#MongoDBdays

MongoDB Security

Page 2: MongoDB 2.4 Security Features

Security against Trespassing

• Data in flight

• Data at rest

Page 3: MongoDB 2.4 Security Features

MongoDB SSL

• SSL encryption for client connection

• SSL encryption for inter-server traffic

• Keyfile establishes trust domain

http://docs.mongodb.org/manual/administration/ssl/

[Diagram: Application connected to a Primary and a Secondary, each with its own Data Files]

Page 4: MongoDB 2.4 Security Features

MongoDB - Gazzang

• File System Encryption

• 5% performance hit with HDD, 10-15% with SSD

[Diagram: File System – All contents encrypted; OS; Gazzang; Gazzang Key Mgmt]

Page 5: MongoDB 2.4 Security Features

Security against Insider Abuse

• Authentication
  – Are you who you claim to be?

• Authorization
  – Do you have access privileges to do what you want to do?

• Auditing
  – Can I trace your activities for future verification?

Page 6: MongoDB 2.4 Security Features

New with MongoDB 2.4

• Authentication
  – External authentication with Kerberos

• Authorization
  – Improved granularity of powers within a cluster to contain abuse

• Auditing
  – User IDs added to audit logs

Page 7: MongoDB 2.4 Security Features

Authentication

• 2.2
  – Admin users and single db users
  – No external auth
  – No sense of user across databases
    • Had to redefine user in several databases

• 2.4
  – External authentication with Kerberos
  – Can "source" users from different databases

Page 8: MongoDB 2.4 Security Features

Authentication with only pwd hash

• Use one-way function F

Client: I am "[email protected]", let me in

Mongod: Prove it, here is a random # N

Client: Here is F(N, hash(<mypwd>))

Mongod: Nobody else could know that, welcome back edouard!

• Mongod knows only my password hash

• Hash never transmitted over the network!
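The exchange on this slide, as an added example that is not code from the talk or from MongoDB. The choice of SHA-256 for hash(), HMAC-SHA256 for F, the `Server` class and the sample password are assumptions made for illustration.

```javascript
const { createHash, createHmac, randomBytes, timingSafeEqual } = require("node:crypto");

// hash(<mypwd>) on the slide: the only form of the password the server stores.
// SHA-256 over "user:password" is an assumption made for this example.
const pwdHash = (user, pwd) => createHash("sha256").update(`${user}:${pwd}`).digest("hex");

// F(N, hash): one-way function of the nonce and the stored hash (HMAC-SHA256 assumed).
const F = (nonce, hash) => createHmac("sha256", hash).update(nonce).digest();

class Server {
  constructor(users) { this.users = users; this.pending = new Map(); }
  challenge(user) {                      // "Prove it, here is a random # N"
    const nonce = randomBytes(16).toString("hex");
    this.pending.set(user, nonce);
    return nonce;
  }
  verify(user, proof) {
    const nonce = this.pending.get(user);
    this.pending.delete(user);           // a nonce is valid for one attempt only
    const hash = this.users.get(user);
    if (!nonce || !hash) return false;
    const expected = F(nonce, hash);
    return proof.length === expected.length && timingSafeEqual(proof, expected);
  }
}

// Constructed walk-through: a valid login, a replayed answer, a wrong password.
function demo() {
  const server = new Server(new Map([["edouard", pwdHash("edouard", "s3cret-example")]]));
  const answer = (nonce, pwd) => F(nonce, pwdHash("edouard", pwd));

  const proof = answer(server.challenge("edouard"), "s3cret-example");
  const login = server.verify("edouard", proof);

  server.challenge("edouard");           // fresh N: the old answer no longer matches
  const replay = server.verify("edouard", proof);

  const wrongPassword = server.verify("edouard", answer(server.challenge("edouard"), "guess"));
  return { login, replay, wrongPassword };
}
```

The client never needs the clear-text password to compute the answer, only hash(<mypwd>), so the stored hash is as sensitive as the password itself and read access to system.users has to be restricted accordingly.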

Page 9: MongoDB 2.4 Security Features

Authentication with Kerberos (2.4)

Client to KDC: I am "[email protected]", help me prove it to mongod

KDC to client: Here is a ticket for mongod

Client to Mongod: Here is a Kerberos ticket

Mongod: Welcome!

{ user: "[email protected]", roles: ["read"], userSource: "$external" }

Page 10: MongoDB 2.4 Security Features

AUTHORIZATION

Avoiding hierarchical powers VS Building Regional powers

Page 11: MongoDB 2.4 Security Features

AUTHORIZATION

• Issues with 2.2
  – No roles --- No access / Read / ReadWrite
  – Hard to separate powers

• 2.4 introduces roles
  – Admin level roles
    • UserAdmin
    • ClusterAdmin
  – DB level roles
    • User Admin
    • DB Admin
    • Read
    • ReadWrite

Page 12: MongoDB 2.4 Security Features

AUTHORIZATION

• DB level roles
  – User Admin
  – DB Admin
  – Read
  – ReadWrite

• Corresponding Admin level roles for all databases

Page 13: MongoDB 2.4 Security Features

• Admin DB
  – UserAdmin
  – ClusterAdmin

• Accnts DB (only useful to hold pwd hashes)
  – UserAdmin

• App DB
  – UserAdmin
  – dbAdmin
  – ReadWrite
  – Read

• Product DB
  – UserAdmin
  – dbAdmin
  – ReadWrite
  – Read

• Customer DB
  – UserAdmin
  – dbAdmin
  – ReadWrite
  – Read

• BI DB
  – UserAdmin
  – dbAdmin
  – ReadWrite
  – Read

Page 14: MongoDB 2.4 Security Features

• DB Admin: UserAdmin
  – "I can do anything. But I won't be required to do much"

• DB Admin: ClusterAdmin
  – "I can add and remove shards, control the balancer"

• DB Accnts: userAdmin
  – "I can create new users but I can't grant them privileges to other DB's"

• DB App: userAdmin
  – "I can grant privileges to the App DB only"

• DB App: dbAdmin
  – "I can create indices, set profiling, compact"

Page 15: MongoDB 2.4 Security Features

DB Admin: UserAdmin
  – "I can do anything. But I won't be required to do much"

In Admin.system.users :

{ user: "[email protected]", userSource: "$external", roles: [ "userAdmin" ], otherDBRoles: { } }

OR

{ user: "edouard", pwd: <hash>, roles: [ "userAdmin", "userAdminAnyDatabase" ], otherDBRoles: { } }

• Only required to intervene if cluster admin or any other admin has to change.

• Can create new databases

• Is not on the critical path of any other activity.

Page 16: MongoDB 2.4 Security Features

DB Admin: ClusterAdmin
  – "I can add and remove shards, control the balancer, update replSet configs"

In Admin.system.users :

{ user: "[email protected]", userSource: "$external", roles: [ "clusterAdmin" ], otherDBRoles: { } }

{ user: "[email protected]", userSource: "$external", roles: [ "clusterAdmin", "dbAdminAnyDatabase" ], otherDBRoles: { } }

• Manages the number of shards and the balancer

• Cannot act on other DBs directly (e.g. cannot enable sharding on a collection)

• Cannot see any data

• Can also be the admin of all other databases with "dbAdminAnyDatabase"

Page 17: MongoDB 2.4 Security Features

DB Accnts: UserAdmin
  – "I can create new users but I can't grant them privileges on other DB's"

In Accnts.system.users :

{ user: "edouard", pwd: <hash>, roles: [ "userAdmin" ] }

{ user: "richard", pwd: <hash>, roles: [ "read" ] }

{ user: "asya", pwd: <hash>, roles: [ ] }

• Manages the user list for the cluster.

• All users should have an entry in Accnts.system.users and this role is able to create them, while not letting them see the user list.

• The Accnts DB is the authentication center

Page 18: MongoDB 2.4 Security Features

In Accnts.system.users :

{ user: "richard", pwd: <hash>, roles: [ "read" ] }

Richard can see the information about other users….

Page 19: MongoDB 2.4 Security Features

In Accnts.system.users :

{ user: "richard", pwd: <hash>, roles: [ ] }

Only the UserAdmin should see details about other users

Page 20: MongoDB 2.4 Security Features

• DB App: userAdmin
  – "I can grant privileges to the App DB only"

• DB App: dbAdmin
  – "I can create indices, set profiling, compact"

In App.system.users :

{ user: "richard", userSource: "Accnts", roles: [ "userAdmin" ] }

{ user: "asya", userSource: "Accnts", roles: [ "dbAdmin" ] }

• Each DB's userAdmin gets to grant privileges separately

• Credentials from Accnts DB

Page 21: MongoDB 2.4 Security Features

• DB App: readWrite
  – "I am the app. I read and write to the DB"

• DB App: read
  – "I do BI and only need to read from this DB"

In App.system.users :

{ user: "appUser", userSource: "Accnts", roles: [ "readWrite" ] }

{ user: "BIUser", userSource: "Accnts", roles: [ "read" ] }

• The BI user needs to read from the app DB in order to access the data to be analyzed

• And needs to read/write in another database dedicated to BI results

In BI.system.users :

{ user: "BIUser", userSource: "Accnts", roles: [ "readWrite" ] }

Page 22: MongoDB 2.4 Security Features

Simplifications

• No need for Accnts DB if all users are externally authenticating

• UserAdmin of Admin DB can manage and assign all the roles through {read, readWrite, dbAdmin, userAdmin}AnyDatabase
  – roles: [ "dbAdminAnyDatabase", "readAnyDatabase" ]

• Can assign otherDBRoles in Admin.system.users, to grant privileges to only some DB's
  – otherDBRoles: { App: [ "read" ], BI: [ "userAdmin", "readWrite" ] }

Page 23: MongoDB 2.4 Security Features

Case: one super user, one app admin, one app regular user

ADMIN.system.users:

{ user: "SuperUser", userSource: "$external", roles: [ "userAdmin", "clusterAdmin" ] }

{ user: "AppAdmin", userSource: "$external", roles: [ ], otherDBRoles: { app: [ "userAdmin", "dbAdmin" ] } }

APP.system.users:

{ user: "AppUser", userSource: "$external", roles: [ "readWrite" ] }
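How the user documents on the preceding slides combine into effective roles, as an added example that is not code from the talk or from MongoDB. The `cluster` object is constructed sample data modelled on the slides, and `effectiveRoles`, `sourceOf` and `credentialDbReaders` are hypothetical helper names; the second helper flags the situation the slides call out, where a user with read on the Accnts DB can see other users' details.

```javascript
// Constructed cluster state modelled on the slides; each key is a database's system.users.
const cluster = {
  admin: [
    { user: "edouard", pwd: "<hash>", roles: ["userAdmin", "userAdminAnyDatabase"] },
    { user: "AppAdmin", userSource: "$external", roles: [],
      otherDBRoles: { App: ["userAdmin", "dbAdmin"] } },
  ],
  Accnts: [
    { user: "edouard", pwd: "<hash>", roles: ["userAdmin"] },
    { user: "richard", pwd: "<hash>", roles: ["read"] },
    { user: "BIUser", pwd: "<hash>", roles: [] },
  ],
  App: [
    { user: "richard", userSource: "Accnts", roles: ["userAdmin"] },
    { user: "BIUser", userSource: "Accnts", roles: ["read"] },
  ],
  BI: [{ user: "BIUser", userSource: "Accnts", roles: ["readWrite"] }],
};

// A principal is the pair (user, source); a document carrying pwd is its own source.
const sourceOf = (doc, db) => doc.userSource || db;

function effectiveRoles(state, user, source, db) {
  const roles = new Set();
  const mine = (doc, docDb) => doc.user === user && sourceOf(doc, docDb) === source;
  for (const doc of state[db] || []) {
    if (mine(doc, db)) doc.roles.forEach((r) => roles.add(r));
  }
  for (const doc of state.admin || []) {
    if (!mine(doc, "admin")) continue;
    // otherDBRoles grants roles on named databases only.
    ((doc.otherDBRoles || {})[db] || []).forEach((r) => roles.add(r));
    // <role>AnyDatabase in admin grants <role> on every database.
    for (const r of doc.roles) {
      if (r.endsWith("AnyDatabase")) roles.add(r.slice(0, -"AnyDatabase".length));
    }
  }
  return [...roles].sort();
}

// Users who can read the credentials database without being its userAdmin.
function credentialDbReaders(state, credDb) {
  return state[credDb]
    .filter((d) => !d.roles.includes("userAdmin"))
    .filter((d) => effectiveRoles(state, d.user, sourceOf(d, credDb), credDb)
      .some((r) => r === "read" || r === "readWrite"))
    .map((d) => d.user);
}
```

Note that "edouard" sourced from admin and "edouard" sourced from Accnts are two different principals: only the first inherits userAdmin on App through userAdminAnyDatabase.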

Page 24: MongoDB 2.4 Security Features

Auditing - Logging

Monitor user activity:

– Logging to output userID associated with actions, when available

– Sharded and single-node configurations

– Not a separate audit log

Future

– Partnership / ecosystem opportunities

Page 25: MongoDB 2.4 Security Features

Disclaimer

Statements about future releases, availability dates, and feature content reflect plans only, and 10gen is under no obligation to include, develop or make available, commercially or otherwise, any specific feature discussed in a future MongoDB build. Information is provided for general understanding only, and is subject to change at the sole discretion of 10gen in response to changing market conditions, delivery schedules, customer requirements, and/or other factors.

Page 26: MongoDB 2.4 Security Features

Future

• Field level obfuscation
  – Blocking PPI data in documents from some users.

• Improved auditing

• More external authentication protocols

• External access control privileges
  – Central management of ACL and MongoDB able to externally read them

Page 27: MongoDB 2.4 Security Features

Thank You