MongoDB in Enterprise Companies - Use Cases
Adamo, Dimitri

We..
Adamo Tonete, Support Engineer, São Paulo, Brazil
Dimitri Vanoverbeke, Solutions Engineer, Bruges, Belgium
@dim0 on twitter
Agenda ● Security ● Auditing ● Other features ● Support ● Tools
Users and Roles
Use Case
● Data access processes are essential for compliance
○ E.g. health care data is not only sensitive but is protected by laws
○ Roles can define which user/group can access the sensitive data
● Data access roles are essential for security
○ Your organisation has a support team; they need to be able to read the information, but full access might open a new can of worms.
○ Roles can protect you against user errors (PEBKAC situations)
Default Roles
● read ● readWrite ● dbAdmin ● dbOwner ● userAdmin
● clusterAdmin ● clusterMonitor ● clusterManager ● hostManager
● backup ● restore
● readAnyDatabase ● readWriteAnyDatabase ● userAdminAnyDatabase ● dbAdminAnyDatabase
● root ● __system
Default Roles
use admin
db.createUser({user: 'admin', pwd: '123', roles: ["root"]})
Default Roles
use admin
db.createUser({user: 'intern', pwd: '123', roles: ["readAnyDatabase"]})
Default Roles
https://docs.mongodb.com/manual/reference/privilege-actions/
db.createRole({
  role: 'write_foo2_Collection',
  privileges: [
    {resource: {db: "percona", collection: "foo2"}, actions: ["insert", "remove"]}
  ],
  roles: ["read"]
})
Personalized Role
https://www.percona.com/blog/2017/05/17/mongodb-authentication-and-roles-creating-your-first-personalized-role/
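To make the role slides concrete, here is an added example (not from the slides, not MongoDB's own code) that models how MongoDB resolves a user's roles, built-in and custom with inheritance, into privileges and checks one action on one resource. Built-in roles are cut down to the actions the slides use; the users admin and intern are the slides' own, "app" is a hypothetical user holding the slides' custom role, and THIS_DB stands for "the database the role was granted in".

```javascript
// Added example: simplified MongoDB role -> privilege resolution and an
// authorization check. Real built-in roles carry many more actions.
const BUILTIN_ROLES = {
  read:            [{ resource: { db: "THIS_DB", collection: "" }, actions: ["find"] }],
  readAnyDatabase: [{ resource: { db: "", collection: "" }, actions: ["find"] }],  // admin-db-only role in MongoDB
  root:            [{ resource: { anyResource: true }, actions: ["*"] }],
};
// Custom roles keyed "<db>.<role>", exactly what the slide's db.createRole in "percona" produces.
const CUSTOM_ROLES = {
  "percona.write_foo2_Collection": {
    privileges: [{ resource: { db: "percona", collection: "foo2" }, actions: ["insert", "remove"] }],
    roles: [{ role: "read", db: "percona" }],          // inherited role, resolved below
  },
};
const USERS = {
  admin:  { db: "admin",   roles: ["root"] },             // from the slides
  intern: { db: "admin",   roles: ["readAnyDatabase"] },  // from the slides
  app:    { db: "percona", roles: ["write_foo2_Collection"] },  // hypothetical
};

// "" in db or collection is a wildcard; anyResource covers everything.
function resourceMatches(res, target) {
  if (res.anyResource) return true;
  return (res.db === "" || res.db === target.db) &&
         (res.collection === "" || res.collection === target.collection);
}

// Expand a role reference into privileges, following inherited roles (cycle-safe).
function resolvePrivileges(ref, seen = new Set()) {
  const key = `${ref.db}.${ref.role}`;
  if (seen.has(key)) return [];
  seen.add(key);
  if (BUILTIN_ROLES[ref.role]) {
    return BUILTIN_ROLES[ref.role].map(p => ({
      resource: p.resource.db === "THIS_DB" ? { db: ref.db, collection: "" } : p.resource,
      actions: p.actions,
    }));
  }
  const custom = CUSTOM_ROLES[key];
  if (!custom) return [];
  return custom.privileges.concat(...custom.roles.map(r => resolvePrivileges(r, seen)));
}

// A role given as a plain string (as on the slides) lives in the user's authentication db.
function isAuthorized(user, action, target) {
  const refs = user.roles.map(r => (typeof r === "string" ? { role: r, db: user.db } : r));
  return refs.flatMap(r => resolvePrivileges(r)).some(p =>
    resourceMatches(p.resource, target) && (p.actions.includes("*") || p.actions.includes(action)));
}
```

Running the checks shows the point of the custom role: "app" can insert into percona.foo2 and, through the inherited read, find in any percona collection, but cannot insert into percona.foo or read other databases.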
LDAP
Use case
● With a large number of MongoDB servers, simple authentication would require you to maintain each server's user/group list
● Removing access to the infrastructure might be troublesome
● Compliance reasons might require you to centralise access credentials
LDAP
Authorization vs Authentication
While authentication proves who you are, authorization checks what can be done under a specific account.
LDAP
● LDAP stands for Lightweight Directory Access Protocol; it is an open protocol that allows applications to share users across the network.
● Implementations include Microsoft's own service, Active Directory, as well as IBM TDS, OpenLDAP, ...
LDAP
LDAP Tree/Domain (diagram)
http://www.openldap.org/doc/admin22/intro.html
Log Redaction
Use case
Access to the database is not the only avenue to steal information. Logs can contain data that is sensitive to a company, and if this data is not completely protected we can have a data breach.
Log Redaction - Raw
{ name: "MongoDB Internal Client", version: "3.6.7-1.5" }, os: { type: "Linux", name: "Ubuntu", architecture: "x86_64", version: "16.04" } }
2018-10-22T13:06:45.770+0000 I COMMAND [conn1] command percona.foo appName: "MongoDB Shell" command: find { find: "foo", filter: { credit_card: "734310273827328", name: "Adamo" }, $db: "percona" } planSummary: COLLSCAN keysExamined:0 docsExamined:1167744 cursorExhausted:1 numYields:9123 nreturned:0 reslen:84 locks:{ Global: { acquireCount: { r: 18248 } }, Database: { acquireCount: { r: 9124 } }, Collection: { acquireCount: { r: 9124 } } } protocol:op_msg 567ms

Log Redaction
2018-10-22T13:11:00.023+0000 I COMMAND [conn1] command percona.foo appName: "MongoDB Shell" command: find { find: "###", filter: { credit_card: "###", name: "###" }, $db: "###" } planSummary: ### keysExamined:0 docsExamined:1167744 cursorExhausted:1 numYields:9123 nreturned: 0 reslen:84 locks:{ Global: { acquireCount: { r: 18248 } }, Database: { acquireCount: { r: 9124 } }, Collection: { acquireCount: { r: 9124 } } } protocol:op_msg 572ms

Log Redaction
2018-10-22T13:00:23.530+0000 I COMMAND [conn2] command percona.foo appName: "MongoDB Shell" command: insert { insert: "###", ordered: "###", $db: "###" } ninserted:1 keysInserted:1 numYields:0 reslen:29 locks:{ Global: { acquireCount: { r: 1, w: 1 } }, Database: { acquireCount: { r: 1, w: 1 } }, Collection: { acquireCount: { w: 1 } } } protocol:op_msg 11ms
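The ### output on the slides is what the server produces with its security.redactClientLogData option. As an added example (not from the slides), the function below applies the same masking to log text that was already written unredacted, for instance before shipping old logs to a central log store: every scalar inside the command document and the planSummary become ###, while the namespace, appName and the metrics stay readable. RAW_FIND is the slide's raw line; RAW_INSERT is constructed to match the slide's insert.

```javascript
// Added example: post-hoc redaction of mongod COMMAND log lines.
const RAW_FIND = '2018-10-22T13:06:45.770+0000 I COMMAND [conn1] command percona.foo appName: "MongoDB Shell" command: find { find: "foo", filter: { credit_card: "734310273827328", name: "Adamo" }, $db: "percona" } planSummary: COLLSCAN keysExamined:0 docsExamined:1167744 cursorExhausted:1 numYields:9123 nreturned:0 reslen:84 locks:{ Global: { acquireCount: { r: 18248 } }, Database: { acquireCount: { r: 9124 } }, Collection: { acquireCount: { r: 9124 } } } protocol:op_msg 567ms';
const RAW_INSERT = '2018-10-22T13:00:23.530+0000 I COMMAND [conn2] command percona.foo appName: "MongoDB Shell" command: insert { insert: "foo", ordered: true, $db: "percona" } ninserted:1 keysInserted:1 numYields:0 reslen:29 locks:{ Global: { acquireCount: { r: 1, w: 1 } }, Database: { acquireCount: { w: 1 } }, Collection: { acquireCount: { w: 1 } } } protocol:op_msg 11ms';

// A scalar value after "key:": quoted string, number, boolean or null.
const SCALAR = /:\s*("(?:[^"\\]|\\.)*"|-?\d+(?:\.\d+)?|true|false|null)(?=[,\s}])/g;

function redactCommandLine(line) {
  const cmdPos = line.indexOf(" command: ");
  const open = cmdPos < 0 ? -1 : line.indexOf("{", cmdPos);
  if (open < 0) return line;                    // not a COMMAND line carrying a document
  let depth = 0, close = -1;                    // locate the brace closing the command document
  for (let i = open; i < line.length; i++) {
    if (line[i] === "{") depth++;
    else if (line[i] === "}" && --depth === 0) { close = i; break; }
  }
  if (close < 0) return line;                   // truncated document: leave it rather than guess
  const doc = line.slice(open, close + 1).replace(SCALAR, ': "###"');
  // planSummary is replaced as one token; an index spec after IXSCAN is not handled here.
  return (line.slice(0, open) + doc + line.slice(close + 1))
    .replace(/planSummary: \S+/, "planSummary: ###");
}
```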
Auditing
Use Case
Databases are there to be used, however it is difficult to keep track of actions on the infrastructure.
● Drop collection/data situations
● Security and access compliance
● Analysing application behaviour
Auditing
● Percona Server for MongoDB
● MongoDB Enterprise
Auditing
● Auditing allows us to record only certain types of queries and commands.
● We can choose between saving to a text file, a BSON file or JSON.
● Later the data can be processed to generate useful information for the security team.
Auditing
{"atype":"authenticate","ts":{"$date":"2017-02-14T14:11:29.975+0100"},"local":{"ip":"127.0.1.1","port":27017},"remote":{"ip":"127.0.0.1","port":42634},"users":[],"roles":[],"param":{"user":"root","db":"admin","mechanism":"SCRAM-SHA-1"},"result":18}
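The slide's record is a failed login (result 18 is MongoDB's AuthenticationFailed error code). As an added example (not from the slides), the function below reads a JSON audit log one record per line and raises the two kinds of alert the auditing use-case slide asks for: repeated failed logins for a user from one address, and successful collection drops with the user who ran them. The sample log is constructed for this example; its first line mirrors the slide.

```javascript
// Added example: alerting over Percona Server for MongoDB / MongoDB Enterprise JSON audit records.
const AUTH_FAILED = 18;   // MongoDB error code AuthenticationFailed

// Constructed sample: three failed root logins from 127.0.0.1, one failed login by
// another user, one successful login, then a dropCollection by user "intern".
const SAMPLE_AUDIT_LOG = [
  '{"atype":"authenticate","ts":{"$date":"2017-02-14T14:11:29.975+0100"},"local":{"ip":"127.0.1.1","port":27017},"remote":{"ip":"127.0.0.1","port":42634},"users":[],"roles":[],"param":{"user":"root","db":"admin","mechanism":"SCRAM-SHA-1"},"result":18}',
  '{"atype":"authenticate","ts":{"$date":"2017-02-14T14:11:31.102+0100"},"local":{"ip":"127.0.1.1","port":27017},"remote":{"ip":"127.0.0.1","port":42636},"users":[],"roles":[],"param":{"user":"root","db":"admin","mechanism":"SCRAM-SHA-1"},"result":18}',
  '{"atype":"authenticate","ts":{"$date":"2017-02-14T14:11:32.417+0100"},"local":{"ip":"127.0.1.1","port":27017},"remote":{"ip":"10.0.0.5","port":51000},"users":[],"roles":[],"param":{"user":"intern","db":"admin","mechanism":"SCRAM-SHA-1"},"result":18}',
  '{"atype":"authenticate","ts":{"$date":"2017-02-14T14:11:33.250+0100"},"local":{"ip":"127.0.1.1","port":27017},"remote":{"ip":"127.0.0.1","port":42638},"users":[],"roles":[],"param":{"user":"root","db":"admin","mechanism":"SCRAM-SHA-1"},"result":18}',
  '{"atype":"authenticate","ts":{"$date":"2017-02-14T14:12:01.000+0100"},"local":{"ip":"127.0.1.1","port":27017},"remote":{"ip":"10.0.0.5","port":51002},"users":[],"roles":[],"param":{"user":"intern","db":"admin","mechanism":"SCRAM-SHA-1"},"result":0}',
  '{"atype":"dropCollection","ts":{"$date":"2017-02-14T14:12:05.310+0100"},"local":{"ip":"127.0.1.1","port":27017},"remote":{"ip":"10.0.0.5","port":51002},"users":[{"user":"intern","db":"admin"}],"roles":[{"role":"dbOwner","db":"percona"}],"param":{"ns":"percona.foo"},"result":0}',
].join("\n");

function analyseAuditLog(text, failureThreshold = 3) {
  const failures = new Map();                       // "user@remote-ip" -> failed attempts
  const alerts = [];
  for (const line of text.split("\n")) {
    if (!line.trim()) continue;
    let rec;
    try { rec = JSON.parse(line); } catch (e) { alerts.push({ kind: "unparseable", line }); continue; }
    if (rec.atype === "authenticate" && rec.result === AUTH_FAILED) {
      const key = `${rec.param.user}@${rec.remote.ip}`;
      const n = (failures.get(key) || 0) + 1;
      failures.set(key, n);
      if (n === failureThreshold) alerts.push({ kind: "repeated_auth_failure", key, count: n });
    } else if (rec.atype === "dropCollection" && rec.result === 0) {
      // "users" is the authenticated user; empty when auth is disabled
      const actor = rec.users.map(u => `${u.user}@${u.db}`).join(",") || "<unauthenticated>";
      alerts.push({ kind: "collection_dropped", ns: rec.param.ns, by: actor, at: rec.ts.$date });
    }
  }
  return alerts;
}
```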
TDE - Transparent Data Encryption
TDE - use cases
A required feature for PCI/HIPAA/GDPR compliance and a good practice in security.
E.g. system engineers on your infrastructure do not need access to the data; DBAs do.
TDE is one of the most demanded features for enterprise companies.
TDE
Percona Server for MongoDB 3.6.8-2.0 now offers TDE using LOCAL KEY management. This is our first step towards fully supporting all the major enterprise features, and we are working on third-party key management for future releases.
MongoDB Enterprise offers TDE with a local key or third-party vaults.
TDE
● Some overhead may be more visible when using LUKS (disk encryption), but the overall overhead in WiredTiger can be negligible, as we are trading speed for security.

TDE Consequences
● Added complexity during DR
● If the encryption key is lost, no one can read the files.
TLS/SSL
Use cases
Encryption at rest only protects access on the server. Encryption in transit protects you against breaches on other servers.
E.g. one of your monitoring servers is in the same subnet as your database environment; sniffing gives the ability to read the transactions.

TLS/SSL
By default all the communication between mongod instances and clients is not encrypted, which leaves room to sniff packets. And this is as easy as:
sudo tcpdump dst port 27017 -A -s 1240 -ttt -w tcpdump.tcp -i eth0

TLS/SSL
I've run an insert in the database with the following values:
> use percona
switched to db percona
> db.creditcard.insert({number : '123456753443435', code : '123', name : 'Adamo'})
WriteResult({ "nInserted" : 1 })
> exit
Backups
Use case Do we really need to explain?
MongoDump
Standard utility for making a binary export of MongoDB data. Output is:
<directory>
  ------> Mydatabase (folder)
    -----> Mycollection.bson
    -----> Mycollection.metadata.json
    -----> system.indexes.bson
Consistent Backup
● Works on replica sets and sharded clusters
● Creates consistent backups
● Runs multiple mongodumps
● Keeps track of changes in the oplog (oplogtail)
● Labs
● Upload to S3 possible

Atlas (MongoDB)
● Fully managed backup solution
● $$$
● Continuous backups
○ Consistent backups using a marker on shards (mongos)
● Cloud snapshots (AWS and Azure)

Hot Backup (PSMDB)
● Included in Percona Server for MongoDB
● Lightweight backup solution
● Point-in-time backup
● Performs WiredTiger snapshots (comparable to an LVM snapshot, but at the database level)
Specific use cases: Storage Engine
Use cases
In some cases you have a specific workload:
● Massive inserts, sporadic data access
● Significant caching requirements
● Requiring predictable latency for reads

Percona Memory Engine
100% open source solution. Focuses on delivering:
● High performance reads with predictable latency
● Can replace memcached for sessions
● High speed data manipulation
Support Just come to us! Compare on our website if you want!
Tools
Tools
● mongostat
● mongotop
● mongoreplay
● PMM and QAN
● MongoDB Cloud ($, paid)
● Compass
● 3rd party tools (http://mongodb-tools.com)
Wrapping up
Wrapping up
It is possible to get almost the same features as MongoDB Enterprise for free using Percona Server for MongoDB.
There are useful tools, both free and paid.
A safe environment depends on the company policies.
A lot of root users means no root user.
Features comparison
Features comparison
LDAP does offer authentication but not authorization. Every user must exist in the MongoDB database with a role assigned. It is possible to have a script sync'ing users from an LDAP directory to MongoDB.
Questions
Rate My Session

Thank You Sponsors!!