MongoDb Security Authentication and Authorization
Posted By Tarun Singhal | 30-Apr-2019
Today, we will learn how to secure our MongoDB deployment. Here we will learn MongoDB authentication mechanism, also MongoDB enterprise to integrate with security standard authentication systems, like LDAP and Kerberos.
How to build authorization and how to build a successful role-based security policy.
we will also learn securing data on disk with encryption at rest and also how to encrypt data at transit. We will also learn how to do proper auditing so that you can comply with common enterprise security standards like PCI and FERPA.
First, clear the difference between authentication and authorization.
AuthenticationAuthorizationverfies the identity of a user verifies the privilege of a user
Client/User AuthInternal AuthSCRAM-SHA-1Keyfile(SCRAM-SHA-1)MongoDB-CRX.509X.509LDAPKERBEROS
SCRAM-SHA-1, MongoDB-CR, and X.509 are available in community edition and the rest of them are in Enterprise Edition.
SCRAM-SHA-1, MongoDB-CR is a challenge/response mechanism and X.509 is certification based authentication.
- It is based on challenge/Response authentication mechanism it means it will authenticate with username and password.
- It is an Internet Engineering Task Force Standards.
- It secures the DB from eavesdropping. This is where an attacker can read all the traffic between client and server. to protect against this client never send a password in plain text.
- It secures us with REPLAY also. this is where a client can resend the client’s valid responses to the server. This is mitigated because each authentication session made up of unique, random notices so that each protocol message are only valid for a single session.
- It secures using from Database compromise. This is where an attacker can read the contents of the server’s persistent memory. SCRAM-SHA-1 mitigates this by salting and iteratively hashing the passwords before storing them.
- With SCRAM-SHA-1, an attacker is unable to pose as a server without the knowledge of a client’s credentials, therefore, completely mitigating the malicious server attack.
MongoDB-CR is another challenge/response authentication mechanism, it is also another username and password authentication mechanism. With the release of 3.0, SCRAM-SHA-1 has effectively replaced MongoDB-CR. This means that, as of 3.0, MongoDB-CR has been deprecated. You will only encounter MongoDB-CR on versions of MongoDB older than 3.0 or on servers that are upgraded from a previous version to 3.0 or above.
- It is a certificate-based authentication.
- It is introduced in MongoDB 2.6.
- TLS support included.
- Lightwieght directory access protocol.
- Only avaialble in Enterprise edition of MongoDb.
- LDAP provides a mechanism for accessing and maintaining distributed directory information over a network.
- Like LDAP, it is also available in Enterprise Edition only.
- It is developed at MIT.
- Designed for secure authentication.
- It is an External Authentication Mechanism.
It is also important that the nodes in replica set or shared cluster are able to communicate securely.
If MongoDB replica set or sharded cluster spans multiple data centers, or touches the internet in any way, it’s very important that you enable internal authentication. However, even while most internal networks are considered to be secure, enabling internal authentication is still highly recommended in closed networks to prevent attacks where a network becomes compromised
Internal Authentication Mechanism.
- It has two authentication mechanism. First is keyfile(SCRAM-SHA-1) and another is X.509.
- Keyfile(SCRAM-SHA-1) is work with shared password. keyfile’s copy exists in each and every node. must have 6-1024 base64 character.
- Another is X.509 it is certificate based authentication and each node has cert for authentication and also it is recommended to issue different certs for each node member.
Please keep in mind if you enable internal authentication mechansim it will automatically enables the client server authentication.
Rest We Will discuss this on the next part of this blog.