external authentication with percona server for mongodb
play

External Authentication with Percona Server for MongoDB and MongoDB - PowerPoint PPT Presentation

Jan 06, 2024 •170 likes •430 views

External Authentication with Percona Server for MongoDB and MongoDB Enterprise Jason Terpko DBA @ Rackspace/ObjectRocket linkedin.com/in/jterpko 1 Overview Percona Server For MongoDB o SASL and LDAP o MongoDB Enterprise o Kerberos and

  1. External Authentication with Percona Server for MongoDB and MongoDB Enterprise Jason Terpko DBA @ Rackspace/ObjectRocket linkedin.com/in/jterpko 1

  2. Overview Percona Server For MongoDB o SASL and LDAP o MongoDB Enterprise o Kerberos and Active Directory o Ops Manager o www.objectrocket.com 2

  3. Percona Server For MongoDB An enhanced free open source replacement for MongoDB Community Server All MongoDB 3.4 Community Features � SASL Authentication � More Engine Options � Hot Backup � Auditing www.objectrocket.com 3

  4. External Authentication LDAP o SASL o Authentication o www.objectrocket.com 4

  5. Centralized Authentication LDAP (Lightweight Directory Access Protocol) and Microsoft Active Directory OpenLDAP Active Directory # extended LDIF # extended LDIF ... ... dn: uid=jason,ou=dba,dc=data,dc=com dn: CN=Jason,OU=Users,DC=data,DC=com ... ... cn: jasonuid: jason cn: Jason uidNumber: 9999 memberOf: CN=dba,OU=Mongo,DC=data,DC=com gidNumber: 100 ... ... sAMAccountName: jason userPassword:: <secret> userPrincipalName: jason@data.com www.objectrocket.com 5

  6. SASL Authentication PLAIN Auth Init SASL Yes/No Yes/No SASL Auth Yes Yes OK www.objectrocket.com 6

  7. Mongos / Server Configuration /etc/mongos.conf security: keyFile: /etc/mongo.key setParameter: authenticationMechanisms: PLAIN,SCRAM-SHA-1 /etc/sysconfig/saslauthd SOCKETDIR=/run/saslauthd MECH=ldap FLAGS="-O /etc/saslauthd.conf" *LDAP Already Configured www.objectrocket.com 7

  8. Mongos / Server Configuration /etc/saslauthd.conf ldap_servers: ldap://127.0.0.1:389 ldap_search_base: dc=data,dc=com ldap_filter: (uid=%u) ldap_bind_dn: uid=bind,ou=People,dc=data,dc=com ldap_password: <secret> /etc/sasl2/mongodb.conf pwcheck_method: saslauthd saslauthd_path: /var/run/saslauthd/mux log_level: 1 mech_list: plain *LDAP Already Configured www.objectrocket.com 8

  9. Authentication db.getSiblingDB("$external").createUser({user : 'jason', roles: [ {role : "readWrite", db: 'prod'} ] }); db.getSiblingDB("$external").auth({mechanism: "PLAIN", "user": "jason", "pwd": ”secret", "digestPassword": false }); HelloWorld.py from pymongo import MongoClient # MongoDB Connection URI and Establish Connection uri = "mongodb://jason:terpko@localhost:27018/prod?authMechanism=PLAIN&authSource=$external” client = MongoClient(uri) … www.objectrocket.com 9

  10. MongoDB Enterprise Kerberos o Authentication o Authorization o Ops Manager o www.objectrocket.com 10

  11. MongoDB Enterprise Advance An enterprise replacement for MongoDB Community Server All MongoDB 3.4 Community Features � Ops Manager � Optional Engines � Enhanced Security � Additional Software www.objectrocket.com 11

  12. Enterprise Authentication and Kerberos Authentication o Authorization LDAP Authorization o www.objectrocket.com 12

  13. Kerberos Authentication TGT request Ticket OK Validate GSSAPI OK Cache www.objectrocket.com 13

  14. Kerberos A session ticket that authenticates a client to Kerberos enabled host and services. User Ticket Cache: # klist krb5cc_12345 Ticket cache: FILE:krb5cc_12345 Default principal: jason@DATA.COM Valid starting Expires Service principal 01/01/2017 05:28:34 01/01/2017 17:28:34 krbtgt/DATA.COM@DATA.COM renew until 01/08/2017 05:28:34 *Active Directory Configured **Client Kerberos Configured www.objectrocket.com 14

  15. Service Principle Starting MongoD with Kerberos env KRB5_KTNAME=<path to keytab file> mongod -f /etc/mongod.conf Service Principle # klist Ticket cache: FILE:krb5cc_0 … Valid starting Expires Service principal 01/01/2017 05:28:34 01/01/2017 17:28:34 mongodb/server1.data.com@DATA.COM renew until 01/08/2017 05:28:34 www.objectrocket.com 15

  16. Mongod Configuration (security.) /etc/mongod.conf security: authorization: enabled keyFile: /etc/mongo.key ldap: authz: queryTemplate: DC=DATA,DC=COM??sub?(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={USER})) bind: method: simple queryPassword: <secret> queryUser: bind@data.com servers: ldap.data.com:636 transportSecurity: tls userToDNMapping: '[{match : "(.+)",ldapQuery:"DC=DATA,DC=COM??sub?(userPrincipalName={0})"}]' setParameter: authenticationMechanisms: GSSAPI www.objectrocket.com 16

  17. Mongod Configuration (security.) /etc/mongod.conf security: authorization: enabled keyFile: /etc/mongo.key ldap: authz: queryTemplate: DC=DATA,DC=COM??sub?(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={USER})) bind: method: simple queryPassword: <secret> queryUser: bind@data.com servers: ldap.data.com:636 transportSecurity: tls userToDNMapping: '[{match : "(.+)",ldapQuery:"DC=DATA,DC=COM??sub?(userPrincipalName={0})"}]' setParameter: authenticationMechanisms: GSSAPI www.objectrocket.com 17

  18. Mongod Configuration (security.) /etc/mongod.conf security: authorization: enabled keyFile: /etc/mongo.key ldap: authz: queryTemplate: DC=DATA,DC=COM??sub?(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={USER})) bind: method: simple queryPassword: <secret> queryUser: bind@data.com servers: ldap.data.com:636 transportSecurity: tls userToDNMapping: '[{match : "(.+)",ldapQuery:"DC=DATA,DC=COM??sub?(userPrincipalName={0})"}]' setParameter: authenticationMechanisms: GSSAPI www.objectrocket.com 18

  19. LDAP Authorization LDAP Query memberOf Authz request Cache Authorized www.objectrocket.com 19

  20. Client Authentication db.getSiblingDB("admin").createRole( { role: "CN=dba,DC=data,DC=com", privileges: [], roles: [ "userAdminAnyDatabase", "readWriteAnyDatabase", "dbAdminAnyDatabase", "clusterAdmin" ] }); db.getSiblingDB("$external").auth({mechanism: "GSSAPI", "user": "jason@DATA.COM" }); HelloWorld.py from pymongo import MongoClient # MongoDB Connection URI and Establish Connection uri="mongodb://jason%40DATA.COM@server1.data.com:27017,.../?replicaSet=rs1&authMechanism=GSSAPI&ssl=true” client=MongoClient(uri) … www.objectrocket.com 20

  21. Ops Manager Alternatively manage your deployment with Ops Manager. www.objectrocket.com 21

  22. Questions? www.objectrocket.com 22

  23. Rate My Session www.objectrocket.com 23

  24. We’re Hiring! Looking to join a dynamic & innovative team? https://www.objectrocket.com/careers/ or email careers@objectrocket.com www.objectrocket.com 24

  25. Thank you! Address: 100 Congress Ave Suite 400 Austin, TX 78701 Support: 1-800-961-4454 Sales: 1-888-440-3242 www.objectrocket.com 25

Recommend

Percona Backup for MongoDB Akira Kurogane Percona 3 - 2 - 1 MongoDB Percona Server for

Percona Backup for MongoDB Akira Kurogane Percona 3 - 2 - 1 MongoDB Percona Server for

Percona Backup for MongoDB Akira Kurogane Percona 3 - 2 - 1 MongoDB Percona Server for MongoDB Community Edition MongoDB Enterprise Edition Replica Set Cluster Percona Backup for MongoDB 2 Elements of MongoDB Backups 3 MongoDB oplog

1.43k views • 38 slides
What's New in Percona Server for MongoDB? 2019 Q3: Enterprise Enhancements and v4.2 4:00 PM -

What's New in Percona Server for MongoDB? 2019 Q3: Enterprise Enhancements and v4.2 4:00 PM -

What's New in Percona Server for MongoDB? 2019 Q3: Enterprise Enhancements and v4.2 4:00 PM - 4:50 PM - Room B About Adamo and Akira Two of the most experienced MongoDB field experts in the world. Adamo w/ MongoDB: 2013 ~ MongoDB: 2009 ~

811 views • 66 slides
Mesosphere and Percona Server for MongoDB Peter Schwaller, Senior Director Server Eng. (Percona)

Mesosphere and Percona Server for MongoDB Peter Schwaller, Senior Director Server Eng. (Percona)

Mesosphere and Percona Server for MongoDB Peter Schwaller, Senior Director Server Eng. (Percona) Taco Scargo, Senior Solution Engineer (Mesosphere) Mesosphere DC/OS MICROSERVICES, CONTAINERS, &amp; DEV TOOLS DATA SERVICES, MACHINE LEARNING,

307 views • 18 slides
Mesosphere and Percona Server for MongoDB Jeff Sandstrom, Product Manager (Percona) Ravi Yadav,

Mesosphere and Percona Server for MongoDB Jeff Sandstrom, Product Manager (Percona) Ravi Yadav,

Mesosphere and Percona Server for MongoDB Jeff Sandstrom, Product Manager (Percona) Ravi Yadav, Tech. Partnerships Lead (Mesosphere) Mesosphere DC/OS MICROSERVICES, CONTAINERS, &amp; DEV TOOLS DATA SERVICES, MACHINE LEARNING, &amp; AI Broad

482 views • 18 slides
Database Encryption for MongoDB Peter Schwaller Senior Director Server Engineering, Percona

Database Encryption for MongoDB Peter Schwaller Senior Director Server Engineering, Percona

Open Source Transparent Database Encryption for MongoDB Peter Schwaller Senior Director Server Engineering, Percona Agenda Why encrypt? What gets encrypted? What is supported where? How does it all work? Future of open

227 views • 11 slides
Percona Server for MySQL 8.0 Laurynas Biveinis Percona First of All, What Is Percona Server

Percona Server for MySQL 8.0 Laurynas Biveinis Percona First of All, What Is Percona Server

Percona Server for MySQL 8.0 Laurynas Biveinis Percona First of All, What Is Percona Server for MySQL? a free, fully compatible, enhanced and open source drop-in replacement for any MySQL database 2 First of All, What Is

2.47k views • 28 slides
MongoDB Backups, All Grown up! David Murphy David Murphy MongoDB Practice Manager for Percona

MongoDB Backups, All Grown up! David Murphy David Murphy MongoDB Practice Manager for Percona

MongoDB Backups, All Grown up! David Murphy David Murphy MongoDB Practice Manager for Percona Past highlights MySQL &amp; NoSQL Architect for Electronic Arts Original and Lead DBA for Objectrocket, the performance DBaaS for MongoDB

765 views • 30 slides
External Identity and Authentication Providers For Apache HTTP Server Jan Pazdziora Principal

External Identity and Authentication Providers For Apache HTTP Server Jan Pazdziora Principal

External Identity and Authentication Providers For Apache HTTP Server Jan Pazdziora Principal Software Engineer Identity Management Engineering, Red Hat 17 th November 2014 Basic Authentication The only authentication option in 1996 when

393 views • 21 slides
Running MongoDB in Production Tim Vaillancourt Sr Technical Operations Architect, Percona

Running MongoDB in Production Tim Vaillancourt Sr Technical Operations Architect, Percona

Running MongoDB in Production Tim Vaillancourt Sr Technical Operations Architect, Percona `whoami` { name: tim, lastname: vaillancourt, employer: percona, techs: [ mongodb, mysql, cassandra,

1.89k views • 124 slides
Building an Enterprise Grade PostgreSQL Using Open Source Tools and Extensions Avinash Vallarapu

Building an Enterprise Grade PostgreSQL Using Open Source Tools and Extensions Avinash Vallarapu

Building an Enterprise Grade PostgreSQL Using Open Source Tools and Extensions Avinash Vallarapu Percona Enterprise-Grade Support For Any Database Percona Server for MySQL Percona XtraDB Cluster Percona Server for MongoDB

521 views • 16 slides
Time-Series Data in MongoDB on a Budget Peter Schwaller Senior Director Server Engineering,

Time-Series Data in MongoDB on a Budget Peter Schwaller Senior Director Server Engineering,

Time-Series Data in MongoDB on a Budget Peter Schwaller Senior Director Server Engineering, Percona Santa Clara, California | April 23th 25th, 2018 TIME SERIES DATA in MongoDB on a Budget Click to add text What is Time-Series Data?

585 views • 43 slides
MongoDB Analysis with Prometheus and Grafana Akira Kurogane Percona Talk Overview The

MongoDB Analysis with Prometheus and Grafana Akira Kurogane Percona Talk Overview The

MongoDB Analysis with Prometheus and Grafana Akira Kurogane Percona Talk Overview The 'math' in MongoDB metrics MongoDB's counters and 'gauges' mongodb_exporter metrics Prometheus equations PMM's Grafana dashboards

1.06k views • 31 slides
Deploying MySQL and MongoDB in Kubernetes Alexander Rubin Percona About me Working with

Deploying MySQL and MongoDB in Kubernetes Alexander Rubin Percona About me Working with

Deploying MySQL and MongoDB in Kubernetes Alexander Rubin Percona About me Working with MySQL for 10-15 years Started at MySQL AB, Sun Microsystems, Oracle (MySQL Consulting) Joined Percona in 2013 2 What is Kubernetes?

734 views • 60 slides
MongoDB Backup and Recovery Field Guide Tim Vaillancourt Sr Technical Operations Architect,

MongoDB Backup and Recovery Field Guide Tim Vaillancourt Sr Technical Operations Architect,

MongoDB Backup and Recovery Field Guide Tim Vaillancourt Sr Technical Operations Architect, Percona `whoami` { name: tim, lastname: vaillancourt, employer: percona, techs: [ mongodb, mysql, cassandra,

463 views • 24 slides
MySQL/Percona Server/MariaDB Server security features overview Colin Charles, Chief Evangelist,

MySQL/Percona Server/MariaDB Server security features overview Colin Charles, Chief Evangelist,

MySQL/Percona Server/MariaDB Server security features overview Colin Charles, Chief Evangelist, Percona Inc. colin.charles@percona.com / byte@bytebot.net http://bytebot.net/blog/ | @bytebot on Twitter Percona Live Santa Clara 2018, Santa Clara,

681 views • 64 slides
In-depth Percona Server/MySQL encryption Robert Golebiowski Percona Keyrings Keyrings

In-depth Percona Server/MySQL encryption Robert Golebiowski Percona Keyrings Keyrings

In-depth Percona Server/MySQL encryption Robert Golebiowski Percona Keyrings Keyrings General Concept Plugin installation - always successful - keyrings variables may need correction - keyring_vault_config - keyring_file_data 3

780 views • 47 slides
Custom Roles and Views Room Texas 6 - 16:10 About Me Adamo Tonete I've been working at Percona

Custom Roles and Views Room Texas 6 - 16:10 About Me Adamo Tonete I've been working at Percona

MongoDB Data Security - Custom Roles and Views Room Texas 6 - 16:10 About Me Adamo Tonete I've been working at Percona since 2015 as a Senior Support Engineer. Agenda Installing MongoDB in a secure way Default roles Creating

487 views • 30 slides
1. Instillations o https://www.mongodb.com/download-center/community 2. Download and Install

1. Instillations o https://www.mongodb.com/download-center/community 2. Download and Install

1. Instillations o https://www.mongodb.com/download-center/community 2. Download and Install MongoDB community server o Create a separate installation location /directory mongodb (for windows, c:\mongodb) and install your MongoDB in that

568 views • 3 slides
Your First MongoDB Environment: What You Should Know Before Choosing MongoDB as Your Database Me

Your First MongoDB Environment: What You Should Know Before Choosing MongoDB as Your Database Me

Your First MongoDB Environment: What You Should Know Before Choosing MongoDB as Your Database Me - @adamotonete Adamo Tonete Senior Technical Engineer Brazil Agenda What is MongoDB? The good side of MongoDB with details.

715 views • 26 slides
Tuning L Linux f for M MongoDB Tim V Vaillancourt Sr. T . Technical O Operations A

Tuning L Linux f for M MongoDB Tim V Vaillancourt Sr. T . Technical O Operations A

Tuning L Linux f for M MongoDB Tim V Vaillancourt Sr. T . Technical O Operations A Architect About M Me Joined Percona in January 2016 Sr Technical Operations Architect for MongoDB Previous: EA DICE (MySQL DBA) EA

681 views • 26 slides
MongoDB cool administration tips Gabriel Ciciliani - Percona Live Europe 2018 #1 db.currentOps()

MongoDB cool administration tips Gabriel Ciciliani - Percona Live Europe 2018 #1 db.currentOps()

MongoDB cool administration tips Gabriel Ciciliani - Percona Live Europe 2018 #1 db.currentOps() flat output db.currentOps() flat output mongo&gt; db.currentOp(&lt;filters&gt;).inprog.forEach( function(d){ var q = {};

364 views • 21 slides
MongoDB Sharding 101 Agenda What is MongoDB? Single Instances Replica-set

MongoDB Sharding 101 Agenda What is MongoDB? Single Instances Replica-set

MongoDB Sharding 101 Agenda What is MongoDB? Single Instances Replica-set architecture Shard architecture Q&amp;A What is MongoDB MongoDB MongoDB is a free and open-source, cross-platform, document-oriented

600 views • 44 slides
The Backup Methods Available for MongoDB Adamo Tonete Agenda Backup importance for companies

The Backup Methods Available for MongoDB Adamo Tonete Agenda Backup importance for companies

The Backup Methods Available for MongoDB Adamo Tonete Agenda Backup importance for companies and backup plans. Available Methods: - Disk Snapshot - mongodump - rsync or copy - Point in time backup from Percona - MongoDB Cloud / Ops

618 views • 57 slides
Dos and Donts of a Hybrid Environment MySQL and MongoDB Introduction Im Rick Vasquez a

Dos and Donts of a Hybrid Environment MySQL and MongoDB Introduction Im Rick Vasquez a

Dos and Donts of a Hybrid Environment MySQL and MongoDB Introduction Im Rick Vasquez a TAM at Percona. I have all three types of customers: MongoDB only 1. MySQL only 2. MongoDB and MySQL hybrid 3. The Dos of a Hybrid

562 views • 14 slides

More recommend