Spencer Brody Software Engineer, 10gen @stbrody #mongodbdays Security in MongoDB
Sep 03, 2014
Agenda
1. History
2. Authentication
3. Authorization
4. Auditing
5. Transport Encryption – SSL
6. MongoDB Secure Development Lifecycle
7. Documentation and Notifications
8. Future Work
Securing your MongoDB Implementation, Spencer Brody
History
• Security features within MongoDB before 2.4 were limited
• 2.4 offers a much better story around security
• This is something we are investing in very heavily right now.
The Three A’s
• Authentication – Who are you?
• Authorization – What can you do?
• Auditing – What have you done?
Authentication
Authentication is about proving “who” you are.
Password Authentication
• This is the only authentication mechanism available in MongoDB version 2.2 and prior
• Still the only mechanism available in the free product
• In 2.4+ this mechanism is called MONGODB-CR
Password Authentication
• Use one-way function F
Exchange between the client and mongod (mongod knows only my password hash):
  Client → mongod: I am “username”, let me in
  mongod → Client: Prove it, here is a random # N
  Client → mongod: Here is F(N, hash(<mypwd>))
  mongod → Client: Nobody else could know that, welcome back!
Hash never transmitted over the network!
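As an added illustration, not code from the talk, the script below simulates the exchange on this slide in Python using the digest and response formulas of the MONGODB-CR mechanism; the MongodSimulator class, the sample user and the password are constructed for this example.

```python
import hashlib
import hmac
import os


def password_digest(username: str, password: str) -> str:
    """The value mongod stores as 'pwd': md5(username + ':mongo:' + password), hex."""
    return hashlib.md5(f"{username}:mongo:{password}".encode("utf-8")).hexdigest()


def client_response(nonce: str, username: str, digest: str) -> str:
    """F(N, hash(pwd)) from the slide: md5(nonce + username + digest), hex.
    Only the stored digest is needed, so the password itself never goes on the wire."""
    return hashlib.md5(f"{nonce}{username}{digest}".encode("utf-8")).hexdigest()


class MongodSimulator:
    """Stand-in for mongod (constructed for this example): holds {username: digest}
    the way system.users does and never sees a cleartext password."""

    def __init__(self, users: dict):
        self.users = users
        self.nonce = None

    def get_nonce(self) -> str:
        # Like the getnonce command: a fresh random challenge for every attempt.
        self.nonce = os.urandom(8).hex()
        return self.nonce

    def authenticate(self, username: str, key: str) -> bool:
        nonce, self.nonce = self.nonce, None  # single-use: a captured key cannot be replayed
        digest = self.users.get(username)
        if nonce is None or digest is None:
            return False
        expected = client_response(nonce, username, digest)
        return hmac.compare_digest(expected, key)  # constant-time comparison


def login(server: MongodSimulator, username: str, password: str) -> bool:
    """Client side of the exchange: ask for N, answer with F(N, hash(pwd))."""
    nonce = server.get_nonce()
    key = client_response(nonce, username, password_digest(username, password))
    return server.authenticate(username, key)


if __name__ == "__main__":
    # Constructed sample user; the password is chosen here and is not from the slide.
    server = MongodSimulator({"spencer": password_digest("spencer", "correct horse")})
    print("good password:", login(server, "spencer", "correct horse"))  # True
    print("bad password: ", login(server, "spencer", "wrong"))          # False
```

Because the stored digest alone is enough to compute the response, the pwd field in system.users is password-equivalent for this mechanism, so read access to that collection deserves the same care as the password itself.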
External Authentication
Use common / standardized authentication
• SASL: Simple Authentication and Security Layer
  – Framework for building authentication
  – MongoDB uses the Cyrus sasl2 library
• Kerberos (available in the Enterprise Edition)
  – GSSAPI
  – Driver support in Python, Java, C#, Node.js, Perl
Authentication with Kerberos
  1. Client → KDC (UDP:88): I am “[email protected]”, help me prove it to mongod
  2. KDC → Client: Here is a TGT
  3. Client → mongod (TCP:27017): Here is a Kerberos TGT
  4. mongod → Client: Welcome, here is a Service Ticket!
  (mongod side: Keytab)
User document for this principal:
  { user: "[email protected]", roles: ["readWrite"], userSource: "$external" }
Granting privileges
  # mongo mongodb.mycompany.com
  > use appDB;
  > db.system.users.find();
  { "_id": ObjectId("519e842804f5f7f7921dbf89"), "user": "spencer", "userSource": "$external", "roles": ["readWrite", "dbAdmin"] }
Authorization
Once MongoDB has established “who” you are, authorization is about determining “what” you are allowed to do.
Authorization Roles in 2.2 and Prior
– Database level read-only
– Database level read-write
– System-wide read-only
– System-wide read-write
Sample user document:
  > db.system.users.find().pretty()
  { "_id": ObjectId("519e842804f5f7f7921dbf89"), "user": "spencer", "pwd": "22c83553ed7ce252d8b0c9f716cae4de", "readOnly": false }
Authorization Roles in 2.4
– read
– readWrite
– dbAdmin
– userAdmin
– readAnyDatabase (admin database only)
– readWriteAnyDatabase (admin database only)
– dbAdminAnyDatabase (admin database only)
– userAdminAnyDatabase (admin database only)
– clusterAdmin (admin database only)
The roles marked “admin database only” (shown in bold on the original slide) can only be granted in the admin database.
userAdmin
The userAdmin role on database “foo” lets you grant any db-level role to any user from the “foo” database (including yourself).
The userAdminAnyDatabase role lets you grant any role in the system to any user (including yourself).
This means they can be used to grant yourself roles you didn’t previously have!
This makes userAdmin effectively a super-user.
Access to these roles should be carefully controlled!
Example
User        Role(s)                             Database(s)
appUser     readWrite                           app
dba         dbAdmin                             app
seniorDBA   dbAdminAnyDatabase, clusterAdmin    admin
seniorDBA   readWrite                           config
CTO         userAdminAnyDatabase                admin
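To make the userAdmin warning concrete, here is an added audit (not part of the talk) that walks 2.4-style system.users documents constructed from the table above and flags users who can grant themselves roles, admin-only roles granted outside the admin database, and legacy 2.2-format documents; audit_roles and the two constants are names chosen for this example.

```python
# Roles that 2.4 only honours when granted in the admin database (see the role list above).
ADMIN_ONLY_ROLES = {"readAnyDatabase", "readWriteAnyDatabase", "dbAdminAnyDatabase",
                    "userAdminAnyDatabase", "clusterAdmin"}
# Roles whose holder can grant roles, including to themselves.
SELF_GRANT_ROLES = {"userAdmin", "userAdminAnyDatabase"}

# Constructed sample: the users from the Example table, keyed by the database
# whose system.users collection holds each document.
SAMPLE_USERS = {
    "app": [
        {"user": "appUser", "roles": ["readWrite"]},
        {"user": "dba", "roles": ["dbAdmin"]},
    ],
    "admin": [
        {"user": "seniorDBA", "roles": ["dbAdminAnyDatabase", "clusterAdmin"]},
        {"user": "CTO", "roles": ["userAdminAnyDatabase"]},
    ],
    "config": [
        {"user": "seniorDBA", "roles": ["readWrite"]},
    ],
}


def audit_roles(users_by_db):
    """Return (kind, user, db, detail) findings over 2.4-style user documents."""
    findings = []
    for db, docs in users_by_db.items():
        for doc in docs:
            user = doc["user"]
            if "roles" not in doc:
                # 2.2-style document: access is decided by the readOnly flag alone.
                level = "read" if doc.get("readOnly") else "readWrite"
                findings.append(("legacy-format", user, db,
                                 f"no roles array; readOnly flag grants {level} on '{db}'"))
                continue
            roles = set(doc["roles"])
            grant = roles & SELF_GRANT_ROLES
            if grant:
                scope = "any database" if "userAdminAnyDatabase" in grant else f"'{db}'"
                findings.append(("self-grant", user, db,
                                 f"holds {sorted(grant)}: can grant roles in {scope}, including to itself"))
            misplaced = roles & ADMIN_ONLY_ROLES if db != "admin" else set()
            if misplaced:
                findings.append(("misplaced-role", user, db,
                                 f"{sorted(misplaced)} only take effect when granted in admin"))
    return findings


if __name__ == "__main__":
    for kind, user, db, detail in audit_roles(SAMPLE_USERS):
        print(f"[{kind}] {db}.{user}: {detail}")  # flags CTO's userAdminAnyDatabase
```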
Auditing
Monitor user activity:
– userID added to standard output in 2.4
– No separate audit log
– Much more coming in 2.6
Transport Encryption - SSL
http://docs.mongodb.org/manual/administration/ssl/
[Diagram: the Application connects to the Primary with SSL encryption for the client connection; Primary and Secondary replicate with SSL encryption for inter-server traffic; each server has its own Data Files.]
Outside MongoDB
Firewalls
– iptables & netsh
– Ports, Addresses, Times, Throttle etc.
File system
– Encrypt (Gazzang) [HIPAA, PCI, SOX]
Best Practices
– Internal Policies (Password Reuse, Scan etc.)
MongoDB Partners with Gazzang
• File System Encryption
• 5% performance hit with HDD, 10-15% with SSD
[Diagram: MongoDB runs on the OS with Gazzang beneath it; the File System has all contents encrypted; keys are held by Gazzang Key Mgmt.]
MongoDB Secure Development Lifecycle
• All contributions to the open source project are reviewed and tested by a member of the Core Server team
• Peer code reviews of all commits
• Automated functional and unit tests
• Active monitoring of best practices and advisories for third party code
• Static code analysis with Coverity run nightly against the Core Server and applicable driver projects
Documentation & Notifications
Documentation
Manual – http://docs.mongodb.org/manual/security/
• Security Features within MongoDB
• Best Practices & Strategies
• Tutorials
• Vulnerability Notifications
Potential Security Issues
How do YOU find out?
– MongoDB Alerts
– Mongodb-announce Google group
How, What, Where?
– Vulnerability Notification
– Jira (HTTPS) & (Secure) Email
Future work
Disclaimer
Statements about future releases, availability dates, and feature content reflect plans only, and 10gen is under no obligation to include, develop or make available, commercially or otherwise, specific features discussed for a future MongoDB build. Information is provided for general understanding only, and is subject to change at the sole discretion of 10gen in response to changing market conditions, delivery schedules, customer requirements, and/or other factors.
Future
• User-defined roles
• Collection level access control
• Field level access control
• Auditing
• X.509 authentication, for both user and intra-cluster authentication
• External configuration of user’s roles (LDAP)
Conclusion
• 2.2 had rudimentary security support
• 2.4 is much better & Enterprise-Level
• Authentication & Authorization
• Within & Outside
Spencer Brody, Software Engineer, 10gen
#mongodbdays
Thanks! If you liked my talk, please tweet about it! #MongoDBDays
@stbrody
Next Sessions at 11:00
5th Floor:
– West Side Ballroom 3&4: Schema Design
– West Side Ballroom 1&2 (this room): Data Processing and Aggregation Options
– Juilliard Complex: Business Track: Fireside Chat: IBM and MongoDB Set the Standard for Web and Mobile Development
– Lyceum Complex: Ask the Experts
7th Floor:
– Empire Complex: Performance Tuning and Monitoring Using MMS
– SoHo Complex: 10gen Polyglot Spatial with MongoDB