In version 2.4, MongoDB Enterprise includes Kerberos support for integration into existing enterprise security systems, as well as role-based privileges to provide more granular security for your cluster. This session will introduce you to the new security features available in MongoDB.

1. Sr. Solutions Architect, 10gen
Matt Kalan
@MatthewKalan
Securing Your MongoDB
Implementation

2. Agenda
1. Securing MongoDB
2.2
2. Securing MongoDB
2.4
3. Outside MongoDB
4. Documentation &
Notifications
5. Conclusion
6. Futures
7. Questions

3. Securing MongoDB 2.2

4. Securing MongoDB 2.2
Authentication
– Simple user/password scheme stored in MongoDB
Authorization
– Per database: no access, read, or read-write
Auditing
– Very Little

5. MongoDB SSL
Keyfile establishes trust
http://docs.mongodb.org/manual/administration/ssl/
Application
SSL encryption
for client
connection
SSL encryption
for inter-server
traffic
Primary Secondary
Data Files Data Files

6. Securing MongoDB 2.4

7. Authentication

8. Authentication with password
hash• Use one-way function F
mongod
I am “mark@10gen.com”, let me in
Prove it, here is a random # N
Here is F(N,
hash(<mypwd>))
Nobody else could know
that, welcome back marko!
Knows
only my
passwor
d hash
Hash never
transmitted
over the
network!

9. External Authentication
Use common / standardized authentication
SASL: Simple Authentication and Security Layer
– Framework for building authentication
Kerberos
– GSSAPI, drivers will be updated
– Mixed system.users can work during transition

10. Authentication with Kerberos
KDC
1. I am “mark@10gen.com”,
help me prove it to mongod
to UDP:88 -
2. Here is a TGT
Mongod
3. TCP:27017
Here is a
Kerberos
TGT
4. Welcome,
here is a
Service
Ticket!
{
user: ”mark@10gen.com",
roles: ["readWrite"],
userSource: "$external"
}
Keytab

11. Starting the Database
env KRB5_KTNAME=/etc/kserver1b.keytab
mongod –auth --setParameter
authenticationMechanisms=GSSAPI
--dbpath /data/db --fork --logpath
/var/tmp/mongod_auth.log
--replSet realm4 --keyFile /etc/keyfile

12. Authenticating & Connecting
# kinit mongouser
….
# klist
…
03/11/13 09:30:30 03/12/13 09:30:30
…
# mongo mongodb.10gen.com/$external -
-authenticationMechanism=GSSAPI -u
mongouser@10GEN.COM

13. Authorization

14. AUTHORIZATION
• Issues with 2.2
– Only read / readWrite 
– Edge-case with possible privilege escalation
• 2.4 introduces roles
– Admin level roles
• userAdmin
• clusterAdmin
– DB level roles
• userAdmin
• dbAdmin
• Read
• ReadWrite
Corresponding
Admin level roles
for
“AnyDatabase”

15. ADMIN DB
• clusterAdmin
• AnyDatabase
Source:https://wellsted135.files.wordpress.com/2012/10/special.gif

16. Super-User
userAdmin & userAdminAnyDatabase
are
Only these users can view details about other
users – system.users collection

17. Admin DB
• userAdmin
• clusterAdmin
Accounts
DB
• userAdmin
App1 DB
• userAdmin
• dbAdmin
• readWrite
• read
App2 DB
• userAdmin
• dbAdmin
• readWrite
• read
Password
hashes

18. I can do anything
but I won’t be
required to do much
DB Admin: userAdmin DB Admin: clusterAdmin
I can add and
remove shards
DB Accounts: userAdmin
I can create new
users but I can’t
grant them
privileges to other
DB’s
DB App: userAdmin DB App: dbAdmin
I can grant
privileges to
the App DB
only
I can
create
indices, set
profiling, co
mpact

19. In App.system.users :
{
user: “fred” ,
usersource: “Accounts” ,
roles: [ “userAdmin” ]
}
{
user: “george” ,
usersource: “Accounts” ,
roles: [ “dbAdmin“ ] ,
}
Each DB’s userAdmin gets to
grant privileges separately
DB App: dbAdmin
I can grant
privileges to
the App DB
only
I can
create
indices, set
profiling,
compact
Credentials
from Accounts
DB
DB App: userAdmin

20. Auditing

21. Additional Logging
Monitor user activity:
– userID added to standard
output
– No separate audit log
– Much more coming in 2.6

22. Validation

23. Validation
Objcheck
– Helps prevent DOS
– Validates input
– SERVER-7769 (default)

24. JS Engine

25. JS Engine
Move to V8
– Primarily performance reasons but some security benefits
– Restrictions on $where (SERVER-9124) & M/R/F
– SERVER-8104 & 2.4 Release Notes

26. Outside MongoDB

27. Outside MongoDB
Firewalls
– iptables & netsh
– Ports, Addresses, Times, Throttle etc.
File system
– Encrypt (Gazzang) [HIPAA, PCI, SOX]
Best Practices
– Internal Policies (Password Reuse, Scan etc.)

28. MongoDB Partners with
Gazzang
• File System Encryption
• 5% performance hit with HDD, 10-15% with
SSD
File System – All contents encrypted
OS Gazzang
Gazzang
Key Mgmt

29. Documentation &
Notifications

30. Documentation
Manual
– http://docs.mongodb.org/manual/security/
• Security Features within MongoDB
• Best Practices & Strategies
• Tutorials
• Vulnerability Notifications

31. Potential Security Issues
How do YOU know?
– MongoDBAlerts
How, What, Where?
– Vulnerability Notification
– Jira (HTTPS) & (Secure) Email

32. Future features

33. Disclaimer
Statements about future releases, availability
dates, and feature content reflect plans only, and
10gen is under no obligation to include, develop
or make available, commercially or
otherwise, specific feature discussed a future
MongoDB build. Information is provided for
general understanding only, and is subject to
change at the sole discretion of 10gen in
response to changing market conditions, delivery
schedules, customer requirements, and/or other
factors.

34. Future features
Auditing
– Logging to output userID associated with actions
(SERVER-1891)
Passwords
– Stronger Hashing (SERVER-2380)
Authorization
– User Defined & More Granularity
SSL
– Client & Security Improvements

35. Conclusion

36. Conclusion
• 2.2 needed improvement for security
• 2.4 is much better & Enterprise-Level
• Authentication & Authorization
• Within & Outside

37. Thanks
• Thanks to Mike Stimpson for the awesome pics

http://imgur.com/a/0XvKw

38. Sr. Solutions Architect, 10gen
Matt Kalan
@MatthewKalan
Questions?

39. Sr. Solutions Architect, 10gen
Matt Kalan
@MatthewKalan
Questions?