Last Database User Access
My team has found ourselves in the position of needing to iterate through the Database Access History Logs in order to discover whether or not a database user is still being used for the past t time periods.
We need to have this functionality in order to guarantee a seamless credential rotation.
With the current API this operation will require iterating over each cluster's access logs for the past t time periods. If I have "n" clusters and "t" time periods this is an O(n * t) runtime. I'm not really great at O() notation, but if t is greater than n I think it's worse than O(n^2) runtime.
What I would recommend is adding an index on username and if I want to know if that user has been used in the past t time periods on a cluster I just use the username in the filter and if it hasn't I receive 0 results for access.
To be frank, the database access log is fairly unusable without a username index because I can't filter by a useful criteria. An attacker will likely not know the correct username to use or access the DB with an unauthenticated session. I can't efficiently find instances of these access with the current API.
The IP index is also fairly useless unless it can support CIDR so I can identify if requests are coming from my network or outside.
I think it would also be important to support a NOT query on username so I can look for accesses that are NOT using my known usernames.
API I'm referencing: https://docs.atlas.mongodb.com/reference/api/access-tracking-get-database-history-clustername/
Fulton
shared this idea
-
AdminSalman
(Admin, MongoDB)
commented
Hi Fulton,
Thanks for your ideas and suggestions. There are various ways of addressing this issue, including
1) the last access date as you noted
2) use of short-lived credentials (https://www.mongodb.com/docs/atlas/security-add-mongodb-users/#optional-save-as-temporary-user) - possible today
3) use of LDAPS as the authentication mechanism - possible todayHave you considered (2) and (3)?
Salman
-
Fulton
commented
Another approach is to just tack a last access date onto a user document but access happens so frequently that might not perform well.