390 likes | 504 Views
Security Features Preview Field Level Access Control. James Kerr. Senior Solutions Architect, MongoDB. Key Security Considerations. Reference Architecture. Authentication. Authorization. Auditing. Encryption. Clients. Administrators. Storage. Authentication. Authentication.
E N D
Security Features PreviewField Level Access Control James Kerr Senior Solutions Architect, MongoDB
Reference Architecture Authentication Authorization Auditing Encryption Clients Administrators Storage
Authentication Authentication Authorization Auditing Encryption Clients Administrators Which nodes are joining the cluster Which users/apps are accessing the DB Which users are accessing the DB Storage
Authorization Authentication Authorization Auditing Encryption Clients Administrators What permissions does an App have? What permissions does an Admin have? What data can an admin see? What data can a user see? Storage
Auditing Authentication Authorization Auditing Encryption Clients Administrators Who made which changes and when? Who made which changes and when? Storage
Encryption Authentication Authorization Auditing Encryption Clients Administrators SSL Encryption SSL Encryption File system Encryption Storage
Today - Authorization Authorization Clients What permissions does an App have? What data can a user see?
Authorization Features • Database Level Access Control (2.4) • Admin roles – DB, user, cluster • Application roles – reader, reader/writer • Collection Level Access Control (coming soon) • User defined roles • Privileges granted to roles for actions on resources • Database, collection and system resource types • Field Level Access Control (2.5 nightly) • Redact documents and/or fields based on security labels
Field Level Access Control Goals • Restrict access to certain documents within a collection • Restrict access to certain fields within documents • Provide a generic capability to handle different marking schemes • Describe policies in terms of existing MongoDB query languages, or extensions thereof
FLAC Features and Functionality • New $redact aggregation framework phase • Performs a pre-order traversal of the document tree • For each node, the expression conditionally returns one of • "$$KEEP” , "$$PRUNE” or "$$DESCEND” • New query language operators • Sets (⊆, =, ∖, ∩, ∪) • Arrays (any true, all true) • Variables (let, map)
FLAC Features and Functionality (cont.) • Aggregation can return a cursor • Have to use "aggregate" command until 2.5 is feature-complete • Can use the the temporary mongo shell helper db.collection.aggregateCursor() • Aggregation can write directly to another collection • $out phase
Redaction Logic • Expression is evaluated as the nodes in the document are traversed • $$KEEP – inserts the node and the node's children into the output • $$PRUNE – puts no node in the output document, and continues the traversal of the sibling nodes • $$DESCEND – inserts a corresponding node in the output document and continues the traversals of the node's children
Set Operators • $setIsSubset • $setEquals • $setDifference • $setIntersection • $setUnion
Array Operators • $allElementsTrue • $anyElementTrue
Variable Operators • $let • Binds variables for use in sub-expressions • $map • Applies a sub-expression to each item in an array and returns an array with the result of the sub-expression • Available the in $project, $group, and $redact pipeline stages
$let Example { $project: { remaining: { $let : { vars: { tally: 75, count: 50 } , in: { $subtract: [ "$$tally", "$$count" ] } } } } } { remaining: 25 } Bind the "tally" and "count" variables Evaluate the subexpression defined by the "in" field with the bound variables
$map Example { skews: [ 1, 2, 3 ] } { $project: { adjusted: { $map: { input: "$skews", as: "adj", in: { $add: [ "$$adj", 12 ] } } } } } { adjusted : [ 13, 14, 15 ] } Use the "skews" field as the input to the $map operation Assign each element in the input array to the "adj" variable Execute expression for each element in the input array
$redact Example { $redact: { $cond: [{ $anyElementTrue: { $map: { input: "$sl", as: "setNeeded", in: { $setIsSubset: ["$$setNeeded", ["A", "B", "D"]] } } } }, "$$DESCEND", "$$PRUNE"] } } Field security labels are in the "sl" field Input labels. IE, these would come from the user's attributes
FLAC Pipeline – Basic Query $redact $match Redaction Expression User Attributes
FLAC Pipeline – Optimized Query $match $redact $match Redaction Expression To make the pipeline more selective, parts of the $match may be promoted by the execution engineor manually.* Don't promote negative queryterms ($ne, $nin, $nor, etc) User Attributes
FLAC Pipeline – Document Level Filters Query $match $redact $match Security Match Expression Redaction Expression Document level accessmay be selective and benefit from index usein the first $match phase User Attributes
Markings Reference Implementation • Field visibility is controlled by the "sl" field • Top level "sl"applies to the whole document • Restrictive markings on a parent field removes it and any children
Markings Reference Implementation { _id: 1, sl: [ ["A", "B"], ["C"] ], field1 : { sl : [ ["A", "B"] ], data : “field1 value” }, field2 : { sl: [ ["C"] ], data : “field2 value” }, field3 : { sl : [ ["A", "C"], ["B", "D"] ], data : “field3 value” } } User needs A&B|Cto see the document User needs A&B to see field1 User needs C to see field2 User needs A&C|B&D to see field3
Markings Reference Implementation { _id: 2, sl: [ ["A", "B", "C"], ["A", "B", "D"] ], field1 : { sl : [ ["A", "B"] ], field2 : { sl : [ ["C"] ], data : "field2 value" }, field3 : { sl : [ ["D"] ], data : "field3 value" } } } User needs A&B&C|A&B&D to see the document User needs A&B to see field1 User needs A&B&C to see field1.field2 User needs A&B&D to see field1.field3
$redact Reference Example { $redact: { $cond: [{ $anyElementTrue: { $map: { input: "$sl", as: "setNeeded", in: { $setIsSubset: ["$$setNeeded", ["A", "B", "D"]] } } } }, "$$DESCEND", "$$PRUNE"] } } Field security labels are in the "sl" field User has labels "A" , "B" and "D"
$redact Output { _id: 1, sl: [ ["A", "B"], ["C"] ], field1 : { sl : [ ["A", "B"] ], data : “field1 value” }, field2 : { sl : [ ["C"] ], data : “field2 value” }, field3 : { sl : [ ["A", "C"], ["B", "D"] ], data : “field3 value” } } { _id: 1, sl: [ ["A", "B"], ["C"] ], field1 : { sl : [ ["A", "B"] ], data : “field1 value” }, field3 : { sl : [ ["A", "C"], ["B", "D"] ], data : “field3 value” } } User labels = ["A", "B", "D"]
$redact Output { _id: 2, sl: [ ["A", "B", "C"], ["A", "B", "D"] ], field1 : { sl : [ ["A", "B"] ], field2 : { sl : [ ["C"] ], data : “field2 value” }, field3 : { sl : [ [“D"] ], data : “field3 value” } } } { _id: 2, sl: [ ["A", "B", "C"], ["A", "B", "D"] ], field1 : { sl : [ ["A", "B"] ], field3 : { sl : [ [“D"] ], data : “field3 value” } } } User labels = ["A", "B", "D"]
FLAC Design – Trusted Middleware Untrusted User/Application Identity Management Trusted Middleware/ Application Collection Query + $redact Trusted user Driver Authenticate Untrusted User Retrieve User Attributes Create query and $redact Expression Authenticate Trusted User Run Query Apply $redact Expression
Disclaimer Statements about future releases, availability dates, and feature content reflect plans only, and MongoDBis under no obligation to include, develop or make available, commercially or otherwise, specific features discussed in a future MongoDB build. Information is provided for general understanding only, and is subject to change at the sole discretion of MongoDBin response to changing market conditions, delivery schedules, customer requirements, and/or other factors.
Integrated FLAC (Conceptual)* • Collection Views • Read-only Views • Parameterized Views • Configurable redaction expression • Document content based on the user attributes and field markings * See Disclaimer
FLAC Design – Views* Untrusted User/Application Identity Management Trusted Middleware/ Application Collection View ($redact) Query + attributes Trusted user Driver Authenticate Untrusted User Retrieve User Attributes Authenticate Trusted User Run Query Create/Apply $redact Expression * See Disclaimer
FLAC Design – Fully Integrated* Untrusted User/Application Identity Management Untrusted Middleware/ Application Collection View ($redact) Query Untrusted user Driver Authenticate Untrusted User Authenticate Untrusted User Retrieve User Attributes Run Query Create/Apply $redact Expression * See Disclaimer
Parameterized View Concept* { $redact: { $cond: [{ $anyElementTrue: { $map: { input: "$sl", as: "setNeeded", in: { $setIsSubset: ["$$setNeeded", "$$USER.security.tags"] } } } }, "$$DESCEND", "$$PRUNE"] } } User labels retrieved from security "context" * See Disclaimer
Other Features* • LDAP Authentication • x.509 Authentication • Keyfile alternative • Auditing (admin functions – DDL, DCL) • User defined roles • Collectionlevel access control * See Disclaimer
Next Steps • Looking for customers to evaluate • Trusted middleware example code
References • http://docs.mongodb.org/manual/release-notes/2.6/ • http://docs.mongodb.org/manual/security/
Thank You James Kerr james.kerr@mongodb.com