MongoDB Data Security - Custom Roles and Views

In this talk we discuss how to create custom roles when the default roles are not enough for an application.
Do you need to give a user a more permissive role because that user wants to run one specific command?
We will also discuss how to use views to hide fields when you do not want users to read an entire collection. If you have security concerns, come to this talk.


1. MongoDB Data Security - Custom Roles and Views (Room Texas 6 - 16:10)

2. About Me: Adamo Tonete. I've been working at Percona since 2015 as a Senior Support Engineer.

3. Agenda
● Installing MongoDB in a secure way
● Default roles
● Creating your own role
● Using views
● Views + user-defined roles for best security
● Questions

4. Installing MongoDB: By default MongoDB does not ship with authentication enabled, and for this reason we see a lot of news reports about data leaks. From version 4.0 onward it is mandatory to set bindIp, or to specify explicitly that the database must listen on all IPs.

5. Installing MongoDB - Listen IP: For new versions it is necessary to set a listening IP, which means the database will only accept queries and commands arriving on that IP address.

6. Installing MongoDB - Listen IP

Bad practice (listens on every interface):
    net:
      bindIp: 0.0.0.0

Good practice (listens only on the intended interface):
    net:
      bindIp: 172.10.10.122

7. Installing MongoDB - Enabling Authentication: Authentication is not enabled by default, so the first step towards a secure environment is to enable it in the configuration and create the root user.

8. Installing MongoDB - Enabling Authentication

mongod.conf (the real key is security.authorization; the slide abbreviated it):
    security:
      authorization: enabled

Create the first administrative user (replace the example password):
    use admin
    db.createUser({ user: 'administrator', pwd: '123321', roles: ["root"] })

9. Installing MongoDB - Replica sets? The minimum security option for a replica set is a key file, which ensures the instances can authenticate to each other.
(diagram: primary and two secondaries trusting each other through the shared key file)

10. Installing MongoDB - Replica sets?

Generate the key file and restrict its permissions:
    openssl rand -base64 756 > mykeyfile
    chmod 400 mykeyfile

mongod.conf:
    security:
      keyFile: mykeyfile

Alert: this change enables authentication as well!

11. Installing MongoDB - User IPs: Still on new versions, a user can be created with an IP restriction, and the database will only accept that user's commands from that address.

12. Authentication Restrictions

    use admin
    db.createUser({
      user: 'local_administrator',
      pwd: '123321',
      roles: ["root"],
      authenticationRestrictions: [ { clientSource: ["127.0.0.1"] } ]
    })

13. Roles: The database comes with several built-in roles, and these are enough for most cases.

14. Default Roles: All the roles listed below come by default with the MongoDB database server.
Database roles: read, readWrite, dbAdmin, dbOwner, userAdmin
Cluster roles: clusterAdmin, clusterManager, clusterMonitor, hostManager
Backup roles: backup, restore
All-database roles: readAnyDatabase, readWriteAnyDatabase, userAdminAnyDatabase, dbAdminAnyDatabase
Superuser / internal: root, __system

15. Default Roles

    use admin
    db.createUser({ user: 'read_any', pwd: '123', roles: ["readAnyDatabase"] })

16. Creating a Custom Role (the closing parenthesis was missing on the slide)

    db.createRole({
      role: "view_employee",
      privileges: [
        { resource: { db: "percona", collection: "employees" }, actions: ["find", "collStats"] }
      ],
      roles: [ { role: "read", db: "admin" } ]
    })

17. Views: How to create and maintain a view

18. Views: A view is pre-defined code (a pipeline) that is executed whenever the view is queried. To a user a view is just a collection, and by default a view is read-only. Views can run simple queries or complex aggregation pipelines. For this example we are going to create a view that exposes only the employee name and id to a third-party provider that will integrate with us.

19. Creating a View

    use <database>
    db.createView('vw_emp_names', 'employee', [ { $project: { _id: 1, name: 1 } } ])

20. Creating a View: How to create a view? From the docs:

    db.createView(<view>, <source>, <pipeline>, <options>)

Options is basically the collation:
    collation: {
      locale: <string>,
      caseLevel: <boolean>,
      caseFirst: <string>,
      strength: <int>,
      numericOrdering: <boolean>,
      alternate: <string>,
      maxVariable: <string>,
      backwards: <boolean>
    }

21. Acceptable Pipeline Operators: All the operators available in an aggregation are available in a view, meaning you can use $match, $unwind, $project and so on. https://docs.mongodb.com/manual/meta/aggregation-quick-reference/

22. Accessing a View: To execute the view's code we invoke a find command. The following command executes it:

    db.vw_emp_names.find()

Views are also visible as collections: a show collections command returns the views as well.

23. Giving Access to Views: How to control who can query a view

24. Minimum Access

    use admin
    db.createRole({
      role: "view_views",
      privileges: [
        { resource: { db: "percona", collection: "system.views" }, actions: ["find"] },
        { resource: { db: "percona", collection: "employees_name" }, actions: ["find", "collStats"] }
      ],
      roles: [ { role: "read", db: "admin" } ]
    })

25. Minimum Access

    use admin
    db.createUser({ user: 'intern', pwd: '123', roles: ["view_views"] })
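Added example (not from the deck) tying slides 16, 18-19 and 24 together: it builds the least-privilege role document for a view, checks what that role does and does not allow, and emulates the view's $project stage over constructed employee documents to show which fields the intern never sees. Names (percona, vw_emp_names, view_views) follow the slides; the sample documents and the helper functions are assumptions for this example, and the inherited read role on admin from the slide is deliberately left out so the role stays minimal.

```javascript
// Role document for db.createRole(): find on system.views (so the shell can
// resolve the view definition) and find/collStats on the view itself only.
// No inherited roles, unlike the slide, which also inherits read on admin.
function buildViewRole(roleName, dbName, viewName) {
  return {
    role: roleName,
    privileges: [
      { resource: { db: dbName, collection: "system.views" }, actions: ["find"] },
      { resource: { db: dbName, collection: viewName }, actions: ["find", "collStats"] },
    ],
    roles: [],
  };
}

// Does this role document directly grant `action` on dbName/collection?
// An empty collection name in a privilege means "every collection in the db".
// Inherited roles (the `roles` array) are not expanded by this helper.
function roleAllows(role, dbName, collection, action) {
  return role.privileges.some(
    (p) =>
      p.resource.db === dbName &&
      (p.resource.collection === collection || p.resource.collection === "") &&
      p.actions.includes(action)
  );
}

// Minimal emulation of a view's $project stage: keep only fields set to 1.
// Fields not listed (salary, ssn) never reach the caller.
function applyProjection(docs, projection) {
  const keep = Object.keys(projection).filter((k) => projection[k] === 1);
  return docs.map((d) =>
    Object.fromEntries(keep.filter((k) => k in d).map((k) => [k, d[k]]))
  );
}

// Constructed sample data standing in for the employees collection.
const employees = [
  { _id: 1, name: "Ana", salary: 9000, ssn: "000-00-0001" },
  { _id: 2, name: "Bruno", salary: 7500, ssn: "000-00-0002" },
];
const viewPipeline = [{ $project: { _id: 1, name: 1 } }];
const viewRole = buildViewRole("view_views", "percona", "vw_emp_names");

// What the intern gets: only the projected fields, and only through the view.
const viewResult = applyProjection(employees, viewPipeline[0].$project);
console.log(JSON.stringify(viewRole));
console.log(JSON.stringify(viewResult));
```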

26. Live Demonstration

27. Live Demonstration <live demo>

28. Questions

29. Thank You to Our Sponsors