Security Features Preview: Field Level Access Control
James Kerr, Senior Solutions Architect, MongoDB


Key Security Considerations

Reference Architecture
[Diagram labels: Clients, Storage, Administrators; Authentication, Authorization, Auditing, Encryption]

Authentication (reference architecture diagram)
- Which users/apps are accessing the DB?
- Which nodes are joining the cluster?
- Which users are accessing the DB?

Authorization (reference architecture diagram)
- What permissions does an App have?
- What permissions does an Admin have?
- What data can a user see?
- What data can an admin see?

Auditing (reference architecture diagram)
- Who made which changes and when?

Encryption (reference architecture diagram)
- SSL Encryption
- File system Encryption

Today - Authorization
[Diagram labels: Clients, Authorization]
- What permissions does an App have?
- What data can a user see?

Authorization

Authorization Features
- Database Level Access Control (2.4)
  - Admin roles: DB, user, cluster
  - Application roles: reader, reader/writer
- Collection Level Access Control (coming soon)
  - User defined roles
  - Privileges granted to roles for actions on resources
  - Database, collection and system resource types
- Field Level Access Control (2.5 nightly)
  - Redact documents and/or fields based on security labels

Field Level Access Control Goals
- Restrict access to certain documents within a collection
- Restrict access to certain fields within documents
- Provide a generic capability to handle different marking schemes
- Describe policies in terms of existing MongoDB query languages, or extensions thereof

FLAC Features and Functionality
- New $redact aggregation framework phase
  - Performs a pre-order traversal of the document tree
  - For each node, the expression conditionally returns one of "$$KEEP", "$$PRUNE" or "$$DESCEND"
- New query language operators
  - Sets (⊆, =, ∖, ∩, ∪)
  - Arrays (any true, all true)
  - Variables (let, map)

FLAC Features and Functionality (cont.)
- Aggregation can return a cursor
  - Have to use the "aggregate" command until 2.5 is feature-complete
  - Can use the temporary mongo shell helper db.collection.aggregateCursor()
- Aggregation can write directly to another collection
  - $out phase

Redaction Logic
- The expression is evaluated as the nodes in the document are traversed
- $$KEEP – inserts the node and the node's children into the output
- $$PRUNE – puts no node in the output document, and continues the traversal of the sibling nodes
- $$DESCEND – inserts a corresponding node in the output document and continues the traversal of the node's children

Set Operators
$setIsSubset, $setEquals, $setDifference, $setIntersection, $setUnion

Array Operators
$allElementsTrue, $anyElementTrue

Variable Operators
- $let – Binds variables for use in sub-expressions
- $map – Applies a sub-expression to each item in an array and returns an array with the result of the sub-expression
- Available in the $project, $group, and $redact pipeline stages

$let Example
    { $project: { remaining: { $let: {
        vars: { tally: 75, count: 50 },
        in: { $subtract: [ "$$tally", "$$count" ] }
    } } } }
Output:
    { remaining: 25 }
- Bind the "tally" and "count" variables
- Evaluate the subexpression defined by the "in" field with the bound variables

$map Example
Input document:
    { skews: [ 1, 2, 3 ] }
Stage:
    { $project: { adjusted: { $map: {
        input: "$skews",
        as: "adj",
        in: { $add: [ "$$adj", 12 ] }
    } } } }
Output:
    { adjusted: [ 13, 14, 15 ] }
- Use the "skews" field as the input to the $map operation
- Assign each element in the input array to the "adj" variable
- Execute the expression for each element in the input array

$redact Example
    { $redact: {
        $cond: [
            { $anyElementTrue: {
                $map: {
                    input: "$sl",
                    as: "setNeeded",
                    in: { $setIsSubset: [ "$$setNeeded", [ "A", "B", "D" ] ] }
                }
            } },
            "$$DESCEND",
            "$$PRUNE"
        ]
    } }
- Input labels ([ "A", "B", "D" ]); i.e., these would come from the user's attributes
- Field security labels are in the "sl" field

FLAC Pipeline – Basic
[Diagram labels: $redact, Query, $match, Redaction Expression, User Attributes]

FLAC Pipeline – Optimized
[Diagram labels: $match, Query, $redact, $match, Redaction Expression, User Attributes]
To make the pipeline more selective, parts of the $match may be promoted by the execution engine or manually.
* Don't promote negative query terms ($ne, $nin, $nor, etc.)

FLAC Pipeline – Document Level Filters
[Diagram labels: $match, Query, $redact, $match, Redaction Expression, User Attributes, Security Match Expression]
Document level access may be selective and benefit from index use in the first $match phase.
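The basic and optimized pipeline shapes from the slides above, built the way trusted middleware might build them. This is an added example, not the presenter's or MongoDB's code. It reads the diagrams as $redact followed by $match (basic) with a promoted $match placed in front (optimized). The function names are hypothetical, and treating $not, null and { $exists: false } as non-promotable is an assumption beyond the slide's list.

```javascript
// Added example, not MongoDB or driver code; matchesAbsent, redactStage and
// buildFlacPipeline are hypothetical names.

// Operators the slide says not to promote, plus $not (assumed under its "etc").
const NEGATIVE = new Set(["$ne", "$nin", "$nor", "$not"]);

// True when a query term can match a document whose field was redacted away.
// Assumption beyond the slide: null and {$exists: false} also match absent fields.
function matchesAbsent(term) {
  if (term === null) return true;
  if (typeof term !== "object") return false;
  if (Array.isArray(term)) return term.some(matchesAbsent);
  return Object.entries(term).some(([op, arg]) =>
    NEGATIVE.has(op) || (op === "$exists" && !arg) || matchesAbsent(arg));
}

// The slides' redaction expression (in the slides' syntax) with the user's labels filled in.
function redactStage(userLabels) {
  for (const label of userLabels) {
    // Inside an aggregation expression a string starting with "$" is read as a
    // field path or variable, so such a label would not be treated as a value.
    if (typeof label !== "string" || label === "" || label.startsWith("$")) {
      throw new Error("invalid security label");
    }
  }
  return { $redact: { $cond: [
    { $anyElementTrue: { $map: {
      input: "$sl", as: "setNeeded",
      in: { $setIsSubset: ["$$setNeeded", [...userLabels]] } } } },
    "$$DESCEND", "$$PRUNE"] } };
}

// Optimized shape: promoted $match, then $redact, then the full query again.
function buildFlacPipeline(query, userLabels) {
  const promoted = {};
  for (const [field, term] of Object.entries(query)) {
    if (!matchesAbsent({ [field]: term })) promoted[field] = term;
  }
  const basic = [redactStage(userLabels), { $match: query }];
  return Object.keys(promoted).length > 0 ? [{ $match: promoted }, ...basic] : basic;
}
```

Because the full query always runs again after $redact, a promoted term can only narrow the input early; a term that can match a missing field is held back because it would give a different answer before and after redaction.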

Markings Reference Implementation
- Field visibility is controlled by the "sl" field
- A top level "sl" applies to the whole document
- A restrictive marking on a parent field removes it and any children

Markings Reference Implementation
    {
        _id: 1,
        sl: [ ["A", "B"], ["C"] ],
        field1: { sl: [ ["A", "B"] ], data: "field1 value" },
        field2: { sl: [ ["C"] ], data: "field2 value" },
        field3: { sl: [ ["A", "C"], ["B", "D"] ], data: "field3 value" }
    }
- User needs A&B|C to see the document
- User needs A&B to see field1
- User needs C to see field2
- User needs A&C|B&D to see field3

Markings Reference Implementation
    {
        _id: 2,
        sl: [ ["A", "B", "C"], ["A", "B", "D"] ],
        field1: {
            sl: [ ["A", "B"] ],
            field2: { sl: [ ["C"] ], data: "field2 value" },
            field3: { sl: [ ["D"] ], data: "field3 value" }
        }
    }
- User needs A&B&C|A&B&D to see the document
- User needs A&B to see field1
- User needs A&B&C to see field1.field2
- User needs A&B&D to see field1.field3

$redact Reference Example
    { $redact: {
        $cond: [
            { $anyElementTrue: {
                $map: {
                    input: "$sl",
                    as: "setNeeded",
                    in: { $setIsSubset: [ "$$setNeeded", [ "A", "B", "D" ] ] }
                }
            } },
            "$$DESCEND",
            "$$PRUNE"
        ]
    } }
- User has labels "A", "B" and "D"
- Field security labels are in the "sl" field

$redact Output (user labels = ["A", "B", "D"])
Input:
    {
        _id: 1,
        sl: [ ["A", "B"], ["C"] ],
        field1: { sl: [ ["A", "B"] ], data: "field1 value" },
        field2: { sl: [ ["C"] ], data: "field2 value" },
        field3: { sl: [ ["A", "C"], ["B", "D"] ], data: "field3 value" }
    }
Output:
    {
        _id: 1,
        sl: [ ["A", "B"], ["C"] ],
        field1: { sl: [ ["A", "B"] ], data: "field1 value" },
        field3: { sl: [ ["A", "C"], ["B", "D"] ], data: "field3 value" }
    }

$redact Output (user labels = ["A", "B", "D"])
Input:
    {
        _id: 2,
        sl: [ ["A", "B", "C"], ["A", "B", "D"] ],
        field1: {
            sl: [ ["A", "B"] ],
            field2: { sl: [ ["C"] ], data: "field2 value" },
            field3: { sl: [ ["D"] ], data: "field3 value" }
        }
    }
Output:
    {
        _id: 2,
        sl: [ ["A", "B", "C"], ["A", "B", "D"] ],
        field1: {
            sl: [ ["A", "B"] ],
            field3: { sl: [ ["D"] ], data: "field3 value" }
        }
    }
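The traversal behind the two outputs above, modelled in plain JavaScript so it can be run without a server. This is an added example, not MongoDB's implementation or code from the presentation. The names canSee and redact are hypothetical, and pruning a subdocument that has no "sl" array is an assumption the slides do not state.

```javascript
// Added example (not MongoDB code); canSee and redact are hypothetical names.
// Model of the slides' $redact expression: some required label set in "sl"
// must be a subset of the user's labels ($anyElementTrue/$map/$setIsSubset).
function canSee(sl, userLabels) {
  const have = new Set(userLabels);
  return sl.some((needed) => Array.isArray(needed) && needed.every((l) => have.has(l)));
}

const isSubdoc = (v) => v !== null && typeof v === "object" && !Array.isArray(v);

// Pre-order traversal: decide on a node, then visit its subdocuments.
// Assumption: a subdocument with no "sl" array is pruned (fail closed).
function redact(node, userLabels) {
  if (!Array.isArray(node.sl) || !canSee(node.sl, userLabels)) {
    return undefined; // $$PRUNE: the node and everything under it is dropped
  }
  const out = {}; // $$DESCEND: keep this level, re-evaluate each subdocument
  for (const [key, value] of Object.entries(node)) {
    if (isSubdoc(value)) {
      const kept = redact(value, userLabels);
      if (kept !== undefined) out[key] = kept;
    } else if (Array.isArray(value)) {
      // Subdocuments inside arrays are evaluated too; other elements pass through.
      out[key] = value
        .map((v) => (isSubdoc(v) ? redact(v, userLabels) : v))
        .filter((v) => v !== undefined);
    } else {
      out[key] = value;
    }
  }
  return out;
}

// The two reference documents from the slides.
const doc1 = {
  _id: 1, sl: [["A", "B"], ["C"]],
  field1: { sl: [["A", "B"]], data: "field1 value" },
  field2: { sl: [["C"]], data: "field2 value" },
  field3: { sl: [["A", "C"], ["B", "D"]], data: "field3 value" },
};
const doc2 = {
  _id: 2, sl: [["A", "B", "C"], ["A", "B", "D"]],
  field1: {
    sl: [["A", "B"]],
    field2: { sl: [["C"]], data: "field2 value" },
    field3: { sl: [["D"]], data: "field3 value" },
  },
};
console.log(JSON.stringify([doc1, doc2].map((d) => redact(d, ["A", "B", "D"])), null, 2));
```

A user holding only "C" gets document 1 with field2 alone and does not get document 2 at all, because the top-level marking prunes the whole document before any field is looked at.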

FLAC Design – Trusted Middleware
[Diagram labels: Untrusted User/Application, Trusted Middleware/Application, Identity Management, Driver, Collection; Query + $redact, Trusted user]
First step list:
1. Authenticate Untrusted User
2. Retrieve User Attributes
3. Create query and $redact Expression
Second step list:
1. Authenticate Trusted User
2. Run Query
3. Apply $redact Expression

Disclaimer
Statements about future releases, availability dates, and feature content reflect plans only, and MongoDB is under no obligation to include, develop or make available, commercially or otherwise, specific features discussed in a future MongoDB build. Information is provided for general understanding only, and is subject to change at the sole discretion of MongoDB in response to changing market conditions, delivery schedules, customer requirements, and/or other factors.

Integrated FLAC (Conceptual)*
- Collection Views
- Read-only Views
- Parameterized Views
  - Configurable redaction expression
  - Document content based on the user attributes and field markings
* See Disclaimer

FLAC Design – Views*
[Diagram labels: Untrusted User/Application, Trusted Middleware/Application, Identity Management, Driver, Collection, View ($redact); Query + attributes, Trusted user]
First step list:
1. Authenticate Untrusted User
2. Retrieve User Attributes
Second step list:
1. Authenticate Trusted User
2. Run Query
3. Create/Apply $redact Expression
* See Disclaimer

FLAC Design – Fully Integrated*
[Diagram labels: Untrusted User/Application, Untrusted Middleware/Application, Identity Management, Driver, Collection, View ($redact); Query, Untrusted user]
Step list:
1. Authenticate Untrusted User
2. Retrieve User Attributes
3. Run Query
4. Create/Apply $redact Expression
* See Disclaimer

Parameterized View Concept*
    { $redact: {
        $cond: [
            { $anyElementTrue: {
                $map: {
                    input: "$sl",
                    as: "setNeeded",
                    in: { $setIsSubset: [ "$$setNeeded", "$$USER.security.tags" ] }
                }
            } },
            "$$DESCEND",
            "$$PRUNE"
        ]
    } }
- User labels retrieved from security "context"
* See Disclaimer

Other Features*
- LDAP Authentication
- x.509 Authentication
- Keyfile alternative
- Auditing (admin functions – DDL, DCL)
- User defined roles
- Collection level access control
* See Disclaimer

Next Steps
- Looking for customers to evaluate
- Trusted middleware example code

References

James Kerr Thank You