MongoDB, Inc has made impressive strides over the past 18 months. One of the areas of the product that has seen the most significant improvement has been the area of Security. Security is of paramout importance for a production database. Existing relational databases provides a number of knobs and controls to help the DB administrator manage the security of his database and MongoDB is getting to a similar place as well. In this post we will delve deeper into the security features in the areas of Authentication, Authorization & Auditing.
MongoDB offers a variety of mechanisms to authenticate the users connection to the database. Choose the mechanism that provides the best balance of security and management. Although optional it is recommended security practice that all production systems have authentication turned on.
Challenge Response Authentication (MongoDB-CR)
This is the traditional username password based authentication. The users can be created at the scope of a database or the entire cluster. If a user only needs to access data in a particular database it is recommend to only create the user specific to that database. Cluster level access should be restricted for administrators.
X.509 certificate Authentication
Users can authenticate to their mongodb database using X.509 certificate. In order to do this the MongoDB server needs to have SSL enabled. By default the community builds of MongoDB do not have SSL enabled. You need to roll out your own build or sign up to use the Enterprise edition. You can create a user in MongoDB for each x.509 certificate with a unique subject. For more step by step details refer to the MongoDB X.509 certificate setup instructions.
The enterprise builds of MongoDB support authenticating using Kerberos which is the industry standard for client server authentication. E.g. If you are an enterprise with an Active Directory installation use can use the Kerberos authentication mechanism to authenticate your users – this avoids the hassle of managing username/passwords or certificates. Click here for instructions to integrate MongoDB with Active directory.
The Authorization system determines what operations users can perform once they have completed Authentication. MongoDB supports a Role based Access control (RBAC) model. Each user is assigned specific roles which determine what operations he is allowed to perform. MongoDB has a set of built in roles and you can also create your own custom roles. Each role is assigned a set of privileges that pair resources with allowed operations on that resource. MongoDB provides built in roles at the following scopes
Database user roles – read, readWrite
Database administrator roles – dbAdmin, dbOwner, userAdmin
Cluster administrator roles – clusterAdmin, clusterManager, clusterMonitor, hostManager
Backup and restore roles – backup, restore
All Database roles – readAnyDatabase, readWriteAnyDatabase,userAdminAnyDatabase
Superuser roles - root
Refer to Built in roles documentation for a more detailed understanding of the roles that need to assigned to the user.
MongoDB Enterprise 2.6 release adds support for auditing. You can configure the MongoDB server to generate audit events for interesting mongodb operations like user login, DDL changes, replica set config changes etc. This enables you to use your existing enterprise auditing tool to pick up and process the necessary events. For more information refer to the list of MongoDB events that can be audited.
For more tips on improving the security of your MongoDB database please refer to our other blog post – 10 tips to improve your MongoDB security