- 本月热门
-
漫谈Web前端的『组件化』 by 郑海波@网易 -
ANGULAR2 vs REACT(简介及框架比较) by 500Tech -
21CN前端开发团队之发展史 by 蔡立勋 -
运维开发前端转型之道—Angularjs by 林香鑫@网易 -
Docker 1.10 Security Improvements(Docker安全改进) by Diogo Mónica -
整站scss设计 by 结一 -
Red Hat OpenStack Platform 7 Training -
同一个世界,同一个Web by 刘宇@工信部电信研究院 -
积木系统-工业化运营的尝试 by jerojiang -
MVVM及其组件体系_angular_react_vue by 杨文坚
加收藏
用MongoDB构建安全和兼容的应用程序 by sbmccarth
第1页
第2页
Architecting Secure and Compliant Applications with MongoDB
shawn.mccarthy@mongodb.com
@sbmccarth
Solutions Architect – MongoDB Inc.
第3页
Major Security Alert
第4页
Concepts
developer friendly
production ready
MongoDB is specifically designed for an awesome out-of-box developer experience. You can get your apps up and running very easily. But, this means that most (well like all) the security features are TURNED OFF by DEFAULT. Devs love this, OPS not so much.
第5页
Concepts
Best Practices
Demo
Best Practices
Demo
Agenda
So, this is an OPS track – but the title of this talk starts with “Architecting” and then has Applications? WTFjQuery110204372308454418091_1459212730078?
I’m going to try and give a high-level overview of OP’s “nuts & bolts” stuff (you guys can all look this stuff up ----
Oh, good thing about working for an open source company --- I can google the real docs ☺☺ you can too!
Then cover some essential Best Practices, and wrap up with a demo show how to really make some of this stuff work—
In particular, perhap’s not so OPS-ey – yeah, you’re gonna have to “TALK” to you dev teams here!!! - show you how to create
Some application specific security stuff – WHICH YOU SHOULD DO!!!!!!
第6页
Authentication
Authorization
Validating a user is who
they say they are
they say they are
Only letting a user
do certain things
do certain things
Concepts
Auth – variety of supported mechanisms, integrates with LDAP, Kerberos, X.509 certs
Authorization – Role Based Access Control, out-of-box roles & privileges, ability to build custom roles- can define over whole instance, db or even collection level
第7页
Auditing
Encryption
Tracking system activity
Encoding data so that only those with the key can read it
Concepts
Auditing – logged system changes, modifications – this is not logging read/write from an application, but admin changes – use to ensure and validate you are following best practices
Encryption – support for both “at rest” (integration with 3rd party – Volmetric/IBM/etc) and file system disk-level, also in flight with SSL
第8页
WARNING
Some features only supported in MongoDB Enterprise Advanced versions!
Generally, functionality available in 2.6.x
Will call out any specific 3.x features
Will call out any specific 3.x features
Need to point out-
We love and embrace open source, and wouldn’t be were we are without it.
We also support many enterprises who require the highest level of security and confidence in their software providers –
So many advanced security features are only available in the “Enterprise Advanced” versions.
第9页
password-based challenge-response mechanism
- user/pwd – defined against a DB
- Different auth mechanisms (changed in 3.0)
- SCRAM-SHA-1, MONGO-CR
- Kerberos, LDAP*
x.509 certificates
- validate members of replica set’s
and sharded cluster’s are who you think
they are
- also used in SSL connections
- user/pwd – defined against a DB
- Different auth mechanisms (changed in 3.0)
- SCRAM-SHA-1, MONGO-CR
- Kerberos, LDAP*
x.509 certificates
- validate members of replica set’s
and sharded cluster’s are who you think
they are
- also used in SSL connections
Authentication
Users and their password are defined with a db name – you need to authenticate against the DB you are defined with!!
Take care with different shell/mongod version and auth mechanisms
第10页
How do you make MongoDB authorize users?
$ mongod --dbpath ./db --auth
第11页
Enables authorization before creating the first user on the system. When auth is enabled, the localhost exception allows connection from the local interface to create the first user on the admin database.
This only applies when no users exist on the system
Changed in version 3.x
These connections only have access to create the first user on the admin database. Previously, connections from the local interface had unrestricted access to all MongoDB
This only applies when no users exist on the system
Changed in version 3.x
These connections only have access to create the first user on the admin database. Previously, connections from the local interface had unrestricted access to all MongoDB
Localhost Exception
From the docs – just want them to see and burn in this “LOCALHOST EXCEPTION” thing
第12页
Role Based Access Control
built-in and custom roles
built-in and custom roles
var stockerRole = {
“role” : “acme.store.stocker”,
“privileges” : [
{ “resource” : {
“db” : “products”,
“collection” : “inventory” },
“actions” : [ “find”, “update” ]
} ],
“roles” : [ “acme.store.user” ]
}
use acme
db.createRole( stockerRole );
“role” : “acme.store.stocker”,
“privileges” : [
{ “resource” : {
“db” : “products”,
“collection” : “inventory” },
“actions” : [ “find”, “update” ]
} ],
“roles” : [ “acme.store.user” ]
}
use acme
db.createRole( stockerRole );
Authorization
So you’re building an e-commerce website – you need both front end and back end access to you data – what access would a particular person need which only manages inventory?
Roles are made up of a set of privileges, privileges are made up of a set of resources and actions – resources are things like db’s, collection’s,
Actions are commands or functions the user can perform on the resource – find, update, etc.
Lots and lots of actions/privileges defined in the system –
Roles and inherit from other roles – can build complex hierarchy of roles.
第13页
Can audit on your mongod and mongos
Send events to console, syslog, JSON or BSON file
Send events to console, syslog, JSON or BSON file
$ mongod --dbpath data/db --auditDestination file --auditFormat JSON \
--auditPath data/db/auditLog.json
--auditPath data/db/auditLog.json
[ec2-user@ip-10-0-214-82 ~]$ tail -f auditLog.json
{ "atype" : "shutdown", "ts" : { "$date" : "2015-05-22T14:30:52.213+0000" }, "local" : { "ip" : "(NONE)", "port" : 0 }, "remote" : { "ip" : "(NONE)", "port" : 0 }, "users" : [], "roles" : [], "param" : {}, "result" : 0 }
{ "atype" : "createCollection", "ts" : { "$date" : "2015-05-22T14:30:58.960+0000" }, "local" : { "ip" : "(NONE)", "port" : 0 }, "remote" : { "ip" : "(NONE)", "port" : 0 }, "users" : [ { "user" : "__system", "db" : "local" } ], "roles" : [], "param" : { "ns" : "local.startup_log" }, "result" : 0 }
{ "atype" : "createCollection", "ts" : { "$date" : "2015-05-22T14:31:24.661+0000" }, "local" : { "ip" : "127.0.0.1", "port" : 27017 }, "remote" : { "ip" : "127.0.0.1", "port" : 56023 }, "users" : [], "roles" : [], "param" : { "ns" : "foo.foo" }, "result" : 0 }
{ "atype" : "shutdown", "ts" : { "$date" : "2015-05-22T14:30:52.213+0000" }, "local" : { "ip" : "(NONE)", "port" : 0 }, "remote" : { "ip" : "(NONE)", "port" : 0 }, "users" : [], "roles" : [], "param" : {}, "result" : 0 }
{ "atype" : "createCollection", "ts" : { "$date" : "2015-05-22T14:30:58.960+0000" }, "local" : { "ip" : "(NONE)", "port" : 0 }, "remote" : { "ip" : "(NONE)", "port" : 0 }, "users" : [ { "user" : "__system", "db" : "local" } ], "roles" : [], "param" : { "ns" : "local.startup_log" }, "result" : 0 }
{ "atype" : "createCollection", "ts" : { "$date" : "2015-05-22T14:31:24.661+0000" }, "local" : { "ip" : "127.0.0.1", "port" : 27017 }, "remote" : { "ip" : "127.0.0.1", "port" : 56023 }, "users" : [], "roles" : [], "param" : { "ns" : "foo.foo" }, "result" : 0 }
Auditing*
System audits for schema changes (e.g. create/drop collection, add indexes), repl set/shard config changes, auth and authz, general db operations.
Supports filters – only audit things you care about
Support api for custom audit messages – “logApplicationMessage” db command
第14页
Encryption At Rest
Encrypted Storage Engine*
Whole Disk Encryption (through third party)
Required for HIPAA/PCI-DSS
Encrypted Storage Engine*
Whole Disk Encryption (through third party)
Required for HIPAA/PCI-DSS
Configure mongod and mongos for SSL
$ mongod --sslMode requireSSL --sslPEMKeyFile /etc/ssl/mongodb.pem
Encryption In Transit
Support for SSL/TSL for all communication
Required for HIPAA/PCI-DSS
Support for SSL/TSL for all communication
Required for HIPAA/PCI-DSS
Encryption
allowSSL, preferSSL, requireSSL – settings for sslMode – use these to gradually “step up” a replica set/cluster to use SSL
第15页
http://docs.mongodb.org/manual/administration/security-checklist/
Security Checklist
Require Authentication
Configure Roles
Use SSL
Configure firewall – limit network exposure
Turn on auditing
Encrypt data on disk
Run mongod with dedicated user account
Set secure options
--noscripting
Disable REST/HTTP
Configure Roles
Use SSL
Configure firewall – limit network exposure
Turn on auditing
Encrypt data on disk
Run mongod with dedicated user account
Set secure options
--noscripting
Disable REST/HTTP
Best Practices
--noscripting – turns off server-side Javascript, disabled mapReduce, group, $where
第16页
Building roles to support healthcare
application and HIPAA requirements.
application and HIPAA requirements.
In general for full details on HIPAA and PCI-DSS standards compliance see:
http://s3.amazonaws.com/info-mongodb-com/MongoDB_Security_Architecture_WP.pdf
http://s3.amazonaws.com/info-mongodb-com/MongoDB_Security_Architecture_WP.pdf
Demo
NOT!! Covering all details in this talk – review official documentation!!
第17页
Demo
NOT!! Covering all details in this talk – review official documentation!!
第18页
MongoGeneral Application
createFirstUser.js
createRoles.js
createUsers.js
createFirstUser.js
createRoles.js
createUsers.js
Demo
第19页
Questions?
第20页
THANKS!
shawn.mccarthy@mongodb.com
@sbmccarth
Solutions Architect – MongoDB Inc.
Doing things right, does take time and effort – but do it from the start and build it into your culture and you will be fine