Im using sql server 2012 and transactional replication. For replication security, I created a user on subscriber, publisher and gave db_owner permissions to that user. I also gave db_owner permission to that user to distribution database. It also includes adding this user to PAL (Publication Access List).
But as per this link, giving db_owner permission will give the complete control on the database, also includes permission to delete the database. How can we overcome this problem, are there any alternatives to this.
Any other ways to implement replicaiton security.
Please help.
Replication requires db_owner level access to most all databases involved. Checkout my article series here: http://www.sqlservercentral.com/stairway/72401/
In short, there is no alternative. Use separate accounts with strong passwords for replication and do not reuse those accounts elsewhere to minimise the probability for misuse.
Related
I'm creating a micro services for example one for user management i.e (roles, credentials, rights, menus etc) related and one for bank account-details, now i have a scenario to getting user roles detail and rights detail from db, is it a good practice to repeat columns of database user management db i.e.(roles, rights) in bank-account db as per requirement or duplicate data in bank-account db ?
Or no need to duplicate data in bank-account db and send a separate call to get user data first from user management db ?
please suggest a best possibility
Waqas,
You're in microservices environment. There is a well-known Domain Driven Design (DDD) with one of a key pattern of Bounded Contexts. That means you should try to avoid mixing the contexts and duplicate the user information in bank-account db (it might be inevitable some time, but I suppose not in your case).
Therefore, it's fine that you have to call user management service in order to gain the required information about your users.
I agree with #Stepan Tsybulski. Also, I suggest you reduce the need for a bounded context to depend on the other to the minimum possible. So, duplication of data is the best option here. However, you do not have to have roles and rights in the Bank Account context / DB. I'd put in the Bank Account context only what's necessary in that context: User details (such as names, birthdates, etc.) + user id.
You get the roles and rights from the session. You manage roles in the User Management context only. It's good for security and consistency, plus it's the reason for using Contexts.
There are many ways to approach a problem, but that's how I'm doing it.
In the systems, there may be data that is restricted in nature.
Sometimes access to specific entities should be easily restricted or granted based on user or group membership.
What is the best way to implement this in the microservice architecture?
#1
Should access control, managing permissions etc. be the responsibility of the microserive itself? Developers will have to implement access control, store, and update permissions for every service. Seems like not very robust and error-prone approach.
#2
Create dedicated microservice handling permission management? This service will be called by other microserives to check access permissions for each entity and filtering entities before returning results. Centralized permissions storage and management is an advantage but microservice will have to make a call to "Permission Service" for each entity to check access rights what may have a negative influence on performance. And developers still have to integrate access checks into their services what leaves space for an error.
#3
Make access control responsibility of the API Gateway or Service Mesh. It is possible to think of an implementation that will automatically filter responses of all services. But in the case when the microservice returns list of entities permissions should be checked for each entity. Still a potential performance problem.
Example
Consider the following synthetic example.
Healthcare system dealing with test results, X-Ray images etc. Health information is very sensitive and should not be disclosed.
Test results should be available only to:
patient
doctor
laboratory
Attending doctor may send the patient to another specialist. A new doctor should have access to test results too. So access can be granted dynamically.
So each entity (e.g. test results, X-Ray image) has a set of rules what users and groups are allowed to access it.
Imagine there is a microservice called "Test Results Service" dealing with test results. Should it be responsible for access control, manage permissions etc.? Or permissions management should be extracted to separate microservice?
Healthcare system may also handle visits to a doctor. Information about patient's visit to the doctor should be available to:
patient
doctor
clinic receptionist
This is the example of a different entity type that requires entity level access restriction based on user or group membership.
It is easy to imagine even more examples when entity level access control is required.
I came to the following generic solution.
ACL security model is used. Each object in the system has associated set of permissions. Permissions defines who and what actions can perform on the object.
Microservices are responsible for entity-level authorization and filter objects in responses based on permissions of the objects.
Central Access Control Service is responsible for the creation, update, and deletion of permissions for all objects in the system. Access Control Service database is the primary store of objects' permissions.
Permissions stored in microservices databases are synchronized with Access Control Service database using event-carried state transfer. Every time, permissions are changed an event is sent to the message broker. Microservices can subscribe to these events to synchronize permissions.
API Gateway can be used as the additional protection layer. API Gateway can call Access Control Service directly (RPC) to check response objects' permissions or load recently revoked permissions.
Design features:
A way to uniquely identify each object in the system is required (e.g. UUID).
Permissions synchronization in microservices are eventual consistent. In case of partitioning between message broker and microservice permissions will not be synchronized. It may be a problem with revocation of the permissions. The solution to this problem is a separate topic.
Looks like security is a part of business logic here. In both examples.
Then security could be a part of data scheme.
For example,
Patient can see his tests:
select * from test_result where patient_id=*patient_id*
Doctor can see all test from his medical department:
select * from test_result where branch_id=*doctor_branch*
I believe that to have separate MS for access control is a really bad idea and could lead serious performance problems. Just imagine situation that somebody with zero entity access tries to fetch all entities each time :) You will always need to handle larger result sets than actually needed.
Firstly, this is very bad idea to have a separate (per microservice) security model. It should be single always cross-cutting all application, because it can lead to a hell with access management, permissions granting and mapping between entities in different microservices.
In second, I assume that you are wrong with understanding how to organize microservices..? You should dedicate the principle of splitting functionality into microservices: by features, by domain, etc. Look at Single Responsibility, DDD and other approaches which helps you to achieve clear behavior of your MS.
So, in best case, you should have to:
Choose right security model ABAC or RBAC - there are a lot of other options, but looking at your example I guess the ABAC is the best one
Create separate MS for access management - the main responsibility of this MS is a CRUD and assignment of groups/roles/permissions/attributes to the people accounts.
Create separate MS for providing only permitted health information.
In third, how it works?:
With ABAC you can setup hierarchical roles/permissions (based on groups/attributes) - it helps you to resolve a delegation path of who is permitted to the data
Setup authorization (via auth-MS) and store the list of permissions (in session, cookies, etc)
Check access for a given user for a needed data in health-info-MS. Here we have several options how to do this:
If you use memory-grids (hazelcast, coherence), you can easily create filters with predicates based on security attributes.
If you're using SQL (hibernate, plain SQL, etc.) you should generate queries to return only permitted data - add security specific criteria to the where clause
Few more details about SQL queries with security check in where: before the SQL execution (if hibernate & spring is easy to do with spring-method-auth hook) you should resolve all permissions assigned to a user - you can do this with call to auth-MS.
Example
We created CRUD permissions for TestResult entity - VIEW, EDIT, DELETE.
The role DOCTOR can see any TestResults - so, it has VIEW permission
The role PATIENT can see only his/her TestResults
So, you create a business rules which provide the correct where clause for each business role (DOCTOR, PATIENT, LAB, etc.) and at the end the SQL request would be like:
For patient who has assigned VIEW permission:
select * from test_result where id=*patient_id* and 1=1
For patient who hasn't assigned VIEW permission:
select * from test_result where id=*patient_id* and 1!=1
NOTE: In business rules we can add 1=1 or 1!=1 to permit/restrict query result
I setup some security on a database called test.
The user with the name "user_test" is not a system Admin. Therefore, he has the admin permissions and member permissions on the test database.
As stated :
Creating design documents is restricted to admins, and if the replication is triggered without admin credentials, writing the design documents during replication will fail and be recorded as doc_write_failures. If you have admins, be sure to include the credentials in the replication request:
Since they are referring to the design docs, I was thinking about the database admin.
Therefore, when I try to setup a replication document in the _replicator database, the connection "hang" with the "user_text" credentials.
If I use my system admin, the replication get triggered instantly.
So my question :
In the target or source property, do I need to put the system admin credential or the database admin credentials?
Update
Setting up a replication using a system admin gets triggered automatically (good).
If I use a database admin, nothing occurs. Not even an error. Wich is kind of weird because it works on other pcs...
For you information, after testing and fixing some errors, I figured out that you can use non-system admin for replication.
Even tough, I had some problems with my replications that were having errors. I ended up clearing the corrupted documents in the _replicator and restarting each instance and everything got fixed.
We have c# web app connecting MongoDb deployed on Linux server. The idea is to use single designated Linux account for our web application to login and connect into MongoDb. As I understand from what I read, MongoDb does not support integrated security at all by default, it supposed to have its own user database with passwords, and no roles too, right? If so, I wonder if there is any separate third-party framework/tool or something that helps me use desired approach?
Other than that, if you know good online article regarding best practices to implement Security for Mongo in web applications, like where and how to store users and encrypted passwords etc., please give me a link.
please give me a link.
I did some security documentation a few months ago for MongoDB and it can be found here, this should be your starting point.
As I understand from what I read, MongoDb does not support integrated security at all by default, it supposed to have its own user database with passwords, and no roles too, right?
Up until MongoDB 2.2, authentication and authorisation is all local.In 2.2, there is limited RBAC (Role Based Access), i.e. two roles "read" and "write", with "write" being able to do everything on that database, i.e. admin.
Things will change in 2.4 with new roles:
name description of privilege
read ability to query data in any collection in the database, other than 'system.users', and also ability to run any command without an A or W attribute
readWrite everything permitted by 'read' privilege, and also the ability to insert, update,
or remove documents or indexes in any collection other than 'system.users', and also the ability to run any command without an A attribute
userAdmin ability to read and write the 'system.users' collection
dbAdmin ability to run admin commands affecting a single database; see list below
serverAdmin ability to run admin commands affecting the entire database server; Can only be set on admin database; see discussion
clusterAdmin admin commands for a cluster of shards or a replica set; Can only be set on admin database
as documented here. This enhanced RBAC will be available in all versions of MongoDB from 2.3.2 (development build) and the next production release, 2.4.0.
With MongoDB 2.4, there will also be the ability to use Kerberos for authentication, however, this delegated authentication will only be available in the Enterprise builds, which require a Commercial Support contract for us.
There is currently nothing within MongoDB that enforces password complexity but obviously in 2.4 with Kerberos, the KDC can do this. You will manually have to ensure (through your internal password policy etc) that users realise the issues of using non-complex passwords and re-using the same passwords on multiple devices. Assuming you are running 2.2, all logins, passwords and permissions for MongoDB access are stored in the system.users collection under each database. Here is the exact link to the documentation that you should read.
I developed a business application at essentially the same time I learned to do non-trivial anything with SQL Server. I give data entry people db_owner and viewers db_datareader.
Now I'm trying to harden things up and the logical thing to my mind is give db_datareader and db_datawriter instread of db_owner, but I'm curious about (a) is this the right thing to do? and (b) what kinds of things can db_owner do that data_writer can't? (i.e. will anything not work after I switch).
Members of the db_owner fixed database role can perform all configuration and maintenance activities on the database. db_datawriter can perform DELETE, INSERT, UPDATE while db_datareader can only perform SELECT operations.
You should always try to grant only the minimum level of permissions needed to accomplish tasks. Most users don't need access to configuration or management features. In the case of data entry users, db_datawriter is probably appropriate.