MongoDB in Enterprise Companies-Use Cases

NoSQL databases, and MongoDB in particular, suit companies of every type, from small startups to large enterprises.
In this talk we discuss how MongoDB is used in enterprise environments and which features Percona Server for MongoDB provides to help such companies integrate MongoDB with their existing environment and meet security certification requirements.
We demonstrate use cases and show how to configure role-based access, LDAP integration, auditing, and encryption at rest.


1.MongoDB in Enterprise Companies - Use Cases Adamo, Dimitri

2.We.. Adamo Tonete, Support Engineer, São Paulo, Brazil; Dimitri Vanoverbeke, Solutions Engineer, Bruges, Belgium (@dim0 on Twitter)

3.Agenda ● Security ● Auditing ● Other features ● Support ● Tools

4.Users and Roles

5.Use Case
● Data access processes are essential for compliance
○ E.g. health care data is not only sensitive but is protected by law
○ Roles can define which user/group can access the sensitive data
● Data access roles are essential for security
○ Your organisation has a support team that needs to be able to read the information, but full access might open a new can of worms
○ Roles can protect you against user errors (PEBKAC situations)

6.Default Roles (built-in, grouped by scope)
● Database user roles: read, readWrite
● Database administration roles: dbAdmin, dbOwner, userAdmin
● Cluster administration roles: clusterAdmin, clusterManager, clusterMonitor, hostManager
● Backup and restore roles: backup, restore
● All-database roles: readAnyDatabase, readWriteAnyDatabase, userAdminAnyDatabase, dbAdminAnyDatabase
● Superuser role: root
● Internal role: __system

7.Default Roles
use admin
db.createUser({user : 'admin', pwd : '123', roles : ["root"]})

8.Default Roles
use admin
db.createUser({user : 'intern', pwd : '123', roles : ["readAnyDatabase"]})

9.Default Roles
https://docs.mongodb.com/manual/reference/privilege-actions/
db.createRole({
  role : 'write_foo2_Collection',
  privileges : [
    {resource : {db : "percona", collection : "foo2"}, actions : ["insert", "remove"]}
  ],
  roles : ["read"]
})

10.Personalized Role https://www.percona.com/blog/2017/05/17/mongodb-authentication-and-roles-creating-your-first-personalized-role/
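The custom role on slide 9 grants insert and remove on a single collection and inherits read on the rest of the database. Before creating such a role it is worth checking exactly which actions it ends up granting on which namespaces. The following is an added example, not code from the slides or from MongoDB or Percona: an offline model of MongoDB's privilege resolution (resource wildcards, inherited roles) run against the slide's role definition. The built-in role catalogue is a deliberately reduced assumption, and the role is assumed to have been created while "use percona" was active.

```javascript
// Added example (not code from the slides or from MongoDB/Percona): an offline
// model of how MongoDB resolves a role into effective privileges, so a custom
// role can be reviewed for least privilege before it is created with
// db.createRole(). The built-in role catalogue below is deliberately reduced.

// Built-in roles, simplified: each is a function of the database it is granted
// in, because "read" granted in db "percona" means read on percona only.
// Assumption: the real roles carry more actions (dbStats, collStats, ...).
const BUILTIN_ROLES = {
  read: (db) => [
    { resource: { db, collection: "" }, actions: ["find", "listCollections", "listIndexes"] },
  ],
  readWrite: (db) => [
    { resource: { db, collection: "" },
      actions: ["find", "listCollections", "listIndexes", "insert", "update", "remove", "createIndex"] },
  ],
};

// Custom roles keyed by "<db>.<role>", in the shape db.createRole() accepts.
// This is the role from slide 9, assumed created while "use percona" was active.
const CUSTOM_ROLES = {
  "percona.write_foo2_Collection": {
    privileges: [
      { resource: { db: "percona", collection: "foo2" }, actions: ["insert", "remove"] },
    ],
    roles: ["read"], // a bare string inherits the role from the same database
  },
};

// MongoDB resource matching: "" for db or collection acts as a wildcard,
// { cluster: true } only matches cluster-level actions, { anyResource: true }
// matches everything.
function resourceMatches(granted, target) {
  if (granted.anyResource) return true;
  if (granted.cluster) return target.cluster === true;
  if (target.cluster) return false;
  return (
    (granted.db === "" || granted.db === target.db) &&
    (granted.collection === "" || granted.collection === target.collection)
  );
}

// Flatten a role and everything it inherits into one privilege list.
function effectivePrivileges(role, db, seen = new Set()) {
  const key = `${db}.${role}`;
  if (seen.has(key)) return []; // inheritance cycle guard
  seen.add(key);
  if (BUILTIN_ROLES[role]) return BUILTIN_ROLES[role](db);
  const def = CUSTOM_ROLES[key];
  if (!def) throw new Error(`unknown role ${key}`);
  const inherited = def.roles.flatMap((r) =>
    typeof r === "string"
      ? effectivePrivileges(r, db, seen)
      : effectivePrivileges(r.role, r.db, seen)
  );
  return [...def.privileges, ...inherited];
}

// Would a user holding this role be allowed to run `action` on `target`?
function isAllowed(role, db, action, target) {
  return effectivePrivileges(role, db).some(
    (p) => p.actions.includes(action) && resourceMatches(p.resource, target)
  );
}

// Every action the role grants on one namespace, for a human review.
function grantedActions(role, db, target) {
  const actions = new Set();
  for (const p of effectivePrivileges(role, db)) {
    if (resourceMatches(p.resource, target)) p.actions.forEach((a) => actions.add(a));
  }
  return [...actions].sort();
}

// Review the slide's role: writes only on percona.foo2, reads anywhere in percona.
console.log(grantedActions("write_foo2_Collection", "percona", { db: "percona", collection: "foo2" }));
console.log(grantedActions("write_foo2_Collection", "percona", { db: "percona", collection: "foo" }));
```

The check confirms the intent of the slide: the role can insert and remove on percona.foo2, can only read percona.foo, and has no access to other databases. The real resolution happens inside mongod; this model is for reviewing a role definition before it is applied.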

11.LDAP

12.Use case
● With a large number of MongoDB servers, simple authentication would require you to maintain the user/group list on each server
● Removing someone's access to the infrastructure might be troublesome
● Compliance reasons might require you to centralise access credentials

13.LDAP Authorization vs Authentication While authentication proves who you are, the authorization checks what can be done under a specific account.

14.LDAP
● LDAP stands for Lightweight Directory Access Protocol; it is an open standard protocol that lets applications share user directories across the network
● Implementations include Microsoft Active Directory, IBM TDS, OpenLDAP, ...

15.LDAP LDAP Tree/Domain http://www.openldap.org/doc/admin22/intro.html

16.Log Redaction

17.Use case Access to the database is not the only avenue for stealing information. Logs can contain data that is sensitive to a company, and if this data is not fully protected we can have a data breach.

18.Log Redaction - Raw
{ name: "MongoDB Internal Client", version: "3.6.7-1.5" }, os: { type: "Linux", name: "Ubuntu", architecture: "x86_64", version: "16.04" } }
2018-10-22T13:06:45.770+0000 I COMMAND [conn1] command percona.foo appName: "MongoDB Shell" command: find { find: "foo", filter: { credit_card: "734310273827328", name: "Adamo" }, $db: "percona" } planSummary: COLLSCAN keysExamined:0 docsExamined:1167744 cursorExhausted:1 numYields:9123 nreturned:0 reslen:84 locks:{ Global: { acquireCount: { r: 18248 } }, Database: { acquireCount: { r: 9124 } }, Collection: { acquireCount: { r: 9124 } } } protocol:op_msg 567ms

19.Log Redaction 2018-10-22T13:11:00.023+0000 I COMMAND [conn1] command percona.foo appName: "MongoDB Shell" command: find { find: "###", filter: { credit_card: "###", name: "###" }, $db: "###" } planSummary: ### keysExamined:0 docsExamined:1167744 cursorExhausted:1 numYields:9123 nreturned:0 reslen:84 locks:{ Global: { acquireCount: { r: 18248 } }, Database: { acquireCount: { r: 9124 } }, Collection: { acquireCount: { r: 9124 } } } protocol:op_msg 572ms

20.Log Redaction 2018-10-22T13:00:23.530+0000 I COMMAND [conn2] command percona.foo appName: "MongoDB Shell" command: insert { insert: "###", ordered: "###", $db: "###" } ninserted:1 keysInserted:1 numYields:0 reslen:29 locks:{ Global: { acquireCount: { r: 1, w: 1 } }, Database: { acquireCount: { w: 1 } }, Collection: { acquireCount: { w: 1 } } } protocol:op_msg 11ms
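Slides 18 to 20 show the same log lines before and after the server's own redaction. The following is an added example, not code from the slides or from MongoDB or Percona, written against the 3.x text log format shown on the slides: one helper that detects lines whose command document still carries client-supplied literals (a quick check that redaction is actually in effect), and one that scrubs those literals to "###" for log files written before redaction was switched on. The raw find line is the one from slide 18; the raw insert line is a constructed unredacted counterpart of the line on slide 20.

```javascript
// Added example (not code from the slides or from MongoDB/Percona). Two
// helpers for mongod log lines in the 3.x text format shown on the slides:
//   hasClientData(line) - true when the command document still carries
//                         client-supplied literals (redaction not active);
//   redactLine(line)    - scrubs such literals to "###" after the fact.
// Both are heuristics over the text format, not the server's own redaction.

// Find the span of the "command: <name> { ... }" document, honouring nested
// braces and quoted strings. Returns null when there is no command document.
function commandDocSpan(line) {
  const at = line.indexOf("command: ");
  if (at === -1) return null;
  const open = line.indexOf("{", at);
  if (open === -1) return null;
  let depth = 0;
  let inString = false;
  for (let i = open; i < line.length; i++) {
    const ch = line[i];
    if (inString) {
      if (ch === "\\") i++;            // skip the escaped character
      else if (ch === '"') inString = false;
      continue;
    }
    if (ch === '"') inString = true;
    else if (ch === "{") depth++;
    else if (ch === "}" && --depth === 0) return [open, i + 1];
  }
  return null; // unbalanced braces: truncated line, leave it alone
}

// Values inside the document: quoted strings, numbers, booleans, null.
const STRING_LITERAL = /"(?:[^"\\]|\\.)*"/g;
const SCALAR_VALUE = /(:\s*)(-?\d+(?:\.\d+)?|true|false|null)\b/g;

// Does the command document still contain anything other than "###"?
function hasClientData(line) {
  const span = commandDocSpan(line);
  if (!span) return false;
  const doc = line.slice(span[0], span[1]);
  const strings = doc.match(STRING_LITERAL) || [];
  const scalars = doc.match(SCALAR_VALUE) || [];
  return scalars.length > 0 || strings.some((s) => s !== '"###"');
}

// Replace every value in the command document with "###"; keys, the command
// name and the execution statistics after the document are kept.
function redactLine(line) {
  const span = commandDocSpan(line);
  if (!span) return line;
  const doc = line
    .slice(span[0], span[1])
    .replace(STRING_LITERAL, '"###"')
    .replace(SCALAR_VALUE, '$1"###"');
  const scrubbed = line.slice(0, span[0]) + doc + line.slice(span[1]);
  // planSummary can expose index key names, so the server redacts it as well.
  return scrubbed.replace(/planSummary: \S+(?: \{[^}]*\})?/, "planSummary: ###");
}

// Raw find line from slide 18, minus the tail of the preceding log entry.
const RAW_FIND =
  '2018-10-22T13:06:45.770+0000 I COMMAND [conn1] command percona.foo appName: "MongoDB Shell" ' +
  'command: find { find: "foo", filter: { credit_card: "734310273827328", name: "Adamo" }, $db: "percona" } ' +
  'planSummary: COLLSCAN keysExamined:0 docsExamined:1167744 cursorExhausted:1 numYields:9123 nreturned:0 reslen:84 ' +
  'locks:{ Global: { acquireCount: { r: 18248 } }, Database: { acquireCount: { r: 9124 } }, ' +
  'Collection: { acquireCount: { r: 9124 } } } protocol:op_msg 567ms';

// Constructed unredacted counterpart of the insert line on slide 20.
const RAW_INSERT =
  '2018-10-22T13:00:23.530+0000 I COMMAND [conn2] command percona.foo appName: "MongoDB Shell" ' +
  'command: insert { insert: "foo", ordered: true, $db: "percona" } ninserted:1 keysInserted:1 numYields:0 reslen:29 ' +
  'locks:{ Global: { acquireCount: { r: 1, w: 1 } }, Database: { acquireCount: { w: 1 } }, ' +
  'Collection: { acquireCount: { w: 1 } } } protocol:op_msg 11ms';

for (const line of [RAW_FIND, RAW_INSERT]) {
  console.log(hasClientData(line) ? "UNREDACTED" : "clean", "->", redactLine(line));
}
```

The server-side fix is the redactClientLogData setting (security.redactClientLogData in the mongod configuration file), which produces the "###" output on slides 19 and 20 at write time; the scrubber above is for log files that already exist, and hasClientData is a useful check to run over a fresh log after enabling the setting.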

21.Auditing

22.Use Case Databases are there to be used; however, it's difficult to keep track of the actions taken on the infrastructure.
● Dropped collection/data situations
● Security and access compliance
● Analysing application behaviour

23.Auditing ● Percona Server for MongoDB ● MongoDB enterprise

24.Auditing
● Auditing allows us to record only certain types of queries and commands.
● We can choose between saving to a text file, a BSON file, or JSON.
● Later the data can be processed to generate useful information for the security team.

25.Auditing
{"atype":"authenticate","ts":{"$date":"2017-02-14T14:11:29.975+0100"},"local":{"ip":"127.0.1.1","port":27017},"remote":{"ip":"127.0.0.1","port":42634},"users":[],"roles":[],"param":{"user":"root","db":"admin","mechanism":"SCRAM-SHA-1"},"result":18}
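Slide 24 says the audit data can later be processed into useful information for the security team, and slide 25 shows one JSON record: a failed authentication (result 18 is MongoDB's AuthenticationFailed code). The following is an added example, not code from the slides or from Percona, of that processing: it parses a JSON audit log line by line, groups failed logins by source address, and lists destructive commands with who ran them. The sample log is constructed; its first record is the one from slide 25, the others are invented, and the dropCollection record assumes the namespace is carried in "param" as "ns".

```javascript
// Added example (not code from the slides or from Percona): turning a JSON
// audit log like the record on slide 25 into two things the security team
// asks for: sources with repeated failed logins, and destructive commands.
// Record shape follows the slide; the dropCollection record is constructed
// on the assumption that its "param" carries the namespace as "ns".

// Constructed sample: one record copied from slide 25, the rest invented.
// result 18 is MongoDB's AuthenticationFailed code; 0 is success.
const SAMPLE_AUDIT_LOG = [
  '{"atype":"authenticate","ts":{"$date":"2017-02-14T14:11:29.975+0100"},"local":{"ip":"127.0.1.1","port":27017},"remote":{"ip":"127.0.0.1","port":42634},"users":[],"roles":[],"param":{"user":"root","db":"admin","mechanism":"SCRAM-SHA-1"},"result":18}',
  '{"atype":"authenticate","ts":{"$date":"2017-02-14T14:12:01.100+0100"},"local":{"ip":"127.0.1.1","port":27017},"remote":{"ip":"10.0.0.5","port":50001},"users":[],"roles":[],"param":{"user":"root","db":"admin","mechanism":"SCRAM-SHA-1"},"result":18}',
  '{"atype":"authenticate","ts":{"$date":"2017-02-14T14:12:02.300+0100"},"local":{"ip":"127.0.1.1","port":27017},"remote":{"ip":"10.0.0.5","port":50002},"users":[],"roles":[],"param":{"user":"admin","db":"admin","mechanism":"SCRAM-SHA-1"},"result":18}',
  '{"atype":"authenticate","ts":{"$date":"2017-02-14T14:12:03.900+0100"},"local":{"ip":"127.0.1.1","port":27017},"remote":{"ip":"10.0.0.5","port":50003},"users":[],"roles":[],"param":{"user":"backup","db":"admin","mechanism":"SCRAM-SHA-1"},"result":18}',
  'garbage line that is not JSON',
  '{"atype":"authenticate","ts":{"$date":"2017-02-14T14:12:05.000+0100"},"local":{"ip":"127.0.1.1","port":27017},"remote":{"ip":"10.0.0.5","port":50004},"users":[],"roles":[],"param":{"user":"admin","db":"admin","mechanism":"SCRAM-SHA-1"},"result":0}',
  '{"atype":"dropCollection","ts":{"$date":"2017-02-14T14:13:10.000+0100"},"local":{"ip":"127.0.1.1","port":27017},"remote":{"ip":"10.0.0.5","port":50004},"users":[{"user":"admin","db":"admin"}],"roles":[{"role":"root","db":"admin"}],"param":{"ns":"percona.foo"},"result":0}',
].join("\n");

// Parse one record per line; count lines that do not parse instead of
// failing, so one corrupt line cannot hide the rest of the log.
function parseAuditLog(text) {
  const records = [];
  let malformed = 0;
  for (const line of text.split("\n")) {
    if (line.trim() === "") continue;
    try {
      records.push(JSON.parse(line));
    } catch (e) {
      malformed++;
    }
  }
  return { records, malformed };
}

// Failed authentications grouped by remote IP, with the user names tried.
function failedAuthBySource(records) {
  const bySource = new Map();
  for (const r of records) {
    if (r.atype !== "authenticate" || r.result === 0) continue;
    const ip = r.remote && r.remote.ip;
    const entry = bySource.get(ip) || { ip, failures: 0, users: new Set() };
    entry.failures++;
    entry.users.add(r.param.user);
    bySource.set(ip, entry);
  }
  return bySource;
}

// Audit event types that remove data or principals.
const DESTRUCTIVE = new Set(["dropCollection", "dropDatabase", "dropUser", "dropRole"]);

// Report: sources at or above `threshold` failed logins, and destructive
// actions with who ran them and from where.
function summarize(records, threshold) {
  const suspiciousSources = [...failedAuthBySource(records).values()]
    .filter((e) => e.failures >= threshold)
    .map((e) => ({ ip: e.ip, failures: e.failures, users: [...e.users].sort() }))
    .sort((a, b) => b.failures - a.failures);
  const destructive = records
    .filter((r) => DESTRUCTIVE.has(r.atype))
    .map((r) => ({
      ts: r.ts.$date,
      user: r.users.map((u) => `${u.user}@${u.db}`).join(","),
      from: r.remote.ip,
      ns: r.param.ns,
    }));
  return { suspiciousSources, destructive };
}

const { records, malformed } = parseAuditLog(SAMPLE_AUDIT_LOG);
console.log(JSON.stringify(summarize(records, 3), null, 2), `(${malformed} malformed line(s))`);
```

On the sample, 10.0.0.5 fails three times across three different user names, then succeeds as admin and drops percona.foo; the single failure from 127.0.0.1 on slide 25 stays below the threshold. The same grouping works on a file read line by line, since each audit record is one JSON document per line.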

26.TDE - Transparent Data Encryption

27.TDE - use cases A required feature for PCI/HIPAA/GDPR compliance and a good security practice. E.g. the system engineers running your infrastructure do not need access to the data, the DBAs do. TDE is one of the most demanded features for enterprise companies.

28.TDE Percona Server for MongoDB 3.6.8-2.0 now offers TDE using LOCAL KEY management. This is our first step towards fully supporting all the major enterprise features, and we are working to add third-party key management in future releases. MongoDB Enterprise offers TDE with a local key or third-party vaults.

29.TDE ● Some overhead may be more visible when using LUKS (disk encryption), but the overall overhead in WiredTiger can be negligible, as we are trading speed for security