This webinar will cover new security features in MongoDB 2.6 including x.509 authentication, user defined roles, collection level access control, enterprise features like LDAP authentication and auditing, and many other SSL features. We will first give a brief overview of security features through MongoDB 2.4 then cover new features in 2.6 and coming releases.
Webinar: MongoDB 2.6 New Security Features
1. MongoDB 2.6
New Security Features
Matt Kalan, Sr. Solutions Architect, MongoDB
Dylan Tong, Sr. Solutions Architect, MongoDB
2. Agenda
• Review security capabilities in v2.4
• New features in v2.6
– User Defined Roles
– Access Control Improvements
– Authentication
• x509
• LDAP
– Auditing
– SSL improvements
4. Authentication
• User authentication
– Basic challenge-response
• Hashed password managed in MongoDB
– Kerberos integration using SASL (Enterprise)
• Connects to an existing Kerberos infrastructure
• Passwords managed in the existing system, not in MongoDB
– Can combine these if desired in same server
• Cluster authentication via shared keyfile
5. Authorization/Access Control
• Standard roles assigned in MongoDB
• Usernames are stored in MongoDB and have role(s) assigned to them
• You can combine standard roles to build the permissioning you need for a user
• Lowest granularity is the database
6. Auditing
• Only a small set of operations are logged
• Logged in the main Mongo server log
• IBM Guardium integration for enterprise policy-based security monitoring
7. Encryption
• Data in transit
– SSL between all MongoDB components is in the Enterprise version
– Or build the open source version against your own SSL library
• Data at rest
– Customer chooses to use an encrypted file system
10. Role Access Control
Application Server Role
• Read & Write on Application Database
BI Role
• Read Only on Application Database
DBA Role
• Read & Write on Application Database
• Administration on Application Databases
• Administration on MongoDB Cluster
11. Advanced Role Access Control
Scenario: Multi-tenant Database as a Service
Service-Wide Scope:
• Land Lord: Clusterwide Administration Rights: provision and remove tenants (eg. create and drop database)
• Land Lord Assistant
Tenant-Level Scope:
• Tenant DBA: DBA Rights within Scope of a Single Tenant: eg. Delegate rights within the scope of the tenant
• Tenant App Server
• Tenant BI Role
12. Enhancements Needed!
Current Version:
1. Privileges are limited to what is pre-defined.
2. Access Controls are limited to database-level
Upcoming Version 2.6:
1. User defined privileges and roles are possible!
2. Access Controls can be defined at the collection-level!
13. Access Management
Prior to version 2.6…
User privileges are pre-defined:
Read: Provides the privilege to run read-type operations on a database, like find().
Read/Write: Provides the privilege to run write-type operations on a database, like update(), insert() and remove().
User Admin: Provides the privilege to modify users, such as creating users and modifying user privileges.
Database Admin: Provides the privileges to run administrative-type commands that are related to the scope of a database.
Cluster Admin: Provides the privileges to run administrative-type commands that are related to the scope of a cluster.
14. Example of Privilege
The actual privilege definition is a pre-defined list of operations.
Read Privilege =
find
aggregate
checkShardingIndex
cloneCollectionAsCapped
collStats
count
dataSize
dbHash
dbStats
distinct
filemd5
geoNear
geoSearch
geoWalk
group
mapReduce (inline output only)
text (beta feature)
15. User Defined Role Concept
Privilege: A set of actions on a given resource. Eg. Read action (run find query) on “Tweets” collection
– Action: an operation, eg. find, ensureIndex
– Resource: some system object that an action can be performed on, eg. database, collection
Role: A grouping of privileges. May also contain other roles
User: Users are assigned roles
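The privilege/role/user model on slides 10, 11 and 15 can be made concrete with a small authorization checker. The block below is an added example written for this page, not MongoDB's own code: the role documents are shaped like the argument to db.createRole() in 2.6, but the role names, user names, databases and collections ("app", "tweets", "acme-dba" and so on) are constructed for the illustration. It shows the collection-level scope that slide 12 says 2.4 lacked, and role inheritance.

```javascript
// Added example for this page: a toy authorization checker that models the
// 2.6 concepts from the slides (privilege = actions on a resource, role =
// group of privileges that may inherit other roles, user = assigned roles).
// Not MongoDB's code; all names below are constructed for the illustration.

const roles = {
  // Slide 10: the application server reads and writes the application database.
  appServer: {
    privileges: [
      { resource: { db: "app", collection: "" },
        actions: ["find", "insert", "update", "remove"] },
    ],
    roles: [],
  },
  // Slide 10 BI role, narrowed with 2.6 collection-level control: read only,
  // and only on the "tweets" collection (slide 15's example resource).
  bi: {
    privileges: [
      { resource: { db: "app", collection: "tweets" },
        actions: ["find", "aggregate", "count"] },
    ],
    roles: [],
  },
  // Slide 11 tenant DBA: inherits the app-server role and adds DBA-type
  // actions, all scoped to the tenant's own database.
  tenantDba: {
    privileges: [
      { resource: { db: "app", collection: "" },
        actions: ["createIndex", "dropCollection", "collStats"] },
    ],
    roles: ["appServer"],
  },
  // Slide 11 landlord: provision and remove tenants on any database
  // (db: "" and collection: "" mean "any", mirroring the 2.6 resource rules).
  landlord: {
    privileges: [
      { resource: { db: "", collection: "" },
        actions: ["createCollection", "dropDatabase"] },
    ],
    roles: [],
  },
};

// Users carry roles only; no privileges are attached to a user directly.
const users = {
  "web-app": ["appServer"],
  analyst: ["bi"],
  "acme-dba": ["tenantDba"],
  ops: ["landlord"],
};

// A granted resource matches a requested one when each of db and collection
// is either a wildcard ("") or equal.
function resourceMatches(granted, requested) {
  const dbOk = granted.db === "" || granted.db === requested.db;
  const collOk = granted.collection === "" || granted.collection === requested.collection;
  return dbOk && collOk;
}

// Flatten a role into its effective privileges, following inherited roles and
// refusing to loop if the role graph is cyclic.
function effectivePrivileges(roleName, seen = new Set()) {
  if (seen.has(roleName)) return [];
  seen.add(roleName);
  const role = roles[roleName];
  if (!role) throw new Error(`unknown role: ${roleName}`);
  const inherited = role.roles.flatMap((r) => effectivePrivileges(r, seen));
  return role.privileges.concat(inherited);
}

// Deny by default: a user may perform an action only if some privilege of some
// assigned role lists the action and covers the resource.
function isAuthorized(userName, action, resource) {
  const assigned = users[userName] || [];
  return assigned
    .flatMap((r) => effectivePrivileges(r))
    .some((p) => p.actions.includes(action) && resourceMatches(p.resource, resource));
}

// Usage: the BI user can read tweets but not the users collection, which a
// database-level "read" role (the only option before 2.6) could not express.
console.log(isAuthorized("analyst", "find", { db: "app", collection: "tweets" })); // true
console.log(isAuthorized("analyst", "find", { db: "app", collection: "users" }));  // false
```

The checker is deny-by-default and resolves inherited roles before matching, which is the property to look for when reviewing any role definition: a user's effective rights are the union of everything reachable through the role graph, not just what is listed on the role the user was given.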
21. X509 Authentication Benefits
Don’t have infrastructure in place? No problem! Easy to leverage external infrastructure:
- Cloud solutions are commonplace. You use x509 certificates every day through your web browser!
Client Authentication without the disadvantages of passwords:
• Weak passwords: guessable, brute-forceable
• Can be stolen: wiretap, careless misplacing
• Maintenance: easy to forget. Too many passwords!
• Re-usable: leaked by the weakest link
22. MongoDB LDAP Authorization Integration
Components in the diagram: Application, Driver, Mongod (with a Permissioning Product alongside), saslauthd, LDAP Server
0) db.addUser( …, userSource: $external, … })
1) saslauthd config file
2) setParameter on mongod:
– saslauthdPath=…
– authenticationMechanisms=...
– auth=true
3) Driver uses $external: db.auth( {…} )
4) Uname/pw
5) saslauthd checks the LDAP Server
6) OK or NO
7) OK or NO
8) Success = 1 / Failed = 0
Password in cleartext => SSL recommended
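The flow on the slide, simulated end to end as an added example (written for this page; not MongoDB, saslauthd or driver code). The LDAP entry, user names, password and saslauthd socket path are constructed. The point it makes is the slide's closing note: with the PLAIN mechanism the password crosses the driver-to-mongod hop unhashed, so that hop needs SSL.

```javascript
// Added example for this page: simulation of the eight-step saslauthd/LDAP
// flow on the slide. All parties are mocks; names and values are constructed.

// Step 1: saslauthd is configured to verify credentials against LDAP. A mock
// directory with one constructed entry stands in for the LDAP server.
const ldapDirectory = { alice: "correct horse battery staple" };

function ldapServer(user, password) {       // step 5: saslauthd asks LDAP
  return ldapDirectory[user] === password;  // step 6: OK or NO
}

function saslauthd(user, password) {        // step 4: mongod hands over uname/pw
  return ldapServer(user, password);        // step 7: OK or NO
}

// Step 2: mongod parameters named on the slide (values are constructed).
const mongodConfig = {
  auth: true,
  authenticationMechanisms: ["PLAIN"],
  saslauthdPath: "/var/run/saslauthd/mux",
};

// Step 0: mongod knows the user only by name; the password lives in LDAP.
const externalUsers = new Set(["alice"]);

// SASL PLAIN credential block (RFC 4616): authzid NUL authcid NUL password,
// base64-encoded. Nothing is hashed, which is why the slide recommends SSL.
function saslPlainPayload(user, password) {
  return Buffer.from(`\0${user}\0${password}`, "utf8").toString("base64");
}

// mongod's side of steps 3 and 8: accept only enabled mechanisms and known
// $external users, delegate the password check, answer 1 or 0.
function mongod(mechanism, payload) {
  if (!mongodConfig.authenticationMechanisms.includes(mechanism)) return { ok: 0 };
  const [, user, password] = Buffer.from(payload, "base64").toString("utf8").split("\0");
  if (!externalUsers.has(user)) return { ok: 0 };
  return { ok: saslauthd(user, password) ? 1 : 0 };   // step 8
}

// Driver's side of step 3 (in the 2.6 shell: db.getSiblingDB("$external")
// .auth({mechanism: "PLAIN", user, pwd, digestPassword: false})). Also
// records what a passive observer of that hop would see with and without SSL.
function authenticate(user, password, { ssl }) {
  const payload = saslPlainPayload(user, password);
  const observed = ssl ? "<opaque TLS record>"
                       : Buffer.from(payload, "base64").toString("utf8");
  return {
    ok: mongod("PLAIN", payload).ok,
    passwordVisibleOnWire: observed.includes(password),
  };
}

// Usage: same credentials; the only difference is SSL on the driver hop.
console.log(authenticate("alice", "correct horse battery staple", { ssl: false }));
// { ok: 1, passwordVisibleOnWire: true }
console.log(authenticate("alice", "correct horse battery staple", { ssl: true }));
// { ok: 1, passwordVisibleOnWire: false }
```

Note that the mongod-to-saslauthd hop is a local Unix socket (the saslauthdPath parameter) and the saslauthd-to-LDAP hop is whatever saslauthd is configured to use; the network hop that carries the cleartext credential from a remote client is the first one, so that is where SSL is needed.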
26. SSL Improvements
• Optionally Prompt for SSL Certificate
Passphrases at Server Startup
• Command-line Tools Now Support SSL
• MongoDB Allows Only Strong SSL Ciphers
• Support for SSL and non-SSL Connections on the Same Port
27. Summary
• New features in v2.6
– User Defined Roles
– Access Control Improvements
– Authentication
• x509
• LDAP
– Auditing
– SSL improvements
• Release Notes for MongoDB 2.6 (Development Series 2.5.x)
http://docs.mongodb.org/master/release-notes/2.6/
28. For More Information
Resource: Location
MongoDB Downloads: mongodb.com/download
Free Online Training: education.mongodb.com
Webinars and Events: mongodb.com/events
White Papers: mongodb.com/white-papers
Case Studies: mongodb.com/customers
Presentations: mongodb.com/presentations
Documentation: docs.mongodb.org
Additional Info: info@mongodb.com