3. 3
• Basic challenge-response
– Hashed password managed in MongoDB
• Kerberos integration using SASL
– Connects to an existing Kerberos infrastructure
– Passwords managed in existing system, not MongoDB
• Both mechanisms can be combined in the same server if desired
• Likely adding LDAP integration in 2.6
4. 4
• Roles assigned in MongoDB
– Currently no 3rd party integration for authorization
• Usernames are in MongoDB and have role(s) assigned to them
• You can combine roles to build the permissioning a user needs
5. 5
Individual DB
DB User Access
• read
• readWrite
Database admin access
• dbAdmin
• userAdmin
Admin DB – Cluster-wide
• clusterAdmin
Database admin access
• dbAdminAnyDatabase
• userAdminAnyDatabase
DB User Access
• readAnyDatabase
• readWriteAnyDatabase
6. 6
Database Administrator (DBA)
Administrator for all parts of the system
MongoDB roles:
• clusterAdmin
• dbAdminAnyDatabase
• userAdminAnyDatabase
• readWriteAnyDatabase
Developer users
Developers in dev and test environments
MongoDB role (in dev and test):
• readWriteAnyDatabase
Application users
Username for the application itself across databases in all environments
MongoDB role:
• readWriteAnyDatabase
7. 7
Central Permissioning Group
Only manages users and their permissions
MongoDB role:
• userAdminAnyDatabase
Database Administrator
Manages the cluster, databases, collections, and indexes
MongoDB roles:
• clusterAdmin
• dbAdminAnyDatabase
Developer users
Developers in dev and test environments
MongoDB role (in dev and test):
• readWriteAnyDatabase
Application users
Username for the application itself across databases in all environments
MongoDB role:
• readWriteAnyDatabase
8. 8
For each application
Central Permissioning Group
Only manages users and their permissions
MongoDB role:
• userAdminAnyDatabase
Database Administrator
Manages the architecture, databases, collections, and indexes for all DBs
MongoDB roles:
• clusterAdmin
• dbAdminAnyDatabase
Developer Users
Developers in dev and test environments for this DB
MongoDB role (in dev and test):
• readWrite
Application Users
Username for the application itself to use for the one DB
MongoDB role:
• readWrite
Application Admin
Manages one DB only
MongoDB role:
• dbAdmin
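The per-application model above, worked as an added example (not the deck's own code): a function that builds the slide 8 user set for one application in MongoDB 2.6+ createUser role shape, and an audit that flags accounts holding roles the model does not grant them. The application name, group labels, user names and the sample user list are constructed.

```javascript
// Added example, not from the deck. Rule encoded: users that touch one DB get
// roles scoped to that DB; only the two central groups hold *AnyDatabase or
// clusterAdmin roles, and those are granted in the admin db ({role, db} pairs).
const WIDE_ROLES = new Set(["readAnyDatabase", "readWriteAnyDatabase",
  "dbAdminAnyDatabase", "userAdminAnyDatabase", "clusterAdmin"]);

// Cross-cutting groups and the wide roles the deck allows each to hold.
const GROUP_ROLES = {
  permissioning: ["userAdminAnyDatabase"],
  dba: ["clusterAdmin", "dbAdminAnyDatabase"],
};
// Per-application users for one DB; developer accounts exist only in dev/test.
// Group labels (application, appadmin, developer) are constructed for this example.
function appUsers(app, env) {
  const users = [
    { user: `${app}_app`,   group: "application", roles: [{ role: "readWrite", db: app }] },
    { user: `${app}_admin`, group: "appadmin",    roles: [{ role: "dbAdmin",   db: app }] },
  ];
  if (env === "dev" || env === "test") {
    users.push({ user: `${app}_dev`, group: "developer", roles: [{ role: "readWrite", db: app }] });
  }
  return users;
}

// Audits an existing user list against the model; returns one string per violation.
function auditUsers(users, env) {
  const findings = [];
  for (const u of users) {
    const allowed = GROUP_ROLES[u.group] || [];
    for (const r of u.roles) {
      if (WIDE_ROLES.has(r.role) && !allowed.includes(r.role)) {
        findings.push(`${u.user}: holds cluster-wide role ${r.role}`);
      }
      if (WIDE_ROLES.has(r.role) && r.db !== "admin") {
        findings.push(`${u.user}: ${r.role} must be granted in the admin db`);
      }
    }
    if (u.group === "developer" && env === "prod") {
      findings.push(`${u.user}: developer account present in prod`);
    }
  }
  return findings;
}

// Constructed sample: a correct app user, a correct permissioning user, and a
// developer who was given readWriteAnyDatabase instead of readWrite on one DB.
const SAMPLE = [
  { user: "orders_app", group: "application", roles: [{ role: "readWrite", db: "orders" }] },
  { user: "perm_team", group: "permissioning", roles: [{ role: "userAdminAnyDatabase", db: "admin" }] },
  { user: "alice", group: "developer", roles: [{ role: "readWriteAnyDatabase", db: "admin" }] },
];
```

Running `auditUsers(SAMPLE, "prod")` reports both the over-broad role and the developer account left in production, while the users produced by `appUsers` pass cleanly in every environment.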
9. 9
• Currently only a small set of operations are logged
• Logged in the main Mongo server log
• In v2.6
– Separate audit log
– More operations will be logged (DB, collection, index changes, etc.)
10. 10
• Data in transit
– SSL between all MongoDB components is in the Enterprise version
– Or build in your own SSL library from the open source version
• Data at rest
– Left to the customer for their preferred file system encryption (e.g. IBM offers this)
11. 11
• Driven by a large mutual banking customer who wanted additional features
– Integrating with their enterprise auditing platform (Guardium)
– Policy-driven privileged user monitoring for ALL operations (including reads)
– Plus many more features that Kathy will talk about now