senior solutions architect, mongodb james kerr security features preview field level access control
TRANSCRIPT
Senior Solutions Architect, MongoDB
James Kerr
Security Features PreviewField Level Access Control
Key Security Considerations
Reference Architecture
Clients
Storage
Administrators
Authentication Authorization Auditing Encryption
Authentication
Clients
Storage
Administrators
Authentication Authorization Auditing Encryption
Which users/apps
are accessing
the DB
Which nodes
are joining
the cluster
Which users are accessing
the DB
Authorization
Clients
Storage
Administrators
Authentication Authorization Auditing Encryption
What permissions does an App have?
What permissions does an
Admin have?
What data can a user
see?
What data can an admin see?
Auditing
Clients
Storage
Administrators
Authentication Authorization Auditing Encryption
Who made which
changes and when?
Who made which
changes and when?
Encryption
Clients
Storage
Administrators
Authentication Authorization Auditing Encryption
SSL Encryptio
n
SSL Encryptio
n
File system
Encryption
Today - Authorization
Clients
Authorization
What permissions does an App have?
What data can a user
see?
Authorization
Authorization Features
• Database Level Access Control (2.4)– Admin roles – DB, user, cluster– Application roles – reader, reader/writer
• Collection Level Access Control (coming soon)– User defined roles– Privileges granted to roles for actions on
resources– Database, collection and system resource types
• Field Level Access Control (2.5 nightly)– Redact documents and/or fields based on security
labels
Field Level Access Control Goals
• Restrict access to certain documents within a collection
• Restrict access to certain fields within documents
• Provide a generic capability to handle different marking schemes
• Describe policies in terms of existing MongoDB query languages, or extensions thereof
FLAC Features and Functionality
• New $redact aggregation framework phase– Performs a pre-order traversal of the document
tree– For each node, the expression conditionally
returns one of• "$$KEEP” , "$$PRUNE” or "$$DESCEND”
• New query language operators– Sets (⊆, =, ∖, ∩, ∪)– Arrays (any true, all true)– Variables (let, map)
FLAC Features and Functionality (cont.)
• Aggregation can return a cursor– Have to use "aggregate" command until 2.5 is
feature-complete– Can use the the temporary mongo shell helper
db.collection.aggregateCursor()
• Aggregation can write directly to another collection– $out phase
Redaction Logic
• Expression is evaluated as the nodes in the document are traversed
• $$KEEP – inserts the node and the node's children into the output
• $$PRUNE – puts no node in the output document, and continues the traversal of the sibling nodes
• $$DESCEND – inserts a corresponding node in the output document and continues the traversals of the node's children
Set Operators
• $setIsSubset
• $setEquals
• $setDifference
• $setIntersection
• $setUnion
Array Operators
• $allElementsTrue
• $anyElementTrue
Variable Operators
• $let – Binds variables for use in sub-expressions
• $map– Applies a sub-expression to each item in an array and
returns an array with the result of the sub-expression
• Available the in $project, $group, and $redact pipeline stages
{ $project: { remaining: { $let : {
vars: { tally: 75, count: 50 } ,
in: { $subtract: [ "$$tally", "$$count" ] }
} } } }
{ remaining: 25 }
$let Example
Bind the "tally" and "count" variables
Evaluate the subexpression defined by the "in" field with the bound variables
{ skews: [ 1, 2, 3 ] }
{ $project: { adjusted: {
$map: {
input: "$skews",
as: "adj",
in: { $add: [ "$$adj", 12 ] }
}
} } }
{ adjusted : [ 13, 14, 15 ] }
$map Example
Use the "skews" field as the input to the $map operationAssign each element in the input array to the "adj" variableExecute expression for each element in the input array
{ $redact:
{ $cond: [{ $anyElementTrue:
{ $map: { input: "$sl",
as: "setNeeded",
in: { $setIsSubset: ["$$setNeeded", ["A", "B", "D"]] }
}
}
},
"$$DESCEND", "$$PRUNE"]
}
}
$redact Example
Input labels. IE, these would come from the user's attributes
Field security labels are in the "sl" field
FLAC Pipeline – Basic
$redact
Query
$match
Redaction Expression
User Attribute
s
FLAC Pipeline – Optimized
$match
Query
$redact
$match
Redaction Expression
User Attribute
s
To make the pipeline more selective, parts of the $match may be promoted by the execution engine or manually.* Don't promote negative queryterms ($ne, $nin, $nor, etc)
FLAC Pipeline – Document Level Filters
$match
Query
$redact
$match
Redaction Expression
User Attribute
s
Security Match
Expression
Document level accessmay be selective and benefit from index usein the first $match phase
Markings Reference Implementation
• Field visibility is controlled by the "sl" field
• Top level "sl" applies to the whole document
• Restrictive markings on a parent field removes it and any children
Markings Reference Implementation{
_id: 1,
sl: [ ["A", "B"], ["C"] ],
field1 : { sl : [ ["A", "B"] ], data : “field1 value” },
field2 : { sl : [ ["C"] ], data : “field2 value” },
field3 : { sl : [ ["A", "C"], ["B", "D"] ], data : “field3 value” }
}
User needs A&B|C to see the documentUser needs A&B to see field1User needs C to see field2User needs A&C|B&D to see field3
Markings Reference Implementation{
_id: 2,
sl: [ ["A", "B", "C"], ["A", "B", "D"] ],
field1 : { sl : [ ["A", "B"] ],
field2 : { sl : [ ["C"] ], data : "field2 value" },
field3 : { sl : [ ["D"] ], data : "field3 value" }
}
}
User needs A&B&C|A&B&D to see the documentUser needs A&B to see field1User needs A&B&C to see field1.field2User needs A&B&D to see field1.field3
{ $redact:
{ $cond: [{ $anyElementTrue:
{ $map: { input: "$sl",
as: "setNeeded",
in: { $setIsSubset: ["$$setNeeded", ["A", "B", "D"]] }
}
}
},
"$$DESCEND", "$$PRUNE"]
}
}
$redact Reference Example
User has labels "A" , "B" and "D"
Field security labels are in the "sl" field
{
_id: 1,
sl: [ ["A", "B"], ["C"] ],
field1 : { sl : [ ["A", "B"] ], data : “field1 value” },
field2 : { sl : [ ["C"] ], data : “field2 value” },
field3 : { sl : [ ["A", "C"], ["B", "D"] ], data : “field3 value” }
}
{
_id: 1,
sl: [ ["A", "B"], ["C"] ],
field1 : { sl : [ ["A", "B"] ], data : “field1 value” },
field3 : { sl : [ ["A", "C"], ["B", "D"] ], data : “field3 value” }
}
$redact Output
User labels = ["A", "B", "D"]
{
_id: 2,
sl: [ ["A", "B", "C"], ["A", "B", "D"] ],
field1 : { sl : [ ["A", "B"] ],
field2 : { sl : [ ["C"] ], data : “field2 value” },
field3 : { sl : [ [“D"] ], data : “field3 value” }
}
}
{
_id: 2,
sl: [ ["A", "B", "C"], ["A", "B", "D"] ],
field1 : { sl : [ ["A", "B"] ],
field3 : { sl : [ [“D"] ], data : “field3 value” }
}
}
$redact Output
User labels = ["A", "B", "D"]
FLAC Design – Trusted Middleware
TrustedMiddleware/Application
Identity Managemen
t
Driver
1. Authenticate Untrusted User2. Retrieve User Attributes3. Create query and $redact Expression
1. Authenticate Trusted User2. Run Query3. Apply $redact Expression
Query + $redactTrusted user
UntrustedUser/
Application
Collection
Disclaimer
Statements about future releases, availability dates, and feature content reflect plans only, and MongoDB is under no obligation to include, develop or make available, commercially or otherwise, specific features discussed in a future MongoDB build. Information is provided for general understanding only, and is subject to change at the sole discretion of MongoDB in response to changing market conditions, delivery schedules, customer requirements, and/or other factors.
Integrated FLAC (Conceptual)*
• Collection Views
• Read-only Views
• Parameterized Views– Configurable redaction expression– Document content based on the user attributes
and field markings
* See Disclaimer
FLAC Design – Views*
TrustedMiddleware/Application
Identity Management
Driver
1. Authenticate Untrusted User2. Retrieve User Attributes
1. Authenticate Trusted User2. Run Query3. Create/Apply $redact Expression
Query + attributesTrusted user
UntrustedUser/
Application
CollectionView
($redact)
* See Disclaimer
FLAC Design – Fully Integrated*
UntrustedMiddleware/Application
Identity Managemen
t
Driver
1. Authenticate Untrusted User 1. Authenticate Untrusted User2. Retrieve User Attributes3. Run Query4. Create/Apply $redact Expression
QueryUntrusted user
UntrustedUser/
Application
CollectionView
($redact)
* See Disclaimer
{ $redact:
{ $cond: [{ $anyElementTrue:
{ $map: { input: "$sl",
as: "setNeeded",
in: { $setIsSubset: ["$$setNeeded", "$$USER.security.tags"] }
}
}
},
"$$DESCEND", "$$PRUNE"]
}
}
Parameterized View Concept*
* See Disclaimer
User labels retrieved from security "context"
Other Features*
• LDAP Authentication
• x.509 Authentication
• Keyfile alternative
• Auditing (admin functions – DDL, DCL)
• User defined roles
• Collection level access control
* See Disclaimer
Next Steps
• Looking for customers to evaluate
• Trusted middleware example code
References
• http://docs.mongodb.org/manual/release-notes/2.6/
• http://docs.mongodb.org/manual/security/
