![Page 1: Senior Solutions Architect, MongoDB James Kerr Security Features Preview Field Level Access Control](https://reader031.vdocuments.mx/reader031/viewer/2022020714/551b7e7d550346a6148b564c/html5/thumbnails/1.jpg)
Senior Solutions Architect, MongoDB
James Kerr
Security Features Preview: Field Level Access Control
![Page 2: Senior Solutions Architect, MongoDB James Kerr Security Features Preview Field Level Access Control](https://reader031.vdocuments.mx/reader031/viewer/2022020714/551b7e7d550346a6148b564c/html5/thumbnails/2.jpg)
Key Security Considerations
![Page 3: Senior Solutions Architect, MongoDB James Kerr Security Features Preview Field Level Access Control](https://reader031.vdocuments.mx/reader031/viewer/2022020714/551b7e7d550346a6148b564c/html5/thumbnails/3.jpg)
Reference Architecture
Clients
Storage
Administrators
Authentication Authorization Auditing Encryption
![Page 4: Senior Solutions Architect, MongoDB James Kerr Security Features Preview Field Level Access Control](https://reader031.vdocuments.mx/reader031/viewer/2022020714/551b7e7d550346a6148b564c/html5/thumbnails/4.jpg)
Authentication
Clients
Storage
Administrators
Authentication Authorization Auditing Encryption
Which users/apps are accessing the DB
Which nodes are joining the cluster
Which users are accessing the DB
![Page 5: Senior Solutions Architect, MongoDB James Kerr Security Features Preview Field Level Access Control](https://reader031.vdocuments.mx/reader031/viewer/2022020714/551b7e7d550346a6148b564c/html5/thumbnails/5.jpg)
Authorization
Clients
Storage
Administrators
Authentication Authorization Auditing Encryption
What permissions does an App have?
What permissions does an Admin have?
What data can a user see?
What data can an admin see?
![Page 6: Senior Solutions Architect, MongoDB James Kerr Security Features Preview Field Level Access Control](https://reader031.vdocuments.mx/reader031/viewer/2022020714/551b7e7d550346a6148b564c/html5/thumbnails/6.jpg)
Auditing
Clients
Storage
Administrators
Authentication Authorization Auditing Encryption
Who made which changes and when?
![Page 7: Senior Solutions Architect, MongoDB James Kerr Security Features Preview Field Level Access Control](https://reader031.vdocuments.mx/reader031/viewer/2022020714/551b7e7d550346a6148b564c/html5/thumbnails/7.jpg)
Encryption
Clients
Storage
Administrators
Authentication Authorization Auditing Encryption
SSL Encryption
SSL Encryption
File system Encryption
![Page 8: Senior Solutions Architect, MongoDB James Kerr Security Features Preview Field Level Access Control](https://reader031.vdocuments.mx/reader031/viewer/2022020714/551b7e7d550346a6148b564c/html5/thumbnails/8.jpg)
Today - Authorization
Clients
Authorization
What permissions does an App have?
What data can a user see?
![Page 9: Senior Solutions Architect, MongoDB James Kerr Security Features Preview Field Level Access Control](https://reader031.vdocuments.mx/reader031/viewer/2022020714/551b7e7d550346a6148b564c/html5/thumbnails/9.jpg)
Authorization
![Page 10: Senior Solutions Architect, MongoDB James Kerr Security Features Preview Field Level Access Control](https://reader031.vdocuments.mx/reader031/viewer/2022020714/551b7e7d550346a6148b564c/html5/thumbnails/10.jpg)
Authorization Features
• Database Level Access Control (2.4)
  – Admin roles – DB, user, cluster
  – Application roles – reader, reader/writer
• Collection Level Access Control (coming soon)
  – User defined roles
  – Privileges granted to roles for actions on resources
  – Database, collection and system resource types
• Field Level Access Control (2.5 nightly)
  – Redact documents and/or fields based on security labels
![Page 11: Senior Solutions Architect, MongoDB James Kerr Security Features Preview Field Level Access Control](https://reader031.vdocuments.mx/reader031/viewer/2022020714/551b7e7d550346a6148b564c/html5/thumbnails/11.jpg)
Field Level Access Control Goals
• Restrict access to certain documents within a collection
• Restrict access to certain fields within documents
• Provide a generic capability to handle different marking schemes
• Describe policies in terms of existing MongoDB query languages, or extensions thereof
![Page 12: Senior Solutions Architect, MongoDB James Kerr Security Features Preview Field Level Access Control](https://reader031.vdocuments.mx/reader031/viewer/2022020714/551b7e7d550346a6148b564c/html5/thumbnails/12.jpg)
FLAC Features and Functionality
• New $redact aggregation framework phase
  – Performs a pre-order traversal of the document tree
  – For each node, the expression conditionally returns one of "$$KEEP", "$$PRUNE" or "$$DESCEND"
• New query language operators
  – Sets (⊆, =, ∖, ∩, ∪)
  – Arrays (any true, all true)
  – Variables (let, map)
![Page 13: Senior Solutions Architect, MongoDB James Kerr Security Features Preview Field Level Access Control](https://reader031.vdocuments.mx/reader031/viewer/2022020714/551b7e7d550346a6148b564c/html5/thumbnails/13.jpg)
FLAC Features and Functionality (cont.)
• Aggregation can return a cursor
  – Have to use the "aggregate" command until 2.5 is feature-complete
  – Can use the temporary mongo shell helper db.collection.aggregateCursor()
• Aggregation can write directly to another collection
  – $out phase
![Page 14: Senior Solutions Architect, MongoDB James Kerr Security Features Preview Field Level Access Control](https://reader031.vdocuments.mx/reader031/viewer/2022020714/551b7e7d550346a6148b564c/html5/thumbnails/14.jpg)
Redaction Logic
• Expression is evaluated as the nodes in the document are traversed
• $$KEEP – inserts the node and the node's children into the output
• $$PRUNE – puts no node in the output document, and continues the traversal of the sibling nodes
• $$DESCEND – inserts a corresponding node in the output document and continues the traversals of the node's children
![Page 15: Senior Solutions Architect, MongoDB James Kerr Security Features Preview Field Level Access Control](https://reader031.vdocuments.mx/reader031/viewer/2022020714/551b7e7d550346a6148b564c/html5/thumbnails/15.jpg)
Set Operators
• $setIsSubset
• $setEquals
• $setDifference
• $setIntersection
• $setUnion
![Page 16: Senior Solutions Architect, MongoDB James Kerr Security Features Preview Field Level Access Control](https://reader031.vdocuments.mx/reader031/viewer/2022020714/551b7e7d550346a6148b564c/html5/thumbnails/16.jpg)
Array Operators
• $allElementsTrue
• $anyElementTrue
![Page 17: Senior Solutions Architect, MongoDB James Kerr Security Features Preview Field Level Access Control](https://reader031.vdocuments.mx/reader031/viewer/2022020714/551b7e7d550346a6148b564c/html5/thumbnails/17.jpg)
Variable Operators
• $let – Binds variables for use in sub-expressions
• $map – Applies a sub-expression to each item in an array and returns an array with the result of the sub-expression
• Available in the $project, $group, and $redact pipeline stages
![Page 18: Senior Solutions Architect, MongoDB James Kerr Security Features Preview Field Level Access Control](https://reader031.vdocuments.mx/reader031/viewer/2022020714/551b7e7d550346a6148b564c/html5/thumbnails/18.jpg)
$let Example

```javascript
{ $project: { remaining: { $let: {
    vars: { tally: 75, count: 50 },
    in: { $subtract: [ "$$tally", "$$count" ] }
} } } }
```

Output: `{ remaining: 25 }`

Bind the "tally" and "count" variables, then evaluate the subexpression defined by the "in" field with the bound variables.
![Page 19: Senior Solutions Architect, MongoDB James Kerr Security Features Preview Field Level Access Control](https://reader031.vdocuments.mx/reader031/viewer/2022020714/551b7e7d550346a6148b564c/html5/thumbnails/19.jpg)
$map Example

Input document: `{ skews: [ 1, 2, 3 ] }`

```javascript
{ $project: { adjusted: {
    $map: {
      input: "$skews",
      as: "adj",
      in: { $add: [ "$$adj", 12 ] }
    }
} } }
```

Output: `{ adjusted: [ 13, 14, 15 ] }`

Use the "skews" field as the input to the $map operation. Assign each element in the input array to the "adj" variable. Execute the expression for each element in the input array.
![Page 20: Senior Solutions Architect, MongoDB James Kerr Security Features Preview Field Level Access Control](https://reader031.vdocuments.mx/reader031/viewer/2022020714/551b7e7d550346a6148b564c/html5/thumbnails/20.jpg)
$redact Example

```javascript
{ $redact: { $cond: [
    { $anyElementTrue: { $map: {
        input: "$sl",
        as: "setNeeded",
        in: { $setIsSubset: [ "$$setNeeded", ["A", "B", "D"] ] }
    } } },
    "$$DESCEND",
    "$$PRUNE"
] } }
```

Input labels (["A", "B", "D"]), i.e. these would come from the user's attributes.
Field security labels are in the "sl" field.
![Page 21: Senior Solutions Architect, MongoDB James Kerr Security Features Preview Field Level Access Control](https://reader031.vdocuments.mx/reader031/viewer/2022020714/551b7e7d550346a6148b564c/html5/thumbnails/21.jpg)
FLAC Pipeline – Basic
$redact (Redaction Expression + User Attributes) → $match (Query)
![Page 22: Senior Solutions Architect, MongoDB James Kerr Security Features Preview Field Level Access Control](https://reader031.vdocuments.mx/reader031/viewer/2022020714/551b7e7d550346a6148b564c/html5/thumbnails/22.jpg)
FLAC Pipeline – Optimized
$match (promoted query terms) → $redact (Redaction Expression + User Attributes) → $match (Query)
To make the pipeline more selective, parts of the $match may be promoted by the execution engine or manually.
* Don't promote negative query terms ($ne, $nin, $nor, etc.)
![Page 23: Senior Solutions Architect, MongoDB James Kerr Security Features Preview Field Level Access Control](https://reader031.vdocuments.mx/reader031/viewer/2022020714/551b7e7d550346a6148b564c/html5/thumbnails/23.jpg)
FLAC Pipeline – Document Level Filters
$match (Security Match Expression + promoted query terms) → $redact (Redaction Expression + User Attributes) → $match (Query)
Document level access may be selective and benefit from index use in the first $match phase.
![Page 24: Senior Solutions Architect, MongoDB James Kerr Security Features Preview Field Level Access Control](https://reader031.vdocuments.mx/reader031/viewer/2022020714/551b7e7d550346a6148b564c/html5/thumbnails/24.jpg)
Markings Reference Implementation
• Field visibility is controlled by the "sl" field
• Top level "sl" applies to the whole document
• Restrictive markings on a parent field remove it and any children
![Page 25: Senior Solutions Architect, MongoDB James Kerr Security Features Preview Field Level Access Control](https://reader031.vdocuments.mx/reader031/viewer/2022020714/551b7e7d550346a6148b564c/html5/thumbnails/25.jpg)
Markings Reference Implementation

```javascript
{
  _id: 1,
  sl: [ ["A", "B"], ["C"] ],
  field1: { sl: [ ["A", "B"] ], data: "field1 value" },
  field2: { sl: [ ["C"] ], data: "field2 value" },
  field3: { sl: [ ["A", "C"], ["B", "D"] ], data: "field3 value" }
}
```

User needs A&B|C to see the document
User needs A&B to see field1
User needs C to see field2
User needs A&C|B&D to see field3
![Page 26: Senior Solutions Architect, MongoDB James Kerr Security Features Preview Field Level Access Control](https://reader031.vdocuments.mx/reader031/viewer/2022020714/551b7e7d550346a6148b564c/html5/thumbnails/26.jpg)
Markings Reference Implementation

```javascript
{
  _id: 2,
  sl: [ ["A", "B", "C"], ["A", "B", "D"] ],
  field1: { sl: [ ["A", "B"] ],
    field2: { sl: [ ["C"] ], data: "field2 value" },
    field3: { sl: [ ["D"] ], data: "field3 value" }
  }
}
```

User needs A&B&C|A&B&D to see the document
User needs A&B to see field1
User needs A&B&C to see field1.field2
User needs A&B&D to see field1.field3
![Page 27: Senior Solutions Architect, MongoDB James Kerr Security Features Preview Field Level Access Control](https://reader031.vdocuments.mx/reader031/viewer/2022020714/551b7e7d550346a6148b564c/html5/thumbnails/27.jpg)
$redact Reference Example

```javascript
{ $redact: { $cond: [
    { $anyElementTrue: { $map: {
        input: "$sl",
        as: "setNeeded",
        in: { $setIsSubset: [ "$$setNeeded", ["A", "B", "D"] ] }
    } } },
    "$$DESCEND",
    "$$PRUNE"
] } }
```

User has labels "A", "B" and "D"
Field security labels are in the "sl" field
![Page 28: Senior Solutions Architect, MongoDB James Kerr Security Features Preview Field Level Access Control](https://reader031.vdocuments.mx/reader031/viewer/2022020714/551b7e7d550346a6148b564c/html5/thumbnails/28.jpg)
$redact Output (User labels = ["A", "B", "D"])

Input:

```javascript
{
  _id: 1,
  sl: [ ["A", "B"], ["C"] ],
  field1: { sl: [ ["A", "B"] ], data: "field1 value" },
  field2: { sl: [ ["C"] ], data: "field2 value" },
  field3: { sl: [ ["A", "C"], ["B", "D"] ], data: "field3 value" }
}
```

Output:

```javascript
{
  _id: 1,
  sl: [ ["A", "B"], ["C"] ],
  field1: { sl: [ ["A", "B"] ], data: "field1 value" },
  field3: { sl: [ ["A", "C"], ["B", "D"] ], data: "field3 value" }
}
```
![Page 29: Senior Solutions Architect, MongoDB James Kerr Security Features Preview Field Level Access Control](https://reader031.vdocuments.mx/reader031/viewer/2022020714/551b7e7d550346a6148b564c/html5/thumbnails/29.jpg)
$redact Output (User labels = ["A", "B", "D"])

Input:

```javascript
{
  _id: 2,
  sl: [ ["A", "B", "C"], ["A", "B", "D"] ],
  field1: { sl: [ ["A", "B"] ],
    field2: { sl: [ ["C"] ], data: "field2 value" },
    field3: { sl: [ ["D"] ], data: "field3 value" }
  }
}
```

Output:

```javascript
{
  _id: 2,
  sl: [ ["A", "B", "C"], ["A", "B", "D"] ],
  field1: { sl: [ ["A", "B"] ],
    field3: { sl: [ ["D"] ], data: "field3 value" }
  }
}
```
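The redaction logic, the "sl" markings scheme and the pipeline-ordering rule from the earlier slides, modelled in plain Node.js as an added example (my code, not MongoDB's and not the speaker's). It implements the three $redact results from the "Redaction Logic" slide as a local pre-order traversal, evaluates the markings for a user and reproduces both "$redact Output" slides, builds the $redact stage a trusted middleware would send (step 3 of the Trusted Middleware design), and uses a $ne query to show why the "Optimized" pipeline slide says not to promote negative query terms. Two assumptions of mine: a subdocument with no "sl" field is pruned (the slide expression would instead error on the missing array), and the local $match only understands equality and $ne on dotted paths.

```javascript
// Added example, not from the slides: an in-memory model of the $redact
// traversal and the "sl" markings scheme, checkable without a MongoDB server.
function isDocument(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

// KEEP / PRUNE / DESCEND for one document node under the markings scheme: the
// node is visible if any label set in "sl" is a subset of the user's labels
// (the slides' $anyElementTrue / $map / $setIsSubset expression).
function markingsDecision(node, userLabels) {
  // Assumption (mine, not the slides'): a node without "sl" is pruned. The
  // slide expression would error on a missing "sl"; this fails closed instead.
  if (!Array.isArray(node.sl)) return "$$PRUNE";
  const user = new Set(userLabels);
  const allowed = node.sl.some(need => need.every(label => user.has(label)));
  return allowed ? "$$DESCEND" : "$$PRUNE";
}

// Pre-order traversal with the three results from the "Redaction Logic" slide.
// `decide` runs at the root and at every embedded document (also inside
// arrays); scalars and arrays of scalars are copied, never evaluated.
function redact(node, decide) {
  const result = decide(node);
  if (result === "$$PRUNE") return undefined;   // node and its subtree dropped
  if (result === "$$KEEP") return node;         // node and its subtree as-is
  if (result !== "$$DESCEND") throw new Error("bad $redact result: " + result);
  const out = {};                               // new node, children re-evaluated
  for (const [key, value] of Object.entries(node)) {
    const kept = redactValue(value, decide);
    if (kept !== undefined) out[key] = kept;
  }
  return out;
}

function redactValue(value, decide) {
  if (isDocument(value)) return redact(value, decide);
  if (Array.isArray(value)) {
    return value.map(v => redactValue(v, decide)).filter(v => v !== undefined);
  }
  return value;
}

function redactForUser(doc, userLabels) {
  return redact(doc, node => markingsDecision(node, userLabels));
}

// The $redact stage a trusted middleware would build for this user (step 3 of
// the Trusted Middleware design); same shape as the "$redact Reference Example".
function buildRedactStage(userLabels) {
  return { $redact: { $cond: [
    { $anyElementTrue: { $map: {
      input: "$sl", as: "setNeeded",
      in: { $setIsSubset: ["$$setNeeded", userLabels] } } } },
    "$$DESCEND", "$$PRUNE" ] } };
}

// Tiny $match subset for the ordering experiment: {path: value} and
// {path: {$ne: value}} on dotted paths; a missing path reads as undefined.
function getPath(doc, path) {
  return path.split(".").reduce((o, k) => (isDocument(o) ? o[k] : undefined), doc);
}
function matches(doc, query) {
  return Object.entries(query).every(([path, cond]) => {
    const actual = getPath(doc, path);
    return isDocument(cond) && "$ne" in cond ? actual !== cond.$ne : actual === cond;
  });
}

// Basic pipeline from the slides: $redact, then $match with the user's query.
function runBasic(docs, userLabels, query) {
  return docs.map(d => redactForUser(d, userLabels))
             .filter(d => d !== undefined && matches(d, query));
}
// The same query promoted ahead of $redact, final $match still applied. Positive
// terms only narrow a superset, but a $ne term can exclude a document the basic
// pipeline returns, and the missing document reveals what the hidden field held.
function runPromoted(docs, userLabels, query) {
  return docs.filter(d => matches(d, query))
             .map(d => redactForUser(d, userLabels))
             .filter(d => d !== undefined && matches(d, query));
}

// The two sample documents from the "Markings Reference Implementation" slides.
const SAMPLE_DOCS = [
  { _id: 1, sl: [["A", "B"], ["C"]],
    field1: { sl: [["A", "B"]], data: "field1 value" },
    field2: { sl: [["C"]], data: "field2 value" },
    field3: { sl: [["A", "C"], ["B", "D"]], data: "field3 value" } },
  { _id: 2, sl: [["A", "B", "C"], ["A", "B", "D"]],
    field1: { sl: [["A", "B"]],
      field2: { sl: [["C"]], data: "field2 value" },
      field3: { sl: [["D"]], data: "field3 value" } } },
];

const ids = docs => docs.map(d => d._id);
const NEGATIVE_QUERY = { "field2.data": { $ne: "field2 value" } };
console.log(JSON.stringify(redactForUser(SAMPLE_DOCS[0], ["A", "B", "D"])));
console.log("basic:", ids(runBasic(SAMPLE_DOCS, ["A", "B", "D"], NEGATIVE_QUERY)),
            "promoted:", ids(runPromoted(SAMPLE_DOCS, ["A", "B", "D"], NEGATIVE_QUERY)));
```

With labels A, B and D the basic pipeline returns both documents for the `$ne` query (neither redacted document carries a visible `field2.data`), while the promoted pipeline drops `_id: 1`, because the unredacted `field2.data` equals the excluded value. A positive query such as `{ "field1.data": "field1 value" }` gives the same result in both orderings, which is why only negative terms are unsafe to promote.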
![Page 30: Senior Solutions Architect, MongoDB James Kerr Security Features Preview Field Level Access Control](https://reader031.vdocuments.mx/reader031/viewer/2022020714/551b7e7d550346a6148b564c/html5/thumbnails/30.jpg)
FLAC Design – Trusted Middleware
Untrusted User/Application → Trusted Middleware/Application (with Identity Management):
1. Authenticate Untrusted User
2. Retrieve User Attributes
3. Create query and $redact Expression
Trusted Middleware/Application → Driver → Collection (Query + $redact, as Trusted user):
1. Authenticate Trusted User
2. Run Query
3. Apply $redact Expression
![Page 31: Senior Solutions Architect, MongoDB James Kerr Security Features Preview Field Level Access Control](https://reader031.vdocuments.mx/reader031/viewer/2022020714/551b7e7d550346a6148b564c/html5/thumbnails/31.jpg)
Disclaimer
Statements about future releases, availability dates, and feature content reflect plans only, and MongoDB is under no obligation to include, develop or make available, commercially or otherwise, specific features discussed in a future MongoDB build. Information is provided for general understanding only, and is subject to change at the sole discretion of MongoDB in response to changing market conditions, delivery schedules, customer requirements, and/or other factors.
![Page 32: Senior Solutions Architect, MongoDB James Kerr Security Features Preview Field Level Access Control](https://reader031.vdocuments.mx/reader031/viewer/2022020714/551b7e7d550346a6148b564c/html5/thumbnails/32.jpg)
Integrated FLAC (Conceptual)*
• Collection Views
• Read-only Views
• Parameterized Views
  – Configurable redaction expression
  – Document content based on the user attributes and field markings
* See Disclaimer
![Page 33: Senior Solutions Architect, MongoDB James Kerr Security Features Preview Field Level Access Control](https://reader031.vdocuments.mx/reader031/viewer/2022020714/551b7e7d550346a6148b564c/html5/thumbnails/33.jpg)
FLAC Design – Views*
Untrusted User/Application → Trusted Middleware/Application (with Identity Management):
1. Authenticate Untrusted User
2. Retrieve User Attributes
Trusted Middleware/Application → Driver → Collection View ($redact) (Query + attributes, as Trusted user):
1. Authenticate Trusted User
2. Run Query
3. Create/Apply $redact Expression
* See Disclaimer
![Page 34: Senior Solutions Architect, MongoDB James Kerr Security Features Preview Field Level Access Control](https://reader031.vdocuments.mx/reader031/viewer/2022020714/551b7e7d550346a6148b564c/html5/thumbnails/34.jpg)
FLAC Design – Fully Integrated*
Untrusted User/Application → Untrusted Middleware/Application:
1. Authenticate Untrusted User
Untrusted Middleware/Application → Driver → Collection View ($redact), with Identity Management (Query, as Untrusted user):
1. Authenticate Untrusted User
2. Retrieve User Attributes
3. Run Query
4. Create/Apply $redact Expression
* See Disclaimer
![Page 35: Senior Solutions Architect, MongoDB James Kerr Security Features Preview Field Level Access Control](https://reader031.vdocuments.mx/reader031/viewer/2022020714/551b7e7d550346a6148b564c/html5/thumbnails/35.jpg)
Parameterized View Concept*

```javascript
{ $redact: { $cond: [
    { $anyElementTrue: { $map: {
        input: "$sl",
        as: "setNeeded",
        in: { $setIsSubset: [ "$$setNeeded", "$$USER.security.tags" ] }
    } } },
    "$$DESCEND",
    "$$PRUNE"
] } }
```

User labels retrieved from the security "context"
* See Disclaimer
![Page 36: Senior Solutions Architect, MongoDB James Kerr Security Features Preview Field Level Access Control](https://reader031.vdocuments.mx/reader031/viewer/2022020714/551b7e7d550346a6148b564c/html5/thumbnails/36.jpg)
Other Features*
• LDAP Authentication
• x.509 Authentication
• Keyfile alternative
• Auditing (admin functions – DDL, DCL)
• User defined roles
• Collection level access control
* See Disclaimer
![Page 37: Senior Solutions Architect, MongoDB James Kerr Security Features Preview Field Level Access Control](https://reader031.vdocuments.mx/reader031/viewer/2022020714/551b7e7d550346a6148b564c/html5/thumbnails/37.jpg)
Next Steps
• Looking for customers to evaluate
• Trusted middleware example code
![Page 38: Senior Solutions Architect, MongoDB James Kerr Security Features Preview Field Level Access Control](https://reader031.vdocuments.mx/reader031/viewer/2022020714/551b7e7d550346a6148b564c/html5/thumbnails/38.jpg)
References
• http://docs.mongodb.org/manual/release-notes/2.6/
• http://docs.mongodb.org/manual/security/