External Authentication with Percona Server for MongoDB and MongoDB - - PowerPoint PPT Presentation

external authentication with percona server for mongodb
SMART_READER_LITE
LIVE PREVIEW

External Authentication with Percona Server for MongoDB and MongoDB - - PowerPoint PPT Presentation

Jan 06, 2024 170 likes •432 views

External Authentication with Percona Server for MongoDB and MongoDB Enterprise Jason Terpko DBA @ Rackspace/ObjectRocket linkedin.com/in/jterpko 1 Overview Percona Server For MongoDB o SASL and LDAP o MongoDB Enterprise o Kerberos and

slide-1
SLIDE 1

External Authentication with Percona Server for MongoDB and MongoDB Enterprise

Jason Terpko DBA @ Rackspace/ObjectRocket linkedin.com/in/jterpko

1

slide-2
SLIDE 2

Overview

www.objectrocket.com

2

  • Percona Server For MongoDB
  • MongoDB Enterprise
  • SASL and LDAP
  • Kerberos and Active Directory
  • Ops Manager
slide-3
SLIDE 3

Percona Server For MongoDB

www.objectrocket.com

3

An enhanced free open source replacement for MongoDB Community Server SASL Authentication More Engine Options Hot Backup Auditing All MongoDB 3.4 Community Features

slide-4
SLIDE 4

External Authentication

www.objectrocket.com

4

  • LDAP
  • SASL
  • Authentication
slide-5
SLIDE 5

Centralized Authentication

www.objectrocket.com

5

LDAP (Lightweight Directory Access Protocol) and Microsoft Active Directory # extended LDIF ... dn: uid=jason,ou=dba,dc=data,dc=com ... cn: jasonuid: jason uidNumber: 9999 gidNumber: 100 ... userPassword:: <secret> # extended LDIF ... dn: CN=Jason,OU=Users,DC=data,DC=com ... cn: Jason memberOf: CN=dba,OU=Mongo,DC=data,DC=com ... sAMAccountName: jason userPrincipalName: jason@data.com OpenLDAP Active Directory

slide-6
SLIDE 6

SASL Authentication

www.objectrocket.com

6

PLAIN Auth Init SASL SASL Auth Yes/No Yes/No Yes Yes OK

slide-7
SLIDE 7

Mongos / Server Configuration

www.objectrocket.com

7

/etc/sysconfig/saslauthd SOCKETDIR=/run/saslauthd MECH=ldap FLAGS="-O /etc/saslauthd.conf" /etc/mongos.conf security: keyFile: /etc/mongo.key setParameter: authenticationMechanisms: PLAIN,SCRAM-SHA-1

*LDAP Already Configured

slide-8
SLIDE 8

Mongos / Server Configuration

www.objectrocket.com

8

/etc/saslauthd.conf ldap_servers: ldap://127.0.0.1:389 ldap_search_base: dc=data,dc=com ldap_filter: (uid=%u) ldap_bind_dn: uid=bind,ou=People,dc=data,dc=com ldap_password: <secret> /etc/sasl2/mongodb.conf pwcheck_method: saslauthd saslauthd_path: /var/run/saslauthd/mux log_level: 1 mech_list: plain

*LDAP Already Configured

slide-9
SLIDE 9

Authentication

www.objectrocket.com

9 db.getSiblingDB("$external").createUser({user : 'jason', roles: [ {role : "readWrite", db: 'prod'} ] }); db.getSiblingDB("$external").auth({mechanism: "PLAIN", "user": "jason", "pwd": ”secret", "digestPassword": false }); HelloWorld.py from pymongo import MongoClient # MongoDB Connection URI and Establish Connection uri = "mongodb://jason:terpko@localhost:27018/prod?authMechanism=PLAIN&authSource=$external” client = MongoClient(uri) …

slide-10
SLIDE 10

MongoDB Enterprise

www.objectrocket.com

10

  • Kerberos
  • Authentication
  • Authorization
  • Ops Manager
slide-11
SLIDE 11

MongoDB Enterprise Advance

www.objectrocket.com

11

An enterprise replacement for MongoDB Community Server All MongoDB 3.4 Community Features Ops Manager Optional Engines Enhanced Security Additional Software

slide-12
SLIDE 12

Enterprise Authentication and Authorization

www.objectrocket.com

12

  • Kerberos Authentication
  • LDAP Authorization
slide-13
SLIDE 13

Kerberos Authentication

www.objectrocket.com

13

TGT request Ticket GSSAPI OK Cache Validate OK

slide-14
SLIDE 14

Kerberos

www.objectrocket.com

14

A session ticket that authenticates a client to Kerberos enabled host and services.

# klist krb5cc_12345 Ticket cache: FILE:krb5cc_12345 Default principal: jason@DATA.COM Valid starting Expires Service principal 01/01/2017 05:28:34 01/01/2017 17:28:34 krbtgt/DATA.COM@DATA.COM renew until 01/08/2017 05:28:34

User Ticket Cache:

*Active Directory Configured **Client Kerberos Configured

slide-15
SLIDE 15

Service Principle

www.objectrocket.com

15 env KRB5_KTNAME=<path to keytab file> mongod -f /etc/mongod.conf

Starting MongoD with Kerberos Service Principle

# klist Ticket cache: FILE:krb5cc_0 … Valid starting Expires Service principal 01/01/2017 05:28:34 01/01/2017 17:28:34 mongodb/server1.data.com@DATA.COM renew until 01/08/2017 05:28:34

slide-16
SLIDE 16

Mongod Configuration (security.)

www.objectrocket.com

16

security: authorization: enabled keyFile: /etc/mongo.key ldap: authz: queryTemplate: DC=DATA,DC=COM??sub?(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={USER})) bind: method: simple queryPassword: <secret> queryUser: bind@data.com servers: ldap.data.com:636 transportSecurity: tls userToDNMapping: '[{match : "(.+)",ldapQuery:"DC=DATA,DC=COM??sub?(userPrincipalName={0})"}]' setParameter: authenticationMechanisms: GSSAPI

/etc/mongod.conf

slide-17
SLIDE 17

Mongod Configuration (security.)

www.objectrocket.com

17

security: authorization: enabled keyFile: /etc/mongo.key ldap: authz: queryTemplate: DC=DATA,DC=COM??sub?(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={USER})) bind: method: simple queryPassword: <secret> queryUser: bind@data.com servers: ldap.data.com:636 transportSecurity: tls userToDNMapping: '[{match : "(.+)",ldapQuery:"DC=DATA,DC=COM??sub?(userPrincipalName={0})"}]' setParameter: authenticationMechanisms: GSSAPI

/etc/mongod.conf

slide-18
SLIDE 18

Mongod Configuration (security.)

www.objectrocket.com

18

security: authorization: enabled keyFile: /etc/mongo.key ldap: authz: queryTemplate: DC=DATA,DC=COM??sub?(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={USER})) bind: method: simple queryPassword: <secret> queryUser: bind@data.com servers: ldap.data.com:636 transportSecurity: tls userToDNMapping: '[{match : "(.+)",ldapQuery:"DC=DATA,DC=COM??sub?(userPrincipalName={0})"}]' setParameter: authenticationMechanisms: GSSAPI

/etc/mongod.conf

slide-19
SLIDE 19

LDAP Authorization

www.objectrocket.com

19

Cache Authz request LDAP Query memberOf Authorized

slide-20
SLIDE 20

Client Authentication

www.objectrocket.com

20 db.getSiblingDB("admin").createRole( { role: "CN=dba,DC=data,DC=com", privileges: [], roles: [ "userAdminAnyDatabase", "readWriteAnyDatabase", "dbAdminAnyDatabase", "clusterAdmin" ] }); db.getSiblingDB("$external").auth({mechanism: "GSSAPI", "user": "jason@DATA.COM" });

HelloWorld.py from pymongo import MongoClient # MongoDB Connection URI and Establish Connection uri="mongodb://jason%40DATA.COM@server1.data.com:27017,.../?replicaSet=rs1&authMechanism=GSSAPI&ssl=true” client=MongoClient(uri) …

slide-21
SLIDE 21

Ops Manager

www.objectrocket.com

21

Alternatively manage your deployment with Ops Manager.

slide-22
SLIDE 22

Questions?

www.objectrocket.com

22

slide-23
SLIDE 23

Rate My Session

www.objectrocket.com

23

slide-24
SLIDE 24

www.objectrocket.com

24

We’re Hiring!

Looking to join a dynamic & innovative team? https://www.objectrocket.com/careers/

  • r email careers@objectrocket.com
slide-25
SLIDE 25

Thank you!

Address: 100 Congress Ave Suite 400 Austin, TX 78701 Support: 1-800-961-4454 Sales: 1-888-440-3242 www.objectrocket.com

25