Security Features in MongoDB 2.4

Post on 03-Sep-2014


Transcript

Spencer Brody, Software Engineer, 10gen, @stbrody

#mongodbdays

Security in MongoDB

Agenda
1. History
2. Authentication
3. Authorization
4. Auditing
5. Transport Encryption – SSL
6. MongoDB Secure Development Lifecycle
7. Documentation and Notifications
8. Future Work

Securing your MongoDB Implementation, Spencer Brody

History

• Security features within MongoDB before 2.4 were limited
• 2.4 offers a much better story around security
• This is something we are investing in very heavily right now.

The Three A's
Authentication – Who are you?
Authorization – What can you do?
Auditing – What have you done?

Authentication

Authentication

Authentication is about proving “who” you are.


Password Authentication
• This is the only authentication mechanism available in MongoDB version 2.2 and prior
• Still the only mechanism available in the free product
• In 2.4+ this mechanism is called MONGODB-CR

Password Authentication
• Use one-way function F

Client -> mongod: I am "username", let me in
mongod -> Client: Prove it, here is a random # N
Client -> mongod: Here is F(N, hash(<mypwd>))
mongod -> Client: Nobody else could know that, welcome back!

mongod knows only my password hash.
Hash never transmitted over the network!
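The exchange above, as an added simulation that is not code from the talk or from the MongoDB server: the digest and key formulas are the ones MONGODB-CR used (the slide's hash(<mypwd>) and F(N, hash)), while MongodSim and client_login are constructed stand-ins for mongod and a driver, with a single-use nonce so that a captured answer cannot be replayed.

```python
import hashlib
import hmac
import secrets


def password_digest(username: str, password: str) -> str:
    """hash(<mypwd>): md5(username + ':mongo:' + password), hex encoded.
    Only this digest is stored in system.users, never the cleartext password.
    Note that the digest alone answers the challenge, so system.users must
    be protected as carefully as a password file."""
    return hashlib.md5(f"{username}:mongo:{password}".encode()).hexdigest()


def challenge_key(nonce: str, username: str, digest: str) -> str:
    """F(N, hash(<mypwd>)): md5(nonce + username + digest), hex encoded."""
    return hashlib.md5(f"{nonce}{username}{digest}".encode()).hexdigest()


class MongodSim:
    """Server side (constructed): knows only each user's digest."""

    def __init__(self) -> None:
        self.users = {}    # stand-in for db.system.users: user -> digest
        self.pending = {}  # outstanding random "N" per user

    def add_user(self, username: str, password: str) -> None:
        self.users[username] = password_digest(username, password)

    def getnonce(self, username: str) -> str:
        nonce = secrets.token_hex(8)  # the random # N of the slide
        self.pending[username] = nonce
        return nonce

    def authenticate(self, username: str, key: str) -> bool:
        nonce = self.pending.pop(username, None)  # single use: blocks replay
        digest = self.users.get(username)
        if nonce is None or digest is None:
            return False
        expected = challenge_key(nonce, username, digest)
        return hmac.compare_digest(expected, key)


def client_login(server: MongodSim, username: str, password: str) -> bool:
    """Driver side (constructed): fetch N, answer it, return the verdict."""
    nonce = server.getnonce(username)
    key = challenge_key(nonce, username, password_digest(username, password))
    return server.authenticate(username, key)
```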

External Authentication
Use common / standardized authentication

SASL: Simple Authentication and Security Layer
– Framework for building authentication
– MongoDB uses the Cyrus sasl2 library

Kerberos (available in the Enterprise Edition)
– GSSAPI
– driver support in python, java, C#, Node.js, perl

Authentication with Kerberos

Client <-> KDC (UDP:88):
1. I am "username@EXAMPLE.COM", help me prove it to mongod
2. Here is a TGT

Client <-> Mongod (TCP:27017):
3. Here is a Kerberos TGT
4. Welcome, here is a Service Ticket!

Mongod holds a keytab. The user document for an externally authenticated user:
{ user: "username@EXAMPLE.COM", roles: ["readWrite"], userSource: "$external" }

Granting privileges

# mongo mongodb.mycompany.com
> use appDB;
> db.system.users.find();
{ "_id": ObjectId("519e842804f5f7f7921dbf89"), "user": "spencer", "userSource": "$external", "roles": ["readWrite", "dbAdmin"] }

Authorization

Authorization
Once MongoDB has established "who" you are, authorization is about determining "what" you are allowed to do.

Authorization Roles in 2.2 and Prior

– Database level read-only
– Database level read-write
– System-wide read-only
– System-wide read-write

Sample user document:
> db.system.users.find().pretty()
{ "_id": ObjectId("519e842804f5f7f7921dbf89"), "user": "spencer", "pwd": "22c83553ed7ce252d8b0c9f716cae4de", "readOnly": false }

Authorization Roles in 2.4
– read
– readWrite
– dbAdmin
– userAdmin
– readAnyDatabase (admin database only)
– readWriteAnyDatabase (admin database only)
– dbAdminAnyDatabase (admin database only)
– userAdminAnyDatabase (admin database only)
– clusterAdmin (admin database only)

The roles marked "admin database only" (shown in bold on the slide) can only be granted in the admin database.

userAdmin
The userAdmin role on database "foo" lets you grant any db-level role to any user from the "foo" database (including yourself).

The userAdminAnyDatabase role lets you grant any role in the system to any user (including yourself).

This means they can be used to grant yourself roles you didn't previously have!

This makes userAdmin effectively a super-user.

Access to these roles should be carefully controlled!

Example

User        Role                              Database(s)
appUser     readWrite                         app
dba         dbAdmin                           app
seniorDBA   dbAdminAnyDatabase, clusterAdmin  admin
seniorDBA   readWrite                         config
CTO         userAdminAnyDatabase              admin
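An added audit helper, not code from the talk, that checks 2.4-format user documents (the shape shown on the slides, gathered per database) against two points made above: the AnyDatabase roles and clusterAdmin are only valid in the admin database, and any holder of userAdmin or userAdminAnyDatabase can grant itself further roles and so deserves super-user scrutiny. It also flags 2.2-style documents that still rely on "readOnly" instead of "roles". SAMPLE_USERS is a constructed dump of the example table.

```python
# Roles the talk marks as grantable only in the admin database.
ADMIN_ONLY_ROLES = {"readAnyDatabase", "readWriteAnyDatabase",
                    "dbAdminAnyDatabase", "userAdminAnyDatabase", "clusterAdmin"}
# Roles that let an account grant roles to itself.
GRANTOR_ROLES = {"userAdmin", "userAdminAnyDatabase"}

# Constructed stand-in for `db.system.users.find()` run in each database,
# populated from the example table above.
SAMPLE_USERS = {
    "app": [
        {"user": "appUser", "roles": ["readWrite"]},
        {"user": "dba", "roles": ["dbAdmin"]},
    ],
    "admin": [
        {"user": "seniorDBA", "roles": ["dbAdminAnyDatabase", "clusterAdmin"]},
        {"user": "CTO", "roles": ["userAdminAnyDatabase"]},
    ],
    "config": [
        {"user": "seniorDBA", "roles": ["readWrite"]},
    ],
}


def audit_users(users_by_db):
    """Return (database, user, finding) tuples; an empty list means clean."""
    findings = []
    for dbname, docs in users_by_db.items():
        for doc in docs:
            user = doc["user"]
            if "roles" not in doc:
                # 2.2-style document: access is implied by "readOnly" only
                findings.append((dbname, user, "LEGACY_22_DOCUMENT"))
                continue
            roles = set(doc["roles"])
            if dbname != "admin" and roles & ADMIN_ONLY_ROLES:
                findings.append((dbname, user, "ADMIN_ONLY_ROLE_OUTSIDE_ADMIN"))
            if roles & GRANTOR_ROLES:
                # userAdmin / userAdminAnyDatabase: can grant itself any role,
                # so review this account as you would a super-user
                findings.append((dbname, user, "SELF_GRANT_CAPABLE"))
    return findings
```

Run against the example table, only the CTO account is reported, which is exactly the account the talk says to control carefully.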

Auditing

Auditing
Monitor user activity:
– userID added to standard output in 2.4
– No separate audit log
– Much more coming in 2.6

Transport Encryption - SSL

Transport Encryption - SSL

http://docs.mongodb.org/manual/administration/ssl/

Diagram: Application <-> Primary: SSL encryption for client connection; Primary <-> Secondary: SSL encryption for inter-server traffic; each server sits on its own Data Files.

Outside MongoDB

Outside MongoDB
Firewalls
– iptables & netsh
– Ports, Addresses, Times, Throttle etc.

File system
– Encrypt (Gazzang) [HIPAA, PCI, SOX]

Best Practices
– Internal Policies (Password Reuse, Scan etc.)

MongoDB Partners with Gazzang
• File System Encryption
• 5% performance hit with HDD, 10-15% with SSD

Diagram: File System (all contents encrypted) running on top of the OS and Gazzang, with Gazzang Key Mgmt alongside.

MongoDB SDL

MongoDB Secure Development Lifecycle
• All contributions to the open source project are reviewed and tested by a member of the Core Server team
• Peer code reviews of all commits
• Automated functional and unit tests
• Active monitoring of best practices and advisories for third party code
• Static code analysis with Coverity run nightly against the Core Server and applicable driver projects

Documentation & Notifications

Documentation
Manual
– http://docs.mongodb.org/manual/security/
• Security Features within MongoDB
• Best Practices & Strategies
• Tutorials
• Vulnerability Notifications

Potential Security Issues
How do YOU find out?
– MongoDB Alerts
– Mongodb-announce Google group

How, What, Where?
– Vulnerability Notification
– Jira (HTTPS) & (Secure) Email

Future work

Disclaimer
Statements about future releases, availability dates, and feature content reflect plans only, and 10gen is under no obligation to include, develop or make available, commercially or otherwise, specific features discussed in a future MongoDB build. Information is provided for general understanding only, and is subject to change at the sole discretion of 10gen in response to changing market conditions, delivery schedules, customer requirements, and/or other factors.

Future

• User-defined roles
• Collection level access control
• Field level access control
• Auditing
• X.509 authentication, for both user and intra-cluster authentication.
• External configuration of user's roles (LDAP)

Conclusion

Conclusion
• 2.2 had rudimentary security support
• 2.4 is much better & Enterprise-Level
• Authentication & Authorization
• Within & Outside

Spencer Brody, Software Engineer, 10gen

#mongodbdays

Thanks! If you liked my talk, please tweet about it! #MongoDBDays

@stbrody
