MongoDB Security

Commands

Commonly used mongosh commands:

| Command | Explanation |
| --- | --- |
| `use admin` | switch to the administrator database |
| `db.createUser( { user: "...", pwd: passwordPrompt(), roles: [ ... ] } )` | create a user in the current database; passwordPrompt() asks for the password interactively, so it does not end up in the command line or the shell history |
| `db.getUsers()` | get all users of the current database |
| `db.getUser("userName")` | get a specific user |
| `quit()` | quit the MongoDB shell |

Authentication

  • verifies the identity of users and applications

Enabling Access Control

  1. add the security.authorization setting to the configuration file (/etc/mongod.conf) and restart mongod:

```yaml
security:
  authorization: enabled
```

  2. connect to the database: mongosh localhost:27017
    • no login is needed yet because of the localhost exception
    • localhost exception: as long as no user (or role) exists, a connection from the local machine may create the first user; it closes as soon as the first user has been created
  3. switch to the admin database: use admin
  4. create the first user, an administrator who can manage users and roles in every database:

```mongodb
db.createUser(
  {
    user: "globalUserAdmin",
    pwd: passwordPrompt(),   // prompts for the password instead of putting it on the command line
    roles: [
      { role: "userAdminAnyDatabase", db: "admin" }
    ]
  }
)
```

Login with a username

```sh
mongosh --username globalUserAdmin
```

  • mongosh prompts for the password
  • with no database in the connection string, the user is looked up in the admin database (the default authSource)

Authentication mechanisms

SCRAM

  • Salted Challenge Response Authentication Mechanism (RFC 5802)
  • default mechanism; SCRAM-SHA-256 (MongoDB 4.0 and later) is preferred over the older SCRAM-SHA-1
  • the password never crosses the wire: the server stores a salted, iterated hash, and client and server exchange nonces and prove to each other that they know keys derived from it
  • still use it over TLS: SCRAM authenticates the user, it does not encrypt the session

Authorization

Create User

```mongodb
db.createUser(
  {
    user: "globalUserAdmin",
    pwd: passwordPrompt(),
    roles: [
      { role: "userAdminAnyDatabase", db: "admin" }
    ]
  }
)
```

  • a user belongs to the database the command is run in (here admin); that database is the user's authentication database

Login as a user

```sh
# connect to sample_analytics, but authenticate against admin, where exampleUser was created
mongosh "mongodb://exampleUser@localhost:27017/sample_analytics?authSource=admin"

# connect to admin directly: the database in the connection string is also the authentication database
mongosh localhost:27017/admin --username exampleUser

# no database given: the driver defaults to authSource=admin
mongosh --username exampleUser
```

  • the password is entered at the prompt after the command has been run, so it does not appear in the command line or the shell history

RBAC: Role-Based Access Control

  • uses roles to determine what actions users can perform
  • helps protect against unauthorized access and modification
  • reduces risk that users access data not required for their role

Roles

Built-in roles:

  • read: read the data of one database
  • readWrite: read and modify the data of one database
  • dbAdmin: schema, index and statistics tasks on one database, no user management
  • dbOwner: read, write and administer one database including its users (readWrite + dbAdmin + userAdmin)
  • readAnyDatabase: read all databases (only available in the admin database)
  • userAdminAnyDatabase
    • for the administrator
    • create and modify users and roles in any database
    • can grant itself any role, so it is effectively a superuser and should be given sparingly

Remove Roles of a User

```mongodb
// switch to the database the user was created in
use admin
db.revokeRolesFromUser(
  "exampleUser",
  [
    { role: "read", db: "example_db" },
    { role: "readWrite", db: "books" }
  ]
)
```

Auditing

  • monitoring and recording changes to data and database configuration, plus authentication and authorization events
  • MongoDB Enterprise and Atlas only
  • destinations
    • console
    • syslog (not available on Windows)
    • file, in JSON or BSON format

Audit Log File (JSON or BSON)

  • configured in the MongoDB configuration file /etc/mongod.conf under auditLog
    • auditLog.destination: file
    • auditLog.format: JSON or BSON
    • auditLog.path: the file, e.g. /var/log/mongodb/auditLog.json
  • access:

```sh
sudo tail /var/log/mongodb/auditLog.json | jq
```

    jq: JSON pretty printer (a BSON file needs bsondump first)

  • fields of an audit record
    • atype: action type (e.g. authenticate, createUser, grantRolesToUser)
    • ts: timestamp
    • remote: IP address and port of the client
    • users: the users authenticated on the connection
    • param: details of the action (for authenticate: user, db and mechanism)
    • result
      • result of the action as a MongoDB error code
      • 0: success
      • non-zero: failure, e.g. 18 = AuthenticationFailed, 13 = Unauthorized

Encryption

Categories:

  • transport encryption / network encryption
  • encryption at rest
  • in-use encryption

Transport Encryption

  • also called network encryption
  • secures the communication between client and server (and between the members of a replica set)
  • example: Transport Layer Security (TLS)
    • the server presents a certificate that the client validates against a trusted CA (client side: tlsCAFile)
    • should always be enabled
    • MongoDB Atlas
      • enabled by default
    • self-managed deployment
      • you must enable TLS yourself

Enable TLS

Change the MongoDB configuration file (/etc/mongod.conf):

```yaml
# network interfaces
net:
  tls:
    mode: requireTLS                          # disabled | allowTLS | preferTLS | requireTLS
    certificateKeyFile: /etc/tls/mongodb.pem  # server certificate and private key in one PEM file

#replication:
replication:
  replSetName: TLSEnabledReplSet
```

  • requireTLS rejects every plaintext connection, also from the other replica set members, so every member needs the setting and a certificate before the set is initiated
  • allowTLS and preferTLS are the intermediate steps of a rolling migration of an existing deployment to requireTLS

Restart the server:

```sh
sudo systemctl restart mongod
```

Initiate the replica set (a group of mongod processes that hold the same data set):

  1. connect to the server; tlsCAFile gives mongosh the CA certificate it uses to validate the server certificate

```sh
mongosh "mongodb://mongod0.replset.com/?tls=true&tlsCAFile=/etc/tls/root-ca.pem"
```

  2. initiate the replica set in the MongoDB shell

```mongodb
use admin
rs.initiate(
  {
    _id: "TLSEnabledReplSet",
    version: 1,
    members: [
      { _id: 0, host: "mongod0.replset.com" },
      { _id: 1, host: "mongod1.replset.com" },
      { _id: 2, host: "mongod2.replset.com" }
    ]
  }
)
```

  3. test the TLS requirement: the connection with TLS must succeed, the one without must be refused

```sh
exit
mongosh "mongodb://mongod0.replset.com,mongod1.replset.com,mongod2.replset.com/?replicaSet=TLSEnabledReplSet&tls=true&tlsCAFile=/etc/tls/root-ca.pem"
exit
# now connect without TLS: with mode requireTLS this must fail
mongosh "mongodb://mongod0.replset.com,mongod1.replset.com,mongod2.replset.com/?replicaSet=TLSEnabledReplSet"
```

Encryption at Rest

  • encrypts data files and backups, so a stolen disk, volume snapshot or backup is unreadable without the key
  • limitations
    • key management: the master key must be kept away from the data (KMIP key server or cloud KMS); a local key file is only for testing
    • insider threats: anyone who can authenticate to mongod reads the data in clear, encryption at rest does not check who is asking
    • attacks on data in memory: the data is decrypted while mongod works with it
  • Encrypted Storage Engine
    • encrypts the MongoDB data files on disk (WiredTiger)
    • only in the Enterprise version

In-Use Encryption

  • protects data while it is being used, i.e. from the moment it leaves the client application
  • Client-Side Field Level Encryption

Client-Side Field Level Encryption (CSFLE)

  • client
    • encrypts the sensitive fields before the document is sent to the database and decrypts them after reading
    • obtains the data encryption keys from a key management system (the master key never leaves the KMS)
  • server
    • only ever sees ciphertext: the fields stay encrypted in memory, on disk, in logs and in backups
    • a database administrator, or an attacker with full access to the server, cannot read them
  • additional layer on top of transport encryption and encryption at rest
  • protects individual fields rather than the whole database; the other fields remain queryable as usual
  • deterministic encryption keeps equality queries on an encrypted field possible, randomized encryption leaks nothing but is not queryable

MongoDB Configuration File

  • /etc/mongod.conf

```yaml
# mongod.conf

# for documentation of all options, see:
# http://docs.mongodb.org/manual/reference/configuration-options/

# Where and how to store data.
storage:
  dbPath: /var/lib/mongodb
#  engine:
#  wiredTiger:

# where to write logging data.
systemLog:
  destination: file
  logAppend: true
  path: /var/log/mongodb/mongod.log

# network interfaces
net:
  port: 27017
  bindIp: 127.0.0.1
  tls:
    mode: requireTLS # if TLS is required
    certificateKeyFile: /etc/tls/mongodb.pem

# how the process runs
processManagement:
  timeZoneInfo: /usr/share/zoneinfo

#security:
security:
  authorization: enabled

#operationProfiling:

#replication:
replication:
  replSetName: TLSEnabledReplSet

#sharding:

## Enterprise-Only Options:

#auditLog:

#snmp:
```