MongoDB in Enterprise Companies-Use Cases

1 .MongoDB in Enterprise Companies - Use Cases Adamo, Dimitri 

2 .We.. Adamo Tonete Dimitri Vanoverbeke Support Engineer Solutions Engineer São Paulo, Brazil Bruges, Belgium @dim0 on twitter 

3 .Agenda ● Security ● Auditing ● Other features ● Support ● Tools 

4 .Users and Roles 

5 .Use Case ● Data access processes are essential for compliance ○ Eg. Health care data is not only sensitive but is protected by laws ○ Roles can define which user/group can access the sensitive data ● Data access roles are essential for security ○ Your organisation has an support team, they need to be able to read the information. But full access might open a new can of worms. ○ Roles can protect you again user errors (PEBKAC situations) 

6 .Default Roles ● read ● readWrite ● hostManager ● dbAdmin ● backup ● dbOwner ● restore ● userAdmin ● readAnyDatabase ● clusterAdmin ● readWriteAnyDatabase ● clusterMonitor ● userAdminAnyDatabase ● clusterManager ● dbAdminAnyDatabase ● root ● __system 

7 .Default Roles use admin db.createUser({user :'admin', pwd: '123', roles : ["root"]}) 

8 .Default Roles use admin db.createUser({user :'intern', pwd: '123', roles : ["readAnyDatabase"]}) 

9 .Default Roles https://docs.mongodb.com/manual/reference/privilege-actions/ db.createRole({ role : 'write_foo2_Collection', privileges : [ {resource : {db : "percona", collection : "foo2"}, actions : ["insert","remove"]} ], roles : ["read"] }) 

10 .Personalized Role https://www.percona.com/blog/2017/05/17/mongodb-authentication-and-roles- creating-your-first-personalized-role/ 

11 .LDAP 

12 .Use case ● Large amount of MongoDB servers, simple authentication would require you to maintain each servers user/group list ● Removing access to the infrastructure might be troublesome ● Compliancy reasons might require you to centralise access credentials 

13 .LDAP Authorization vs Authentication While authentication proves who you are, the authorization checks what can be done under a specific account. 

14 .LDAP ● LDAP stands for Lightweight Directory Access Protocol and it is a open source protocol to allow applications share users thought the network. ● Microsoft has their own service called Active Directory, IBM TDS, OpenLDAP, ... 

15 .LDAP LDAP Tree/Domain http://www.openldap.org/doc/admin22/intro.html 

16 .Log Redaction 

17 .Use case Access to the database is not the only venue to steal information Logs can have sensitive data to a company and if this data is not completely protected we can have a data breach 

18 .Log Redaction - Raw { name: "MongoDB Internal Client", version: "3.6.7-1.5" }, os: { type: "Linux", name: "Ubuntu", architecture: "x86_64", version: "16.04" } } 2018-10-22T13:06:45.770+0000 I COMMAND [conn1] command percona.foo appName: "MongoDB Shell" command: find { find: "foo", filter: { credit_card: "734310273827328", name: "Adamo" }, $db: "percona" } planSummary: COLLSCAN keysExamined:0 docsExamined:1167744 cursorExhausted:1 numYields:9123 nreturned:0 reslen:84 locks:{ Global: { acquireCount: { r: 18248 } }, Database: { acquireCount: { r: 9124 } }, Collection: { acquireCount: { r: 9124 } } } protocol:op_msg 567ms 

19 .Log Redaction 2018-10-22T13:11:00.023+0000 I COMMAND [conn1] command percona.foo appName: "MongoDB Shell" command: find { find: "###", filter: { credit_card: "###", name: "###" }, $db: "###" } planSummary: ### keysExamined:0 docsExamined:1167744 cursorExhausted:1 numYields:9123 nreturned:0 reslen:84 locks:{ Global: { acquireCount: { r: 18248 } }, Database: { acquireCount: { r: 9124 } }, Collection: { acquireCount: { r: 9124 } } } protocol:op_msg 572ms 

20 .Log Redaction 2018-10-22T13:00:23.530+0000 I COMMAND [conn2] command percona.foo appName: "MongoDB Shell" command: insert { insert: "###", ordered: "###", $db: "###" } ninserted:1 keysInserted:1 numYields:0 reslen:29 locks:{ Global: { acquireCount: { r: 1, w: 1 } }, Database: { acquireCount: { w: 1 } }, Collection: { acquireCount: { w: 1 } } } protocol:op_msg 11ms 

21 .Auditing 

22 .Use Case Databases are there to be used, however it’s difficult to keep track of actions of the infrastructure. ● Drop collection/data situations ● Security and access compliance ● Analysing application behaviour 

23 .Auditing ● Percona Server for MongoDB ● MongoDB enterprise 

24 .Auditing ● Auditing allow us to only record certain types of queries and commands. ● We can choose between saving into a text file, bson file or json. ● Lately the data can be processed and generate useful information to the security team. 

25 .Auditing {"atype":"authenticate","ts":{"$date":"2017-02- 14T14:11:29.975+0100"},"local":{"ip":"127.0.1.1","port":27017 },"remote":{"ip":"127.0.0.1","port":42634},"users":[],"roles" :[],"param":{"user":"root","db":"admin","mechanism":"SCRAM- SHA-1"},"result":18} 

26 .TDE - Transparent Data Encryption 

27 .TDE - use cases A required feature for PCI/HIPAA/GDPR compliance and a good practice in security. Eg. System engineers on your infrastructure do not need access, DBA’s do. TDE is one of the most demanded featured for enterprise companies. 

28 .TDE Percona server for MongoDB 3.6.8-2.0 now offers TDE using LOCAL KEY management. This is the first step of us to fully support all the major enterprise features and we are working to have 3rd party key management in future releases. MongoDB enterprise offers TDE with local key or third party vaults. 

29 .TDE ● Some overhead may be more visible when using LUKS (disk encryption) but the overwall overhead in wiredTiger can be negligible as we are trading speed per security