Secure MongoDB with X.509 Authentication

TJ Tang
March 29, 2016 | Updated: May 2, 2018
#Technical

Disclaimer - the following article is intended for a test environment.

Overview

In this tutorial, I will be describing the detailed process of setting up X.509 based authentication, both for cluster inter-member authentication as well as for client authentication, using a local CA (Certificate Authority).

X.509 is one of the multiple authentication mechanisms supported by MongoDB. An X.509 certificate is a digital certificate that uses the widely accepted international X.509 public key infrastructure (PKI) standard to verify that a public key, presented by a client or another member of the cluster, belongs to that said client or member. One of the main benefits compared to conventional password based authentication is it’s more secure in a sense that each machine would need a dedicated key to join the cluster. So stealing an existing key from another machine isn't going to be very helpful for those with an evil agenda.

In MongoDB, we need to understand the distinction between member authentication and client authentication. MongoDB is a distributed database and deployments almost always consist of multiple mongod or mongos processes running on multiple machines. Member authentication refers to the fact that these machines need to verify each other to ensure a node attempting to replicate data is indeed part of the current cluster.

On the other hand, client authentication refers to those MongoDB clients, including mongo shell, export/import tools and MongoDB drivers. Below is a deployment of standard 3 node replica set and a client.

To enable X.509 certificate based authentication, essentially you will need the following set of certificates:

  • 3x server certificates, one for each MongoDB member
  • 1x client certificate for one client
  • 1x certificate for Root CA and 1x certificate for Signing CA

All the server certificates and client certificates must be signed by same CA.

The bulk part of the work for setting up X.509 authentication would be to create these certificates. The creation of Root CA and Signing CA and the relevant parts of the signing process is a one time effort, while the creation of the server/client certificates are as needed. For simplicity, I am going to use one machine and I will run multiple mongods on different ports for this exercise. I also put the steps into an executable script if you want to jump to the end. You can download and run the script, and you will have a test setup just like the diagram above in no time. This way you can quickly get things working, boost your confidence, and then come back to study the details.

Preparation

Running the script

The script will setup a test replica set on your machine and configure X.509 authentication mechanism for that replica set.

Before you run the script, double check:

  • OpenSSL is installed (typically comes with most Linux distributions)
  • Make sure mongod/mongo are in the executable path
  • Make sure no mongod is already running on 27017 port, or change the port numbers in the shell script

To run the script, go to the directory that contains the script and execute the following:

   # chmod +x setup-x509.sh
    # ./setup-x509.sh

If everything goes smoothly, you should have a 3 nodes replica set running with X.509 as member auth. Then in the current directory, you may connect to the primary node with a newly generated client certificate client1.pem:

mongo --ssl --sslPEMKeyFile client1.pem --sslCAFile root-ca.pem --sslAllowInvalidHostnames

Note above step just allows you to connect to the MongoDB shell. You will not have any permission at this point. To do anything meaningful, you need to authenticate yourself using following command:

$mongo
...
> db.getSiblingDB("$external").auth(
  {
    mechanism: "MONGODB-X509",
    user: "CN=client1,OU=MyClients,O=MongoDB China,L=Shenzhen,ST=GD,C=CN"
  }
);
> db.test.find()

If you are able to execute the last find statement, congratulations, the X.509 authentication is working!

Now it's time to perform an anatomy of the script to understand what are the key steps involved in setting up the X.509 authentication mechanism.

Main Parts of the Script

  • Initialization
  • Create local CA and signing keys
  • Generate and sign server certificates for member authentication
  • Generate and sign client certificates for client authentication
  • Start MongoDB cluster in non-auth mode
  • Setup replica set and initial users
  • Restart MongoDB replica set in X.509 mode using server certificates

0. Variable initialization

First initialize some variables. Feel free to modify the values as appropriate.

dn_prefix="/C=CN/ST=GD/L=Shenzhen/O=MongoDB China"
ou_member="MyServers"
ou_client="MyClients"
mongodb_server_hosts=( "server1" "server2" "server3" )
mongodb_client_hosts=( "client1" "client2" )
mongodb_port=27017

Here dn_prefix will be used to construct the full DN name for each of the certificate. ou_member is used to have a different OU than the client certificates. Client certificates uses ou_client in its OU name.

mongodb_server_hosts should list the hostname (FQDN) for all the MongoDB servers while mongodb_client_hosts should list the hostnames for all of the client machines.

For a clean start, let’s kill the running mongods and clean up the working directory (note: don’t use -9 to kill mongod per the manual):

kill $(ps -ef | grep mongod | grep set509 | awk '{print $2}')
mkdir -p db

1. Create local root CA

A root CA (Certificate Authority) is at the top of the certificate chain. This is the ultimate source of the trust. Ideally a third party CA should be used. However in the case of an isolated network (very typical in large enterprise environment), or for testing purpose, we need to use local CA to test the functionality.

echo "##### STEP 1: Generate root CA "
openssl genrsa -out root-ca.key 2048
# !!! In production you will want to password protect the keys
# openssl genrsa -aes256 -out root-ca.key 2048
<p>openssl req -new -x509 -days 3650 -key root-ca.key -out root-ca.crt -subj "$dn_prefix/CN=ROOTCA"</p>
<p>mkdir -p RootCA/ca.db.certs
echo "01" >> RootCA/ca.db.serial
touch RootCA/ca.db.index
echo $RANDOM >> RootCA/ca.db.rand
mv root-ca* RootCA/

Above we first created a key pair root-ca.key with AES256 encryption and 2048 bits strength. Then using openssl req command to generate a self-signed certificate with a validity of 3650 days. One thing to call out here is the argument -x509 which tells openssl to self sign the certificate instead of generating a signing request (as what we will do below). The output is a crt file, a certificate file that contains the public key of the root CA.

2. Create CA config

A CA config file is used to provide some default settings during the certificate signing process, such as the directories to store the certificates etc. You may change the defaults in root-ca.cfg file after it is generated or simply change them within the script.

echo "##### STEP 2: Create CA config"
cat >> root-ca.cfg <<EOF
[ RootCA ]
dir             = ./RootCA
certs           = \$dir/ca.db.certs
database        = \$dir/ca.db.index
new_certs_dir   = \$dir/ca.db.certs
certificate     = \$dir/root-ca.crt
serial          = \$dir/ca.db.serial
private_key     = \$dir/root-ca.key
RANDFILE        = \$dir/ca.db.rand
default_md      = sha256
default_days    = 365
default_crl_days= 30
email_in_dn     = no
unique_subject  = no
policy          = policy_match
<p>[ SigningCA ]
dir             = ./SigningCA
certs           = $dir/ca.db.certs
database        = $dir/ca.db.index
new_certs_dir   = $dir/ca.db.certs
certificate     = $dir/signing-ca.crt
serial          = $dir/ca.db.serial
private_key     = $dir/signing-ca.key
RANDFILE        = $dir/ca.db.rand
default_md      = sha256
default_days    = 365
default_crl_days= 30
email_in_dn     = no
unique_subject  = no
policy          = policy_match</p>
<p>[ policy_match ]
countryName     = match
stateOrProvinceName = match
localityName            = match
organizationName    = match
organizationalUnitName  = optional
commonName      = supplied
emailAddress        = optional</p>
<p>[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment</p>
<p>[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints = CA:true
EOF

3. Generate the signing key

Root CA created above is typically not used for actual signing. For signing we need to delegate to so-called Subordinate Authority or Signing CA. In essence, a signing CA is just another certificate that is signed by the root CA.

echo "##### STEP 3: Generate signing key"
openssl genrsa -out signing-ca.key 2048
# again you would want to password protect your signing key:
# openssl genrsa -aes256 -out signing-ca.key 2048
<p>openssl req -new -days 1460 -key signing-ca.key -out signing-ca.csr -subj "$dn_prefix/CN=CA-SIGNER"
openssl ca -batch -name RootCA -config root-ca.cfg -extensions v3_ca -out signing-ca.crt -infiles signing-ca.csr</p>
<p>mkdir -p SigningCA/ca.db.certs
echo "01" >> SigningCA/ca.db.serial
touch SigningCA/ca.db.index</p>
<h1>Should use a better source of random here..</h1>
<p>echo $RANDOM >> SigningCA/ca.db.rand
mv signing-ca* SigningCA/

We then concatenate all the signing certificates to form a single pem file, this file will be supplied to our mongod or client process later as the value of sslCAFile parameter.

# Create root-ca.pem
cat RootCA/root-ca.crt SigningCA/signing-ca.crt > root-ca.pem

With the root CA and signing CA setup, now we're ready to sign the certificates used in MongoDB setup.

4. Generate and Sign server certificates

As we mentioned in the beginning, we need to separate the server certs from client certs, for the purpose of permission control.

Server certificates are intended for mongod and mongos processes. They're used for inter-member authentication.

echo "##### STEP 4: Create server certificates" 
# Pay attention to the OU part of the subject in "openssl req" command
for host in "${mongodb_server_hosts[@]}"; do
    echo "Generating key for $host"
    openssl genrsa  -out ${host}.key 2048
    openssl req -new -days 365 -key ${host}.key -out ${host}.csr -subj "$dn_prefix/OU=$ou_member/CN=${host}"
    openssl ca -batch -name SigningCA -config root-ca.cfg -out ${host}.crt -infiles ${host}.csr
    cat ${host}.crt ${host}.key > ${host}.pem   
done

This script is in a for loop to generate multiple certificates. 3 key steps are involved with each certificate:

  • Use openssl genrsa command to create a new key pair
  • Use openssl req command to generate a signing request for the key
  • Use openssl ca command to sign the key and output a certificate, using the Signing CA we created earlier as the signer

Notice the variable $ou_member. This signifies the difference between server certificates and client certificates. Server and client certificates must differ in the organization part of the Distinguished Names, or in another word and must differ at least in one of the O, OU, or DC values.

5. Generate and Sign client certificates

These certificates are used by clients, such as mongo shell, mongodump, and Java/python/C# drivers to connect to a MongoDB cluster.

This step is essentially the same as step 4 except for the use of $ou_client. This will make the combination of the DC/OU/O for these certificates will be different from the server certs above.

echo "##### STEP 5: Create client certificates"
# Pay attention to the OU part of the subject in "openssl req" command
for host in "${mongodb_client_hosts[@]}"; do
    echo "Generating key for $host"
    openssl genrsa  -out ${host}.key 2048
    openssl req -new -days 365 -key ${host}.key -out ${host}.csr -subj "$dn_prefix/OU=$ou_client/CN=${host}"
    openssl ca -batch -name SigningCA -config root-ca.cfg -out ${host}.crt -infiles ${host}.csr
    cat ${host}.crt ${host}.key > ${host}.pem
done

6. Bring up replicaset in non-auth mode

MongoDB does not create a default root/admin user when enabling authentication, and there is no exception with X.509 mode. Instead, the best practice is to create an initial admin user first, then to enable authentication after the admin user has been created.

Here we're starting a replica set in non-auth mode.

echo "##### STEP 6: Start up replicaset in non-auth mode"
mport=$mongodb_port
for host in "${mongodb_server_hosts[@]}"; do
    echo "Starting server $host in non-auth mode"   
    mkdir -p ./db/${host}
    mongod --replSet set509 --port $mport --dbpath ./db/$host \
        --fork --logpath ./db/${host}.log       
    let "mport++"
done 
sleep 3

Now our replica set is up, we need to initialize the replica set and add a user.

7. Initialize replicaset and add initial user

When using X.509 client authentication, each client must have a user created in MongoDB and the user must be granted the necessary permissions. The username must be same as the client's DN (Distinguished Name), which can be obtained by running an openssl command:

# obtain the subject from the client key:
client_subject=`openssl x509 -in client1.pem -inform PEM -subject -nameopt RFC2253 | grep subject | awk '{sub("subject= ",""); print}'`

This would return something like:

CN=client1,OU=MyClients,O=MongoDB China,L=Shenzhen,ST=GD,C=CN

Obviously it's not mandatory to use the openssl command. It's fairly straightforward to deduce the subject string by concatenating the relevant parts of the DN as shown above.

Once we have the DN name, let's initialize the replica set and add a user:

myhostname=`hostname`
cat > setup_auth.js <<EOF
rs.initiate();
mport=$mongodb_port;
mport++;
rs.add("$myhostname:" + mport);
mport++;
rs.add("$myhostname:" + mport);
sleep(5000);
db.getSiblingDB("\$external").runCommand(
    {
        createUser: "$client_subject",
        roles: [
             { role: "readWrite", db: 'test' },
             { role: "userAdminAnyDatabase", db: "admin" },
             { role: "clusterAdmin", db:"admin"}
           ],
        writeConcern: { w: "majority" , wtimeout: 5000 }
    }
);
EOF
mongo localhost:$mongodb_port setup_auth.js

Then stop the non-auth replica set (so that we can restart later):

kill $(ps -ef | grep mongod | grep set509 | awk '{print $2}')
sleep 3

8. Restart replicaset in x.509 mode

In real production, you will need to copy each of the certificate/key files to their corresponding hosts before we can start the cluster in X.509 mode. In this tutorial we are doing everything on localhost to keep thing simple.

Start all 3 nodes, note we added the following arguments:

  • sslMode
  • clusterAuthMode
  • sslCAFile: Root CA file we created in step 2, root-ca.key
  • sslPEMKeyFile: The certificate file for this host/process
  • sslAllowInvalidHostnames: Only used for testing, allows invalid hostnames

Here the sslCAFile is used to establish a trust chain. As you recall the root-ca.key file contains the certificate of the root CA as well as the signing CA. By providing this file to MongoDB process, it basically tells MongoDB process to trust the certificate contained in this file, as well as all other certificates signed by these certificates contained within.

You can refer to MongoDB documentation for the details of other arguments.

echo "##### STEP 8: Restart replicaset in x.509 mode"
mport=$mongodb_port
for host in "${mongodb_server_hosts[@]}"; do
    echo "Starting server $host"    
    mongod --replSet set509 --port $mport --dbpath ./db/$host \
        --sslMode requireSSL --clusterAuthMode x509 --sslCAFile root-ca.pem \
        --sslAllowInvalidHostnames --fork --logpath ./db/${host}.log \
        --sslPEMKeyFile ${host}.pem --sslClusterFile ${host}.pem
    let "mport++"
done

Summary

Here’s what would look like after you run the script in a clean directory:

We walked through the whole process of configuring X.509 authentication for a MongoDB replica set. The same procedure works for sharded cluster as well. A few things to keep in mind:

  • The directories, Root CA and Signing CA, as well as the host itself where you generate and sign certificates for the member machines or clients, should be protected from unauthorized access.
  • For simplicity, the Root CA and Signing CA keys are not password protected in this tutorial. In production it’s highly recommended to use password to protect the key from unauthorized use.
  • The use of sslClusterFile parameter is for member authentication. This is optional. When absent, MongoDB will fall back to sslPEMKeyFile which can be used both for member and client authentication.

To recap the steps of creating a new certificate, either for a MongoDB cluster member host or a client host: 

# substitute variables $host & $subject with actual value before executing
openssl genrsa  -out ${host}.key 2048
openssl req -new -days 365 -key ${host}.key -out ${host}.csr -subj ${subject}
openssl ca -batch -name SigningCA -config root-ca.cfg -out ${host}.crt -infiles ${host}.csr
cat ${host}.crt ${host}.key > ${host}.pem

Additional references

Learn more about keeping MongoDB secure.

Read the MongoDB security architecture guide

About the Author - TJ Tang

TJ is a Senior Solutions Architect at MongoDB Inc. TJ is based in Hong Kong and he is responsible for working with customers from a variety of industries to help them designing and architecting MongoDB enabled solutions. TJ is an experienced developer/architect with more than 15 years experience building enterprise grade software. Prior to MongoDB, he worked at FedEx Singapore as Chief Architect. TJ is an active member of open source community, he is the author of open source project Angoose, a lightweight MEAN stack implementation. When TJ is not fiddling with MongoDB, you can find him kitesurfing in the South China Sea.

← Previous

Building an Async Networking Layer for mongos

Many people run their MongoDB servers in a sharded cluster. In such a setup, a mongos sits between the user’s application and their sharded data. Clients connect to the mongos and send it queries, and mongos routes those queries to one or more shards to be fulfilled. In most cases, mongos can pinpoint a single shard for each given query. However, some queries require “scatter gather” routing; in other words, mongos has to send the query to all shards, wait for their responses, and assemble them into a single master response. We could fan these requests out to shards serially, but then one slow connection would block mongos’ entire system. To do this efficiently, we needed a way to run requests concurrently. Given the structure of the networking code in MongoDB 3.0, the only way to run requests concurrently was to run them in different threads. Some clusters have hundreds of shards—that’s a lot of requests to fan out. You can imagine what might occur in a mongos handling many requests: thread explosion!! Having too many threads can bog down a system, causing contention over hardware resources. In 3.2, we wrote an alternate solution: asynchronous outbound networking for mongos . This new networking layer eliminates our thread explosion problem, but this new implementation brought with it difficult memory management challenges. It took a lot of experimentation, failure, iteration, and above all, obsessive testing to implement a new callback driven, asynchronous system. The lifetime of a network request Let’s break down the problem. Imagine we want to run a find command on another shard. This request goes through several stages over its lifetime. First, we open a connection to the remote host. Then, we authenticate our connection. Next, we send our find command. Once we receive a response we are done, and can return to the calling code. We might close the connection, or we might return it to a connection pool to be recycled. The Lifetime of a Network Request Each of these steps requires at least one network operation. Some, like authentication, require several. The handshake for authentication can require at least two complete host-to-remote-and-back communications, first for the receipt of a nonce, then for the actual authentication request. An authentication conversation If your servers are half a world apart, this could take a while! In a mongos fanning out requests serially, if just one of these exchanges is slow it will block all pending requests. Building an asynchronous networking layer The first thing to realize is that we need a separation of threads. We don’t want mongos threads, one per connection, doing the work of scheduling and waiting for network requests. Instead, we can offload this work to an execution engine with its own thread pool. The execution engine maintains a queue of work items. It uses its thread pool to pop tasks off this queue and run them. The standalone ASIO library provides the execution engine and many other primitives for our new networking layer. We need to package our tasks into bite-sized work items that the execution engine can run. This means that none of the tasks can perform any blocking work, otherwise they’d block the whole engine. So, rather than opening a socket and waiting for it to connect, we want to kick off an asynchronous “open connection” task and return immediately. We can package up the asynchronous “open connection” logic as a task to enqueue on the execution engine. Then, when “open connection” completes, it can enqueue the next asynchronous task, “ask for nonce,” on the engine. Similarly, once we’ve asked for a nonce, we’ll enqueue the “get nonce” task to receive our answer from the remote host. We proceed this way, with each task enqueuing the next one on our execution engine. Because each task is an independent bit of work, the execution engine is not tied to any specific request or connection. It can handle many requests to different hosts concurrently. The execution engine can handle concurrent requests, shown in different colors When the final task in a request cycle is run by the execution engine, it triggers a callback in mongos . This allows a mongos thread to pick up the response and begin to assemble its own master response for the user application. In essence, we are tossing requests back and forth between two thread pools, one for mongos logic and one for network operations. With such a system, we can have a fixed or configurable number of threads instead of having one per connection. Let’s look at some of the technical challenges that we encountered as we implemented this. Technical challenge #1: Vanishing state Before diving right into how state was vanishing from under our noses, let’s look at some features C++ provides to help us implement callback-driven systems. In particular, C++11 lambdas were an important part of this project. Lambdas package tasks A lambda is a callable entity. In C++, it has three parts: a capture list, parameters, and a body. The capture list snapshots existing variables when the lambda is instantiated. Parameters are passed in when the lambda is called. The body of the lambda executes when it is called. auto lambda = [capture list](parameters){ // body }; lambda(); // runs body Let’s take a closer look at the capture list. The following code shows a lambda that captures a variable N from its environment and prints N out when called later in the code. int N = 1; auto print_number = [N](){ std::cout << N << std::endl; }; print_number(); // prints “1” Lambdas can capture variables either by value or by reference. By default, they capture variables by value and make a copy: int N = 1; auto print_number = [N](){ // We have our own copy of N std::cout << N << std::endl; }; N = 123456; print_number(); // still prints “1” When lambdas capture variables by reference, they’ll use the original variable instead of making a copy: int N = 1; auto print_number = [&N](){ // Now, we use the original N std::cout << N << std::endl; }; N = 123456; print_number(); // prints “123456” If we capture by reference, we can avoid making expensive copies of variables. Also, copying some objects doesn’t make any sense; we need the original. Consider a Timer class that tracks the elapsed time since its construction. To get a reliable time, we need a reference to the original timer, not a copy. Timers might not even allow themselves to be copied, because what would a copied Timer do? Should the copy start over from 0:00, or should it begin timing at the original Timer’s elapsed time? One could argue for either behavior. What’s a little lambda to do, off in the world with a reference to a cleaned-up variable? Seg fault, of course. But back to networking. Opening connections is slow, as we discussed, so let’s try writing an asynchronous open_connection() method using a lambda: void open_connection(Command cmd) { tcp::socket sock(_engine); // pass a lambda to async_connect async_connect(sock,[cmd](error_code err) { if (!err) { authenticate(sock, cmd); } }); return; } Here, we call an async_connect() method that takes a socket as its first parameter and a lambda as its second parameter. When called, this lambda checks for network errors and starts the next task, authenticate() . The async_connect() method will call the lambda when the network operation completes: this could be soon if our servers are close to each other, or not-so-soon if they are half a world apart. We can’t know exactly when the lambda will be called. In the meantime, open_connection() returns immediately. This is fine. But what if we want to know exactly how long it takes to run async_connect() ? Let’s use the hypothetical Timer class described above. We can’t copy it, so we’ll capture timer by reference: void open_connection(Command cmd) { tcp::socket sock(_engine) Timer timer; // starts timing now async_connect(sock,[&timer, cmd](error_code err) { std::cout << timer.secs() << “ seconds” << std::endl; if (!err) { authenticate(sock, cmd); } }); return; } This is not fine. In fact, we have a huge problem on our hands. The lambda passed into async_connect() has a reference to timer . We don’t know when the lambda will get called, but we do know that it won’t happen immediately. But open_connection() will return immediately, and when it returns its stack will vanish. We declared timer on the stack! What’s a little lambda to do, off in the world with a reference to a cleaned-up variable? Seg fault, of course. We need to ensure that all necessary state is packaged up with each asynchronous task we run. For things that can’t be neatly copied and packaged, like Timers , we need to ensure that referenced state outlives each task. We have two choices for how to keep such state alive. Solution A: Store state in a persistent structure Our first option is to keep our state somewhere besides the stack. We could maintain a vector of Timer objects, one for each command we begin running. Then, each task involved in completing that command would reference the stored Timer . We can keep objects alive in persistent structures This approach is nice because we have control over the Timers and their lifetimes. They never get cleaned up underneath us because we are in charge of cleaning them up. The downside here is exactly that: we are in charge of cleaning up the Timers . This requires overhead that we may not want to deal with, and that we absolutely have to get right. Solution B: Use C++ shared_ptr to keep state alive Our other option is to use C++ shared_ptrs . A shared_ptr looks and acts like a regular pointer, except it also holds a reference count that tracks the users using the pointer. The shared_ptr keeps the pointed-to object alive until all of its users have released it. Instead of capturing Timers by reference, we can take them by shared_ptr into the lambda. We are guaranteed that the Timer won’t be cleaned up until the lambda is done using it. The Timer then bounces along from task to task, until we finish the command and release it. C++ shared_ptrs keep a referenced object alive Using shared_ptrs also has pros and cons. A major plus is that this implementation is dead-simple: there’s no overhead needed to maintain our own set of persistent Timers . But, because we’ve ceded control over the Timers to C++, we can’t make assumptions about their lifetime. They won’t get cleaned up underneath us, but otherwise we can’t be sure when they’re still around. Overuse of shared_ptrs can lead to some nasty and hard-to-detect bugs. For those interested, suggested reading is this extensive blog post. We would have to proceed with caution down this path. A tale of two solutions For MongoDB’s networking layer, there was no one-size-fits-all-cases solution. For some state, it made sense to use persistent structures. For others, shared_ptr was the cleaner, safer solution. We used a hybrid approach that mixed the two solutions. Technical challenge #2: Vanishing state (again!) The picture I gave you earlier ignored aborts, but there are several ways the “lifetime of a request” can be cut short before completing, and that adds several more opportunities to lose state. Say that while sending our command we experience a network error. In this case, there’s no point in continuing our efforts to communicate with the remote host; it is unreachable, so we exit the state machine early, cleaning up the heap-allocated state we've been passing along (depicted below as an envelope): Network errors can interrupt the state machine This is fine, because network errors occur on what I call the primary path of execution. This path is shown above in the blue dotted lines. The primary path is the code in bodies of the lambdas of each task in the cycle. This is where we would receive network errors and where we would decide whether or not to enqueue the next task in the chain. A network request can also get cut short if a mongos thread decides to cancel it. Say mongos is running a find command with a limit of 5 results. If we’ve already received 5 records from one shard, we might as well cancel any outstanding requests to other shards. A mongos thread might cancel the request during a network operation Our first approach to cancellations was to forcibly cancel the operation from the mongos thread. The mongos thread would clean up some state, mark the op as cancelled, and that was that! Except it wasn’t. The mongos thread runs on a secondary path of execution, shown above in the solid red lines. If the “send command” task, a lambda on the primary path, was already running or enqueued on the engine, it would not know its operation state had been stomped on. When “send command” completes, it will attempt to continue the state machine: The primary path might miss a mongos cancellation This, as you’ve probably guessed, is bad. The memory containing that state might have been reused for another operation by then, for example. One path to rule them all To prevent such mishaps, we enforced a rule: only the primary path can end a task , because only the primary path has complete knowledge of the operation. We first implemented this using a simple cancelled flag that was stored with the operation. // Basic “network operation” class class NetworkOp { bool cancelled; } // Secondary path cancel(NetworkOp *op) { op->cancelled = true; } // Primary path if (op->cancelled) { done(op); } When the mongos thread, on the secondary path, wanted to cancel an operation, it would simply request a cancellation by setting cancelled to true. Upon running, the primary path would check the cancelled flag and cancel itself if requested. This way, the actual cancellation happens on the primary path, not the secondary path. The secondary path requests cancellation on the primary path This implementation is better, but it still has problems. Imagine that the mongos thread waits to cancel an operation until the last possible moment, while the primary path is cleaning itself up. These paths are running on separate threads, so this could be happening concurrently. If the operation completes before the cancellation goes through, the act of cancelling might require state that has been cleaned up! Danger! The primary and secondary paths might race for state It’s clear from looking at the code that we’re headed straight for a segmentation fault: // Secondary path cancel(NetworkOp *op) { // op could be a null pointer! op->cancelled = true; } Keep it locked, keep it safe We need to protect our shared state, which we can do with a mutex. But where should the mutex go? We can’t put it inside our NetworkOp class. Much like the Timer objects from above, the mutex has to be stored somewhere independent of the operation, with a lifetime that we can reason about. First we thought about storing these in a persistent structure, but we had a cascading problem on our hands: who cleans up the thing that manages cleanup? Given the nature of this problem, shared_ptr was the better solution. We designed a structure, called a SafeOp , that stores a mutex and a NetworkOp* : // “network operation” class class NetworkOp { bool cancelled; } // "access control" object class SafeOp { mutex lock; NetworkOp* op; } Instead of handling bare NetworkOp pointers, both paths hold a shared_ptr to a SafeOp object. Both sides also agree on a mutual contract: they will not access or alter the NetworkOp without first locking the SafeOp ’s mutex. // Primary path done(shared_ptr<SafeOp> safe) { // lock before // cleanup safe->lock.lock(); safe->op->done(); safe->op = NULL; safe.unlock(); } // Secondary path cancel(shared_ptr<SafeOp> safe) { // once we lock, can't // change under us safe->lock.lock(); if (safe->op) { safe->op->cancelled = true; } safe->lock.unlock(); } With this solution, we avert our problematic scenario and achieve exactly the semantics we want: Now, cancelling a completed operation is a no-op Implement, test, repeat It took sweat, tears, and hours of head-scratching, and as is usually the case in software, our first attempts were not always the best implementation. We had to iterate, iterate, seg fault, and iterate again. And, test, test, test! When developing something new and complex, like this project, we need to fail fast and often to make the best product possible. We wrote tests at many levels (unit tests, integration tests, stress tests, etc) to test the networking layer up, down, and sideways. So how exactly did we test our new callback-driven, asynchronous networking system? That’s a topic for another time.

March 25, 2016
Next →

Tendencias del 2023: Las Medidas de Modernización en el Sector de los Servicios Financieros

Ante la recesión mundial que se avecina, los bancos se enfrentan a unas condiciones económicas difíciles en 2023. Reducir los costes será vital para que muchas organizaciones sigan siendo competitivas en un entorno con un uso intensivo de datos y altamente regulado. Por ello, es importante que cualquier inversión en IT acelere la transformación digital con tecnologías innovadoras que rompan los silos de datos, aumenten la eficiencia operativa y creen experiencias personalizadas para los clientes. Siga leyendo para conocer las áreas en las que los bancos están buscando modernizarse en 2023 para construir mejores experiencias de cliente con un coste menor y a escala. Diseñando un futuro bancario mejor mediante diseños flexibles En un momento en que los bancos están deseando modernizarse e innovar, las entidades deben alejarse de los sistemas heredados que limitan su capacidad de progresar. Situar a los consumidores en el centro de una experiencia bancaria compuesta por servicios interconectados pero independientes ofrece a los bancos, que apuestan por la tecnología, la oportunidad de remodelar sus modelos de negocio y, en consecuencia, aumentar su cuota de mercado y su rentabilidad. Estas oportunidades han hecho posible un diseño de arquitectura componible que permite una innovación más rápida, una mayor eficiencia operativa y la creación de nuevas fuentes de ingresos mediante la ampliación de la cartera de servicios y productos. De este modo, los bancos pueden adoptar el mejor software de su categoría y el que mejor se adapte a sus necesidades, organizando asociaciones estratégicas con las empresas de tecnología financiera y los proveedores de software pertinentes. Esta nueva generación de proveedores puede ofrecer desde servicios de conocimiento del cliente (KYC, del inglés "Know Your Customer") hasta reservas integradas, servicios de carga o funcionalidades básicas de marketing y gestión de portfolios. Este enfoque es más rentable para las entidades que tener que construir y mantener ellas mismas la infraestructura, y es significativamente más rápido en términos de tiempo de comercialización y tiempo de obtención de ingresos. Los bancos que adoptan este enfoque ven a las fintech menos como competidores y más como parte de un ecosistema con el que colaborar para acelerar la innovación y llegar a los clientes. Eficiencia operativa mediante automatización inteligente Las entidades financieras seguirán centrándose en la eficiencia operativa y el control de costes mediante la automatización de los procesos manuales y basados en papel. Los bancos han hecho algunos progresos en la digitalización y automatización de lo que antes eran procesos manuales basados casi exclusivamente en papel. Sin embargo, el principal motor de esta transformación ha sido el cumplimiento de la normativa local, en lugar de una estrategia global para conocer realmente al cliente y lograr su satisfacción. El mercado demanda mejores decisiones automatizadas y basadas en datos, y los sistemas heredados no pueden seguir el ritmo. Crear las experiencias hiperpersonalizadas que demandan los clientes, como chatbots, portales de autoservicio y análisis forense digital, es difícil para las entidades que utilizan tecnología obsoleta. Además, tener una infraestructura de datos en silos impide cualquier experiencia moderna verdaderamente integrada. Mediante una combinación de automatización robótica de procesos (RPA, del inglés "Robotic Process Automation"), aprendizaje automático (ML, del inglés "Machine Learning") e inteligencia artificial (IA), las entidades financieras pueden agilizar los procesos, liberando así a los empleados para que se centren en tareas que tengan un mayor impacto para el cliente y la empresa. Las entidades no deben digitalizar sin tener en cuenta la interacción humana que será sustituida, ya que los clientes prefieren un enfoque híbrido. La capacidad de actuar sobre los datos en tiempo real es el camino a seguir para impulsar el valor y transformar las experiencias de los clientes, lo que debe ir acompañado de la modernización de la arquitectura de datos subyacente. El prerrequisito para alcanzar este objetivo implica la disociación de los datos y las fuentes en un paisaje de datos holístico. Algunos lo llaman data mesh otros fuentes de datos componibles o datos virtualizados. Resolviendo los retos que plantean los datos ESG (del inglés "Environmental, Social, and Governance") Junto con la elevada inflación, la crisis del coste de la vida, las turbulencias energéticas y la subida de los tipos de interés, los aspectos medioambientales, sociales y de gobernanza (ESG) también están en el punto de mira. Los reguladores presionan cada vez más para que se faciliten datos ESG y los inversores para que los portfolios sean sostenibles. El papel de los datos ESG en la realización de análisis de mercado, el apoyo a la asignación de activos y la gestión de riesgos, y proporcionar información sobre la sostenibilidad a largo plazo de las inversiones sigue creciendo. La naturaleza y variabilidad de muchas métricas ESG es un reto importante al que se enfrentan las empresas hoy en día. A diferencia de los datasets financieros, que son en su mayoría numéricos, las métricas ESG pueden incluir datos cuantitativos y cualitativos para ayudar a los inversores y otras partes interesadas a comprender las acciones e intenciones de una empresa. Esta complejidad, unida a la falta de una norma de información ESG de aplicación universal, significa que las instituciones deben considerar diferentes normas con diferentes requisitos de datos. Para dominar la elaboración de informes ESG, incluida la integración de los KPIs pertinentes, se necesitan datos adecuados y de alta calidad que, además, tengan el nivel de granularidad adecuado y cubran los sectores y la región requeridos. Dado el volumen y la complejidad de los datos, las entidades financieras están construyendo plataformas ESG sustentadas en modernas plataformas de datos capaces de consolidar distintos tipos de datos de varios proveedores, crear vistas personalizadas, modelizar datos y realizar operaciones sin barreras. Pagos digitales - Ofreciendo una experiencia enriquecida Impulsado por las nuevas tecnologías y las tendencias mundiales, el mercado de los pagos digitales está floreciendo en todo el mundo. Con una valoración de más de 68.000 millones de dólares en 2021 y expectativas de crecimiento de dos dígitos en la próxima década, los mercados emergentes lideran la expansión relativa. Este crecimiento se ha visto impulsado por los pagos sin efectivo inducidos por la pandemia, el comercio electrónico, el impulso gubernamental y las fintech. Los pagos digitales están transformando la experiencia de pago. Mientras que antes bastaba con que los proveedores de servicios de pago facilitaran información sobre las cuentas y orquestaran transacciones sencillas, ahora los consumidores exigen una experiencia mucho más completa en la que cada transacción ofrezca nuevas perspectivas y servicios de valor añadido. Satisfacer estas expectativas es difícil, especialmente para las empresas que dependen de tecnologías obsoletas que se crearon mucho antes de que las transacciones se realizaran con unos pocos clicks en un dispositivo móvil. Para satisfacer las necesidades de los clientes, las instituciones financieras están modernizando su infraestructura de datos de pagos para crear experiencias de pago personalizadas, seguras y en tiempo real, todo ello protegiendo a los consumidores del fraude. Esta modernización permite a las entidades financieras ingerir cualquier tipo de datos, poner en marcha servicios más rápidamente, a un coste menor y tener la libertad de ejecutarlos en cualquier entorno, desde el local hasta la multi-nube. Seguridad y gestión de riesgos Los datos son fundamentales para todas las instituciones financieras; se reconocen como un activo esencial para impulsar el crecimiento de los clientes y la innovación. Sin embargo, a medida que aumenta la necesidad de aprovechar los datos de forma eficiente, según el 57% de los responsables de la toma de decisiones , la tecnología heredada que aún sustenta a muchas organizaciones es demasiado cara y no cumple los requisitos de las aplicaciones modernas. Esta infraestructura heredada no sólo es compleja, sino que además es incapaz de cumplir los requisitos de seguridad actuales. Dado el enorme volumen de datos confidenciales de clientes y consumidores que el sector de los servicios financieros maneja a diario -y la estricta normativa que los regula-, la seguridad debe ser la máxima prioridad. El valor percibido de estos datos también convierte a las organizaciones de servicios financieros en el principal objetivo de las filtraciones de datos. La protección contra el fraude, la gestión de riesgos y la lucha contra el blanqueo de dinero son prioridades importantes para cualquier nueva plataforma de datos, según el estudio de Forrester What's Driving Next-Generation Data Platform Adoption in Financial Services . Para hacer frente a estos retos, la adopción de plataformas de datos de nueva generación seguirá creciendo a medida que las instituciones financieras se den cuenta de todo su potencial para gestionar costes, maximizar la seguridad y fomentar la innovación. Descargue el estudio completo de Forrester - What's Driving Next-Generation Data Platform Adoption in Financial Services - para obtener más información.

March 23, 2023