AdminSalman
(Admin, MongoDB)
My feedback
14 results found
-
5 votes
An error occurred while saving the comment -
9 votes
An error occurred while saving the comment AdminSalman (Admin, MongoDB) commented
Thanks, Matt. We are looking into SCIM but don't have a timeline at the moment.
-
1 vote
An error occurred while saving the comment AdminSalman (Admin, MongoDB) commented
Hi Martin, thanks for your suggestion. I was wondering what is the use case that requires this capability?
-
3 votes
An error occurred while saving the comment AdminSalman (Admin, MongoDB) commented
Hi Fulton,
Thanks for your ideas and suggestions. There are various ways of addressing this issue, including
1) the last access date as you noted
2) use of short-lived credentials (https://www.mongodb.com/docs/atlas/security-add-mongodb-users/#optional-save-as-temporary-user) - possible today
3) use of LDAPS as the authentication mechanism - possible todayHave you considered (2) and (3)?
Salman
-
14 votes
An error occurred while saving the comment AdminSalman (Admin, MongoDB) commented
100% agreed. Since our last conversation, we have a roadmap to provide modern authentication mechanisms for MongoDB databases in Atlas. We will be happy to discuss this in more detail with you.
-
7 votes
An error occurred while saving the comment AdminSalman (Admin, MongoDB) commented
Hi Kyle,
You can reach out to support for enabling this feature. However, enabling this feature effectively disables the Performance Advisor and Query Profiler, so that is a tradeoff you may need to consider.
Salman
-
5 votes
An error occurred while saving the comment AdminSalman (Admin, MongoDB) commented
MongoDB audit guarantees require that audit entry is written before a document is written to the database. The concern with writing audit entries to a remote endpoint such as Kafka is that network latency and availability can cause unpredictability in the completion of database operations. Therefore, we recommend shipping out audit logs to a remote endpoint such as Kafka or a SIEM using log forwarding tools.
-
17 votes
An error occurred while saving the comment AdminSalman (Admin, MongoDB) commented
Thanks for the feature request. For folks looking to implement password policies for the SCRAM method, we recommend using Hashicorp. Vault provides comprehensive life cycle management for passwords, as well as certificates.
Vault has a secrets engine for MongoDB.
https://www.vaultproject.io/docs/secrets/databases/mongodb -
1 vote
An error occurred while saving the comment AdminSalman (Admin, MongoDB) commented
Hi Ray, if you are running MongoDB database on-prem and looking for a security checklist, it can be found here:
https://docs.mongodb.com/manual/administration/security-checklist/Hope this helps.
-
3 votes
An error occurred while saving the comment AdminSalman (Admin, MongoDB) commented
Thanks, Calvin. We are looking into this.
-
30 votes
This is currently a roadmap item which will be addressed in 2023.
An error occurred while saving the comment AdminSalman (Admin, MongoDB) commented
similar request here
https://feedback.mongodb.com/forums/924145/suggestions/42163234 -
7 votes
An error occurred while saving the comment AdminSalman (Admin, MongoDB) commented
Hi Geoffrey,
Thank you for sharing the suggestion. Could you share here or in an email (product.security@mongodb.com) the scenario under which deleting a user is not feasible when a certificate is compromised?
Salman
-
1 vote
AdminSalman (Admin, MongoDB) shared this idea ·
-
30 votes
AdminSalman (Admin, MongoDB) shared this idea ·
Thanks, Shanjeef for your idea.
If there was a way to define a database role which forces application to pass an application-specific specific tenant ID in every query, could that meet your needs?
Example:
1 Create a database read-only role for the application database user. This role requires a mandatory query parameter (appSpecificTenantId) which must be supplied on every query. The value of appSpecificTenantId parameter will need to be provided by the application on each query.
db.createRole(
{
role: "appSpecificDBRole",
privileges: [{
resource: {
db: "mydb",
collection: "mycol" },
actions: [ "find"],
mandatory_query_parameters: [ "appSpecificTenantId" ] //<-- does not exist today
}],
},
{ w: "majority" , wtimeout: 5000 }
)
Then, application issues a query such as the following where it always supply a value for "appSpecificTenantId" . Application may also add other filter parameters (cityName in this case)
2. db.users.find({ appSpecificTenantId: '1234', cityName: 'foo' })