MongoDB in Enterprise Companies - Use Cases Adamo, Dimitri We.. - - PowerPoint PPT Presentation



SLIDE 1

MongoDB in Enterprise Companies - Use Cases

Adamo, Dimitri

SLIDE 2

We..

Adamo Tonete, Support Engineer, São Paulo, Brazil
Dimitri Vanoverbeke, Solutions Engineer, Bruges, Belgium (@dim0 on twitter)

SLIDE 3

Agenda

  • Security
  • Auditing
  • Other features
  • Support
  • Tools
SLIDE 4

Users and Roles

SLIDE 5

Use Case

  • Data access processes are essential for compliance

  • E.g. health care data is not only sensitive but is also protected by law

    ○ Roles can define which user/group can access the sensitive data

  • Data access roles are essential for security

    ○ Your organisation has a support team that needs to be able to read the information, but full access might open a new can of worms
    ○ Roles can protect you against user errors (PEBKAC situations)

SLIDE 6

Default Roles

  • read
  • readWrite
  • dbAdmin
  • dbOwner
  • userAdmin
  • clusterAdmin
  • clusterMonitor
  • clusterManager
  • hostManager
  • backup
  • restore
  • readAnyDatabase
  • readWriteAnyDatabase
  • userAdminAnyDatabase
  • dbAdminAnyDatabase
  • root
  • __system
SLIDE 7

Default Roles

use admin
db.createUser({user :'admin', pwd: '123', roles : ["root"]})

SLIDE 8

Default Roles

use admin
db.createUser({user :'intern', pwd: '123', roles : ["readAnyDatabase"]})

SLIDE 9

Default Roles

https://docs.mongodb.com/manual/reference/privilege-actions/

db.createRole({
  role : 'write_foo2_Collection',
  privileges : [
    {resource : {db : "percona", collection : "foo2"}, actions : ["insert","remove"]}
  ],
  roles : ["read"]
})

SLIDE 10

Personalized Role

https://www.percona.com/blog/2017/05/17/mongodb-authentication-and-roles-creating-your-first-personalized-role/
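As an added illustration of the role model behind the createRole and createUser slides (not code from the presentation or from MongoDB itself), the snippet below models how granted roles resolve into an allow/deny decision, so a custom role such as write_foo2_Collection can be reviewed for least privilege before it is deployed. It assumes, as in MongoDB's privilege resource documents, that an empty db or collection acts as a wildcard, and the role catalogue is a constructed, simplified subset.

```javascript
// Added example (not from the slides or from MongoDB's code base): a simplified
// model of how MongoDB turns role grants into an allow/deny decision, so that a
// custom role such as write_foo2_Collection can be reviewed for least privilege.
// Assumptions: resource {db: "", collection: ""} matches any db/collection (as in
// MongoDB's privilege resource documents), and roles may inherit other roles.

// Constructed catalogue: two built-in roles modelled with a few actions each,
// plus the custom role from the createRole slide (created in the "percona" db,
// so its inherited "read" applies to that db only).
const ROLE_CATALOGUE = {
  read: {
    privileges: [{ resource: { db: "percona", collection: "" }, actions: ["find", "listIndexes"] }],
    roles: [],
  },
  readAnyDatabase: {
    privileges: [{ resource: { db: "", collection: "" }, actions: ["find", "listIndexes"] }],
    roles: [],
  },
  write_foo2_Collection: {
    privileges: [{ resource: { db: "percona", collection: "foo2" }, actions: ["insert", "remove"] }],
    roles: ["read"],
  },
};

// Flatten a list of granted roles into the privileges they carry, following
// role inheritance; a role reached twice (or cyclically) is visited once.
function effectivePrivileges(roleNames, catalogue = ROLE_CATALOGUE) {
  const seen = new Set();
  const privileges = [];
  const visit = (name) => {
    if (seen.has(name)) return;
    seen.add(name);
    const role = catalogue[name];
    if (!role) throw new Error(`unknown role: ${name}`);
    privileges.push(...role.privileges);
    role.roles.forEach(visit);
  };
  roleNames.forEach(visit);
  return privileges;
}

// An empty db or collection in the privilege resource acts as a wildcard.
function resourceMatches(resource, db, collection) {
  return (resource.db === "" || resource.db === db) &&
    (resource.collection === "" || resource.collection === collection);
}

// Decide whether a user holding `roleNames` may run `action` on db.collection.
function isAllowed(roleNames, action, db, collection, catalogue = ROLE_CATALOGUE) {
  return effectivePrivileges(roleNames, catalogue).some(
    (p) => resourceMatches(p.resource, db, collection) && p.actions.includes(action));
}
```

With this model the intern from SLIDE 8 can read any collection but cannot insert anywhere, while write_foo2_Collection can insert and remove on percona.foo2 only and reads the rest of the percona database through the inherited read role.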

SLIDE 11

LDAP

SLIDE 12

Use case

  • With a large number of MongoDB servers, simple authentication would require you to maintain each server's user/group list
  • Removing access to the infrastructure might be troublesome
  • Compliance reasons might require you to centralise access credentials
SLIDE 13

LDAP

Authorization vs Authentication

While authentication proves who you are, authorization checks what can be done under a specific account.

SLIDE 14

LDAP

  • LDAP stands for Lightweight Directory Access Protocol; it is an open protocol that allows applications to share users across the network.
  • Microsoft has its own service called Active Directory; other implementations include IBM TDS, OpenLDAP, ...

SLIDE 15

LDAP

LDAP Tree/Domain

http://www.openldap.org/doc/admin22/intro.html

SLIDE 16

Log Redaction

SLIDE 17

Use case

Access to the database is not the only avenue for stealing information. Logs can contain data that is sensitive to a company, and if that data is not fully protected we can have a data breach.

SLIDE 18

Log Redaction - Raw

{ name: "MongoDB Internal Client", version: "3.6.7-1.5" }, os: { type: "Linux", name: "Ubuntu", architecture: "x86_64", version: "16.04" } } 2018-10-22T13:06:45.770+0000 I COMMAND [conn1] command percona.foo appName: "MongoDB Shell" command: find { find: "foo", filter: { credit_card: "734310273827328", name: "Adamo" }, $db: "percona" } planSummary: COLLSCAN keysExamined:0 docsExamined:1167744 cursorExhausted:1 numYields:9123 nreturned:0 reslen:84 locks:{ Global: { acquireCount: { r: 18248 } }, Database: { acquireCount: { r: 9124 } }, Collection: { acquireCount: { r: 9124 } } } protocol:op_msg 567ms

SLIDE 19

Log Redaction

2018-10-22T13:11:00.023+0000 I COMMAND [conn1] command percona.foo appName: "MongoDB Shell" command: find { find: "###", filter: { credit_card: "###", name: "###" }, $db: "###" } planSummary: ### keysExamined:0 docsExamined:1167744 cursorExhausted:1 numYields:9123 nreturned:0 reslen:84 locks:{ Global: { acquireCount: { r: 18248 } }, Database: { acquireCount: { r: 9124 } }, Collection: { acquireCount: { r: 9124 } } } protocol:op_msg 572ms

SLIDE 20

Log Redaction

2018-10-22T13:00:23.530+0000 I COMMAND [conn2] command percona.foo appName: "MongoDB Shell" command: insert { insert: "###", ordered: "###", $db: "###" } ninserted:1 keysInserted:1 numYields:0 reslen:29 locks:{ Global: { acquireCount: { r: 1, w: 1 } }, Database: { acquireCount: { w: 1 } }, Collection: { acquireCount: { w: 1 } } } protocol:op_msg 11ms

SLIDE 21

Auditing

SLIDE 22

Use Case

Databases are there to be used; however, it is difficult to keep track of the actions performed on the infrastructure.

  • Drop collection/data situations
  • Security and access compliance
  • Analysing application behaviour
SLIDE 23

Auditing

  • Percona Server for MongoDB
  • MongoDB enterprise
SLIDE 24

Auditing

  • Auditing allows us to record only certain types of queries and commands.
  • We can choose between saving to a text file, a BSON file or JSON.
  • Later the data can be processed to generate useful information for the security team.

SLIDE 25

Auditing

{"atype":"authenticate","ts":{"$date":"2017-02-14T14:11:29.975+0100"},"local":{"ip":"127.0.1.1","port":27017},"remote":{"ip":"127.0.0.1","port":42634},"users":[],"roles":[],"param":{"user":"root","db":"admin","mechanism":"SCRAM-SHA-1"},"result":18}
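The slide shows one audit event; the added example below (not tooling from Percona or MongoDB) shows the kind of processing the previous slide has in mind for the security team: it parses a JSON audit log, one event per line, counts failed authentications per client address and lists drop operations with the user that issued them. The sample log is constructed around the slide's event, and the example assumes MongoDB's error code 18 (AuthenticationFailed) and 0 (success) in the result field.

```javascript
// Added example (not from the slides or from Percona/MongoDB tooling): a small
// defender-side pass over a MongoDB audit log in JSON format, one event per
// line as shown on the slide. It counts failed authentications per remote IP
// (result 18 is MongoDB's AuthenticationFailed code, 0 is success) and lists
// drop operations, which the "drop collection/data" use case asks for.

// Constructed sample log: the slide's event plus a few constructed lines.
const SAMPLE_AUDIT_LOG = [
  '{"atype":"authenticate","ts":{"$date":"2017-02-14T14:11:29.975+0100"},"local":{"ip":"127.0.1.1","port":27017},"remote":{"ip":"127.0.0.1","port":42634},"users":[],"roles":[],"param":{"user":"root","db":"admin","mechanism":"SCRAM-SHA-1"},"result":18}',
  '{"atype":"authenticate","ts":{"$date":"2017-02-14T14:11:31.101+0100"},"local":{"ip":"127.0.1.1","port":27017},"remote":{"ip":"127.0.0.1","port":42635},"users":[],"roles":[],"param":{"user":"root","db":"admin","mechanism":"SCRAM-SHA-1"},"result":18}',
  '{"atype":"authenticate","ts":{"$date":"2017-02-14T14:11:33.420+0100"},"local":{"ip":"127.0.1.1","port":27017},"remote":{"ip":"127.0.0.1","port":42636},"users":[],"roles":[],"param":{"user":"root","db":"admin","mechanism":"SCRAM-SHA-1"},"result":18}',
  '{"atype":"authenticate","ts":{"$date":"2017-02-14T14:12:02.007+0100"},"local":{"ip":"127.0.1.1","port":27017},"remote":{"ip":"10.0.0.5","port":51000},"users":[],"roles":[],"param":{"user":"dba","db":"admin","mechanism":"SCRAM-SHA-1"},"result":0}',
  '{"atype":"dropCollection","ts":{"$date":"2017-02-14T14:12:09.300+0100"},"local":{"ip":"127.0.1.1","port":27017},"remote":{"ip":"10.0.0.5","port":51000},"users":[{"user":"dba","db":"admin"}],"roles":[{"role":"dbOwner","db":"percona"}],"param":{"ns":"percona.foo"},"result":0}',
].join("\n");

// One JSON document per line; blank lines are skipped.
function parseAuditLog(text) {
  return text.split("\n").filter((l) => l.trim() !== "").map((l) => JSON.parse(l));
}

// Summarise the events: failed logins per source IP, sources at or above the
// threshold, and every drop of a collection or database with who issued it.
function analyseAudit(events, failThreshold = 3) {
  const failedByRemote = {};
  const drops = [];
  for (const ev of events) {
    if (ev.atype === "authenticate" && ev.result !== 0) {
      failedByRemote[ev.remote.ip] = (failedByRemote[ev.remote.ip] || 0) + 1;
    } else if (ev.atype === "dropCollection" || ev.atype === "dropDatabase") {
      drops.push({
        ts: ev.ts.$date,
        ns: ev.param.ns,
        by: ev.users.map((u) => `${u.user}@${u.db}`).join(",") || "(unauthenticated)",
      });
    }
  }
  const suspiciousRemotes = Object.keys(failedByRemote).filter((ip) => failedByRemote[ip] >= failThreshold);
  return { failedByRemote, suspiciousRemotes, drops };
}

// Run the analysis over the constructed sample.
function analyseSample() {
  return analyseAudit(parseAuditLog(SAMPLE_AUDIT_LOG));
}
```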

SLIDE 26

TDE - Transparent Data Encryption

SLIDE 27

TDE - use cases

A required feature for PCI/HIPAA/GDPR compliance and a good practice in security.

  • E.g. system engineers on your infrastructure do not need access to the data, DBAs do.

TDE is one of the most demanded features for enterprise companies.

SLIDE 28

TDE

Percona Server for MongoDB 3.6.8-2.0 now offers TDE using local key management. This is our first step towards fully supporting all the major enterprise features, and we are working on third-party key management for future releases. MongoDB Enterprise offers TDE with a local key or third-party vaults.

SLIDE 29

TDE

  • Some overhead may be more visible when using LUKS (disk encryption), but the overall overhead in WiredTiger can be negligible, as we are trading speed for security

SLIDE 30

TDE

Consequences

  • Added complexity during DR
  • If the encryption key is lost, no one can read the files.
SLIDE 31

TLS/SSL

SLIDE 32

Use cases

Encryption at rest only protects data on the server itself. Encryption in transit protects you against breaches on other servers.

  • E.g. one of your monitoring servers is in the same subnet as your database environment; sniffing that subnet gives the ability to read the transactions.

SLIDE 33

TLS/SSL

By default, all communication between mongod instances and clients is unencrypted, which leaves room to sniff packets. And this is as easy as:

sudo tcpdump dst port 27017 -A -s 1240 -ttt -w tcpdump.tcp -i eth0

SLIDE 34

TLS/SSL

I've run an insert in the database with the following values:

> use percona
switched to db percona
> db.creditcard.insert({number : '123456753443435', code : '123', name : 'Adamo'})
WriteResult({ "nInserted" : 1 })
> exit

SLIDE 35

TLS/SSL

SLIDE 36

TLS/SSL

SLIDE 37

Backups

SLIDE 38

Use case

Do we really need to explain?

SLIDE 39

MongoDump

Standard utility for making a binary export of MongoDB data. Output is:

<directory>
  • Mydatabase (folder)
      • Mycollection.bson
      • Mycollection.metadata.json
      • system.indexes.bson
SLIDE 40

Consistent Backup

  • Works on replica sets and sharded clusters
  • Creates consistent backups
  • Runs multiple mongodumps
  • Keeps track of changes in the oplog (oplog tail)
  • Labs
  • Upload to S3 possible
SLIDE 41

Atlas (MongoDB)

  • Fully managed backup solution
  • $$$
  • Continuous backups
    ○ Consistent backups using a marker on shards (mongos)
  • Cloud snapshots (AWS and Azure)
SLIDE 42

Hot Backup (PSMDB)

  • Included in Percona Server for MongoDB
  • Lightweight backup solution
  • Point-in-time backup
  • Performs WiredTiger snapshots (comparable to LVM snapshots, but at the database level)

SLIDE 43

Specific use cases: Storage Engine

SLIDE 44

Use cases

In some cases you have a specific workload:

  • Massive inserts, sporadic data access
  • Significant caching requirements
  • Requiring predictable latency for reads
SLIDE 45

Percona Memory Engine

100% open source solution. Focuses on delivering:

  • High performance reads with predictable latency
  • Can replace memcached for sessions
  • High speed data manipulation
SLIDE 46

Support

Just come to us! Compare on our website if you want!

SLIDE 47

Tools

SLIDE 48

Tools

  • mongostat
  • mongotop
  • mongoreplay
  • PMM and QAN
  • $ MongoDB Cloud
  • Compass
  • 3rd party tools (http://mongodb-tools.com)

SLIDE 49

Wrapping up

SLIDE 50

Wrapping up

It is possible to have almost the same features as MongoDB Enterprise for free using Percona Server for MongoDB. There are some useful tools, both free and paid. A safe environment depends on the company's policies. A lot of root users means no root user.

SLIDE 51

Features comparison

SLIDE 52

Features comparison

LDAP does offer authentication but not authorization. Every user must exist in the MongoDB database with a role assigned. It is possible to have a script syncing users from LDAP to MongoDB.

SLIDE 53

Questions

SLIDE 54

Rate My Session

SLIDE 55

Thank You Sponsors!!