Update 2/25/2016: The new UI has changed the way this process looks (users and roles now sit under the “More” menu on the Deployment page), but the idea is the same. Feel free to open a ticket or chat with us if you have any questions about this.
A question we are asked a lot is how to create a user that can tail the oplog using Cloud Manager Automation. Meteor users need such a user if they want to turn on MongoDB authentication on their database servers without losing live updates. Here’s how:
- Head to your Authorization & Roles page
- Create a new role (I called mine “oplogger”) that has permission to read the local database (the oplog is the local.oplog.rs collection, so read access on local is all this role needs)
- Once you save this role, go to the “Authentication & Users” tab
- Create a user with the “oplogger” role (plus any other roles you need) and save it with a password you know
- Push your changes via “Review & Deploy” and then “Confirm & Deploy”
Once you configure your Meteor installation (MONGO_OPLOG_URL) to connect with the new credentials, your app should work as expected, giving you live tracking of changes. Note that the oplog URL must point at the local database and, because the user lives in the admin database, must carry authSource=admin; otherwise authentication against local fails and Meteor silently falls back to polling.
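The same role and user expressed as the createRole and createUser command documents you would send from a shell if you were not using Cloud Manager, together with a builder for the MONGO_OPLOG_URL the steps above end with. This is an added example, not code from the original post; the host names, replica set name and password are constructed, and the “oplogger” role name is taken from the post.

```python
from urllib.parse import quote, urlencode


def oplog_role_doc(role_name="oplogger"):
    """createRole command document for the role in the post. Create it in the
    admin database. Because the oplog lives in local.oplog.rs, inheriting the
    built-in 'read' role on local is enough and grants nothing beyond local."""
    return {
        "createRole": role_name,
        "privileges": [],
        "roles": [{"role": "read", "db": "local"}],
    }


def oplog_user_doc(user, pwd, role_name="oplogger", extra_roles=()):
    """createUser command document (run against admin) holding only the oplog
    role plus whatever extra roles the caller explicitly asks for."""
    return {
        "createUser": user,
        "pwd": pwd,
        "roles": [{"role": role_name, "db": "admin"}, *extra_roles],
    }


def build_oplog_url(user, pwd, hosts, replica_set):
    """MONGO_OPLOG_URL for Meteor: it must target the *local* database, name the
    replica set, and carry authSource=admin because the user exists in admin,
    not in local. Credentials are percent-encoded so characters such as
    ':' '@' '/' in a password cannot be misread as URL delimiters."""
    if isinstance(hosts, (list, tuple)):
        hosts = ",".join(hosts)
    params = urlencode({"authSource": "admin", "replicaSet": replica_set})
    return "mongodb://%s:%s@%s/local?%s" % (
        quote(user, safe=""), quote(pwd, safe=""), hosts, params)


def check_oplog_url(url):
    """The three mistakes that most often break oplog tailing after enabling
    auth. Returns a list of problems; empty means the URL looks right."""
    problems = []
    if "/local?" not in url and not url.endswith("/local"):
        problems.append("database in the URL must be 'local'")
    if "authSource=admin" not in url:
        problems.append("missing authSource=admin (user is defined in admin)")
    if "replicaSet=" not in url:
        problems.append("missing replicaSet name")
    return problems


if __name__ == "__main__":
    # Constructed values for illustration only.
    url = build_oplog_url("oplogger", "p@ss:w/rd",
                          ["db1.example:27017", "db2.example:27017"], "rs0")
    print(url)
    print(check_oplog_url(url))
```

Export the printed value as MONGO_OPLOG_URL alongside the normal MONGO_URL; the application user in MONGO_URL does not need the oplogger role.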
Securing MongoDB Part 3: Database Auditing and Encryption
Welcome back to our 4-part blog series presenting the best practices and controls available in MongoDB to help you create a secure, compliant database platform. In this installment, we’ll be discussing database auditing and encryption. As a quick recap, in part 1 we took a look at the general requirements for data security and regulatory compliance, and in part 2 we reviewed MongoDB access control, which enforces authentication and authorization. In part 4, we’ll wrap up with environmental control and management. If you want to get a head start and learn about all of these topics in one installment, download the MongoDB Security Architecture guide.

MongoDB Auditing

The auditing framework provided as part of MongoDB Enterprise Advanced logs access and actions executed against the database. It captures administrative actions (DDL) such as schema operations, authentication and authorization activity, and read and write (DML) operations. Administrators can construct and filter audit trails for any operation against MongoDB, whether DML, DCL or DDL, without relying on third-party tools. For example, it is possible to log the identities of users who retrieved specific documents, and any changes made to the database during their session.

**Figure 1**: MongoDB Maintains an Audit Trail of Administrative Actions Against the Database

Administrators can configure MongoDB to log all actions or apply filters to capture only specific events, users or roles. The audit log can be written to several destinations in a variety of formats: to the console and to syslog (in JSON), or to a file (JSON or BSON), which can then be loaded into MongoDB and queried to identify relevant events. One caveat worth knowing before you plan on the “who read which documents” use case: by default the audit system records only failed authorization checks; successful ones, which cover every ordinary read and write, are recorded only when the auditAuthorizationSuccess parameter is enabled, and that is the setting with the largest performance cost. MongoDB Enterprise Advanced also supports role-based auditing.
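The analysis step the paragraph above describes, as an added example that is not MongoDB’s code: a handful of constructed audit events in the JSON format mongod writes to a file or syslog destination, a filter expression of the kind that is placed (as a JSON string) in the auditLog.filter setting, triage logic that flags the events a security team usually wants to see first, and a role-based view of the log. The sample events, the failure threshold and the finding labels are the example’s own.

```python
import json

# Constructed sample of audit events in the JSON format mongod writes (not a
# real capture). Successful authCheck events appear only when the
# auditAuthorizationSuccess parameter is enabled; failed ones (result 13,
# Unauthorized) and failed authenticate events (result 18) are always written.
SAMPLE_AUDIT_LOG = r"""
{"atype":"authenticate","ts":{"$date":"2016-03-01T10:00:01.000Z"},"local":{"ip":"10.0.0.5","port":27017},"remote":{"ip":"203.0.113.7","port":51200},"users":[],"roles":[],"param":{"user":"app","db":"admin","mechanism":"SCRAM-SHA-1"},"result":18}
{"atype":"authenticate","ts":{"$date":"2016-03-01T10:00:03.000Z"},"local":{"ip":"10.0.0.5","port":27017},"remote":{"ip":"203.0.113.7","port":51201},"users":[],"roles":[],"param":{"user":"app","db":"admin","mechanism":"SCRAM-SHA-1"},"result":18}
{"atype":"authenticate","ts":{"$date":"2016-03-01T10:05:00.000Z"},"local":{"ip":"10.0.0.5","port":27017},"remote":{"ip":"10.0.0.9","port":40010},"users":[{"user":"alice","db":"admin"}],"roles":[{"role":"userAdminAnyDatabase","db":"admin"}],"param":{"user":"alice","db":"admin","mechanism":"SCRAM-SHA-1"},"result":0}
{"atype":"createUser","ts":{"$date":"2016-03-01T10:05:40.000Z"},"local":{"ip":"10.0.0.5","port":27017},"remote":{"ip":"10.0.0.9","port":40010},"users":[{"user":"alice","db":"admin"}],"roles":[{"role":"userAdminAnyDatabase","db":"admin"}],"param":{"user":"bob","db":"admin","roles":[{"role":"root","db":"admin"}]},"result":0}
{"atype":"authCheck","ts":{"$date":"2016-03-01T10:07:12.000Z"},"local":{"ip":"10.0.0.5","port":27017},"remote":{"ip":"10.0.0.12","port":40022},"users":[{"user":"app","db":"admin"}],"roles":[{"role":"readWrite","db":"shop"}],"param":{"command":"find","ns":"hr.salaries","args":{"find":"salaries","filter":{}}},"result":13}
{"atype":"dropDatabase","ts":{"$date":"2016-03-01T10:09:00.000Z"},"local":{"ip":"10.0.0.5","port":27017},"remote":{"ip":"10.0.0.9","port":40030},"users":[{"user":"bob","db":"admin"}],"roles":[{"role":"root","db":"admin"}],"param":{"ns":"shop"},"result":0}
"""

ACCOUNT_CHANGES = {"createUser", "dropUser", "updateUser", "grantRolesToUser",
                   "revokeRolesFromUser", "createRole", "updateRole", "dropRole",
                   "grantPrivilegesToRole", "grantRolesToRole"}
DESTRUCTIVE_DDL = {"dropDatabase", "dropCollection", "shutdown"}
PRIVILEGED_ROLES = {"root", "userAdmin", "userAdminAnyDatabase", "dbAdmin",
                    "dbAdminAnyDatabase", "clusterAdmin", "__system"}
FAILED_AUTH_THRESHOLD = 2  # constructed for the example; tune for your environment

# A filter of the kind placed in auditLog.filter (as a JSON string) so the
# server records only these event types rather than everything.
AUDIT_FILTER = {"atype": {"$in": sorted(ACCOUNT_CHANGES | DESTRUCTIVE_DDL
                                        | {"authenticate", "authCheck"})}}


def parse_audit_log(text):
    """One JSON document per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def actor(event):
    """'user@db' of the authenticated session that produced the event."""
    users = event.get("users") or []
    return "%s@%s" % (users[0]["user"], users[0]["db"]) if users else "unauthenticated"


def triage(events):
    """Return (finding, who, what) triples that deserve a human look."""
    findings = []
    failures_by_ip = {}
    for e in events:
        atype, result, param = e["atype"], e.get("result", 0), e.get("param", {})
        if atype == "authenticate":
            if result == 0:
                continue
            ip = e["remote"]["ip"]
            failures_by_ip[ip] = failures_by_ip.get(ip, 0) + 1
            if failures_by_ip[ip] == FAILED_AUTH_THRESHOLD:
                findings.append(("repeated_auth_failure", ip, param["user"]))
        elif atype in ACCOUNT_CHANGES:
            # A grant of a privileged role is the classic privilege-escalation trail.
            granted = {r["role"] for r in param.get("roles", [])}
            kind = "privileged_grant" if granted & PRIVILEGED_ROLES else "account_change"
            findings.append((kind, actor(e), param.get("user") or param.get("role")))
        elif atype == "authCheck" and result != 0:
            findings.append(("denied_access", actor(e), param["ns"]))
        elif atype in DESTRUCTIVE_DDL:
            findings.append(("destructive_ddl", actor(e), param.get("ns", "")))
    return findings


def events_by_role(events, role):
    """Role-based view: events performed by any session holding `role`.
    The roles field on an event already lists inherited roles."""
    return [e for e in events if any(r["role"] == role for r in e.get("roles", []))]


if __name__ == "__main__":
    evts = parse_audit_log(SAMPLE_AUDIT_LOG)
    for finding in triage(evts):
        print(finding)
    print([e["atype"] for e in events_by_role(evts, "root")])
```

On the sample, the triage reports two failed logins for “app” from one address, alice creating bob with the root role, the app user being refused a read of hr.salaries, and bob dropping the shop database; the role view shows that the only action taken under root was that drop.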
It is possible to log and report activities by specific role, such as userAdmin or dbAdmin, coupled with any inherited roles each user has, rather than having to extract activity for each individual administrator.

Auditing adds performance overhead to a MongoDB system. The amount depends on several factors, including which events are logged, where the audit log is kept (for example on an external storage device) and the audit log format. Users should weigh their application’s auditing needs against their performance goals to determine the optimal configuration. Learn more from the MongoDB auditing documentation.

MongoDB Encryption

Administrators can encrypt MongoDB data in motion over the network and at rest in permanent storage.

Network Encryption

Support for SSL/TLS allows clients to connect to MongoDB over an encrypted channel. A client is any entity capable of connecting to the MongoDB server, including:
- Users and administrators
- Applications
- MongoDB tools (e.g., mongodump, mongorestore, mongotop)
- Nodes that make up a MongoDB cluster, such as replica set members, query routers and config servers

It is possible to mix SSL/TLS and non-SSL/TLS connections on the same port, which is useful when applying finer-grained encryption controls to internal and external traffic, and for avoiding downtime when upgrading a cluster to SSL/TLS: members are moved through the allowSSL and preferSSL values of net.ssl.mode one at a time. Treat the mixed modes as transitional; once every member and client speaks TLS, set the mode to requireSSL so that plaintext connections are refused. x.509 certificates can also be used over TLS to authenticate clients and cluster members, in place of passwords and keyfiles.

MongoDB Enterprise Advanced supports FIPS 140-2 if run in FIPS mode with a FIPS-validated cryptographic module. The mongod and mongos processes should be started with the sslFIPSMode setting (net.ssl.FIPSMode in the configuration file) and deployed on systems whose OpenSSL library is built with the FIPS 140-2 module. The MongoDB documentation includes a tutorial for configuring TLS/SSL connections.

Disk Encryption

There are multiple ways to encrypt data at rest with MongoDB.
Encryption can be implemented at the application level, or via external filesystem and disk encryption solutions. By introducing additional technology into the stack, both of these approaches can add cost and complexity. With the introduction of the Encrypted storage engine in MongoDB 3.2, protection of data at rest becomes an integral feature of the database. By natively encrypting database files on disk, administrators avoid the management and performance overhead of external encryption mechanisms. The engine adds a further layer of defense: the files on disk are readable only through the database, by users holding the appropriate credentials. Be clear about what that layer does and does not protect. It defends against someone who obtains the files, disks or backups; it does nothing against an authenticated user whose credentials are misused, which is what the access controls from part 2 are for.

**Figure 2:** End to End Encryption – Data In-Flight and Data At-Rest

Using the Encrypted storage engine, the raw database content (the plaintext) is encrypted using an algorithm that takes a random encryption key as input and produces ciphertext that can only be read when decrypted with the corresponding key. The process is entirely transparent to the application. MongoDB supports more than one cipher mode: AES-256 in CBC mode is the default, and AES-256 in GCM mode, which also authenticates the ciphertext, is supported on Linux. The cipher configuration can be made FIPS 140-2 compliant.

The storage engine encrypts each database with a separate key. The key-wrapping scheme in MongoDB wraps all of the individual internal database keys with one external master key per server. The Encrypted storage engine supports two key management options; in both cases, the only key managed outside MongoDB is the master key:
- Local key management via a keyfile. The keyfile sits on the same host as the data it protects, so it offers much less protection than an external key manager and is best kept to testing and development.
- Integration with a third-party key management appliance via the KMIP protocol (recommended).

Most regulatory requirements mandate that encryption keys be rotated and replaced with a new key at least once a year. MongoDB can rotate keys without downtime by performing rolling restarts of the replica set.
When using a KMIP appliance, the database files themselves do not need to be re-encrypted, avoiding the significant performance overhead that key rotation imposes in other databases: only the master key is rotated, and only the internal database keystore is re-encrypted under it.

The Encrypted storage engine is designed for operational efficiency and performance:
- Compatible with WiredTiger’s document-level concurrency control and compression.
- Support for Intel’s AES-NI equipped CPUs to accelerate encryption and decryption.
- As documents are modified, only the updated storage blocks need to be re-encrypted, rather than the entire database.

Based on user testing, the Encrypted storage engine keeps the performance overhead to around 15% (this varies with the data types being encrypted), which can be much less than the overhead observed with some filesystem encryption solutions. The Encrypted storage engine is based on WiredTiger and is available as part of MongoDB Enterprise Advanced. Refer to the documentation to learn more, and see the tutorial on how to configure the storage engine.

MongoDB Atlas Encryption

As discussed in Part 2 of the Securing MongoDB blog series, MongoDB Atlas is a database as a service for MongoDB, providing the features of the database without the operational heavy lifting. MongoDB Atlas has been engineered to deliver robust encryption controls. Data managed by the MongoDB Atlas service can be encrypted on the network and on disk. Support for TLS/SSL allows clients to connect to MongoDB over an encrypted channel, and all data transfers across the cluster are also encrypted. Data at rest can be protected using encrypted data volumes. Note that this uses the cloud provider’s native volume encryption, not the MongoDB Encrypted storage engine, so the key hierarchy and rotation behaviour described above do not apply to Atlas volumes. Review the MongoDB Atlas documentation for more information on configuring the built-in security controls.
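The key hierarchy and master-key rotation described under Disk Encryption above, modelled in Python as an added example (this is not MongoDB’s code, and the class and function names are the example’s own). So that it runs on the standard library alone, a SHA-256 counter keystream with an HMAC tag stands in for AES-256; that stand-in is for illustration only, not a cipher to reuse. The model shows the two properties the text claims: rotating the master key re-wraps the keystore but leaves every data file byte-for-byte unchanged, and each database’s key opens only that database’s files.

```python
import hashlib
import hmac
import os


def _subkeys(key):
    # Derive separate encryption and MAC keys from one 32-byte key.
    return (hashlib.sha256(b"enc" + key).digest(),
            hashlib.sha256(b"mac" + key).digest())


def _xor_stream(enc_key, nonce, data):
    # Toy counter-mode keystream (stand-in for AES); 32-byte blocks.
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(enc_key + nonce + off.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


def seal(key, plaintext):
    """Encrypt-then-MAC. Layout: 16-byte nonce || ciphertext || 32-byte tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = _xor_stream(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob):
    """Inverse of seal(); raises ValueError on a wrong key or tampered data."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("bad key or corrupted data")
    return _xor_stream(enc_key, nonce, ct)


class EncryptedStorageModel:
    """One master key per server wraps a separate key for each database;
    each database's data files are encrypted under that database's key."""

    def __init__(self, master_key):
        self.master_key = master_key
        self.keystore = {}   # db name -> db key sealed under the master key
        self.files = {}      # db name -> "data file" sealed under the db key

    def _db_key(self, db):
        if db not in self.keystore:
            # New database: generate its key and wrap it with the master key.
            self.keystore[db] = seal(self.master_key, os.urandom(32))
        return unseal(self.master_key, self.keystore[db])

    def write(self, db, plaintext):
        self.files[db] = seal(self._db_key(db), plaintext)

    def read(self, db):
        return unseal(self._db_key(db), self.files[db])

    def rotate_master_key(self, new_master_key):
        """Master-key rotation as described for the KMIP case: unwrap every
        database key with the old master key and re-wrap it with the new one.
        self.files is never touched. Returns the databases re-wrapped."""
        rewrapped = []
        for db in list(self.keystore):
            db_key = unseal(self.master_key, self.keystore[db])
            self.keystore[db] = seal(new_master_key, db_key)
            rewrapped.append(db)
        self.master_key = new_master_key
        return rewrapped


if __name__ == "__main__":
    # Constructed demonstration data.
    store = EncryptedStorageModel(os.urandom(32))
    store.write("orders", b"customer records")
    store.write("hr", b"salaries")
    before = dict(store.files)
    store.rotate_master_key(os.urandom(32))
    print("data files unchanged after rotation:", store.files == before)
    print("still readable:", store.read("hr"))
```

Rotation cost in this model is proportional to the number of databases, not to the volume of data, which is the property the rolling-restart procedure relies on. What the model leaves out is the restart itself: in a real deployment each member is restarted in turn with the new master key, and the keyfile option does not get this benefit because the page’s no-re-encryption claim is specific to KMIP.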
Getting Started with MongoDB Security

With comprehensive controls for user rights management, auditing and encryption, coupled with management controls, MongoDB can meet the best practices and requirements discussed in this blog series. MongoDB Enterprise Advanced is the certified and supported production release of MongoDB, with advanced security features including Kerberos and LDAP authentication, encryption of data at rest, FIPS compliance, and audit logging. These capabilities extend MongoDB’s security framework, which includes Role-Based Access Control, PKI certificates, Field-Level Redaction, and SSL/TLS transport encryption. In the final part of this blog post series, we will dive into environmental control and database management. You can learn about all of these capabilities now by reading the MongoDB Security Architecture guide. If you want to try them for yourself, [download MongoDB Enterprise](https://www.mongodb.com/download-center?#enterprise), free of charge for evaluation and development.

About the Author - Mat Keep

Mat is a director within the MongoDB product marketing team, responsible for building the vision, positioning and content for MongoDB’s products and services, including the analysis of market trends and customer requirements. Prior to MongoDB, Mat was director of product management at Oracle Corp. with responsibility for the MySQL database in web, telecoms, cloud and big data workloads. This followed a series of sales, business development and analyst / programmer positions with both technology vendors and end-user companies.
Being Latine in Tech: Two MongoDB Employees Share Their Advice on Building Careers in Engineering
Ashley Naranjo and Martin Bajana, members of MongoDB’s employee resource group QueLatine, share their career journeys and offer insight into how other members of the Latine community can build careers in tech.

Jackie Denner: How did you make your way into the tech industry?

Ashley Naranjo: I am a first-generation Latina with a passion for Information Technology and a knack for problem-solving. After graduating early from high school, I embarked on a career in Nursing. I chose Nursing initially because I wanted to make a difference and help others, but my path took an unexpected turn when COVID-19 reshaped our world. In light of the circumstances, I reevaluated my options and decided to seize an opportunity with a program called Year Up. During the intensive six-month training and deployment phase, I not only completed rigorous coursework but also obtained IT Google Coursera certifications and actively pursued CompTIA certifications. This experience allowed me to secure an internship at Meta (Facebook) as an Enterprise Operation IT Support Tech, where my love for technology blossomed. During my time at Meta, I had the privilege of assisting diverse Meta users worldwide with a wide range of technical issues, including troubleshooting, software and hardware support, internal access permissions, and more. The exposure to a global tech environment further fueled my passion for the field. When my internship concluded, I was offered a 1-year contract role with Meta to continue my work as a support tech for the same team. Throughout that year, I immersed myself in all aspects of technology, maximizing my learning opportunities and applying my networking skills. As time went on, I knew I needed a new challenge. This led me to embark on a search for an exciting role, which eventually brought me to MongoDB. I am passionate about driving technological innovation, and MongoDB is a place where I can make an impact.
Martin Bajana: My interest in technology stems from a variety of sources. From a young age, I developed a strong passion for video games and exploring new technologies. Whether it was experimenting with the latest gaming consoles or delving into computer hardware, I relished the opportunity to learn and understand the inner workings of these technologies. In school, I discovered my affinity for mathematics, which further solidified my decision to pursue a career in the tech industry. Choosing to study computer science in college was a natural progression for me, as it allowed me to combine my love for technology with my aptitude for problem-solving. After completing my education, I was recruited by Verizon, where I worked on front-end applications and Android development. Although the transition was initially challenging, I persevered and regained my confidence. It was during this period that I realized a career in technology was my long-term aspiration. Throughout my tenure at Verizon, I embraced opportunities to work across various teams, acquiring valuable experience and honing my skills. Eventually, I made the decision to join MongoDB, which has provided me with an enriching journey and the chance to shape my career in the tech industry.

JD: Have there been any challenges you've faced throughout your career?

AN: Imposter syndrome has been a significant challenge for me throughout my career, and it's something I still deal with to this day. When surrounded by my talented colleagues, I would often compare myself to them and focus on my perceived weaknesses and flaws, leading to a lack of self-confidence. However, I tackled this issue by addressing my feelings with my manager. Her support and guidance helped me realize my own potential and acknowledge my accomplishments. Maintaining a positive mindset has enabled me to view myself as a competent engineer and recognize the value I bring to my team.
I have learned to take ownership of my successes and embrace opportunities for growth. Stepping out of my comfort zone has become a regular practice, as personal and professional development often stems from embracing challenges and discomfort. By giving myself permission to take up space and be confident in my abilities, I have been able to overcome imposter syndrome and continue to thrive in my role.

MB: I have been fortunate enough to work for companies and teams that value and respect me for the work I deliver. Being in the tech industry and growing up in a culturally diverse region of the country, I have had exposure to individuals from various backgrounds and identities, which has made me more comfortable as a Latinx individual in the industry. My personal goal is to promote a work environment where everyone is judged based on the contributions they bring to the team, rather than their identity. I believe in supporting and respecting the identities of my peers and coworkers while fostering a culture of inclusivity and equality.

JD: How has MongoDB supported your career growth and development?

AN: In my time working at MongoDB, I have experienced exceptional support that has greatly contributed to my professional development and growth. As an engineer at MongoDB, I have been provided with numerous opportunities to expand my knowledge and skills through participation in tech talks, hackathons, and continuous learning about emerging technologies. I am grateful for the proactive approach taken by my manager and team leaders in fostering my growth as an engineer. Additionally, MongoDB's commitment to diversity and inclusion is evident through the company's DEI initiatives. Platforms like our employee resource group “QueLatine” have made me feel a stronger sense of connection and belonging, particularly among my Latinx peers. By recognizing the power of our diverse backgrounds and experiences, MongoDB empowers us to have a meaningful impact in the industry.
MB: I have experienced full support from my leader since day one. They have proactively sought to understand my career goals and have helped me create a clear career path to achieve those goals. This level of support has enabled me to take on challenging projects and initiatives within the company, allowing me to grow and develop in my career. Furthermore, MongoDB offers a wealth of learning and development resources to its employees, which I have fully utilized to continue learning and growing my skill set.

JD: What is your advice for other Latines who want to begin careers in tech?

AN: Having made a significant career change myself, I can empathize with the challenges that come with exploring new paths, particularly in the tech industry. As a Latina in tech, I feel a strong desire to encourage and raise awareness within our community about the incredible resources and opportunities that are available to us. My advice to others who may be considering a similar journey is to prioritize the continuous development of your technical skills, actively seek out mentoring opportunities, push yourself beyond your comfort zone by honing your networking abilities, and most importantly, believe in yourself and your ability to achieve great things!

MB: Navigating the vast world of technology can certainly be overwhelming, but it's important not to fear feeling lost. Even after 12 years in this career, there are still days where I come across something I've never heard of before. Fortunately, we live in a world abundant with resources for continuous learning. My advice is to take the time to explore and ask questions. Seek out open-source projects that you can contribute to, and connect with other professionals in the tech industry who can share their experiences and provide guidance. Additionally, taking advantage of hackathons and other tech events can expose you to new technologies and ideas. Don't be afraid to make mistakes, and most importantly, don't give up!
Join us in transforming the way developers work with data. Build your tech career at MongoDB.