external authentication with percona server for mongodb
play

External Authentication with Percona Server for MongoDB and MongoDB - PowerPoint PPT Presentation

Jan 06, 2024 •170 likes •430 views

External Authentication with Percona Server for MongoDB and MongoDB Enterprise Jason Terpko DBA @ Rackspace/ObjectRocket linkedin.com/in/jterpko 1 Overview Percona Server For MongoDB o SASL and LDAP o MongoDB Enterprise o Kerberos and

  1. External Authentication with Percona Server for MongoDB and MongoDB Enterprise Jason Terpko DBA @ Rackspace/ObjectRocket linkedin.com/in/jterpko 1

  2. Overview Percona Server For MongoDB o SASL and LDAP o MongoDB Enterprise o Kerberos and Active Directory o Ops Manager o www.objectrocket.com 2

  3. Percona Server For MongoDB An enhanced free open source replacement for MongoDB Community Server All MongoDB 3.4 Community Features � SASL Authentication � More Engine Options � Hot Backup � Auditing www.objectrocket.com 3

  4. External Authentication LDAP o SASL o Authentication o www.objectrocket.com 4

  5. Centralized Authentication LDAP (Lightweight Directory Access Protocol) and Microsoft Active Directory OpenLDAP Active Directory # extended LDIF # extended LDIF ... ... dn: uid=jason,ou=dba,dc=data,dc=com dn: CN=Jason,OU=Users,DC=data,DC=com ... ... cn: jasonuid: jason cn: Jason uidNumber: 9999 memberOf: CN=dba,OU=Mongo,DC=data,DC=com gidNumber: 100 ... ... sAMAccountName: jason userPassword:: <secret> userPrincipalName: jason@data.com www.objectrocket.com 5

  6. SASL Authentication PLAIN Auth Init SASL Yes/No Yes/No SASL Auth Yes Yes OK www.objectrocket.com 6

  7. Mongos / Server Configuration /etc/mongos.conf security: keyFile: /etc/mongo.key setParameter: authenticationMechanisms: PLAIN,SCRAM-SHA-1 /etc/sysconfig/saslauthd SOCKETDIR=/run/saslauthd MECH=ldap FLAGS="-O /etc/saslauthd.conf" *LDAP Already Configured www.objectrocket.com 7

  8. Mongos / Server Configuration /etc/saslauthd.conf ldap_servers: ldap://127.0.0.1:389 ldap_search_base: dc=data,dc=com ldap_filter: (uid=%u) ldap_bind_dn: uid=bind,ou=People,dc=data,dc=com ldap_password: <secret> /etc/sasl2/mongodb.conf pwcheck_method: saslauthd saslauthd_path: /var/run/saslauthd/mux log_level: 1 mech_list: plain *LDAP Already Configured www.objectrocket.com 8

  9. Authentication db.getSiblingDB("$external").createUser({user : 'jason', roles: [ {role : "readWrite", db: 'prod'} ] }); db.getSiblingDB("$external").auth({mechanism: "PLAIN", "user": "jason", "pwd": ”secret", "digestPassword": false }); HelloWorld.py from pymongo import MongoClient # MongoDB Connection URI and Establish Connection uri = "mongodb://jason:terpko@localhost:27018/prod?authMechanism=PLAIN&authSource=$external” client = MongoClient(uri) … www.objectrocket.com 9

  10. MongoDB Enterprise Kerberos o Authentication o Authorization o Ops Manager o www.objectrocket.com 10

  11. MongoDB Enterprise Advance An enterprise replacement for MongoDB Community Server All MongoDB 3.4 Community Features � Ops Manager � Optional Engines � Enhanced Security � Additional Software www.objectrocket.com 11

  12. Enterprise Authentication and Kerberos Authentication o Authorization LDAP Authorization o www.objectrocket.com 12

  13. Kerberos Authentication TGT request Ticket OK Validate GSSAPI OK Cache www.objectrocket.com 13

  14. Kerberos A session ticket that authenticates a client to Kerberos enabled host and services. User Ticket Cache: # klist krb5cc_12345 Ticket cache: FILE:krb5cc_12345 Default principal: jason@DATA.COM Valid starting Expires Service principal 01/01/2017 05:28:34 01/01/2017 17:28:34 krbtgt/DATA.COM@DATA.COM renew until 01/08/2017 05:28:34 *Active Directory Configured **Client Kerberos Configured www.objectrocket.com 14

  15. Service Principle Starting MongoD with Kerberos env KRB5_KTNAME=<path to keytab file> mongod -f /etc/mongod.conf Service Principle # klist Ticket cache: FILE:krb5cc_0 … Valid starting Expires Service principal 01/01/2017 05:28:34 01/01/2017 17:28:34 mongodb/server1.data.com@DATA.COM renew until 01/08/2017 05:28:34 www.objectrocket.com 15

  16. Mongod Configuration (security.) /etc/mongod.conf security: authorization: enabled keyFile: /etc/mongo.key ldap: authz: queryTemplate: DC=DATA,DC=COM??sub?(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={USER})) bind: method: simple queryPassword: <secret> queryUser: bind@data.com servers: ldap.data.com:636 transportSecurity: tls userToDNMapping: '[{match : "(.+)",ldapQuery:"DC=DATA,DC=COM??sub?(userPrincipalName={0})"}]' setParameter: authenticationMechanisms: GSSAPI www.objectrocket.com 16

  17. Mongod Configuration (security.) /etc/mongod.conf security: authorization: enabled keyFile: /etc/mongo.key ldap: authz: queryTemplate: DC=DATA,DC=COM??sub?(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={USER})) bind: method: simple queryPassword: <secret> queryUser: bind@data.com servers: ldap.data.com:636 transportSecurity: tls userToDNMapping: '[{match : "(.+)",ldapQuery:"DC=DATA,DC=COM??sub?(userPrincipalName={0})"}]' setParameter: authenticationMechanisms: GSSAPI www.objectrocket.com 17

  18. Mongod Configuration (security.) /etc/mongod.conf security: authorization: enabled keyFile: /etc/mongo.key ldap: authz: queryTemplate: DC=DATA,DC=COM??sub?(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={USER})) bind: method: simple queryPassword: <secret> queryUser: bind@data.com servers: ldap.data.com:636 transportSecurity: tls userToDNMapping: '[{match : "(.+)",ldapQuery:"DC=DATA,DC=COM??sub?(userPrincipalName={0})"}]' setParameter: authenticationMechanisms: GSSAPI www.objectrocket.com 18

  19. LDAP Authorization LDAP Query memberOf Authz request Cache Authorized www.objectrocket.com 19

  20. Client Authentication db.getSiblingDB("admin").createRole( { role: "CN=dba,DC=data,DC=com", privileges: [], roles: [ "userAdminAnyDatabase", "readWriteAnyDatabase", "dbAdminAnyDatabase", "clusterAdmin" ] }); db.getSiblingDB("$external").auth({mechanism: "GSSAPI", "user": "jason@DATA.COM" }); HelloWorld.py from pymongo import MongoClient # MongoDB Connection URI and Establish Connection uri="mongodb://jason%40DATA.COM@server1.data.com:27017,.../?replicaSet=rs1&authMechanism=GSSAPI&ssl=true” client=MongoClient(uri) … www.objectrocket.com 20

  21. Ops Manager Alternatively manage your deployment with Ops Manager. www.objectrocket.com 21

  22. Questions? www.objectrocket.com 22

  23. Rate My Session www.objectrocket.com 23

  24. We’re Hiring! Looking to join a dynamic & innovative team? https://www.objectrocket.com/careers/ or email careers@objectrocket.com www.objectrocket.com 24

  25. Thank you! Address: 100 Congress Ave Suite 400 Austin, TX 78701 Support: 1-800-961-4454 Sales: 1-888-440-3242 www.objectrocket.com 25

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Percona Backup for MongoDB Akira Kurogane Percona 3 - 2 - 1 MongoDB Percona Server for

Percona Backup for MongoDB Akira Kurogane Percona 3 - 2 - 1 MongoDB Percona Server for

Percona Backup for MongoDB Akira Kurogane Percona 3 - 2 - 1 MongoDB Percona Server for MongoDB Community Edition MongoDB Enterprise Edition Replica Set Cluster Percona Backup for MongoDB 2 Elements of MongoDB Backups 3 MongoDB oplog

1.43k views • 38 slides
What's New in Percona Server for MongoDB? 2019 Q3: Enterprise Enhancements and v4.2 4:00 PM -

What's New in Percona Server for MongoDB? 2019 Q3: Enterprise Enhancements and v4.2 4:00 PM -

What's New in Percona Server for MongoDB? 2019 Q3: Enterprise Enhancements and v4.2 4:00 PM - 4:50 PM - Room B About Adamo and Akira Two of the most experienced MongoDB field experts in the world. Adamo w/ MongoDB: 2013 ~ MongoDB: 2009 ~

811 views • 66 slides
Mesosphere and Percona Server for MongoDB Peter Schwaller, Senior Director Server Eng. (Percona)

Mesosphere and Percona Server for MongoDB Peter Schwaller, Senior Director Server Eng. (Percona)

Mesosphere and Percona Server for MongoDB Peter Schwaller, Senior Director Server Eng. (Percona) Taco Scargo, Senior Solution Engineer (Mesosphere) Mesosphere DC/OS MICROSERVICES, CONTAINERS, &amp; DEV TOOLS DATA SERVICES, MACHINE LEARNING,

307 views • 18 slides
Mesosphere and Percona Server for MongoDB Jeff Sandstrom, Product Manager (Percona) Ravi Yadav,

Mesosphere and Percona Server for MongoDB Jeff Sandstrom, Product Manager (Percona) Ravi Yadav,

Mesosphere and Percona Server for MongoDB Jeff Sandstrom, Product Manager (Percona) Ravi Yadav, Tech. Partnerships Lead (Mesosphere) Mesosphere DC/OS MICROSERVICES, CONTAINERS, &amp; DEV TOOLS DATA SERVICES, MACHINE LEARNING, &amp; AI Broad

482 views • 18 slides
Database Encryption for MongoDB Peter Schwaller Senior Director Server Engineering, Percona

Database Encryption for MongoDB Peter Schwaller Senior Director Server Engineering, Percona

Open Source Transparent Database Encryption for MongoDB Peter Schwaller Senior Director Server Engineering, Percona Agenda Why encrypt? What gets encrypted? What is supported where? How does it all work? Future of open

227 views • 11 slides
Percona Server for MySQL 8.0 Laurynas Biveinis Percona First of All, What Is Percona Server

Percona Server for MySQL 8.0 Laurynas Biveinis Percona First of All, What Is Percona Server

Percona Server for MySQL 8.0 Laurynas Biveinis Percona First of All, What Is Percona Server for MySQL? a free, fully compatible, enhanced and open source drop-in replacement for any MySQL database 2 First of All, What Is

2.47k views • 28 slides
MongoDB Backups, All Grown up! David Murphy David Murphy MongoDB Practice Manager for Percona

MongoDB Backups, All Grown up! David Murphy David Murphy MongoDB Practice Manager for Percona

MongoDB Backups, All Grown up! David Murphy David Murphy MongoDB Practice Manager for Percona Past highlights MySQL &amp; NoSQL Architect for Electronic Arts Original and Lead DBA for Objectrocket, the performance DBaaS for MongoDB

765 views • 30 slides
External Identity and Authentication Providers For Apache HTTP Server Jan Pazdziora Principal

External Identity and Authentication Providers For Apache HTTP Server Jan Pazdziora Principal

External Identity and Authentication Providers For Apache HTTP Server Jan Pazdziora Principal Software Engineer Identity Management Engineering, Red Hat 17 th November 2014 Basic Authentication The only authentication option in 1996 when

393 views • 21 slides
Running MongoDB in Production Tim Vaillancourt Sr Technical Operations Architect, Percona

Running MongoDB in Production Tim Vaillancourt Sr Technical Operations Architect, Percona

Running MongoDB in Production Tim Vaillancourt Sr Technical Operations Architect, Percona `whoami` { name: tim, lastname: vaillancourt, employer: percona, techs: [ mongodb, mysql, cassandra,

1.89k views • 124 slides
Building an Enterprise Grade PostgreSQL Using Open Source Tools and Extensions Avinash Vallarapu

Building an Enterprise Grade PostgreSQL Using Open Source Tools and Extensions Avinash Vallarapu

Building an Enterprise Grade PostgreSQL Using Open Source Tools and Extensions Avinash Vallarapu Percona Enterprise-Grade Support For Any Database Percona Server for MySQL Percona XtraDB Cluster Percona Server for MongoDB

521 views • 16 slides
Time-Series Data in MongoDB on a Budget Peter Schwaller Senior Director Server Engineering,

Time-Series Data in MongoDB on a Budget Peter Schwaller Senior Director Server Engineering,

Time-Series Data in MongoDB on a Budget Peter Schwaller Senior Director Server Engineering, Percona Santa Clara, California | April 23th 25th, 2018 TIME SERIES DATA in MongoDB on a Budget Click to add text What is Time-Series Data?

585 views • 43 slides
MongoDB Analysis with Prometheus and Grafana Akira Kurogane Percona Talk Overview The

MongoDB Analysis with Prometheus and Grafana Akira Kurogane Percona Talk Overview The

MongoDB Analysis with Prometheus and Grafana Akira Kurogane Percona Talk Overview The 'math' in MongoDB metrics MongoDB's counters and 'gauges' mongodb_exporter metrics Prometheus equations PMM's Grafana dashboards

1.06k views • 31 slides
Deploying MySQL and MongoDB in Kubernetes Alexander Rubin Percona About me Working with

Deploying MySQL and MongoDB in Kubernetes Alexander Rubin Percona About me Working with

Deploying MySQL and MongoDB in Kubernetes Alexander Rubin Percona About me Working with MySQL for 10-15 years Started at MySQL AB, Sun Microsystems, Oracle (MySQL Consulting) Joined Percona in 2013 2 What is Kubernetes?

734 views • 60 slides
MongoDB Backup and Recovery Field Guide Tim Vaillancourt Sr Technical Operations Architect,

MongoDB Backup and Recovery Field Guide Tim Vaillancourt Sr Technical Operations Architect,

MongoDB Backup and Recovery Field Guide Tim Vaillancourt Sr Technical Operations Architect, Percona `whoami` { name: tim, lastname: vaillancourt, employer: percona, techs: [ mongodb, mysql, cassandra,

463 views • 24 slides
MySQL/Percona Server/MariaDB Server security features overview Colin Charles, Chief Evangelist,

MySQL/Percona Server/MariaDB Server security features overview Colin Charles, Chief Evangelist,

MySQL/Percona Server/MariaDB Server security features overview Colin Charles, Chief Evangelist, Percona Inc. colin.charles@percona.com / byte@bytebot.net http://bytebot.net/blog/ | @bytebot on Twitter Percona Live Santa Clara 2018, Santa Clara,

681 views • 64 slides
In-depth Percona Server/MySQL encryption Robert Golebiowski Percona Keyrings Keyrings

In-depth Percona Server/MySQL encryption Robert Golebiowski Percona Keyrings Keyrings

In-depth Percona Server/MySQL encryption Robert Golebiowski Percona Keyrings Keyrings General Concept Plugin installation - always successful - keyrings variables may need correction - keyring_vault_config - keyring_file_data 3

780 views • 47 slides
CS378 - Mobile Computing Audio Android Audio Use the MediaPlayer class Common Audio

CS378 - Mobile Computing Audio Android Audio Use the MediaPlayer class Common Audio

CS378 - Mobile Computing Audio Android Audio Use the MediaPlayer class Common Audio Formats supported: MP3, MIDI (.mid and others), Vorbis (.ogg), WAVE (.wav) and others Sources of audio local resources (part of app)

463 views • 29 slides
How to Publish Linked Data on the Web Tom Heath, Michael Hausenblas, Chris Bizer, Richard

How to Publish Linked Data on the Web Tom Heath, Michael Hausenblas, Chris Bizer, Richard

How to Publish Linked Data on the Web Tom Heath, Michael Hausenblas, Chris Bizer, Richard Cyganiak, Olaf Hartig Half-day Tutorial at ISWC2008 27th October 2008, Karlsruhe, Germany Objectives Introduce the concept of Linked Data

1.68k views • 142 slides
Limitless HTTP in an HTTPS World Inferring the Semantics of the HTTPS Protocol without Decryption

Limitless HTTP in an HTTPS World Inferring the Semantics of the HTTPS Protocol without Decryption

Limitless HTTP in an HTTPS World Inferring the Semantics of the HTTPS Protocol without Decryption Blake Anderson, PhD ; Andrew Chi ; Scott Dunlop ; and David McGrew, PhD Cisco, University of North Carolina contact:

363 views • 22 slides
STORAGE CONTENT PROVIDER Storage File System Linux OS Internal External (Flash Memory) (SD

STORAGE CONTENT PROVIDER Storage File System Linux OS Internal External (Flash Memory) (SD

STORAGE CONTENT PROVIDER Storage File System Linux OS Internal External (Flash Memory) (SD card) ..\AppData\Local\Android\sdk\platform-tools\adb Exploring the file system File System Android allows to persists application data via the

560 views • 31 slides
Caching in with Resolvers Norman Walsh http://www.sun.com/ XML Conference &amp; Exposition 2003

Caching in with Resolvers Norman Walsh http://www.sun.com/ XML Conference &amp; Exposition 2003

Caching in with Resolvers Norman Walsh http://www.sun.com/ XML Conference &amp; Exposition 2003 07-12 December 2003 Version 1.0 Introduction Using URIs The Problem Solutions Catalog-based Resolution Proxy Caches

1.26k views • 47 slides
1 day of crud seen at ICSI (155K times) active-connection- DNS-label-len-gt-pkt

1 day of crud seen at ICSI (155K times) active-connection- DNS-label-len-gt-pkt

1 day of crud seen at ICSI (155K times) active-connection- DNS-label-len-gt-pkt HTTP-chunked- possible-split-routing reuse multipart bad-Ident-reply DNS-label-too-long HTTP-version- SYN-after-close mismatch bad-RPC

486 views • 11 slides
Hands-on with CoAP Embrace the Internet of Things! Matthias Kovatsch Julien Vermillard Follow

Hands-on with CoAP Embrace the Internet of Things! Matthias Kovatsch Julien Vermillard Follow

Hands-on with CoAP Embrace the Internet of Things! Matthias Kovatsch Julien Vermillard Follow the slides http://goo.gl/LLQ03w Your devoted presenters :-) Julien Vermillard / @vrmvrm Software Engineer at Sierra Wireless http://airvantage.net

761 views • 64 slides
Framework Fulvio Corno, Laura Farinetti Politecnico di Torino Dipartimento di Automatica e

Framework Fulvio Corno, Laura Farinetti Politecnico di Torino Dipartimento di Automatica e

RDF Resource Description Framework Fulvio Corno, Laura Farinetti Politecnico di Torino Dipartimento di Automatica e Informatica e-Lite Research Group http://elite.polito.it Outline RDF Design objectives RDF General structure

926 views • 66 slides

More recommend