MongoDB Data Security-Custom Rules and Views

Adamo Tonete
Adamo joined Percona in 2015, after working as a MongoDB/MySQL Database Administrator for three years. As the main database member of a startup, he was responsible for suggesting the best architecture and data flows for a worldwide company in a 7/24 environment. Before that, he worked as a Microsoft SQL Server DBA in a large e-commerce company, mainly on performance tuning and automation. Adamo has almost eight years of experience working as a DBA and in the past three years he has moved to NoSQL technologies without giving up relational databases. He likes to play videogames and to study everything that is related to engines. Adamo lives with his wife in São Paulo, Brazil.


1.MongoDB Data Security - Custom Roles and Views Webinar - Wednesday June 26th Adamo Tonete - Support Engineer

2.About Me Adamo Tonete I've been working at Percona since 2015 as a Senior Support Engineer.

3.Agenda ● Installing MongoDB in a secure way ● Default roles ● Creating your own role ● Using views ● Views + User Defined Roles for best security ● Questions

4.Installing MongoDB By default MongoDB doesn't come with authentication and for this reason we do see a lot of news reporting data leaks and data ransomware. From version 4.0+ it is mandatory to set the bindIP, or specify manually if the database must listen to all IPS.

5.Installing MongoDB - Listen IP For new versions it is necessary to set a listening IP, which means the database will only answer queries and commands which come from this IP address.

6.Installing MongoDB - Listen IP Bad Practice net: bindIp: Good Practice net: bindIp:

7. Installing MongoDB - Enabling Authentication Authentication is not enabled by default, we need to configure and create the root user as the first step for a secure environment.

8. Installing MongoDB - Enabling Authentication mongod.conf authorization.enabled : true use admin db.createUser({user : 'administrator', pwd : '123321', roles : ["root"]})

9.Installing MongoDB - Replicasets? The minimum security option for a replica set is having a key file, that will ensure the instances can talk each other. Primary Trust each other Secondary Secondary repl

10.Installing MongoDB - Replicasets? openssl rand -base64 756 > mykeyfile chmod 400 mykeyfile mongod.conf security.keyFile : mykeyfile Alert: This change enables authentication as well!

11.Installing MongoDB - User IPS Still talking about new versions, new users can have an IP number and the database will only accept commands from there.

12.Authentication Restrictions use admin db.createUser({user : 'local_administrator', pwd : '123321', roles : ["root"], authenticationRestrictions : { clientSource: [""] }})

13.Roles Database comes with several roles - that is enough for most of the cases

14.Default Roles All the roles listed below come by default in the MongoDB database server read readWrite dbAdmin dbOwner userAdmin clusterAdmin clusterManager clusterMonitor hostManager backup restore readAnyDatabase readWriteAnyDatabase userAdminAnyDatabase dbAdminAnyDatabase root __system

15.Default Roles use admin db.createUser({user : 'read_any', pwd : '123', roles : ["readAnyDatabase"]})

16.Creating Custom Role db.createRole({ role: "view_employee", privileges: [ { resource: { db: "percona", collection: "employees" }, actions: [ "find","collStats"]} ], roles: [ { role: "read", db: "admin" } ]

17.Views How to create and maintain a view

18.Views Views are pre-established code that is executed when querying from them. For a user a view is just a collection and by default a view is read only. Views can run simple queries or complex aggregation pipelines. For this example we are going to create a view that only gives employee name and id to a third party provider that will integrate with us.

19.Creating a View Use database db.createView('vw_emp_names', 'employee', [{ $project: { _id: 1, name : 1 } } ] )

20.Creating View How to create a view? From the docs: db.createView(<view>, <source>, <pipeline>, <options>) collation: { locale: <string>, caseLevel: <boolean>, Options is basically the collation caseFirst: <string>, strength: <int>, numericOrdering: <boolean>, alternate: <string>, maxVariable: <string>, backwards: <boolean> }

21.Acceptable Pipeline Operator All the operators used in a aggregation are available in a view meaning you can use $match, $unwind, $project.. and so on..

22.Accessing a view In order to execute the view code we need to invoke a find command The following command executes the code: db.vw_emp_names.find() Views are also visible as a collection, a show collections command will return the views as well.

23.Giving Access to Views How to control who can query a view

24.Minimum Access use admin db.createRole( { role: "view_views", privileges: [ { resource: { db: "percona", collection: "system.views" }, actions: [ "find" ] }, { resource: { db: "percona", collection: "employees_name" }, actions: [ "find","collStats"]} ], roles: [ { role: "read", db: "admin" } ] } )

25.Minimum Access use admin db.createUser({user : 'intern', pwd : '123', roles : ["view_views"]})

26.Live Demonstration

27.Live Demonstration <live demo>