MongoDB Sharding and its Threats
By: Anam Zahid MS(IT)-13
Agenda
• Sharding Components
• Sharding mechanics
• MongoDB Sharding Security
• Weaknesses Identified
• Threats
Main components
• Shard
  – A shard is a node of the cluster
  – Each shard can be a single mongod or a replica set
• Config Server (metadata storage)
  – Stores cluster chunk ranges and locations
  – Can have only 1 or 3 (production must have 3)
  – Not a replica set
• Mongos
  – Acts as a router / balancer
  – No local data (persists to config database)
  – Can have 1 or many
Chunk Partitioning
• A chunk is a section of the entire range

Chunk splitting
• A chunk is split once it exceeds the maximum size
• There is no split point if all documents have the same shard key
• Chunk split is a logical operation (no data is moved)
Balancing
• The balancer runs on mongos
• Once the difference in chunks between the most dense shard and the least dense shard is above the migration threshold, a balancing round starts
Acquiring the Balancer Lock
• The balancer on mongos takes out a "balancer lock"
• To see the status of these locks:
    use config
    db.locks.find({ _id: "balancer" })
Moving the chunk
• The mongos sends a moveChunk command to the source shard
• The source shard then notifies the destination shard
• The destination shard starts pulling documents from the source shard
Committing Migration
• When complete, the destination shard updates the config server
  – Provides new locations of the chunks
Cleanup
• The source shard deletes the moved data
  – Must wait for open cursors to either close or time out
  – NoTimeout cursors may prevent the release of the lock
• The mongos releases the balancer lock after old chunks are deleted
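
The balancing, migration and cleanup steps above as a simplified in-memory model, showing how a NoTimeout cursor leaves the balancer lock held. This is an added example, not code from the slides or from MongoDB; the cluster layout, shard names, the `mongos-1` identifier and the one-chunk-per-round simplification are assumptions.

```javascript
// Simplified model of one balancing round; it moves at most one chunk.
// Cluster layout, shard names and "mongos-1" are constructed for illustration.
function balancingRound(cluster, threshold) {
  if (cluster.lock) return [`lock held by ${cluster.lock}, round skipped`];
  const byLoad = Object.keys(cluster.shards)
    .sort((a, b) => cluster.shards[b].length - cluster.shards[a].length);
  const src = byLoad[0];
  const dst = byLoad[byLoad.length - 1];
  const diff = cluster.shards[src].length - cluster.shards[dst].length;
  if (diff <= threshold) return [`difference ${diff} not above threshold, no round`];

  const steps = [];
  cluster.lock = "mongos-1";                 // acquire the balancer lock
  steps.push("balancer lock acquired");
  const chunk = cluster.shards[src][0];
  steps.push(`moveChunk ${chunk}: ${src} -> ${dst}`);
  cluster.shards[dst].push(chunk);           // destination pulls the documents
  cluster.config[chunk] = dst;               // commit: config server records new location
  steps.push("config server updated");

  // Cleanup: the source deletes its copy only when no cursor blocks it.
  // Ordinary cursors eventually time out; noTimeout cursors never do.
  const blocking = cluster.cursors.filter(c => c.shard === src && c.noTimeout);
  if (blocking.length > 0) {
    steps.push(`cleanup blocked by ${blocking.length} noTimeout cursor(s), lock still held`);
    return steps;
  }
  cluster.shards[src] = cluster.shards[src].filter(c => c !== chunk);
  cluster.lock = null;                       // released only after the old chunk is deleted
  steps.push(`source deleted ${chunk}, balancer lock released`);
  return steps;
}

// Constructed cluster: shardA holds five chunks, shardB one.
function newCluster(cursors) {
  return {
    shards: { shardA: ["c1", "c2", "c3", "c4", "c5"], shardB: ["c6"] },
    config: { c1: "shardA", c2: "shardA", c3: "shardA", c4: "shardA", c5: "shardA", c6: "shardB" },
    cursors, lock: null,
  };
}
console.log(balancingRound(newCluster([]), 2));
console.log(balancingRound(newCluster([{ shard: "shardA", noTimeout: true }]), 2));
```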
Sharding Mechanics
Sharding Security - Authentication
• Password Authentication or MongoDB-CR
• External Authentication
  1) PLAIN SASL (Simple Authentication and Security Layer)
  2) Kerberos Authentication using GSSAPI
  3) X.509 Certificate based authentication
MongoDB-CR
• Intra-cluster authentication still uses MongoDB-CR, configured with the keyfile option
• The keyfile acts as a shared password
• The same keyfile is used by all members of a cluster (including mongod and mongos)
• A keyfile contains random characters from the base64 set
• Not supported on Windows systems
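
A check of the keyfile properties listed above across cluster members, as an added example that is not part of the original slides. The 6 to 1024 character limit, whitespace stripping and the no group/world permission rule come from the MongoDB manual; host names and key material are constructed.

```javascript
// Audits keyfile content and POSIX mode for every cluster member.
// members: [{ host, content, mode }], e.g. gathered by configuration management.
const BASE64_ONLY = /^[A-Za-z0-9+/=]*$/;

function auditKeyfiles(members) {
  // mongod strips whitespace from the keyfile, so compare normalized content.
  const normalize = text => text.replace(/\s+/g, "");
  const reference = members.length > 0 ? normalize(members[0].content) : "";
  const report = new Map();
  for (const m of members) {
    const findings = [];
    const key = normalize(m.content);
    if (key.length < 6 || key.length > 1024) {
      findings.push(`key length ${key.length} outside 6-1024 characters`);
    }
    if (!BASE64_ONLY.test(key)) {
      findings.push("contains characters outside the base64 set");
    }
    // Any group or world bit exposes the cluster-wide shared secret.
    if ((m.mode & 0o077) !== 0) {
      findings.push(`mode ${(m.mode & 0o777).toString(8)} grants group or world access`);
    }
    // Every mongod and mongos must hold the same key.
    if (key !== reference) {
      findings.push(`differs from keyfile on ${members[0].host}`);
    }
    report.set(m.host, findings);
  }
  return report;
}

// Constructed sample: not real key material.
const sampleKey = "c2hhcmVkLXNlY3JldC1mb3ItZGVtby1vbmx5\n";
const sampleMembers = [
  { host: "cfg1.example.net", content: sampleKey, mode: 0o600 },
  { host: "shard1.example.net", content: sampleKey, mode: 0o644 },
  { host: "mongos1.example.net", content: "hunter2!", mode: 0o400 },
];
for (const [host, findings] of auditKeyfiles(sampleMembers)) {
  console.log(host, findings.length ? findings : "ok");
}
```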
SSL with X.509 Certificate based Authentication
• The MONGODB-X509 mechanism authenticates a username derived from the distinguished subject name of the X.509 certificate presented by the driver during SSL negotiation. This authentication method requires the use of SSL connections with certificate validation and is available in MongoDB 2.5.1 and newer.
Kerberos Authentication
{ user: "username@EXAMPLE.COM", roles: ["readWrite"], userSource: "$external" }
1. Client to Key Distribution Center (UDP:88): I am "username@EXAMPLE.COM", help me prove it to mongod
2. Key Distribution Center to client: Here is a Service Ticket
3. Client to mongod (TCP:27017): Here is a Kerberos Service Ticket
4. mongod: Keytab
5. mongod to client: Welcome, here is Service
PLAIN SASL
• Proposed in RFC 4616
• New in version 2.6
• MongoDB Enterprise Edition versions 2.5.0 and newer support the SASL PLAIN authentication mechanism, initially intended for delegating authentication to an LDAP (Lightweight Directory Access Protocol) server.
Sharding Security - Authorization
• MongoDB system-defined access control roles
  – readWrite
  – dbAdmin (clean, create, drop database etc.)
  – userAdmin (for a single database)
  – readAnyDatabase
  – readWriteAnyDatabase
  – dbAdminAnyDatabase
  – userAdminAnyDatabase (for all databases)
  – clusterAdmin (no access to the config database; access only to the admin database)
Transmission Security
• SSL encryption (with CA validation) is used for inter-server (between servers) data transmission security
Data-at-rest Security
• 3rd Party Security Provider
  – Gazzang's ZnCrypt
• File system Encryption
[Diagram: Gazzang Key management; OS; Gazzang File System – All contents encrypted]
Security Weaknesses
• No field-level access control
• No strong internal security (e.g. MongoDB-CR is still used for intra-cluster authentication)
• No data integrity check
• A firewall is needed for egress and ingress filtering of incoming connections within a sharded cluster

Other Weaknesses
• No separate audit log
• Database-level locking support only
• mongod audit logs contain only write operations, and operations are not mapped to a user_id because the logs are unaware of the user
Threats
• Malicious insider threat
  – A malicious person injects their own shard into the sharded cluster
  – All credentials for databases other than the admin database reside in the mongod instance that is the primary shard for that database
  – Read/write access on the config database is needed to add shards; once permitted, a malicious user may access all collections in the config database
• Man-in-the-middle attack
  – Can occur because data is sent in plain form during transmission, as SSL is not enabled by default in MongoDB
  – The PLAIN SASL mechanism sends passwords in plain text format to the LDAP server
  – Intra-cluster authentication still uses KeyFile and does not support Kerberos authentication
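
A defender-side check for the injected-shard threat above, as an added example that is not from the original slides: it compares documents shaped like those in the config database's `shards` collection (`_id` and `host` fields) against an approved inventory. Shard names, host names, addresses and the inventory format are constructed for illustration.

```javascript
// Parse a config.shards "host" value: "rsName/h1:port,h2:port" or "h1:port".
function parseShardHost(host) {
  const slash = host.indexOf("/");
  const replSet = slash === -1 ? null : host.slice(0, slash);
  const members = (slash === -1 ? host : host.slice(slash + 1))
    .split(",").map(h => h.trim().toLowerCase()).filter(h => h.length > 0);
  return { replSet, members };
}

// approved: Map of shard _id -> { replSet, members } (hypothetical inventory format).
function auditShards(shardDocs, approved) {
  const findings = [];
  const seen = new Set();
  for (const doc of shardDocs) {
    seen.add(doc._id);
    const want = approved.get(doc._id);
    if (!want) {
      findings.push({ shard: doc._id, issue: "shard not in approved inventory", detail: doc.host });
      continue;
    }
    const got = parseShardHost(doc.host);
    if (got.replSet !== want.replSet) {
      findings.push({ shard: doc._id, issue: "replica set name mismatch", detail: String(got.replSet) });
    }
    for (const m of got.members) {
      if (!want.members.includes(m)) {
        findings.push({ shard: doc._id, issue: "unapproved member host", detail: m });
      }
    }
  }
  for (const id of approved.keys()) {
    if (!seen.has(id)) findings.push({ shard: id, issue: "approved shard missing", detail: "" });
  }
  return findings;
}

// Constructed sample documents and inventory.
const sampleShardDocs = [
  { _id: "shard0000", host: "rs0/db1.example.net:27018,db2.example.net:27018" },
  { _id: "shard0001", host: "rs1/db3.example.net:27018,db9.example.net:27018" },
  { _id: "shard0002", host: "192.0.2.77:27018" },
];
const approvedShards = new Map([
  ["shard0000", { replSet: "rs0", members: ["db1.example.net:27018", "db2.example.net:27018"] }],
  ["shard0001", { replSet: "rs1", members: ["db3.example.net:27018", "db4.example.net:27018"] }],
]);
console.log(auditShards(sampleShardDocs, approvedShards));
```

The inventory belongs outside the cluster, because an account that can write to the config database could otherwise change both sides of the comparison.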
Threats
• Additionally, weak auditing facilities in MongoDB may also cause
  – Repudiation attack
• Default open ports, e.g. 28017, 27017 etc., can cause
  – Port scan attack
  – DoS attack
• Weak validation of input in the MongoDB REST API can cause
  – Cross-Site Request Forgery (CSRF)
• Weak validation of input in the PHP driver can result in
  – NoSQL Injection
• Flaws in the REST API allow
  – Stored Cross-Site Scripting (XSS) attack