Slide 1
Slide 2
Architecting Secure and Compliant Applications with MongoDB
shawn.mccarthy@mongodb.com
@sbmccarth
Solutions Architect – MongoDB Inc.
Slide 3
Major Security Alert
Slide 4
Concepts
developer friendly
production ready
MongoDB is specifically designed for an awesome out-of-the-box developer experience: you can get your apps up and running very easily. But this means that most (well, nearly all) of the security features are TURNED OFF by DEFAULT. Devs love this; Ops, not so much.
Slide 5
Concepts
Best Practices
Demo
Agenda
So, this is an Ops track, but the title of this talk starts with "Architecting" and then has "Applications"? WTF?
I'm going to try and give a high-level overview of the Ops "nuts & bolts" stuff (you can all look this stuff up).
Oh, a good thing about working for an open source company: I can google the real docs ☺ and so can you!
Then I'll cover some essential best practices, and wrap up with a demo showing how to really make some of this stuff work.
In particular, and perhaps not so Ops-ey: yes, you're going to have to TALK to your dev teams here! I'll show you how to create
some application-specific security stuff, WHICH YOU SHOULD DO!
Slide 6
Authentication: validating a user is who they say they are
Authorization: only letting a user do certain things
Concepts
Authentication – a variety of supported mechanisms; integrates with LDAP, Kerberos and x.509 certificates.
Authorization – Role Based Access Control: out-of-the-box roles and privileges plus the ability to build custom roles, which can be scoped to the whole instance, a single database, or even a single collection.
Slide 7
Auditing: tracking system activity
Encryption: encoding data so that only those with the key can read it
Concepts
Auditing – logs administrative changes and modifications. This is not logging application reads and writes, but admin changes: use it to ensure and validate that you are following best practices.
Encryption – supported both "at rest" (integration with third-party products such as Vormetric or IBM, or file-system/disk-level encryption) and in flight with SSL.
Slide 8
WARNING
Some features only supported in MongoDB Enterprise Advanced versions!
Generally, functionality available in 2.6.x
Will call out any specific 3.x features
I need to point out:
We love and embrace open source, and wouldn't be where we are without it.
We also support many enterprises who require the highest level of security and confidence in their software providers,
so many advanced security features are only available in the "Enterprise Advanced" versions.
Slide 9
Password-based challenge-response mechanism
- user/password, defined against a DB
- different auth mechanisms (changed in 3.0): SCRAM-SHA-1, MONGODB-CR
- Kerberos, LDAP*
x.509 certificates
- validate that members of replica sets and sharded clusters are who you think they are
- also used in SSL connections
Authentication
Users and their passwords are defined with a db name: you need to authenticate against the DB the user is defined in!
Take care with mismatched shell/mongod versions and auth mechanisms (a 3.0 mongod creates SCRAM-SHA-1 users by default, which a 2.6 shell or an un-upgraded driver cannot authenticate as).
Slide 10
How do you make MongoDB authorize users?
$ mongod --dbpath ./db --auth
Slide 11
The localhost exception lets you enable authorization before creating the first user on the system. When auth is enabled and no users exist, connections from the localhost interface can create the first user on the admin database.
This only applies while no users exist on the system.
Changed in version 3.0: these connections only have access to create the first user on the admin database. Previously, connections from the local interface had unrestricted access to the whole MongoDB instance.
Localhost Exception
From the docs. I just want you to see and burn in this "LOCALHOST EXCEPTION" thing.
Slide 12
Role Based Access Control
built-in and custom roles
var stockerRole = {
  "role" : "acme.store.stocker",
  "privileges" : [
    { "resource" : { "db" : "products", "collection" : "inventory" },
      "actions" : [ "find", "update" ] }
  ],
  "roles" : [ "acme.store.user" ]
}
use acme
db.createRole( stockerRole );
Authorization
So you're building an e-commerce website. You need both front-end and back-end access to your data: what access would a person who only manages inventory need?
Roles are made up of a set of privileges; a privilege is made up of a resource and a set of actions. Resources are things like databases and collections.
Actions are the commands or functions the user can perform on the resource: find, update, etc.
There are lots and lots of actions/privileges defined in the system.
Roles can inherit from other roles, so you can build a complex hierarchy of roles. A role referenced by plain name (like "acme.store.user" above) must already exist in the same database you run createRole in.
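The role hierarchy described above, worked through offline as an added example (this is not code from the talk or from MongoDB; it runs in plain Node.js with no database). It flattens a role and everything it inherits into one privilege list, the way `db.getRole(name, { showPrivileges: true })` reports `inheritedPrivileges`, does the same for a user document, and then checks the result against a least-privilege policy. The `acme.store.user` and `acme.store.admin` definitions, the `stocker1` user and the policy are constructed for illustration; `acme.store.stocker` is the role from the slide.

```javascript
// Added example (not part of the talk): resolve MongoDB role inheritance
// offline and check the result against a least-privilege policy.
// Role documents use the shape db.createRole() takes; the extra "db" field
// records which database the role was created in. Names are constructed.

// One key per resource so privileges on the same resource merge into one entry.
function resourceKey(resource) {
  if (resource.cluster) return "cluster";
  if (resource.anyResource) return "anyResource";
  return `${resource.db}.${resource.collection}`; // "" means "any" in MongoDB
}

// Union a privilege list into a Map keyed by resource.
function mergePrivileges(into, privileges) {
  for (const p of privileges) {
    const key = resourceKey(p.resource);
    const cur = into.get(key) || { resource: p.resource, actions: new Set() };
    p.actions.forEach(a => cur.actions.add(a));
    into.set(key, cur);
  }
  return into;
}

function toList(map) {
  return [...map.values()].map(p => ({ resource: p.resource, actions: [...p.actions].sort() }));
}

// Flatten a role and everything it inherits, like the inheritedPrivileges
// field of db.getRole(). A parent given as a plain string lives in the same
// database as the child; { role, db } names a role in another database.
function effectivePrivileges(roleName, roleDb, roleDefs, seen = new Set()) {
  const id = `${roleDb}/${roleName}`;
  if (seen.has(id)) return [];            // guard against a cyclic definition
  seen.add(id);
  const def = roleDefs.find(r => r.role === roleName && r.db === roleDb);
  if (!def) throw new Error(`unknown role ${id}`);
  const merged = mergePrivileges(new Map(), def.privileges);
  for (const parent of def.roles) {
    const pName = typeof parent === "string" ? parent : parent.role;
    const pDb = typeof parent === "string" ? roleDb : parent.db;
    mergePrivileges(merged, effectivePrivileges(pName, pDb, roleDefs, seen));
  }
  return toList(merged);
}

// Same for a user document (the roles array db.getUser() returns).
function effectivePrivilegesForUser(user, roleDefs) {
  const merged = new Map();
  for (const r of user.roles) mergePrivileges(merged, effectivePrivileges(r.role, r.db, roleDefs));
  return toList(merged);
}

// Constructed least-privilege policy: what an application role must never carry.
const POLICY = {
  forbiddenActions: new Set(["anyAction", "dropDatabase", "dropCollection", "createUser", "grantRole"]),
  allowedDbs: new Set(["products"]),     // application roles may only touch these
};

function leastPrivilegeFindings(privileges, policy = POLICY) {
  const findings = [];
  for (const p of privileges) {
    const key = resourceKey(p.resource);
    if (key === "cluster" || key === "anyResource") findings.push(`${key} resource granted`);
    else if (!policy.allowedDbs.has(p.resource.db))
      findings.push(`access to db "${p.resource.db || "<all>"}" outside the allowed set`);
    const bad = p.actions.filter(a => policy.forbiddenActions.has(a));
    if (bad.length) findings.push(`forbidden actions on ${key}: ${bad.join(", ")}`);
  }
  return findings;
}

// Constructed role definitions: the stocker role from the slide, the
// acme.store.user role it inherits from, and an over-privileged "admin" role.
const ROLE_DEFS = [
  { role: "acme.store.user", db: "acme",
    privileges: [{ resource: { db: "products", collection: "catalog" }, actions: ["find"] }],
    roles: [] },
  { role: "acme.store.stocker", db: "acme",
    privileges: [{ resource: { db: "products", collection: "inventory" }, actions: ["find", "update"] }],
    roles: ["acme.store.user"] },
  { role: "acme.store.admin", db: "acme",
    privileges: [{ resource: { anyResource: true }, actions: ["anyAction"] }],
    roles: ["acme.store.stocker"] },
];

// A user as db.getUser() would return it (constructed).
const STOCKER_USER = { user: "stocker1", db: "acme", roles: [{ role: "acme.store.stocker", db: "acme" }] };

// Audit every role: what it can actually do, and where it breaks the policy.
function auditRoles(roleDefs, policy = POLICY) {
  return roleDefs.map(r => {
    const privileges = effectivePrivileges(r.role, r.db, roleDefs);
    return { role: `${r.role}@${r.db}`, privileges, findings: leastPrivilegeFindings(privileges, policy) };
  });
}
```

Run `auditRoles(ROLE_DEFS)` and the stocker role comes back clean with `find`/`update` on `products.inventory` plus the inherited `find` on `products.catalog`, while `acme.store.admin` is flagged twice (an `anyResource` grant and the forbidden `anyAction`). Feeding real output from `db.getRole(..., { showPrivileges: true })` into `leastPrivilegeFindings` gives the same check against a live deployment.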
Slide 13
Can audit on your mongod and mongos
Send events to console, syslog, JSON or BSON file
$ mongod --dbpath data/db --auditDestination file --auditFormat JSON \
--auditPath data/db/auditLog.json
[ec2-user@ip-10-0-214-82 ~]$ tail -f auditLog.json
{ "atype" : "shutdown", "ts" : { "$date" : "2015-05-22T14:30:52.213+0000" }, "local" : { "ip" : "(NONE)", "port" : 0 }, "remote" : { "ip" : "(NONE)", "port" : 0 }, "users" : [], "roles" : [], "param" : {}, "result" : 0 }
{ "atype" : "createCollection", "ts" : { "$date" : "2015-05-22T14:30:58.960+0000" }, "local" : { "ip" : "(NONE)", "port" : 0 }, "remote" : { "ip" : "(NONE)", "port" : 0 }, "users" : [ { "user" : "__system", "db" : "local" } ], "roles" : [], "param" : { "ns" : "local.startup_log" }, "result" : 0 }
{ "atype" : "createCollection", "ts" : { "$date" : "2015-05-22T14:31:24.661+0000" }, "local" : { "ip" : "127.0.0.1", "port" : 27017 }, "remote" : { "ip" : "127.0.0.1", "port" : 56023 }, "users" : [], "roles" : [], "param" : { "ns" : "foo.foo" }, "result" : 0 }
Auditing*
System audits for schema changes (e.g. create/drop collection, add indexes), replica set/shard config changes, authentication and authorization, and general db operations.
Supports filters, so you only audit the things you care about.
Supports an API for custom audit messages: the "logApplicationMessage" db command.
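An added example (not code from the talk or from MongoDB) that reads the JSON-format audit log shown above and pulls out what an operator should look at first: privilege and schema changes, messages written with `logApplicationMessage`, and repeated failed authentications from one address. It also builds the document you would pass as `--auditFilter` so mongod only writes those event types. Plain Node.js, no database needed; the log records, addresses, users and timestamps are constructed to resemble real ones.

```javascript
// Added example (not part of the talk): scan a JSON-format MongoDB audit log
// (one record per line, as written by --auditDestination file --auditFormat JSON)
// for the events an operator should look at first. Sample records are constructed.

// Event types (atype) that change who can do what, or change the schema.
const PRIVILEGE_CHANGES = new Set([
  "createUser", "dropUser", "updateUser", "dropAllUsersFromDatabase",
  "grantRolesToUser", "revokeRolesFromUser", "createRole", "updateRole", "dropRole",
  "grantRolesToRole", "revokeRolesFromRole", "grantPrivilegesToRole", "revokePrivilegesFromRole",
]);
const SCHEMA_CHANGES = new Set([
  "createCollection", "dropCollection", "createDatabase", "dropDatabase",
  "createIndex", "dropIndex", "renameCollection",
]);
const AUTH_FAILED = 18; // MongoDB error code AuthenticationFailed, reported in "result"

function parseAuditLog(text) {
  return text.split("\n").filter(l => l.trim()).map(l => JSON.parse(l));
}

// Returns one finding per interesting record, plus one when a remote address
// reaches `failThreshold` failed authentications (password guessing).
function scanAuditLog(records, { failThreshold = 3 } = {}) {
  const failures = new Map();
  const findings = [];
  for (const r of records) {
    const who = r.users.map(u => `${u.user}@${u.db}`).join(",") || "(unauthenticated)";
    const base = { ts: r.ts.$date, atype: r.atype, who, from: `${r.remote.ip}:${r.remote.port}` };
    if (r.atype === "authenticate" && r.result === AUTH_FAILED) {
      const n = (failures.get(r.remote.ip) || 0) + 1;
      failures.set(r.remote.ip, n);
      if (n === failThreshold)
        findings.push({ ...base, severity: "high",
          note: `${n} failed logins for ${r.param.user}@${r.param.db} from ${r.remote.ip}` });
    } else if (PRIVILEGE_CHANGES.has(r.atype)) {
      findings.push({ ...base, severity: "high", note: JSON.stringify(r.param) });
    } else if (SCHEMA_CHANGES.has(r.atype)) {
      findings.push({ ...base, severity: "medium", note: r.param.ns });
    } else if (r.atype === "applicationMessage") {   // written by logApplicationMessage
      findings.push({ ...base, severity: "info", note: r.param.msg });
    }
  }
  return findings;
}

// The document to pass as --auditFilter so mongod writes only these event types.
function auditFilterFor(atypes) {
  return JSON.stringify({ atype: { $in: atypes } });
}

// Constructed sample log: three password guesses from one address, then a user
// created and a collection dropped by an authenticated admin, then an app message.
const SAMPLE_LOG = [
  '{ "atype" : "authenticate", "ts" : { "$date" : "2015-05-22T15:01:10.000+0000" }, "local" : { "ip" : "10.0.214.82", "port" : 27017 }, "remote" : { "ip" : "203.0.113.7", "port" : 40101 }, "users" : [], "roles" : [], "param" : { "user" : "admin", "db" : "admin", "mechanism" : "SCRAM-SHA-1" }, "result" : 18 }',
  '{ "atype" : "authenticate", "ts" : { "$date" : "2015-05-22T15:01:11.000+0000" }, "local" : { "ip" : "10.0.214.82", "port" : 27017 }, "remote" : { "ip" : "203.0.113.7", "port" : 40102 }, "users" : [], "roles" : [], "param" : { "user" : "admin", "db" : "admin", "mechanism" : "SCRAM-SHA-1" }, "result" : 18 }',
  '{ "atype" : "authenticate", "ts" : { "$date" : "2015-05-22T15:01:12.000+0000" }, "local" : { "ip" : "10.0.214.82", "port" : 27017 }, "remote" : { "ip" : "203.0.113.7", "port" : 40103 }, "users" : [], "roles" : [], "param" : { "user" : "admin", "db" : "admin", "mechanism" : "SCRAM-SHA-1" }, "result" : 18 }',
  '{ "atype" : "createUser", "ts" : { "$date" : "2015-05-22T15:05:00.000+0000" }, "local" : { "ip" : "127.0.0.1", "port" : 27017 }, "remote" : { "ip" : "127.0.0.1", "port" : 56030 }, "users" : [ { "user" : "admin", "db" : "admin" } ], "roles" : [ { "role" : "root", "db" : "admin" } ], "param" : { "user" : "stocker1", "db" : "acme", "roles" : [ { "role" : "acme.store.stocker", "db" : "acme" } ] }, "result" : 0 }',
  '{ "atype" : "dropCollection", "ts" : { "$date" : "2015-05-22T15:06:30.000+0000" }, "local" : { "ip" : "127.0.0.1", "port" : 27017 }, "remote" : { "ip" : "127.0.0.1", "port" : 56030 }, "users" : [ { "user" : "admin", "db" : "admin" } ], "roles" : [ { "role" : "root", "db" : "admin" } ], "param" : { "ns" : "foo.foo" }, "result" : 0 }',
  '{ "atype" : "applicationMessage", "ts" : { "$date" : "2015-05-22T15:10:00.000+0000" }, "local" : { "ip" : "10.0.214.82", "port" : 27017 }, "remote" : { "ip" : "10.0.214.90", "port" : 41220 }, "users" : [ { "user" : "stocker1", "db" : "acme" } ], "roles" : [ { "role" : "acme.store.stocker", "db" : "acme" } ], "param" : { "msg" : "inventory import started" }, "result" : 0 }',
].join("\n");
```

`scanAuditLog(parseAuditLog(SAMPLE_LOG))` yields four findings: the third failed login from 203.0.113.7, the createUser, the dropCollection of foo.foo, and the application message. Point it at the real file from the slide (`tail -f auditLog.json | node ...` or a scheduled read) and the same logic works unchanged; the threshold and the event-type sets are the knobs to tune.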
Slide 14
Encryption At Rest
Encrypted Storage Engine*
Whole disk encryption (through third party)
Required for HIPAA/PCI-DSS
Encryption In Transit
Support for SSL/TLS for all communication
Required for HIPAA/PCI-DSS
Configure mongod and mongos for SSL:
$ mongod --sslMode requireSSL --sslPEMKeyFile /etc/ssl/mongodb.pem
Encryption
allowSSL, preferSSL, requireSSL (plus disabled) are the settings for sslMode. Use them to gradually "step up" a replica set/cluster to SSL: allowSSL keeps server-to-server traffic unencrypted but accepts SSL from clients that use it, preferSSL switches server-to-server traffic to SSL and still accepts both from clients, and requireSSL uses and accepts only SSL.
Slide 15
http://docs.mongodb.org/manual/administration/security-checklist/
Security Checklist
Require Authentication
Configure Roles
Use SSL
Configure firewall – limit network exposure
Turn on auditing
Encrypt data on disk
Run mongod with dedicated user account
Set secure options
--noscripting
Disable REST/HTTP
Best Practices
--noscripting – turns off server-side JavaScript, which disables mapReduce, group, $where and eval
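The checklist above and the sslMode step-up from the encryption slide, turned into a check you can run against a configuration, as an added example (not code from the talk or from MongoDB; plain Node.js). The input is an object with the same keys as the YAML configuration file (`security.authorization`, `net.ssl.mode`, `net.bindIp`, `security.javascriptEnabled`, `net.http.*`, `auditLog.*`, `security.enableEncryption`); reading that file with a YAML parser and passing the result in is left to you. Both configurations below are constructed for illustration, and the bind address is made up.

```javascript
// Added example (not part of the talk): check a mongod configuration object
// (same keys as the YAML config file) against the security checklist.

const SSL_MODES = ["disabled", "allowSSL", "preferSSL", "requireSSL"]; // weakest to strongest

// Read a dotted path such as "net.ssl.mode"; undefined when absent.
function getPath(obj, path) {
  return path.split(".").reduce((o, k) => (o == null ? undefined : o[k]), obj);
}

// Returns a list of { item, detail } findings; an empty list means the config passes.
function checkMongodConfig(cfg) {
  const findings = [];
  const fail = (item, detail) => findings.push({ item, detail });

  if (getPath(cfg, "security.authorization") !== "enabled")
    fail("Require Authentication", "set security.authorization: enabled (--auth); without it every client has full access");

  const mode = getPath(cfg, "net.ssl.mode") || "disabled";
  const level = SSL_MODES.indexOf(mode);
  if (level < 0) fail("Use SSL", `unknown net.ssl.mode "${mode}"`);
  else if (level < SSL_MODES.length - 1)
    fail("Use SSL", `net.ssl.mode is ${mode}; next step is ${SSL_MODES[level + 1]}, target is requireSSL`);
  if (mode !== "disabled" && !getPath(cfg, "net.ssl.PEMKeyFile"))
    fail("Use SSL", "net.ssl.PEMKeyFile is required once SSL is on");

  const bindIp = getPath(cfg, "net.bindIp");
  if (!bindIp) fail("Limit network exposure", "net.bindIp unset: mongod before 3.6 listens on all interfaces");
  else if (bindIp.split(",").map(s => s.trim()).includes("0.0.0.0"))
    fail("Limit network exposure", "net.bindIp contains 0.0.0.0");

  if (getPath(cfg, "security.javascriptEnabled") !== false)
    fail("Set secure options", "set security.javascriptEnabled: false (--noscripting) unless the app needs $where/mapReduce");

  if (getPath(cfg, "net.http.enabled") || getPath(cfg, "net.http.RESTInterfaceEnabled"))
    fail("Disable REST/HTTP", "net.http.enabled and net.http.RESTInterfaceEnabled must be false; the REST interface has no authentication");

  if (!getPath(cfg, "auditLog.destination"))
    fail("Turn on auditing", "set auditLog.destination (file, syslog or console) plus auditLog.format and auditLog.path");

  if (getPath(cfg, "security.enableEncryption") !== true)
    fail("Encrypt data on disk", "security.enableEncryption: true (Enterprise, 3.2+), or encrypt the volume under storage.dbPath");

  return findings;
}

// Constructed: what a default developer setup with the REST interface switched on looks like.
const WEAK_CONFIG = {
  storage: { dbPath: "./db" },
  net: { port: 27017, http: { RESTInterfaceEnabled: true } },
};

// Constructed: the same server after working through the checklist.
const HARDENED_CONFIG = {
  storage: { dbPath: "/var/lib/mongodb" },
  net: {
    port: 27017,
    bindIp: "10.0.214.82",                       // made-up internal address
    ssl: { mode: "requireSSL", PEMKeyFile: "/etc/ssl/mongodb.pem" },
    http: { enabled: false, RESTInterfaceEnabled: false },
  },
  security: { authorization: "enabled", javascriptEnabled: false, enableEncryption: true },
  auditLog: { destination: "file", format: "JSON", path: "/var/log/mongodb/auditLog.json" },
};
```

`checkMongodConfig(WEAK_CONFIG)` reports all seven checklist items; `checkMongodConfig(HARDENED_CONFIG)` reports none. A replica set half-way through the SSL rollout (mode `preferSSL`) gets exactly one finding naming `requireSSL` as the next step, which is the state you want to see while stepping members up one at a time.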
Slide 16
Building roles to support healthcare
application and HIPAA requirements.
In general for full details on HIPAA and PCI-DSS standards compliance see:
http://s3.amazonaws.com/info-mongodb-com/MongoDB_Security_Architecture_WP.pdf
Demo
NOT!! Covering all details in this talk – review official documentation!!
Slide 18
MongoGeneral Application
createFirstUser.js
createRoles.js
createUsers.js
Demo
Slide 19
Questions?
Slide 20
THANKS!
Doing things right does take time and effort, but do it from the start and build it into your culture and you will be fine.