External Authentication with Percona Server for MongoDB and MongoDB Enterprise
Jason Terpko, DBA @ Rackspace/ObjectRocket
linkedin.com/in/jterpko
Overview
- Percona Server for MongoDB
  - SASL and LDAP
- MongoDB Enterprise
  - Kerberos and Active Directory
  - Ops Manager
www.objectrocket.com
Percona Server for MongoDB
An enhanced, free, open-source replacement for MongoDB Community Server.
All MongoDB 3.4 Community features, plus:
- SASL authentication
- More engine options
- Hot backup
- Auditing
External Authentication
- LDAP
- SASL
- Authentication
Centralized Authentication
LDAP (Lightweight Directory Access Protocol) and Microsoft Active Directory

OpenLDAP:
  # extended LDIF
  ...
  dn: uid=jason,ou=dba,dc=data,dc=com
  ...
  cn: jason
  uid: jason
  uidNumber: 9999
  gidNumber: 100
  ...
  userPassword:: <secret>

Active Directory:
  # extended LDIF
  ...
  dn: CN=Jason,OU=Users,DC=data,DC=com
  ...
  cn: Jason
  memberOf: CN=dba,OU=Mongo,DC=data,DC=com
  ...
  sAMAccountName: jason
  userPrincipalName: jason@data.com
SASL Authentication
(Flow diagram: PLAIN Auth -> Init SASL -> SASL Auth -> Yes/No -> OK)
Mongos / Server Configuration

/etc/mongos.conf
  security:
    keyFile: /etc/mongo.key
  setParameter:
    authenticationMechanisms: PLAIN,SCRAM-SHA-1

/etc/sysconfig/saslauthd
  SOCKETDIR=/run/saslauthd
  MECH=ldap
  FLAGS="-O /etc/saslauthd.conf"

*LDAP already configured
Mongos / Server Configuration

/etc/saslauthd.conf
  ldap_servers: ldap://127.0.0.1:389
  ldap_search_base: dc=data,dc=com
  ldap_filter: (uid=%u)
  ldap_bind_dn: uid=bind,ou=People,dc=data,dc=com
  ldap_password: <secret>

/etc/sasl2/mongodb.conf
  pwcheck_method: saslauthd
  saslauthd_path: /var/run/saslauthd/mux
  log_level: 1
  mech_list: plain

*LDAP already configured
Authentication

  // Create the externally authenticated user and grant it a role
  db.getSiblingDB("$external").createUser({
    user: "jason",
    roles: [ { role: "readWrite", db: "prod" } ]
  });

  // Authenticate with the PLAIN mechanism; the password is passed through to saslauthd undigested
  db.getSiblingDB("$external").auth({
    mechanism: "PLAIN",
    user: "jason",
    pwd: "secret",
    digestPassword: false
  });

HelloWorld.py
  from pymongo import MongoClient
  # MongoDB connection URI; establish the connection
  uri = "mongodb://jason:terpko@localhost:27018/prod?authMechanism=PLAIN&authSource=$external"
  client = MongoClient(uri)
  …
MongoDB Enterprise
- Kerberos
- Authentication
- Authorization
- Ops Manager
MongoDB Enterprise Advanced
An enterprise replacement for MongoDB Community Server.
All MongoDB 3.4 Community features, plus:
- Ops Manager
- Optional engines
- Enhanced security
- Additional software
Enterprise Authentication and Authorization
- Kerberos authentication
- LDAP authorization
Kerberos Authentication
(Flow diagram: TGT request -> Ticket -> OK -> Validate GSSAPI -> OK -> Cache)
Kerberos
A session ticket that authenticates a client to Kerberos-enabled hosts and services.

User ticket cache:
  # klist krb5cc_12345
  Ticket cache: FILE:krb5cc_12345
  Default principal: jason@DATA.COM

  Valid starting       Expires              Service principal
  01/01/2017 05:28:34  01/01/2017 17:28:34  krbtgt/DATA.COM@DATA.COM
          renew until 01/08/2017 05:28:34

*Active Directory configured
**Client Kerberos configured
Service Principal
Starting mongod with Kerberos:
  env KRB5_KTNAME=<path to keytab file> mongod -f /etc/mongod.conf

Service principal:
  # klist
  Ticket cache: FILE:krb5cc_0
  …
  Valid starting       Expires              Service principal
  01/01/2017 05:28:34  01/01/2017 17:28:34  mongodb/server1.data.com@DATA.COM
          renew until 01/08/2017 05:28:34
Mongod Configuration (security.)

/etc/mongod.conf
  security:
    authorization: enabled
    keyFile: /etc/mongo.key
    ldap:
      authz:
        queryTemplate: DC=DATA,DC=COM??sub?(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={USER}))
      bind:
        method: simple
        queryPassword: <secret>
        queryUser: bind@data.com
      servers: ldap.data.com:636
      transportSecurity: tls
      userToDNMapping: '[{match : "(.+)",ldapQuery:"DC=DATA,DC=COM??sub?(userPrincipalName={0})"}]'
  setParameter:
    authenticationMechanisms: GSSAPI
LDAP Authorization
(Flow diagram: LDAP query (memberOf) -> Authz request -> Cache -> Authorized)
Client Authentication

  // The role name is the LDAP group DN; membership in that group grants these roles
  db.getSiblingDB("admin").createRole({
    role: "CN=dba,DC=data,DC=com",
    privileges: [],
    roles: [
      "userAdminAnyDatabase",
      "readWriteAnyDatabase",
      "dbAdminAnyDatabase",
      "clusterAdmin"
    ]
  });

  // Authenticate with the Kerberos principal via GSSAPI
  db.getSiblingDB("$external").auth({ mechanism: "GSSAPI", user: "jason@DATA.COM" });

HelloWorld.py
  from pymongo import MongoClient
  # MongoDB connection URI; establish the connection (the '@' in the principal is URL-encoded as %40)
  uri = "mongodb://jason%40DATA.COM@server1.data.com:27017,.../?replicaSet=rs1&authMechanism=GSSAPI&ssl=true"
  client = MongoClient(uri)
  …
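As an added example (not from the deck and not MongoDB's own code), the Python below models how the Enterprise ldap settings from the mongod configuration slide and the role created on this slide fit together: userToDNMapping turns the Kerberos principal into an LDAP query, queryTemplate substitutes the resolved DN, and a group DN returned by that query grants a role only when a role of exactly that name exists. All directory values are constructed, the mapping is written as strict JSON rather than MongoDB's relaxed JSON, and the RFC 4515 escaping is this example's own.

```python
import json
import re

# Constructed values modelled on the deck's mongod.conf (strict JSON, unlike the deck).
USER_TO_DN_MAPPING = json.dumps([
    {"match": "(.+)", "ldapQuery": "DC=DATA,DC=COM??sub?(userPrincipalName={0})"}
])
AUTHZ_QUERY_TEMPLATE = (
    "DC=DATA,DC=COM??sub?(&(objectClass=group)"
    "(member:1.2.840.113556.1.4.1941:={USER}))"
)


def ldap_filter_escape(value):
    """RFC 4515 escaping: a substituted name must not change the filter's structure."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def user_to_dn_query(principal, mapping_json):
    """Apply the first userToDNMapping rule whose regex matches the authenticated name;
    {0}, {1}, ... in ldapQuery are replaced by the regex capture groups."""
    for rule in json.loads(mapping_json):
        m = re.fullmatch(rule["match"], principal)
        if not m:
            continue
        query = rule["ldapQuery"]
        for i, group in enumerate(m.groups()):
            query = query.replace("{%d}" % i, ldap_filter_escape(group))
        return query
    return None  # no rule matched: the user cannot be resolved


def authz_query(user_dn, template):
    """queryTemplate with {USER} replaced by the resolved DN (AD chain-matching rule)."""
    return template.replace("{USER}", ldap_filter_escape(user_dn))


def granted_roles(group_dns, defined_role_names):
    """A group DN grants a role only when the role name is the identical string."""
    return [g for g in group_dns if g in defined_role_names]


if __name__ == "__main__":
    # Constructed directory: principal -> DN, DN -> group memberships.
    directory = {"jason@DATA.COM": "CN=Jason,OU=Users,DC=data,DC=com"}
    groups = {"CN=Jason,OU=Users,DC=data,DC=com": ["CN=dba,OU=Mongo,DC=data,DC=com"]}
    print(user_to_dn_query("jason@DATA.COM", USER_TO_DN_MAPPING))
    dn = directory["jason@DATA.COM"]
    print(authz_query(dn, AUTHZ_QUERY_TEMPLATE))
    # The slide's role name differs from the group DN in the LDIF, so nothing is granted.
    print(granted_roles(groups[dn], {"CN=dba,DC=data,DC=com"}))
    print(granted_roles(groups[dn], {"CN=dba,OU=Mongo,DC=data,DC=com"}))
```

The last two calls show the check worth running before go-live: the role name on the mongod side must be the exact DN string the authorization query returns, or the authenticated user ends up with no roles.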
Ops Manager
Alternatively, manage your deployment with Ops Manager.
Questions?
Rate My Session
We're Hiring!
Looking to join a dynamic and innovative team?
https://www.objectrocket.com/careers/ or email careers@objectrocket.com
Thank you!
Address: 100 Congress Ave, Suite 400, Austin, TX 78701
Support: 1-800-961-4454
Sales: 1-888-440-3242