Senior Solutions Architect, MongoDB

James Kerr

Security Features PreviewField Level Access Control

Key Security Considerations

Reference Architecture

Clients

Storage

Administrators

Authentication Authorization Auditing Encryption

Authentication

Clients

Storage

Administrators

Authentication Authorization Auditing Encryption

Which users/apps

are accessing

the DB

Which nodes

are joining

the cluster

Which users are accessing

the DB

Authorization

Clients

Storage

Administrators

Authentication Authorization Auditing Encryption

What permissions does an App have?

What permissions does an

Admin have?

What data can a user

see?

What data can an admin see?

Auditing

Clients

Storage

Administrators

Authentication Authorization Auditing Encryption

Who made which

changes and when?

Who made which

changes and when?

Encryption

Clients

Storage

Administrators

Authentication Authorization Auditing Encryption

SSL Encryptio

n

SSL Encryptio

n

File system

Encryption

Today - Authorization

Clients

Authorization

What permissions does an App have?

What data can a user

see?

Authorization

Authorization Features

• Database Level Access Control (2.4)– Admin roles – DB, user, cluster– Application roles – reader, reader/writer

• Collection Level Access Control (coming soon)– User defined roles– Privileges granted to roles for actions on

resources– Database, collection and system resource types

• Field Level Access Control (2.5 nightly)– Redact documents and/or fields based on security

labels

Field Level Access Control Goals

• Restrict access to certain documents within a collection

• Restrict access to certain fields within documents

• Provide a generic capability to handle different marking schemes

• Describe policies in terms of existing MongoDB query languages, or extensions thereof

FLAC Features and Functionality

• New $redact aggregation framework phase– Performs a pre-order traversal of the document

tree– For each node, the expression conditionally

returns one of• "$$KEEP” , "$$PRUNE” or "$$DESCEND”

• New query language operators– Sets (⊆, =, ∖, ∩, ∪)– Arrays (any true, all true)– Variables (let, map)

FLAC Features and Functionality (cont.)

• Aggregation can return a cursor– Have to use "aggregate" command until 2.5 is

feature-complete– Can use the the temporary mongo shell helper

db.collection.aggregateCursor()

• Aggregation can write directly to another collection– $out phase

Redaction Logic

• Expression is evaluated as the nodes in the document are traversed

• $$KEEP – inserts the node and the node's children into the output

• $$PRUNE – puts no node in the output document, and continues the traversal of the sibling nodes

• $$DESCEND – inserts a corresponding node in the output document and continues the traversals of the node's children

Set Operators

• $setIsSubset

• $setEquals

• $setDifference

• $setIntersection

• $setUnion

Array Operators

• $allElementsTrue

• $anyElementTrue

Variable Operators

• $let – Binds variables for use in sub-expressions

• $map– Applies a sub-expression to each item in an array and

returns an array with the result of the sub-expression

• Available the in $project, $group, and $redact pipeline stages

{ $project: { remaining: { $let : {

vars: { tally: 75, count: 50 } ,

in: { $subtract: [ "$$tally", "$$count" ] }

} } } }

{ remaining: 25 }

$let Example

Bind the "tally" and "count" variables

Evaluate the subexpression defined by the "in" field with the bound variables

{ skews: [ 1, 2, 3 ] }

{ $project: { adjusted: {

$map: {

input: "$skews",

as: "adj",

in: { $add: [ "$$adj", 12 ] }

}

} } }

{ adjusted : [ 13, 14, 15 ] }

$map Example

Use the "skews" field as the input to the $map operationAssign each element in the input array to the "adj" variableExecute expression for each element in the input array

{ $redact:

{ $cond: [{ $anyElementTrue:

{ $map: { input: "$sl",

as: "setNeeded",

in: { $setIsSubset: ["$$setNeeded", ["A", "B", "D"]] }

}

}

},

"$$DESCEND", "$$PRUNE"]

}

}

$redact Example

Input labels. IE, these would come from the user's attributes

Field security labels are in the "sl" field

FLAC Pipeline – Basic

$redact

Query

$match

Redaction Expression

User Attribute

s

FLAC Pipeline – Optimized

$match

Query

$redact

$match

Redaction Expression

User Attribute

s

To make the pipeline more selective, parts of the $match may be promoted by the execution engine or manually.* Don't promote negative queryterms ($ne, $nin, $nor, etc)

FLAC Pipeline – Document Level Filters

$match

Query

$redact

$match

Redaction Expression

User Attribute

s

Security Match

Expression

Document level accessmay be selective and benefit from index usein the first $match phase

Markings Reference Implementation

• Field visibility is controlled by the "sl" field

• Top level "sl" applies to the whole document

• Restrictive markings on a parent field removes it and any children

Markings Reference Implementation{

_id: 1,

sl: [ ["A", "B"], ["C"] ],

field1 : { sl : [ ["A", "B"] ], data : “field1 value” },

field2 : { sl : [ ["C"] ], data : “field2 value” },

field3 : { sl : [ ["A", "C"], ["B", "D"] ], data : “field3 value” }

}

User needs A&B|C to see the documentUser needs A&B to see field1User needs C to see field2User needs A&C|B&D to see field3

Markings Reference Implementation{

_id: 2,

sl: [ ["A", "B", "C"], ["A", "B", "D"] ],

field1 : { sl : [ ["A", "B"] ],

field2 : { sl : [ ["C"] ], data : "field2 value" },

field3 : { sl : [ ["D"] ], data : "field3 value" }

}

}

User needs A&B&C|A&B&D to see the documentUser needs A&B to see field1User needs A&B&C to see field1.field2User needs A&B&D to see field1.field3

{ $redact:

{ $cond: [{ $anyElementTrue:

{ $map: { input: "$sl",

as: "setNeeded",

in: { $setIsSubset: ["$$setNeeded", ["A", "B", "D"]] }

}

}

},

"$$DESCEND", "$$PRUNE"]

}

}

$redact Reference Example

User has labels "A" , "B" and "D"

Field security labels are in the "sl" field

{

_id: 1,

sl: [ ["A", "B"], ["C"] ],

field1 : { sl : [ ["A", "B"] ], data : “field1 value” },

field2 : { sl : [ ["C"] ], data : “field2 value” },

field3 : { sl : [ ["A", "C"], ["B", "D"] ], data : “field3 value” }

}

{

_id: 1,

sl: [ ["A", "B"], ["C"] ],

field1 : { sl : [ ["A", "B"] ], data : “field1 value” },

field3 : { sl : [ ["A", "C"], ["B", "D"] ], data : “field3 value” }

}

$redact Output

User labels = ["A", "B", "D"]

{

_id: 2,

sl: [ ["A", "B", "C"], ["A", "B", "D"] ],

field1 : { sl : [ ["A", "B"] ],

field2 : { sl : [ ["C"] ], data : “field2 value” },

field3 : { sl : [ [“D"] ], data : “field3 value” }

}

}

{

_id: 2,

sl: [ ["A", "B", "C"], ["A", "B", "D"] ],

field1 : { sl : [ ["A", "B"] ],

field3 : { sl : [ [“D"] ], data : “field3 value” }

}

}

$redact Output

User labels = ["A", "B", "D"]

FLAC Design – Trusted Middleware

TrustedMiddleware/Application

Identity Managemen

t

Driver

1. Authenticate Untrusted User2. Retrieve User Attributes3. Create query and $redact Expression

1. Authenticate Trusted User2. Run Query3. Apply $redact Expression

Query + $redactTrusted user

UntrustedUser/

Application

Collection

Disclaimer

Statements about future releases, availability dates, and feature content reflect plans only, and MongoDB is under no obligation to include, develop or make available, commercially or otherwise, specific features discussed in a future MongoDB build. Information is provided for general understanding only, and is subject to change at the sole discretion of MongoDB in response to changing market conditions, delivery schedules, customer requirements, and/or other factors.

Integrated FLAC (Conceptual)*

• Collection Views

• Read-only Views

• Parameterized Views– Configurable redaction expression– Document content based on the user attributes

and field markings

* See Disclaimer

FLAC Design – Views*

TrustedMiddleware/Application

Identity Management

Driver

1. Authenticate Untrusted User2. Retrieve User Attributes

1. Authenticate Trusted User2. Run Query3. Create/Apply $redact Expression

Query + attributesTrusted user

UntrustedUser/

Application

CollectionView

($redact)

* See Disclaimer

FLAC Design – Fully Integrated*

UntrustedMiddleware/Application

Identity Managemen

t

Driver

1. Authenticate Untrusted User 1. Authenticate Untrusted User2. Retrieve User Attributes3. Run Query4. Create/Apply $redact Expression

QueryUntrusted user

UntrustedUser/

Application

CollectionView

($redact)

* See Disclaimer

{ $redact:

{ $cond: [{ $anyElementTrue:

{ $map: { input: "$sl",

as: "setNeeded",

in: { $setIsSubset: ["$$setNeeded", "$$USER.security.tags"] }

}

}

},

"$$DESCEND", "$$PRUNE"]

}

}

Parameterized View Concept*

* See Disclaimer

User labels retrieved from security "context"

Other Features*

• LDAP Authentication

• x.509 Authentication

• Keyfile alternative

• Auditing (admin functions – DDL, DCL)

• User defined roles

• Collection level access control

* See Disclaimer

Next Steps

• Looking for customers to evaluate

• Trusted middleware example code

References

• http://docs.mongodb.org/manual/release-notes/2.6/

• http://docs.mongodb.org/manual/security/

james.kerr@mongodb.com

James Kerr

Thank You