展开查看详情
1 .MongoDB Data Security - Custom Roles and Views
Webinar - Wednesday June 26th
Adamo Tonete - Support Engineer
�
2 .About Me
Adamo Tonete
I've been working at Percona since 2015 as a Senior Support Engineer.
�
3 .Agenda
● Installing MongoDB in a secure way
● Default roles
● Creating your own role
● Using views
● Views + User Defined Roles for best security
● Questions
�
4 .Installing MongoDB
By default MongoDB doesn't come with authentication and for this reason
we do see a lot of news reporting data leaks and data ransomware.
From version 4.0+ it is mandatory to set the bindIP, or specify manually if
the database must listen to all IPS.
�
5 .Installing MongoDB - Listen IP
For new versions it is necessary to set a listening IP, which means the
database will only answer queries and commands which come from this
IP address.
�
6 .Installing MongoDB - Listen IP
Bad Practice
net:
bindIp: 0.0.0.0
Good Practice
net:
bindIp: 172.10.10.122
�
7 . Installing MongoDB - Enabling Authentication
Authentication is not enabled by default, we need to configure and create
the root user as the first step for a secure environment.
�
8 . Installing MongoDB - Enabling Authentication
mongod.conf
authorization.enabled : true
use admin
db.createUser({user : 'administrator',
pwd : '123321',
roles : ["root"]})
�
9 .Installing MongoDB - Replicasets?
The minimum security option for a replica set is having a key file, that will
ensure the instances can talk each other.
Primary
Trust each other
Secondary Secondary
repl
�
10 .Installing MongoDB - Replicasets?
openssl rand -base64 756 > mykeyfile
chmod 400 mykeyfile
mongod.conf
security.keyFile : mykeyfile
Alert: This change enables authentication as well!
�
11 .Installing MongoDB - User IPS
Still talking about new versions, new users can have an IP number and
the database will only accept commands from there.
�
12 .Authentication Restrictions
use admin
db.createUser({user : 'local_administrator',
pwd : '123321',
roles : ["root"],
authenticationRestrictions : {
clientSource: ["127.0.0.1"]
}})
�
13 .Roles
Database comes with several roles - that is enough for most of the cases
�
14 .Default Roles
All the roles listed below come by default in the MongoDB database
server
read readWrite dbAdmin dbOwner userAdmin
clusterAdmin clusterManager clusterMonitor hostManager backup
restore readAnyDatabase readWriteAnyDatabase userAdminAnyDatabase
dbAdminAnyDatabase root __system
�
15 .Default Roles
use admin
db.createUser({user : 'read_any',
pwd : '123',
roles : ["readAnyDatabase"]})
�
16 .Creating Custom Role
db.createRole({
role: "view_employee",
privileges: [
{ resource: { db: "percona", collection: "employees" }, actions: [
"find","collStats"]}
],
roles: [
{ role: "read", db: "admin" }
]
�
17 .Views
How to create and maintain a view
�
18 .Views
Views are pre-established code that is executed when querying from
them.
For a user a view is just a collection and by default a view is read only.
Views can run simple queries or complex aggregation pipelines.
For this example we are going to create a view that only gives
employee name and id to a third party provider that will integrate with
us.
�
19 .Creating a View
Use database
db.createView('vw_emp_names', 'employee',
[{ $project: { _id: 1, name : 1 } } ]
)
�
20 .Creating View
How to create a view?
From the docs:
db.createView(<view>, <source>, <pipeline>, <options>)
collation: {
locale: <string>,
caseLevel: <boolean>,
Options is basically the collation caseFirst: <string>,
strength: <int>,
numericOrdering: <boolean>,
alternate: <string>,
maxVariable: <string>,
backwards: <boolean>
}
�
21 .Acceptable Pipeline Operator
All the operators used in a aggregation are available in a view meaning
you can use $match, $unwind, $project.. and so on..
https://docs.mongodb.com/manual/meta/aggregation-quick-reference/
�
22 .Accessing a view
In order to execute the view code we need to invoke a find command
The following command executes the code:
db.vw_emp_names.find()
Views are also visible as a collection, a show collections command will
return the views as well.
�
23 .Giving Access to Views
How to control who can query a view
�
24 .Minimum Access
use admin
db.createRole(
{
role: "view_views",
privileges: [
{ resource: { db: "percona", collection: "system.views" }, actions: [ "find" ]
},
{ resource: { db: "percona", collection: "employees_name" }, actions: [
"find","collStats"]}
],
roles: [
{ role: "read", db: "admin" }
]
}
)
�
25 .Minimum Access
use admin
db.createUser({user : 'intern', pwd : '123', roles : ["view_views"]})
�
27 .Live Demonstration
<live demo>
�
热门城市
