Webinar: MongoDB 2.6 New Security Features

Matt Kalan, Sr. Solutions Architect, MongoDB
Dylan Tong, Sr. Solutions Architect, MongoDB

Uploaded by: mongodb
Posted on: 01-Nov-2014
Category: Technology

DESCRIPTION

This webinar will cover new security features in MongoDB 2.6 including x.509 authentication, user defined roles, collection level access control, enterprise features like LDAP authentication and auditing, and many other SSL features. We will first give a brief overview of security features through MongoDB 2.4 then cover new features in 2.6 and coming releases.

TRANSCRIPT


Agenda

• Review security capabilities in v2.4
• New features in v2.6
  – User Defined Roles
  – Access Control Improvements
  – Authentication
    • x509
    • LDAP
  – Auditing
  – SSL improvements

Review Security in 2.4

Authentication

• User authentication
  – Basic challenge-response
    • Hashed password managed in MongoDB
  – Kerberos integration using SASL (Enterprise)
    • Connects to an existing Kerberos infrastructure
    • Passwords managed in the existing system, not in MongoDB
  – Can combine these if desired in the same server
• Cluster authentication via shared keyfile

Authorization/Access Control

• Standard roles assigned in MongoDB
• Usernames are in MongoDB and have role(s) assigned to them
• You can add standard roles together to build the permissioning you need for a user
• Lowest granularity is the database

Auditing

• Only a small set of operations are logged
• Logged in the main Mongo server log
• IBM Guardium integration for enterprise policy-based security monitoring

Encryption

• Data in transit
  – SSL between all MongoDB components is in the Enterprise version
  – Or build in your own SSL library from the open source version
• Data at rest
  – Customer chooses to use an encrypted file system

Upcoming Features in 2.6

Access Control

Role Access Control

• Application Server Role: Read & Write on Application Database
• BI Role: Read Only on Application Database
• DBA Role: Read & Write on Application Database; Administration on Application Databases; Administration on MongoDB Cluster

Advanced Role Access Control

Scenario: Multi-tenant Database as a Service

Service-Wide Scope
• Land Lord: Clusterwide Administration Rights: provision and remove tenants (e.g. create and drop database)
• Land Lord Assistant

Tenant-Level Scope
• Tenant DBA: DBA Rights within Scope of a Single Tenant, e.g. delegate rights within the scope of the tenant
• Tenant App Server
• Tenant BI Role

Enhancements Needed!

Current Version:
1. Privileges are limited to what is pre-defined.
2. Access Controls are limited to database-level.

Upcoming Version 2.6:
1. User defined privileges and roles are possible!
2. Access Controls can be defined at the collection-level!

Access Management

Prior to version 2.6, user privileges are pre-defined:

• Read: Provides the privilege to run read-type operations on a database, like find().
• Read/Write: Provides the privilege to run write-type operations on a database, like update(), insert() and remove().
• User Admin: Provides the privilege to modify users, such as creating users and modifying user privileges.
• Database Admin: Provides the privileges to run administrative commands that are scoped to a database.
• Cluster Admin: Provides the privileges to run administrative commands that are scoped to the cluster.

Example of Privilege

Read Privilege = find, aggregate, checkShardingIndex, cloneCollectionAsCapped, collStats, count, dataSize, dbHash, dbStats, distinct, filemd5, geoNear, geoSearch, geoWalk, group, mapReduce (inline output only), text (beta feature)

The actual privilege definition is a pre-defined list of operations.

User Defined Role Concept

• User: users are assigned roles
• Role: a grouping of privileges; may also contain other roles
• Privilege: a set of actions on a given resource, e.g. Read action (run find query) on “Tweets” collection
• Action: an operation, e.g. find, ensureIndex
• Resource: some system object that an action can be performed on, e.g. database, collection


Example Use Case

Scenario: Multi-tenant Database as a Service

Landlord Administrator (example role):
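As an added example that is not part of the webinar or of MongoDB's own code, the following JavaScript models the role concept above (user, role, privilege, action, resource) for the multi-tenant scenario: tenant-scoped roles, a tenant DBA role that contains other roles, and a service-wide landlord role. The role documents use the shape MongoDB 2.6's db.createRole() accepts (role, privileges with resource and actions, nested roles), but the role names, the tenant database "tenant_acme" and the "tweets" collection are made-up assumptions, and the authorization check runs in this script rather than inside mongod.

```javascript
// Added example, not from the webinar: a model of MongoDB 2.6-style user-defined
// roles for the multi-tenant scenario on the slides. The role documents use the
// same shape db.createRole() takes ({role, privileges: [{resource, actions}], roles}),
// but the role names, the tenant database "tenant_acme" and the "tweets" collection
// are made-up assumptions, and the checks below run here, not inside mongod.

// Constructed role catalogue: tenant-scoped roles name one tenant database,
// the landlord role is scoped service-wide (cluster and any database).
const roles = {
  tenantBI: {
    role: "tenantBI",
    privileges: [
      // collection "" means every collection in that database
      { resource: { db: "tenant_acme", collection: "" }, actions: ["find"] }
    ],
    roles: []
  },
  tenantAppServer: {
    role: "tenantAppServer",
    privileges: [
      { resource: { db: "tenant_acme", collection: "tweets" },
        actions: ["find", "insert", "update", "remove"] }
    ],
    roles: []
  },
  tenantDBA: {
    role: "tenantDBA",
    privileges: [
      // user management is granted inside the tenant database only
      { resource: { db: "tenant_acme", collection: "" },
        actions: ["createUser", "grantRole", "ensureIndex", "collStats"] }
    ],
    // a role may contain other roles: the DBA inherits both tenant roles
    roles: [{ role: "tenantAppServer", db: "tenant_acme" },
            { role: "tenantBI", db: "tenant_acme" }]
  },
  landlord: {
    role: "landlord",
    privileges: [
      { resource: { cluster: true }, actions: ["listDatabases", "addShard"] },
      // db "" and collection "" together mean any database, any collection
      { resource: { db: "", collection: "" }, actions: ["dropDatabase", "createCollection"] }
    ],
    roles: []
  }
};

// Does a privilege's resource cover the requested one? A request is either
// { cluster: true } or { db, collection }; "" in the resource is a wildcard.
function resourceCovers(resource, request) {
  if (resource.cluster) return request.cluster === true;
  if (request.cluster) return false;
  const dbOk = resource.db === "" || resource.db === request.db;
  const collOk = resource.collection === "" || resource.collection === request.collection;
  return dbOk && collOk;
}

// Flatten a role and every role it inherits into one privilege list.
function effectivePrivileges(roleName, seen = new Set()) {
  if (seen.has(roleName)) return [];                 // guard against role cycles
  seen.add(roleName);
  const role = roles[roleName];
  if (!role) throw new Error("unknown role: " + roleName);
  const inherited = role.roles.flatMap(r => effectivePrivileges(r.role, seen));
  return role.privileges.concat(inherited);
}

// Authorization decision: may a user holding userRoles run action on request?
function isAuthorized(userRoles, action, request) {
  return userRoles.some(name =>
    effectivePrivileges(name).some(p =>
      p.actions.includes(action) && resourceCovers(p.resource, request)));
}

// All actions a set of roles permits on one resource (own plus inherited), sorted.
function actionsOn(userRoles, request) {
  const out = new Set();
  for (const name of userRoles)
    for (const p of effectivePrivileges(name))
      if (resourceCovers(p.resource, request)) p.actions.forEach(a => out.add(a));
  return [...out].sort();
}

// Demonstration: the tenant DBA can write tweets (inherited) but cannot drop
// the database, and has nothing at all in another tenant's database.
const tweets = { db: "tenant_acme", collection: "tweets" };
console.log("tenantDBA insert tweets:", isAuthorized(["tenantDBA"], "insert", tweets));
console.log("tenantDBA dropDatabase:", isAuthorized(["tenantDBA"], "dropDatabase", { db: "tenant_acme", collection: "" }));
console.log("tenantDBA in other tenant:", actionsOn(["tenantDBA"], { db: "tenant_other", collection: "tweets" }));
console.log("landlord dropDatabase:", isAuthorized(["landlord"], "dropDatabase", { db: "tenant_acme", collection: "" }));
```

The design point is the one the slides make: collection-level resources let the application-server role touch only "tweets", while the tenant DBA's user-management actions are bounded to its own database, so delegating rights inside a tenant never leaks into another tenant or into cluster-wide operations.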

Authentication

Authentication: Leverage Existing Standards

Existing Security Infrastructure: Identity Management Infrastructure, Access Management, Directory Services

• Leverage existing security infrastructure.
• Corporate Security Policies
• Industry Standards and Compliance.
• Centralized Management: e.g. centralized user/identity management.

Authentication: Existing Security Infrastructure

Diagram: Identity Management Infrastructure, Access Management and Directory Services; Client Authentication into MongoDB; Inter-process Authentication between Primary and Secondary.

• Kerberos: Version 2.4+
• LDAP: Version 2.6+
• X509: Version 2.6+
• Partner Integrations: e.g. Linux IdM

Authentication: Existing Security Infrastructure

Diagram: the same architecture (Identity Management Infrastructure, Access Management, Directory Services; Client Authentication; Inter-process Authentication between Primary and Secondary), with a Spoofed Secondary shown under Inter-process Authentication.

X509 Authentication Benefits

Don’t have infrastructure in place? No problem! Easy to leverage external infrastructure:
– Cloud solutions are commonplace. You use x509 certificates every day through your web browsers!

Client Authentication without the disadvantages of passwords:
• Weak passwords: guessable, brute-forceable
• Can be stolen: wiretap, careless misplacing
• Maintenance: easy to forget. Too many passwords!
• Re-usable: leaked by the weakest link

MongoDB LDAP Authorization Integration

Diagram components: Application → Driver → Mongod → saslauthd → LDAP Server (Permissioning Product)

0) db.addUser( { …, userSource: "$external", … } )
1) saslauthd config file
2) setParameter: saslauthdPath=…, authenticationMechanisms=..., auth=true
3) Use $externalDb.auth( {…} )
4) Uname/pw
5)
6) OK or NO
7) OK or NO
8) Success = 1, Failed = 0

Password in cleartext => SSL recommended

Auditing

MongoDB Native Auditing

Diagram components: Application, Driver, Mongo shell, Mongos, and Shard 1 … Shard N, each with a Primary and two Secondaries.

Audited events
• Schema (DDL) Operations
• Replica Set Operations
• Authentication and Authorization Operations
• General Operations

Output
• Syslog
• Console
• Text file
• BSON file

Options: --auditLog --auditPath --auditFilter
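As an added example that is not part of the webinar or of MongoDB's own code, the following JavaScript applies filter documents in the style of --auditFilter to a small set of audit events and derives the failed-login count per client address that a defender would want from the audit output. The event layout (atype, ts, local, remote, users, roles, param, result) follows MongoDB's audit event format, but every value in the sample (addresses, user names, timestamps, result codes) is constructed, and the matcher supports only equality, $in, $nin and $ne rather than the full query language mongod evaluates server-side.

```javascript
// Added example, not from the webinar: offline filtering of audit events in the
// style of the --auditFilter option, plus a small failed-login summary a defender
// would run over the audit output. The event layout (atype, ts, local, remote,
// users, roles, param, result) follows MongoDB's audit event format; every value
// below (IPs, users, timestamps, result codes) is constructed, and the matcher
// supports only equality, $in, $nin and $ne, not the full query language.

const auditEvents = [
  { atype: "authenticate", ts: { $date: "2014-11-01T10:00:00.000Z" },
    local: { ip: "10.0.0.5", port: 27017 }, remote: { ip: "10.0.0.20", port: 51234 },
    users: [{ user: "app", db: "admin" }], roles: [],
    param: { user: "app", db: "admin", mechanism: "MONGODB-CR" }, result: 0 },
  { atype: "authenticate", ts: { $date: "2014-11-01T10:00:05.000Z" },
    local: { ip: "10.0.0.5", port: 27017 }, remote: { ip: "203.0.113.7", port: 40001 },
    users: [], roles: [],
    param: { user: "admin", db: "admin", mechanism: "MONGODB-CR" }, result: 18 },
  { atype: "authenticate", ts: { $date: "2014-11-01T10:00:09.000Z" },
    local: { ip: "10.0.0.5", port: 27017 }, remote: { ip: "203.0.113.7", port: 40002 },
    users: [], roles: [],
    param: { user: "admin", db: "admin", mechanism: "MONGODB-CR" }, result: 18 },
  { atype: "dropCollection", ts: { $date: "2014-11-01T10:02:00.000Z" },
    local: { ip: "10.0.0.5", port: 27017 }, remote: { ip: "10.0.0.30", port: 52000 },
    users: [{ user: "dba", db: "admin" }], roles: [{ role: "dbAdminAnyDatabase", db: "admin" }],
    param: { ns: "tenant_acme.tweets" }, result: 0 },
  { atype: "createUser", ts: { $date: "2014-11-01T10:03:00.000Z" },
    local: { ip: "10.0.0.5", port: 27017 }, remote: { ip: "10.0.0.30", port: 52000 },
    users: [{ user: "dba", db: "admin" }], roles: [{ role: "userAdminAnyDatabase", db: "admin" }],
    param: { user: "reporting", db: "tenant_acme", roles: [{ role: "read", db: "tenant_acme" }] },
    result: 0 }
];

// Resolve a dotted path such as "param.db" against an event document.
function fieldValue(doc, path) {
  return path.split(".").reduce((v, k) => (v == null ? undefined : v[k]), doc);
}

// Compare one field against a filter value: a plain value means equality,
// an operator document is evaluated operator by operator.
function matchesValue(actual, expected) {
  if (expected !== null && typeof expected === "object" && !Array.isArray(expected)) {
    return Object.entries(expected).every(([op, arg]) => {
      switch (op) {
        case "$in":  return arg.includes(actual);
        case "$nin": return !arg.includes(actual);
        case "$ne":  return actual !== arg;
        default: throw new Error("unsupported operator: " + op);
      }
    });
  }
  return actual === expected;
}

// Does an event satisfy every clause of the filter document?
function matchesFilter(event, filter) {
  return Object.entries(filter).every(([path, expected]) =>
    matchesValue(fieldValue(event, path), expected));
}

function applyAuditFilter(events, filter) {
  return events.filter(e => matchesFilter(e, filter));
}

// Two filters a defender might configure: failed logins only, and the
// schema/user-management operations that should be rare and reviewed.
const failedLoginFilter = { atype: "authenticate", result: { $ne: 0 } };
const adminOpsFilter = {
  atype: { $in: ["dropCollection", "dropDatabase", "createUser", "dropUser", "grantRolesToUser"] }
};

// Count failed logins per remote IP, the basic signal for spotting password guessing.
function failedLoginsByRemote(events) {
  const counts = {};
  for (const e of applyAuditFilter(events, failedLoginFilter)) {
    counts[e.remote.ip] = (counts[e.remote.ip] || 0) + 1;
  }
  return counts;
}

console.log("failed logins:", failedLoginsByRemote(auditEvents));
console.log("admin ops:", applyAuditFilter(auditEvents, adminOpsFilter).map(e => e.atype));
```

The two filters illustrate the trade-off --auditFilter exists for: auditing every event on a busy cluster is expensive, so the filter narrows the stream to the events worth keeping (authentication failures, DDL and user-management changes) without losing the fields needed to attribute them to a user and a client address.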

SSL Improvements

• Optionally Prompt for SSL Certificate Passphrases at Server Startup
• Command-line Tools Now Support SSL
• MongoDB Allows Only Strong SSL Ciphers
• Support for SSL and non-SSL Connections on the Same Port

Summary

• New features in v2.6
  – User Defined Roles
  – Access Control Improvements
  – Authentication
    • x509
    • LDAP
  – Auditing
  – SSL improvements
• Release Notes for MongoDB 2.6 (Development Series 2.5.x): http://docs.mongodb.org/master/release-notes/2.6/

For More Information

Resource: Location
MongoDB Downloads: mongodb.com/download
Free Online Training: education.mongodb.com
Webinars and Events: mongodb.com/events
White Papers: mongodb.com/white-papers
Case Studies: mongodb.com/customers
Presentations: mongodb.com/presentations
Documentation: docs.mongodb.org
Additional Info: [email protected]