Webinar: MongoDB 2.6 New Security Features

DESCRIPTION
This webinar will cover new security features in MongoDB 2.6 including x.509 authentication, user defined roles, collection level access control, enterprise features like LDAP authentication and auditing, and many other SSL features. We will first give a brief overview of security features through MongoDB 2.4, then cover new features in 2.6 and coming releases.

TRANSCRIPT
MongoDB 2.6 New Security Features
Matt Kalan, Sr. Solutions Architect, MongoDB
Dylan Tong, Sr. Solutions Architect, MongoDB
Agenda
• Review security capabilities in v2.4
• New features in v2.6
  – User Defined Roles
  – Access Control Improvements
  – Authentication
    • x509
    • LDAP
  – Auditing
  – SSL improvements
Authentication
• User authentication
  – Basic challenge-response
    • Hashed password managed in MongoDB
  – Kerberos integration using SASL (Enterprise)
    • Connects to an existing Kerberos infrastructure
    • Passwords managed in the existing system, not in MongoDB
  – Can combine these if desired in the same server
• Cluster authentication via shared keyfile
Authorization/Access Control
• Standard roles assigned in MongoDB
• Usernames are in MongoDB and have role(s) assigned to them
• You can add standard roles together to build the permissioning you need for a user
• Lowest granularity is the database
Auditing
• Only a small set of operations are logged
• Logged in the main Mongo server log
• IBM Guardium integration for enterprise policy-based security monitoring
Encryption
• Data in transit
  – SSL between all MongoDB components is in the Enterprise version
  – Or build in your own SSL library from the open source version
• Data at rest
  – Customer chooses to use an encrypted file system
Role Access Control
• Application Server Role
  – Read & Write on Application Database
• BI Role
  – Read Only on Application Database
• DBA Role
  – Read & Write on Application Database
  – Administration on Application Databases
  – Administration on MongoDB Cluster
Advanced Role Access Control
Scenario: Multi-tenant Database as a Service
• Service-Wide Scope
  – Land Lord
  – Land Lord Assistant
  – Clusterwide Administration Rights: provision and remove tenants (e.g. create and drop database)
• Tenant-Level Scope
  – Tenant DBA
  – Tenant App Server
  – Tenant BI Role
  – DBA Rights within Scope of a Single Tenant: e.g. delegate rights within the scope of the tenant
Enhancements Needed!
Current Version:
1. Privileges are limited to what is pre-defined.
2. Access Controls are limited to database-level.
Upcoming Version 2.6:
1. User defined privileges and roles are possible!
2. Access Controls can be defined at the collection-level!
Access Management
Previous to version 2.6, user privileges are pre-defined:
• Read: Provides the privilege to run read type operations on a database, like find().
• Read/Write: Provides the privilege to run write type operations on a database, like update(), insert() and remove().
• User Admin: Provides the privilege to modify users, such as creating users and modifying user privileges.
• Database Admin: Provides the privileges to run administrative type commands that are related to the scope of a database.
• Cluster Admin: Provides the privileges to run administrative type commands that are related to the scope of a cluster.
Example of Privilege
Read Privilege = find, aggregate, checkShardingIndex, cloneCollectionAsCapped, collStats, count, dataSize, dbHash, dbStats, distinct, filemd5, geoNear, geoSearch, geoWalk, group, mapReduce (inline output only), text (beta feature)
The actual privilege definition is a pre-defined list of operations.
User Defined Role Concept
• User: users are assigned roles
• Privilege: a set of actions on a given resource, e.g. the read action (run a find query) on the "Tweets" collection
• Role: a grouping of privileges; may also contain other roles
• Action: an operation, e.g. find, ensureIndex
• Resource: some system object that an action can be performed on, e.g. a database or a collection
Example Use Case
Scenario: Multi-tenant Database as a Service
Landlord Administrator (example role):
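The role concept (user, role, privilege, action, resource, roles nesting other roles) and the landlord/tenant scenario above, worked as an added example that is not part of the webinar and not MongoDB's own code. It models v2.6 user-defined roles in plain JavaScript so the privilege resolution can be checked offline: role documents follow the shape of the createRole command, and all database, collection and role names (tenantA, orders, audit_trail, landlord, tenantDBA, ...) are constructed for illustration.

```javascript
// Added example (not from the webinar or MongoDB's own code): a plain-JavaScript
// model of the v2.6 user-defined role concept (user -> roles -> privileges ->
// actions on resources, roles nesting other roles) for the multi-tenant
// scenario. Role documents follow the shape of the createRole command
// ({ createRole, privileges: [{ resource, actions }], roles: [{ role, db }] }).
// Database, collection and role names (tenantA, orders, landlord, ...) are
// constructed for illustration.

const roleDefinitions = [
  // Tenant-level scope: read-only across every collection of the tenant database.
  { createRole: "tenantBI", db: "tenantA",
    privileges: [{ resource: { db: "tenantA", collection: "" }, actions: ["find"] }],
    roles: [] },
  // Tenant-level scope with collection-level granularity: the app server may
  // write to audit_trail but never read it back.
  { createRole: "tenantAppServer", db: "tenantA",
    privileges: [
      { resource: { db: "tenantA", collection: "orders" }, actions: ["find", "insert", "update", "remove"] },
      { resource: { db: "tenantA", collection: "audit_trail" }, actions: ["insert"] },
    ],
    roles: [] },
  // Tenant DBA: inherits the app-server role and adds index management; it has
  // no privilege to create or drop databases, so it cannot escape its tenant.
  { createRole: "tenantDBA", db: "tenantA",
    privileges: [{ resource: { db: "tenantA", collection: "" }, actions: ["createIndex", "dropIndex", "collStats"] }],
    roles: [{ role: "tenantAppServer", db: "tenantA" }] },
  // Service-wide scope: the landlord provisions and removes tenants on any database.
  { createRole: "landlord", db: "admin",
    privileges: [
      { resource: { db: "", collection: "" }, actions: ["createCollection", "dropDatabase"] },
      { resource: { cluster: true }, actions: ["listDatabases"] },
    ],
    roles: [] },
];

// Collect a role's privileges, following nested roles; `seen` guards against cycles.
function resolvePrivileges(roleRef, defs = roleDefinitions, seen = new Set()) {
  const key = roleRef.db + "." + roleRef.role;
  if (seen.has(key)) return [];
  seen.add(key);
  const def = defs.find((d) => d.createRole === roleRef.role && d.db === roleRef.db);
  if (!def) throw new Error("unknown role " + key);
  const inherited = def.roles.flatMap((r) => resolvePrivileges(r, defs, seen));
  return def.privileges.concat(inherited);
}

// Resource matching as in the privilege documents: an empty db or collection
// string is a wildcard, and { cluster: true } matches only cluster-wide actions.
function resourceMatches(pattern, target) {
  if (pattern.cluster === true) return target.cluster === true;
  if (target.cluster === true) return false;
  const dbOk = pattern.db === "" || pattern.db === target.db;
  const collOk = pattern.collection === "" || pattern.collection === target.collection;
  return dbOk && collOk;
}

// Does the role (directly or through nested roles) grant `action` on `target`?
// Database-level actions use a target with collection: "".
function isAllowed(roleRef, action, target, defs = roleDefinitions) {
  return resolvePrivileges(roleRef, defs).some(
    (p) => p.actions.includes(action) && resourceMatches(p.resource, target)
  );
}

// The command document for one definition, as it would be passed to
// db.getSiblingDB(def.db).runCommand(...) in the mongo shell.
function toCreateRoleCommand(def) {
  const { db, ...command } = def;
  return command;
}

// Usage: the tenant DBA can write orders (inherited) and build indexes, but
// dropping the tenant database stays with the service-wide landlord role.
console.log(isAllowed({ role: "tenantDBA", db: "tenantA" }, "dropDatabase", { db: "tenantA", collection: "" }));
console.log(isAllowed({ role: "landlord", db: "admin" }, "dropDatabase", { db: "tenantA", collection: "" }));
```

The write-only audit_trail privilege is the kind of thing the collection-level granularity makes possible: before 2.6 the lowest grain was the database, so a writer of audit records was also a reader of them.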
Existing Security Infrastructure
• Leverage Existing Standards
  – Industry Standards and Compliance
  – Corporate Security Policies
• Leverage existing security infrastructure
  – Identity Management Infrastructure
  – Access Management
  – Directory Services
  – Centralized Management: e.g. centralized user/identity management
Authentication
(Diagram: client authentication from the application to a replica set primary and secondary, and inter-process authentication between the replica set members, both backed by the existing security infrastructure: identity management infrastructure, access management, directory services.)
• Kerberos: version 2.4+
• LDAP: version 2.6+
• X509: version 2.6+
• Partner Integrations: e.g. Linux IdM
Authentication
(Diagram: the same topology, with a spoofed secondary shown against the inter-process authentication path between primary and secondary.)
X509 Authentication Benefits
• Don't have infrastructure in place? No problem! Easy to leverage external infrastructure:
  – Cloud solutions are commonplace. You use x509 certificates every day through your web browser!
• Client authentication without the disadvantages of passwords:
  – Weak passwords: guessable, brute-forceable
  – Can be stolen: wiretap, careless misplacing
  – Maintenance: easy to forget. Too many passwords!
  – Re-usable: leaked by the weakest link
MongoDB LDAP Authorization Integration
(Diagram: Application → Driver → Mongod → saslauthd → LDAP Server (the "Permissioning Product"); replies travel back along the same path.)
0) db.addUser( …, userSource: $external, … })
1) saslauthd config file
2) setParameter
   – saslauthdPath=…
   – authenticationMechanisms=...
   – auth=true
3) Use $external db.auth( {…} )
4) Uname/pw (driver → mongod)
5) (mongod → saslauthd)
6) OK or NO (LDAP server → saslauthd)
7) OK or NO (saslauthd → mongod)
8) Success = 1 / Failed = 0 (returned to the application)
Password in cleartext => SSL recommended
MongoDB Native Auditing
(Diagram: Application → Driver → Mongos → Shard 1 … Shard N, each shard a replica set of one Primary and two Secondaries; the Mongo shell connects alongside the application.)
Audited events
• Schema (DDL) Operations
• Replica Set Operations
• Authentication and Authorization Operations
• General Operations
Output
• Syslog
• Console
• Text file
• BSON file
Options: --auditLog --auditPath --auditFilter
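What a defender does with the audit output above, as an added example that is not part of the webinar and not MongoDB's own code: it reads audit messages from the text-file output, counts failed authentications per source address, lists schema (DDL) operations with the user that ran them, and applies a simple --auditFilter-style query document to the events. The log lines are constructed here; the field layout (atype, ts, local, remote, users, roles, param, result) is assumed to follow the audit message format, and the IPs, user names and database names are made up.

```javascript
// Added example (not from the webinar or MongoDB's own code): reads audit
// messages in the JSON text-file output format and summarises what a defender
// looks for first: failed authentications per source address and schema (DDL)
// operations with the user that ran them. The log lines are constructed; the
// field layout (atype, ts, local, remote, users, roles, param, result) is
// assumed to follow the audit message format, and IPs, users and database
// names are made up. result 0 is success; any other value is a failure code.
const sampleAuditLog = `
{"atype":"authenticate","ts":{"$date":"2014-04-01T10:00:01.000Z"},"local":{"ip":"10.0.0.2","port":27017},"remote":{"ip":"10.0.0.5","port":50011},"users":[],"roles":[],"param":{"user":"appsvc","db":"$external","mechanism":"PLAIN"},"result":18}
{"atype":"authenticate","ts":{"$date":"2014-04-01T10:00:02.000Z"},"local":{"ip":"10.0.0.2","port":27017},"remote":{"ip":"10.0.0.5","port":50012},"users":[],"roles":[],"param":{"user":"appsvc","db":"$external","mechanism":"PLAIN"},"result":18}
{"atype":"authenticate","ts":{"$date":"2014-04-01T10:00:05.000Z"},"local":{"ip":"10.0.0.2","port":27017},"remote":{"ip":"10.0.0.7","port":50020},"users":[],"roles":[],"param":{"user":"appsvc","db":"$external","mechanism":"PLAIN"},"result":0}
{"atype":"dropDatabase","ts":{"$date":"2014-04-01T10:01:00.000Z"},"local":{"ip":"10.0.0.2","port":27017},"remote":{"ip":"10.0.0.9","port":50030},"users":[{"user":"landlord","db":"admin"}],"roles":[{"role":"landlord","db":"admin"}],"param":{"ns":"tenantB"},"result":0}
{"atype":"createCollection","ts":{"$date":"2014-04-01T10:02:00.000Z"},"local":{"ip":"10.0.0.2","port":27017},"remote":{"ip":"10.0.0.7","port":50020},"users":[{"user":"tenantdba","db":"tenantA"}],"roles":[{"role":"tenantDBA","db":"tenantA"}],"param":{"ns":"tenantA.orders"},"result":0}
`;

// One JSON document per line; blank lines are skipped.
function parseAuditLog(text) {
  return text.split("\n").map((l) => l.trim()).filter((l) => l.length > 0).map((l) => JSON.parse(l));
}

// Event types that change schema (the "Schema (DDL) Operations" category).
const DDL_TYPES = new Set(["createCollection", "dropCollection", "dropDatabase", "createIndex", "dropIndex", "renameCollection"]);

// Failed logins per remote address, plus every DDL operation with its actor.
function summarizeAudit(events) {
  const failedAuthByIp = {};
  const ddl = [];
  for (const e of events) {
    if (e.atype === "authenticate" && e.result !== 0) {
      failedAuthByIp[e.remote.ip] = (failedAuthByIp[e.remote.ip] || 0) + 1;
    } else if (DDL_TYPES.has(e.atype)) {
      const actor = e.users.length > 0 ? e.users.map((u) => u.user + "@" + u.db).join(",") : "(unauthenticated)";
      ddl.push({ ts: e.ts.$date, op: e.atype, ns: e.param.ns, actor, from: e.remote.ip });
    }
  }
  return { failedAuthByIp, ddl };
}

// Minimal equality-only matcher for a query document in the style of the one
// handed to --auditFilter, e.g. { atype: "authenticate", "param.db": "$external" }.
function getPath(obj, dotted) {
  return dotted.split(".").reduce((o, k) => (o == null ? undefined : o[k]), obj);
}
function matchesFilter(event, filter) {
  return Object.entries(filter).every(([path, value]) => getPath(event, path) === value);
}

// Usage over the constructed log.
const events = parseAuditLog(sampleAuditLog);
const summary = summarizeAudit(events);
console.log(summary.failedAuthByIp);   // failed PLAIN logins grouped by source IP
console.log(summary.ddl);              // who dropped or created what, and from where
console.log(events.filter((e) => matchesFilter(e, { atype: "authenticate", "param.db": "$external" })).length);
```

Because LDAP (PLAIN) logins carry the password in cleartext unless SSL is on, repeated failures from one address against $external are the first thing worth alerting on; the DDL list pairs naturally with the landlord/tenant roles, since a tenant-scoped user appearing next to a dropDatabase event is a role misconfiguration rather than a normal operation.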
SSL Improvements
• Optionally Prompt for SSL Certificate Passphrases at Server Startup
• Command-line Tools Now Support SSL
• MongoDB Allows Only Strong SSL Ciphers
• Support for SSL and non-SSL Connections on the Same Port
Summary
• New features in v2.6
  – User Defined Roles
  – Access Control Improvements
  – Authentication
    • x509
    • LDAP
  – Auditing
  – SSL improvements
• Release Notes for MongoDB 2.6 (Development Series 2.5.x): http://docs.mongodb.org/master/release-notes/2.6/
For More Information
Resource               Location
MongoDB Downloads      mongodb.com/download
Free Online Training   education.mongodb.com
Webinars and Events    mongodb.com/events
White Papers           mongodb.com/white-papers
Case Studies           mongodb.com/customers
Presentations          mongodb.com/presentations
Documentation          docs.mongodb.org
Additional Info        [email protected]