MongoDB Security (Users & Roles)
MongoDB User Group, 22 March 2017, Madrid
Who am I: Juan Roy
Twitter: @juanroycouto
Email: [email protected]
MongoDB DBA at Grupo Undanet
MUG Madrid 22 March 2017
MongoDB - Characters
The Kingdom
The Castle
The King
The Collaborators
The Castle Goods
The Emissary
The Moat of the Castle
The Visitors
The Auditor
The Monitor
The King without Kingdom
The MongoDB Kingdom
MongoDB - The Castle
If security is not enabled at the castle, everybody will be able to get into the rooms and take any goods.
If security is enabled, nobody will be able to get into the castle without first identifying themselves. Companies outside the kingdom (external authentication providers) can take care of this identification.
Without the secret key, no castle will be able to join the Kingdom.
MongoDB - The King (userAdminAnyDatabase)
He chooses his collaborators (users) to do the tasks (actions) needed in each room of the castle.
He creates roles and grants them to, or revokes them from, his collaborators.
MongoDB - The Collaborators
They must do specific tasks. They are not allowed to do any task that is not in their role. They can only work in their own workplaces.
> db.createUser({ user: "uuuu", pwd: "pppp", roles: [ { role: "roleName", db: "dbName" } ]});
> db.system.users.find();
MongoDB - The Roles
Roles must be standardised: when a new collaborator is appointed, he takes over the tasks of the role held by the previous one.
A role records the tasks to be done (actions) and the places where the King's collaborator must do them (Kingdom, castle, database, etc.).
MongoDB offers built-in roles and the possibility to create new ones depending on our needs.
> db.createRole({ role: "roleName", privileges: [ { resource: { db: "dbName", collection: "collectionName" }, actions: [ "actionName" ] } ], roles: [ { role: "fatherRole", db: "dbName" } ]});
> db.grantRolesToUser("uuuu", [ { role: "roleName", db: "dbName" } ]);
> db.revokeRolesFromUser("uuuu", [ { role: "roleName", db: "dbName" } ]);
MongoDB - The Castle Goods
Castle assets (data) are guarded in rooms where nobody can see what is inside (disk encryption).
To access the goods, a key is needed that must match the one the guardian holds.
MongoDB - The Emissary
He carries the messages from one castle to another (Replica Set).
These messages must be encrypted (network encryption).
MongoDB - The Moat of the Castle
Firewalls: limit incoming traffic on a specific port to specific systems, and limit incoming traffic from untrusted hosts.
Virtual Private Networks: VPNs make it possible to link two networks over an encrypted, limited-access trusted network.
MongoDB - The Visitors (read-only views)
The castle's visitors (physical persons or apps) are allowed to view only the goods the King wants them to see.
> db.createView( 'viewName', 'originalCollection', [ { aggregationStages } ]);
MongoDB - The Auditor (Auditing)
Records the following operations:
CRUD operations.
Schema (DDL).
Authentication & Authorization.
Replica Set & Sharded Cluster.
MongoDB - The Monitor (Monitoring)
He monitors the exchanges of goods and the state of the kingdom's castles:
from land (Ops Manager),
and also from the air (Cloud Manager).
MongoDB - The King without Kingdom
For those Kings without a Kingdom there is a paradise (MongoDB Atlas) where they can:
rent the castles they need,
with all the security measures,
and fully monitored, both goods and castles.
MongoDB Security Features
User Access Management
MongoDB Authentication
MongoDB Authorization
MongoDB Auditing (forensic analysis)
MongoDB Encryption (data protection over the network -TLS- and at rest)
Environmental & Process Control
MongoDB Authentication
Designed to confirm the identity of:
Users.
Administrators, developers, etc.
Software systems (apps, reporting tools, etc.).
Physical and logical nodes on which the database runs.
Best practices:
Create login credentials for each entity that will need access to the database.
Enforce authentication between nodes.
Supports in-database authentication (SCRAM-SHA-1) and centralized user access management (LDAP, x.509, Kerberos).
MongoDB Authorization
Resources <-- Actions <-- Privileges <-- Roles --> Users
Authorization governs what a user is allowed to do on a resource.
Best practices:
Grant minimal access to users (only what they need to perform their functions).
Group common access privileges into roles rather than defining them individually for each user.
Control access to sensitive data (restrict permissions to individual fields).
MongoDB Auditing
Auditing can detect:
Attempts to access unauthorized data.
Changes to database configuration for each entity, recording:
Change action.
Identity.
Timestamp.
Changes to data:
Capture every query or write operation, filtering only those fields you need.
MongoDB Encryption
Encryption is the encoding of data, in transit or at rest, enabling only authorised users to read it.
Encrypt connections to the database:
Internal communications between castles.
Connections via drivers or shell.
Access to castles.
Encrypt data at rest (on-disk encryption of the database's data files).
Sign and rotate encryption keys (encryption keys for network and disk encryption should be periodically rotated).
Enforce strong encryption.
MongoDB Environmental and Process Control
Installation of firewalls.
Network configurations.
Defining file system permissions.
Creation of physical access controls to the IT environment.
DBA and developer training.
Database provisioning, monitoring and backup.
Database maintenance.
Configuration - mongod.conf
Enabling authorization turns on access control, so that each user's access to castle resources and the actions they may perform are checked against their roles.
...
security:
  keyFile: "/data/key/replicaset.key"
  authorization: "enabled"
...
Configuration - Key file
$ openssl rand -base64 755 > /data/key/replicaset.key
$ chmod 400 /data/key/replicaset.key
The key file stores the shared secret that MongoDB castles use to authenticate to each other in a County or Kingdom.
Roles
userAdminAnyDatabase
clusterManager
clusterMonitor
backup
restore
dbAdmin
readWrite
read
Roles - userAdminAnyDatabase
The King. He can create users and roles and grant or revoke roles to any user.
> use admin;
> db.createUser({ user: "uuuu", pwd: "pppp", roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]});
Roles - clusterManager
The King's architect, who manages the configuration of the castles (Replica Set & Cluster).
> use admin;
> db.createUser({ user: "uuuu", pwd: "pppp", roles: [ { role: "clusterManager", db: "admin" } ]});
Roles - clusterMonitor
Architect of the King who watches over the state of the kingdom (Ops & Cloud Manager).
> use admin;
> db.createUser({ user: "uuuu", pwd: "pppp", roles: [ { role: "clusterMonitor", db: "admin" } ]});
Roles - backup
King's employee who stores his goods in a safe place outside the Kingdom.
> use admin;
> db.createUser({ user: "uuuu", pwd: "pppp", roles: [ { role: "backup", db: "admin" } ]});
Roles - restore
King's employee who restores his goods when necessary.
> use admin;
> db.createUser({ user: "uuuu", pwd: "pppp", roles: [ { role: "restore", db: "admin" } ]});
Roles - dbAdmin
Database administrator.
> use test;
> db.createUser({ user: "uuuu", pwd: "pppp", roles: [ { role: "dbAdmin", db: "test" } ]});
Roles - readWrite
Castle's visitors who exchange goods.
> use test;
> db.createUser({ user: "uuuu", pwd: "pppp", roles: [ { role: "readWrite", db: "test" } ]});
Roles - read
Castle's visitors who only want to view what is inside.
> use test;
> db.createUser({ user: "uuuu", pwd: "pppp", roles: [ { role: "read", db: "test" }, { role: "readWrite", db: "test2" } ]});
Roles
Each role is scoped to the database in which it has been created.
A role can only include privileges that apply to its database and can only inherit from other roles in its database.
A role created in the admin database can include privileges that apply to the admin database, other databases or to the cluster resource, and can inherit from roles in other databases as well as the admin database.
> use admin;
> db.system.roles.find();
Field-Level Security (Read-Only Views)
Restrict access to sensitive data.
Non-materialized views expose only a subset of data from a collection.
The view is generated from an aggregation over one or more other collections or views.
Permissions granted against the view are specified separately from permissions granted to the underlying collection(s).
> db.createView('viewName', 'originalCollection', [ { aggregationStages } ]);
> db.system.views.find();
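To make the chain Resources <-- Actions <-- Privileges <-- Roles --> Users, the role-scoping rule from the Roles slide and the separate permissions of a read-only view concrete, here is an added JavaScript model (example code written for this page, not from the slides or from MongoDB itself). The role, user, database and collection names in it are constructed sample data, and it is a simplified model of the server's checks, not the server's own code.

```javascript
// Added example, not from the slides: a model of the chain
// Resources <- Actions <- Privileges <- Roles -> Users that enforces the slides'
// role-scoping rule and guards a read-only view with its own privilege.
// Every role, user, database and collection name below is constructed sample data.
const roles = new Map(); // "db.role" -> { privileges, roles }
// A role outside "admin" may only hold privileges on its own database and may
// only inherit from roles defined in that same database.
function createRole(db, role, privileges, inherits) {
  for (const { resource: r } of privileges) {
    if (db !== "admin" && (r.cluster || r.db !== db)) {
      throw new Error(`${db}.${role}: privilege outside its own database`);
    }
  }
  for (const r of inherits) {
    if (db !== "admin" && r.db !== db) {
      throw new Error(`${db}.${role}: cannot inherit from ${r.db}.${r.role}`);
    }
  }
  roles.set(`${db}.${role}`, { privileges, roles: inherits });
}
// Walk the inheritance graph once per role and collect every privilege.
function effectivePrivileges(user) {
  const seen = new Set(), out = [];
  const visit = ({ db, role }) => {
    const key = `${db}.${role}`;
    if (seen.has(key)) return;
    seen.add(key);
    const def = roles.get(key);
    if (!def) throw new Error(`unknown role ${key}`);
    out.push(...def.privileges);
    def.roles.forEach(visit);
  };
  user.roles.forEach(visit);
  return out;
}
// { db: "", collection: "" } matches every namespace; { cluster: true } matches
// only cluster-level requests, never a namespace.
function matches(r, req) {
  if (r.cluster || req.cluster) return Boolean(r.cluster && req.cluster);
  return (r.db === "" || r.db === req.db) && (r.collection === "" || r.collection === req.collection);
}
function isAllowed(user, req, action) {
  return effectivePrivileges(user).some((p) => p.actions.includes(action) && matches(p.resource, req));
}
// Constructed sample: the view "customers_public" gets its own reader role, so a
// visitor holding it can query the view but not the underlying "customers".
createRole("test", "viewReader", [{ resource: { db: "test", collection: "customers_public" }, actions: ["find"] }], []);
createRole("test", "reporter", [], [{ role: "viewReader", db: "test" }]);
const visitor = { user: "uuuu", roles: [{ role: "reporter", db: "test" }] };
```

Calling isAllowed(visitor, { db: "test", collection: "customers" }, "find") returns false while the same call against "customers_public" returns true, which is exactly the separation the slide describes.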
Questions?
Thank you!
Thank you for your attention!