These Cisco Terms of Use (this “Agreement”) between You and Cisco cover Your use of the Software and Cloud Services (“Cisco Technology”) obtained through this site. The Cisco Technology is intended for use by business users. Definitions of capitalized terms are in Section 11.
You agree to be bound by the terms of this Agreement through (a) Your download, installation, or use of the Cisco Technology; or (b) Your express agreement to this Agreement. If You do not have authority to enter into this Agreement or You do not agree with its terms, do not use the Cisco Technology.
Section 2. Using Cisco Technology
2.1 License and Right to Use. Cisco grants You, for Your direct benefit during the Usage Term and for the full scope of Your Entitlement under this Agreement, a non-exclusive, non-transferable (except with respect to Software as permitted under the Cisco Software Transfer and Re-Use Policy) (a) license to use the Software; and (b) right to use the Cloud Services (collectively, the “Usage Rights”).
2.2 Use by Third Parties. You may permit Authorized Third Parties to exercise the Usage Rights on Your behalf, provided that You are responsible for (a) ensuring that such Authorized Third Parties comply with this Agreement; and (b) any breach of this Agreement by such Authorized Third Parties.
2.3 Free Service. Cisco is making this Cisco Technology available to You without charge, up to certain capacity limits as described in Section 10 below, and subject to the terms of this Agreement. You agree that Cisco, in its sole discretion and for any or no reason, may terminate Your Usage Rights (or any part thereof) and that any termination may be without prior notice and without liability to Cisco. Cisco may, for example, suspend or terminate Your Usage Rights if (i) Cisco has reason to believe that You engaged in any fraudulent behaviour as it relates to the Cloud Services, or (ii) You use Cisco Technology beyond Your Entitlement. You are solely responsible for exporting Your customer data from the Cisco Technology prior to termination, and, except as required by law, Cisco will provide You a reasonable opportunity to retrieve such data.
2.4 Upgrades or Additional Copies of Software. You may only use Upgrades or additional copies of the Software beyond Your Entitlement if You have (a) acquired those rights under a support agreement covering the applicable Software; or (b) You have purchased the right to use Upgrades or additional copies separately.
2.5 Interoperability of Software. If required by law and upon Your request, Cisco will provide You with the information needed to achieve interoperability between the Software and another independently created program, provided You agree to any additional terms reasonably required by Cisco. You will treat such information as Confidential Information.
Section 3. Additional Conditions of Use
3.1 Cisco Technology Generally. Unless expressly agreed by Cisco, You may not (a) transfer, sell, sublicense, monetize, or make the functionality of any Cisco Technology available to any third party; (b) use the Software on second hand or refurbished Cisco equipment not authorized by Cisco, or use Software that is licensed for a specific device on a different device (except as permitted under Cisco’s Software License Portability Policy); (c) remove, modify, or conceal any product identification, copyright, proprietary, intellectual property notices or other marks; (d) reverse engineer, decompile, decrypt, disassemble, modify, or make derivative works of the Cisco Technology; or (e) use Cisco Content other than as part of Your permitted use of the Cisco Technology.
3.2 Cloud Services. You will not intentionally (a) interfere with other users’ access to, or use of, the Cloud Service, or with its security; (b) facilitate the attack or disruption of the Cloud Service, including a denial of service attack, unauthorized access, penetration testing, crawling, or distribution of malware (including viruses, trojan horses, worms, time bombs, spyware, adware, and cancelbots); (c) cause an unusual spike or increase in Your use of the Cloud Service that negatively impacts the Cloud Service’s operation; or (d) submit any information that is not contemplated in the applicable Documentation.
3.3 Evolving Cisco Technology. Cisco may: (a) enhance or modify the features, functionality, and capacity limits of this Cisco Technology at any time, in its sole discretion, without liability; and (b) perform scheduled maintenance of the infrastructure and software used to provide the Cloud Service, during which time You may experience some disruption to that Cloud Service. Whenever reasonably practicable, Cisco will provide You with advance notice of such maintenance. You acknowledge that, from time to time, Cisco may need to perform emergency maintenance without providing You advance notice, during which time Cisco may temporarily suspend Your access to, and use of, the Cloud Service.
Cisco reserves the right (a) to end the life of this Cisco Technology, including component functionality, (“EOL”), and/or (b) to incorporate all or some of the features and functionality of this Cisco Technology into a Cisco paid offer at any time, in its sole discretion, and without liability (“Cisco Offering”). Any new Cisco Offering will be subject to its own terms and conditions.
3.4 Protecting Account Access. You will keep all account information up to date, use reasonable means to protect Your account information, passwords and other login credentials, and promptly notify Cisco of any known or suspected unauthorized use of or access to Your account.
3.5 Use with Third-Party Products. If You use the Cisco Technology together with third-party products, such use is at Your risk. You are responsible for complying with any third-party provider terms, including its privacy policy. Cisco does not provide support or guarantee ongoing integration support for products that are not a native part of the Cisco Technology.
3.6 Open Source Software. Open source software not owned by Cisco is subject to separate license terms as set out at www.cisco.com/go/opensource. The applicable open source software licences will not materially or adversely affect Your ability to exercise Usage Rights in applicable Cisco Technology.
Section 4. Confidential Information and Use of Data
4.1 Confidentiality. Recipient will hold in confidence and use no less than reasonable care to avoid disclosure of any Confidential Information to any third party, except for its employees, affiliates, and contractors who have a need to know (“Permitted Recipients”). Recipient: (a) must ensure that its Permitted Recipients are subject to written confidentiality obligations no less restrictive than the Recipient’s obligations under this Agreement, and (b) is liable for any breach of this Section by its Permitted Recipients. Such nondisclosure obligations will not apply to information that: (i) is known by Recipient without confidentiality obligations; (ii) is or has become public knowledge through no fault of Recipient; or (iii) is independently developed by Recipient. Recipient may disclose Discloser’s Confidential Information if required under a regulation, law or court order provided that Recipient provides prior notice to Discloser (to the extent legally permissible) and reasonably cooperates, at Discloser’s expense, regarding protective actions pursued by Discloser. Upon the reasonable request of Discloser, Recipient will either return, delete or destroy all Confidential Information of Discloser and certify the same.
4.2 How We Use Data. Cisco will access, process and use data in connection with Your use of the Cisco Technology in accordance with applicable privacy and data protection laws. For further detail, please visit Cisco’s Security and Trust Center.
4.3 Notice and Consent. To the extent Your use of the Cisco Technology requires it, You are responsible for providing notice to, and obtaining consents from, individuals regarding the collection, processing, transfer and storage of their data through Your use of the Cisco Technology.
Section 5. Ownership
Except where agreed in writing, nothing in this Agreement transfers ownership in, or grants any license to, any intellectual property rights. You retain any ownership of Your content and Cisco retains ownership of the Cisco Technology and Cisco Content. You acknowledge and agree that any questions, comments, suggestions, ideas, feedback or other information about this Cisco Technology provided by You to Cisco (“Feedback”) are non-confidential and Cisco may use any Feedback You provide in connection with Your use of the Cisco Technology as part of its business operations without acknowledgment or compensation to You.
Section 6. Warranties and Representations
To the extent allowed by applicable law, Cisco expressly disclaims all warranties and conditions of any kind, express or implied, including without limitation any warranty, condition or other implied term as to merchantability, fitness for a particular purpose or non-infringement, or that the Cisco Technology will be secure, uninterrupted or error free. If You are a consumer, You may have legal rights in Your country of residence that prohibit the limitations set out in this Section from applying to You, and, where prohibited, they will not apply
Section 7. Liability
Neither party will be liable for indirect, incidental, exemplary, special, or consequential damages; loss or corruption of data or interruption or loss of business; or loss of revenues, profits, goodwill, or anticipated sales or savings. The maximum aggregate liability of each party under this Agreement is limited to $5,000 USD. These limitations of liability do NOT apply to liability arising from (a) Your breach of Sections 2.1 (License and Right to Use), 3.1 (Cisco Technology Generally), 3.2 (Cloud Services) or 9.7 (Export). These limitations of liability apply whether the claims are in warranty, contract, tort (including negligence), infringement, or otherwise, even if either party has been advised of the possibility of such damages. Nothing in this Agreement limits or excludes any liability that cannot be limited or excluded under applicable law. These limitations of liability are cumulative and not per incident.
Section 8. Termination and Suspension
8.1 Suspension. Cisco may immediately suspend Your Usage Rights if You breach Sections 2.1 (License and Right to Use), 3.1 (Cisco Technology Generally), 3.2 (Cloud Services) or 9.7 (Export).
8.2 Termination. Cisco, in its sole discretion and for any or no reason, may terminate Your access to this Cisco Technology or any part thereof and any termination may be without prior notice and without liability to Cisco. Cisco may, for example, suspend or terminate Your access immediately if You breach Sections 2.1 (License and Right to Use), 3.1 (Cisco Technology Generally), 3.2 (Cloud Services), or 9.7 (Export). Upon termination of this Agreement, You must stop using the Cisco Technology and destroy any copies of Software and Confidential Information within Your control.
Section 9. General Provisions
9.1 Survival. Sections 4 (Confidential Information and Use of Data), 5 (Ownership), 7 (Liability), 8 (Termination and Suspension), and 9 (General Provisions) survive termination or expiration of this Agreement.
9.2 Third-Party Beneficiaries. This Agreement does not grant any right or cause of action to any third party.
9.3 Assignment and Subcontracting. Except as set out below, neither party may assign or novate this Agreement in whole or in part without the other party’s express written consent. Cisco may (a) by written notice to You, assign or novate this Agreement in whole or in part to an Affiliate of Cisco, or otherwise as part of a sale or transfer of any part of its business; or (b) subcontract any performance associated with the Cisco Technology to third parties, provided that such subcontract does not relieve Cisco of any of its obligations under this Agreement.
9.4 U.S. Government End Users. The Software, Cloud Services and Documentation are deemed to be “commercial computer software” and “commercial computer software documentation” pursuant to FAR 12.212 and DFARS 227.7202. All U.S. Government end users acquire the Cisco Technology and Documentation with only those rights set forth in this Agreement. Any provisions that are inconsistent with federal procurement regulations are not enforceable against the U.S. Government
9.5 Modifications to this Agreement. Cisco may change this Agreement or any of its components by updating it on Cisco.com and/or the Documentation page, which can be found at https://community.cisco.com/. Cisco will exercise commercially reasonable efforts to provide notice of any material changes to this Agreement, and within three (3) business days of posting changes to this Agreement, they will be binding. If you do not agree with the changes, you must discontinue using the Cisco Technology at that time. If you continue using the Cisco Technology after that time, you will be deemed to have accepted the changes to this Agreement.
9.6 Compliance with Laws. Each party will comply with all laws and regulations applicable to their respective obligations under this Agreement. Cisco may restrict the availability of the Cisco Technology in any particular location or modify or discontinue features to comply with applicable laws and regulations.
If You use the Cisco Technology in a location with local laws requiring a designated entity to be responsible for collection of data about individual end users and transfer of data outside of that jurisdiction (e.g., Russia and China), You acknowledge that You are the entity responsible for complying with such laws.
9.7 Export. Cisco’s Software, Cloud Services, products, technology, and services (collectively the “Cisco Products”) are subject to U.S. and local export control and sanctions laws. You acknowledge and agree to the applicability of and Your compliance with those laws, and You will not receive, use, transfer, export, or re-export any Cisco Products in a way that would cause Cisco to violate those laws. You also agree to obtain any required licenses or authorizations
9.8 Governing Law and Venue. This Agreement, and any disputes arising from it, will be governed exclusively by the applicable governing law below, based on Your primary place of business (or primary residence, if you are not a business) and without regard to conflicts of laws rules or the United Nations Convention on the International Sale of Goods. The courts located in the applicable venue below will have exclusive jurisdiction to adjudicate any dispute arising out of or relating to the Agreement or its formation, interpretation or enforcement. Each party hereby consents and submits to the exclusive jurisdiction of such courts. Regardless of the below governing law, either party may seek interim injunctive relief in any court of appropriate jurisdiction with respect to any alleged breach of Cisco’s intellectual property or proprietary rights
Your Primary Place of Business Governing Law Jurisdiction and Venue
Any location not specified below
| State of California, United States of America | Superior Court of California, County of Santa Clara and Federal Courts of the Northern District of California
| Australia | Laws of the State of New South Wales, Australia | State and Federal Courts of New South Wales |
| Canada | Province of Ontario, Canada | Courts of the Province of Ontario |
| China | Laws of the People’s Republic of China | Hong Kong International Arbitration Center |
| Europe (excluding Italy), Middle East, Africa, Asia (excluding Japan and China), Oceania (excluding Australia) | Laws of England | English Courts |
| Italy | Laws of Italy | Court of Milan |
| Japan | Laws of Japan | Tokyo District Court of Japan |
| United States, Latin America or the Caribbean | State of California, United States of America | Superior Court of California, County of Santa Clara and Federal Courts of the Northern District of California |
If You are a United States public sector agency or government institution located in the United States, the laws of the primary jurisdiction in which You are located will govern this Agreement and any disputes arising from it. For U.S. Federal Government users, this Agreement will be controlled and construed under the laws of the United States of America.
9.9 Notice. Any notice delivered by Cisco to You under this Agreement will be delivered on Cisco.com. Notices to Cisco should be sent to Cisco Systems, Inc., Office of General Counsel, 170 West Tasman Drive, San Jose, CA 95134.
9.10 Force Majeure. Neither party will be responsible for failure to perform its obligations due to an event or circumstances beyond its reasonable control.
9.11 No Waiver. Failure by either party to enforce any right under this Agreement will not waive that right.
9.12 Severability. If any portion of this Agreement is not enforceable, it will not affect any other terms.
9.13 Entire agreement. This Agreement is the complete agreement between the parties with respect to the subject matter of this Agreement and supersedes all prior or contemporaneous communications, understandings or agreements (whether written or oral).
9.14 Translations. Cisco may provide local language translations of this Agreement in some locations. You agree that those translations are provided for informational purposes only and if there is any inconsistency, the English version of this Agreement will prevail.
9.15 Order of Precedence. If there is any conflict between this Agreement and any Cisco policies expressly referenced in this Agreement, the order of precedence is: (a) this Agreement; then (b) any applicable Cisco policy expressly referenced in this Agreement.
9.16 Language Election for Purchasers in Quebec. You confirm Your Agreement that this Cisco Technology is currently provided in English only.
Section 10. Additional Terms
10.1 Restrictions on Use by Minor Children. This Cisco Technology is not intended for use by persons younger than the age of consent in their relevant jurisdiction (e.g.,13 years old in the United States under the US Children’s Online Privacy Protection Act of 1998, or 16 or 13 years old in the European Union as per Member State law) (“Minor Children”). Minor Children are not permitted to create an account and You will not authorize Minor Children to access the Cisco Technology.
10.2 Capacity Restrictions. Your right to access and use this Cisco Technology is currently limited to five (5) nodes dedicated to applications/microservices.
10.3 Limited Community Support. This Cisco Technology is provided on a free-of-charge basis, as-is, and without support. Cisco has no obligation to maintain, repair, or upgrade this Cloud Service and Cisco will not provide user support services in connection with this Cisco Technology. User can refer to self-service help materials that cover a range of topics or reach out to our community forum to engage in community support discussions on our Documentation page at https://community.cisco.com/. Cisco makes no representations about and has no liability for these community support resources. All use of these resources, and the advice and guidance therein, is at Your own risk.
10.4 No Competitive Analysis. By agreeing to these terms, You represent and warrant that you will not use this Cisco Technology or its Documentation to (a) copy ideas, features, functions, or graphics; (b) develop competing products or services; or (c) perform competitive analyses.
10.5 Beta Functionality. User acknowledges and agrees that all or some components or functionality of the Cisco Technology may be in beta stage and may not have been (and may not become) productized or commercialized. You acknowledge that Your use and evaluation of this Cisco Technology is at Your own risk.
Section 11. Definitions
“Affiliate” means any corporation or company that directly or indirectly controls, or is controlled by, or is under common control with the relevant party, where “control” means to: (a) own more than 50% of the relevant party; or (b) be able to direct the affairs of the relevant party through any lawful means (e.g., a contract that allows control).
“Authorized Third Parties” means Your Users, Your Affiliates, Your third-party service providers, and each of their respective Users, permitted to access and use the Cisco Technology on Your behalf as part of Your Entitlement.
“Cisco” “we” “our” or “us” means Cisco Systems, Inc. or its applicable Affiliate(s).
“Cisco Content” means any (a) content or data provided by Cisco to You as part of Your use of the Cisco Technology and (b) content or data that the Cisco Technology generates or derives in connection with Your use. Cisco Content includes geographic and domain information, rules, signatures, threat intelligence, and data feeds, and Cisco’s compilation of suspicious URLs.
“Cloud Service” means the Cisco hosted software-as-a-service offering or other Cisco cloud-enabled feature described in this Agreement. Cloud Services include applicable Documentation and may also include Software.
“Confidential Information” means non-public proprietary information of the disclosing party (“Discloser”) obtained by the receiving party (“Recipient”) in connection with this Agreement, which is (a) conspicuously marked as confidential or, if verbally disclosed, is summarized in writing to the Recipient within a reasonable time period after disclosure and marked as confidential; or (b) is information which by its nature should reasonably be considered confidential whether disclosed in writing or verbally.
“Delivery Date” means the date on which the Cloud Service is made available for Your use or, when Usage Rights in Software and Cloud Services are granted together, the earlier of the date Software is made available for download, or the date on which the Cloud Service is made available for Your use.
“Documentation” means the technical specifications and usage materials officially published by Cisco or available on https://community.cisco.com/ specifying the functionalities and capabilities of the applicable Cisco Technology.
“Entitlement” means the specific metrics, duration, and quantity of Cisco Technology that You acquire from Cisco under this Agreement.
“Software” means the Cisco computer programs including Upgrades, firmware and applicable Documentation.
“Upgrades” means all updates, upgrades, bug fixes, error corrections, enhancements and other modifications to the Software.
“Usage Term” means the period commencing on the Delivery Date and continuing until expiration or termination of the Entitlement, during which period You have the right to use the applicable Cisco Technology.
“User” means the individuals (including contractors or employees) permitted to access and use the Cisco Technology on Your behalf as part of Your Entitlement.
“You” means the individual or legal entity using the Cisco Technology.
NEW Cloud Security Academy Level up your skills with hands-on lessons. Get started
Unlocking the Cosmos: A Guide to Azure Cosmos DB Access Control
Maya Parizer
Tuesday, Jan 30th, 2024
Azure Cosmos DB is a globally distributed, multi-model database service provided by Microsoft. It is designed to allow developers to build highly responsive and scalable applications with low-latency data access around the world. It offers extensive support for various database engines, including NoSQL, MongoDB, Cassandra, Gremlin, Table, and PostgreSQL.
When creating an account, it defines the type of database to be used within it. Inside an account, one can virtually manage an unlimited amount of data and provisioned throughput. Each account type consists of different ways to logically organize data models. For example, in NoSQL data is organized in items that reside in containers that reside inside databases.
In this article, we will compare the different ways to authenticate and access an Azure Cosmos DB account, its data, and the network access options that are available.
Regarding accessing a Cosmos DB account, we will deepen our understanding of different types of operations that can be made regarding the data and management of an account. Afterwards we will observe each way to access an account with its specific security considerations. Regarding the network access, we will observe the differences between the options of network access and how they are represented in Azure Cosmos DB API Json objects, so we have a better understanding of the properties in the Cosmos DB account.
Cosmos DB Account Elements
When choosing an account to create, one must choose between NoSQL, Cassandra, MongoDB, Gremlin, Table, and PostgreSQL. It defines the type of database used in the account. The account type cannot be changed after the account creation.
After choosing an account type, the next is the database entity. You can choose between one or many databases.
In PostgreSQL there is only one database – its default name is ‘citus’ but can be changed at the time of configuration. In each DB account, they appear under a different name:
Azure Cosmos DB entity
NoSQL
Apache Cassandra
MongoDB
Apache Gremlin
Table
PostgreSQL
Azure Cosmos DB Database
Database
Keyspace
Database
Database
NA
Database
Note that Cosmos DB Table has no databases at all. In Table DB, data is saved in tables and is created and managed at account level to maintain compatibility.
Next are containers, they are entities inside a database. There can be one or more containers in each database entity. When a container is created, one needs to supply a partition key. The partition key is a property selected from one’s items to help Azure Cosmos DB distribute the data efficiently across partitions. In each DB account, the container entity appears under a different name:
Azure Cosmos DB entity
NoSQL
Apache Cassandra
MongoDB
Apache Gremlin
Table
PostgreSQL
Azure Cosmos DB Container
Container
Table
Collection
Graph
Table
Table
Next are items. In most Database Engines (except PostgreSQL and Cassandra), items within a container can have arbitrary schemas, meaning each item within the container can have its own set of fields or properties. A container can also have different entities, meaning items can represent different types of data with varying structures, if they share the same partition key. In each DB account, they appear under a different name:
Azure Cosmos DB entity
NoSQL
Apache Cassandra
MongoDB
Apache Gremlin
Table
PostgreSQL
Azure Cosmos DB Item
Item
Row
Document
Node or edge
Entity
Item
So far, we have learned of the hierarchical structure of a Cosmos DB account—account, databases, containers, and items.
Authentication Methods for Cosmos DB
Let us clarify the different ways to connect to your Cosmos DB account for each engine
Azure Cosmos DB Ways to Authenticate
NoSQL
Apache Cassandra
MongoDB
Apache Gremlin
Table
PostgreSQL
Connection Strings
V
V
V
V
V
V
Azure Cosmos RBAC
V
X
V
X
X
X
Resource Token
V
X
X
X
X
X
We will deepen our knowledge of each way to connect your Cosmos DB account later in the article.
In this next section, we will focus on the Azure Cosmos RBAC. We will learn what it is, and the differences betweenAzure Cosmos RBAC and Azure RBAC .
Data & Management Operations in Cosmos DB
In Azure Cosmos DB, there are 2 types of operations:
Management operations – Using Azure RBAC (Role Based Access Control).
Data plane operations – UsingAzure Cosmos RBAC.
With Azure RBAC, you can control who can create, modify, or delete Azure Cosmos DB accounts, databases, containers, and manage settings like throughput levels.
WithAzure Cosmos RBAC, however, you can control access to read or modify the actual data stored within your containers.
Both operations use apermission model which grants different permissions to different users or identities. The permission model enables more security as it keeps the ‘least privilege’ principle, where the admin decides the amount of access each identity can have.
The following are the built-in roles for Azure RBAC (management operations):
Can submit a restore request in the Azure portal for a periodic backup enabled database or a container. Can modify the backup interval and retention in the Azure portal. Cannot access any data or use Data Explorer.
Can provision Azure Cosmos DB accounts, databases, and containers. Cannot access any data or use Data Explorer.
In addition to the built-in roles, users are also able to create custom roles and apply these roles to service principals across all subscriptions within their AD tenant. The list of all possible actions for the custom roles for Azure RBAC is here.
As to data operations,Azure Cosmos RBACcurrently supports NoSQL and MongoDB only. Let us dive deep to get familiar with each database RBAC specifications.
MongoDB
In MongoDB, Azure Cosmos RBAC shares similarities with Azure RBAC, both relying on a permission model to control access to data operations by allowing or denying specific actions. However, MongoDB uses the term 'Privileges' for actions, and these privileges are grouped within 'Roles,' which represent sets of permissions.
These roles are defined within a single database inside a MongoDB account. Since MongoDB allows the creation of multiple databases, when defining a role, it is essential to specify the database to which the role pertains.
Moreover, MongoDB introduces the concept of users, representing identities identified by a username and password. Each user is associated with specific roles, dictating the set of actions they are permitted to perform within the defined database. This approach allows for precise control over access and operations in a MongoDB environment. Each user is associated with specific roles, defining the actions they are authorized to perform within the designated database.
MongoDB uses Capabilities as well. Capabilities are features that can be added or removed to your API for MongoDB account. Many of these features affect account behavior, so it's important to be fully aware of the effect a capability has before you enable or disable it. For more information click here.
Note: In MongoDB, the permission model for data operations can include some management operations (like createCollection, dropCollection, dropDatabase), as well as reading and writing data.
In addition to the built-in roles, users can also create custom roles and apply them.
One way to connect via Azure Cosmos RBAC for MongoDB using Pymongo: (there are other ways such as Node.js, Java, Mongosh)
Add the capability “EnableMongoRoleBasedAccessControl” to the cosmos DB account. It enables support for creating users and roles for native MongoDB role-based access control.
Add a role definition to the account, if you desire to give the user that custom role.
Create a user and assign a role (built in or custom) and a database name.
Test the connection with ‘pymongo’.
NoSQL
In NoSQL, Azure Cosmos RBAC is like Azure RBAC as per the following criteria:
They both use role definitions containing a list of allowed actions.
In both the role definitions get assigned through role assignments – that define the scopes that the role definition applies to:
Azure Cosmos DB account (/)
Azure Cosmos DB database (/dbs/<database-name>)
Azure Cosmos DB container (/dbs/<database-name>/colls/<container-name>)
Note: The permission model for data operations in NoSQL covers only database operations that involve reading and writing data. It does not cover any kind of management operations on management resources, unlike MongoDB that allows some management operations.
In NoSQL there are 2 bulit-roles:
Cosmos DB Built-in Data Reader
Cosmos DB Built-in Data Contributer
In addition to the built-in roles, users can also create custom roles and apply them. Below are all actions possible for Azure Cosmos RBAC:
Authenticate clients: create custom role with actions above or assign a built-in role of Azure Cosmos RBACand get your azure user account or service principal’s id, then assign the role to your azure user account or service principal. Next, authenticate using DefaultAzureCredential imported from @azure/identity. Now you have a CosmosClient instance.
Test the connection by adding items to the container.
Accessing Azure Cosmos DB Account
Azure Cosmos DB offers three methods for managing access to your database account:
Fine grained permission model based on native Azure Cosmos DB users and permissions.
Connection Strings:
In most data engines (except for PostgreSQL) in Cosmos DB, the connection strings are by primary/ secondary keys and an account endpoint. In PostgreSQL however, the connection string is by a username and password, with a secure connection (require ssl mode).
We will explain the concept of the primary and secondary keys that are used for all other data engines.
Primary / Secondary Keys:
Primary/secondary keys provide access to all the administrative resources for the database account. They provide access to accounts, databases, users, and permissions. Every account is equipped with 4 keys: 2 primary keys and 2 secondary keys. The dual-key structure (primary-secondary key) enables key regeneration or rolling, which ensures continuous access to your account and its associated data.
There are 2 types of keys: read-only and read-write.
When it comes to the permissions for primary and secondary keys, they cannot be utilized to grant granular access, meaning they cannot provide access to specific users or groups at different levels, such as account-level (full access to all databases and containers), database-level, or container-level access. Therefore, a user with a possession of a primary key can access the entire account. In terms of access, one can access the Cosmos account by using a connection string that is a combination of the primary key and the account endpoint.
One security concern related to this access control type is the absence of permission scope. Granting access to a user through a connection string enables them to operate on the entire account's data, including all databases, containers, and items. Furthermore, as the primary and secondary keys are universal, any decision to revoke a user's account access requires rotating and regenerating the keys. This process involves distributing the new keys to all relevant users who still require access to the account.
If you still desire to use primary/secondary keys as access for all, consider disabling the ‘Read-write keys’, which will prevent connections using these keys. In such cases, the only option to connect will be with the ‘Read-only keys’. To disable the ‘Read-write keys’ you need to set the `disableKeyBasedMetadataWriteAccess` property to true. After you set this property, changes to any resource can happen from a user with the proper Azure role and credentials.
Role-Based Access Control:
As previously mentioned, Role-based access control is available via NoSQL and MongoDB only.
Written above is the description of Azure Cosmos RBAC in NoSQL and mongo DB and the differences between them. Managing the access to the account via Azure Cosmos RBAC consists of:
Authenticating data requests with Azure AD identity.
Authorizing data requests with a role-based permission model.
In terms of security, Azure Cosmos RBAC offers robust security advantages by enabling precise control over access to resources. With RBAC, you can assign specific roles and permissions tailored to user responsibilities, ensuring that each user or application has only the necessary access privileges. This adheres to the principle of least privilege, mitigating the risk of unauthorized data access or modifications. By segregating duties through role assignments, conflicts of interest and insider threats are minimized. To enhance security when choosing to access via Azure Cosmos RBAC, consider disabling local authentication, which disables the use of accessing via a connection string.
Resource Tokens:
Azure Cosmos DB resource tokens are available via NoSQL only. They are dynamically generated security credentials that grant fine-grained and temporary access to specific resources within the database. These tokens enhance security by allowing controlled access without exposing primary or secondary keys, and they are suitable for scenarios where you need to provide specific privileges to users or applications for a limited time or for a restricted scope of containers, databases, or operations.
Resource tokens must be generated by an intermediate server. The server serves as the master-key guardian and generates time-constrained tokens for untrusted clients, such as web browsers.
This server performs the following steps:
Handles incoming client requests for new tokens.
Verifies client identity in an application-specific way.
If the client authenticates successfully, it uses the Cosmos DB interfaces (SDK or REST) to generate a new time-limited token and returns it to the client.
In terms of security, Azure Cosmos DB resource tokens serve as a crucial method for retrieving data tailored to individual users. This approach aligns with the principle of granting the least amount of privilege necessary, which boosts security by avoiding extensive administrative powers, as seen with the primary key. Instead, it emphasizes limited, temporary access and considers the aspect of not being able to reauthenticate.
As to the difference between Resource Tokens and Azure Cosmos RBAC, it is important to note that while the RBAC approach regenerates access tokens as long as the role assignment remains valid for the resource, the utilization of resource tokens will not trigger automatic regeneration.
To enhance security when choosing to access via resource tokens, consider disabling local authentication, which disables the use of accessing via a connection string.
Network Access
In this part of the article, we will discuss the different network access options provided by Azure Cosmos DB:
All networks
Selected networks
Disabled
All networks:
All networks, including the internet, can access this Azure Cosmos DB account.
By default, Azure Cosmos DB account is accessible from the internet, if the request is accompanied by a valid authorization token. This option raises a security concern, as it allows access to the account for all.
Selected Networks:
Limiting public access can be achieved through several methods: configuring IP firewall rules and/or establishing a virtual network. The optimal recommendation is to employ both approaches. By using both, access can be restricted to sources with public IPs and/or from specific subnets within the VNET.
By configuring firewalls, your Azure Cosmos DB account can be set up to be accessible solely from an authorized array of machines and/or cloud services.
When incorporating one or more subnets within VNets, only requests originating from those designated subnets will receive valid responses.
Requests emanating from any other sources will result in a 403 (Forbidden) response.
Disabled:
No public traffic will be able to access this resource. To access Azure Cosmos DB account, one needs to create a private endpoint.
Requests emanating from all sources will result in a 403 (Forbidden) response.
Note: When looking at the properties that describe the Cosmos DB Account, one can observe there is not a specific property indicating “All networks” or “Selected network”. The property is “public_network_access” with 2 options available: ‘Enabled’ / ‘Disabled’.
As one can infer, ‘Enabled’ does not differ which is ‘All network’ and which is ‘Selected network’. The way to determine based on the JSON describing the account is by looking at other components, as shown in the diagram below:
As we can see, to determine based on the properties which network option is used at the account, we must look at ‘public_network_access’ property:
If ‘Disabled’ - we are at ‘Disabled’ option, which means no public access whatsoever. The way to connect to the account is by using a private endpoint.
If ‘Enabled’- we need to check the ‘is_virtual_filter_network_enabled’ property:
If ‘True’- we are at ‘Selected Networks’, which means the public network access is limited.
If ‘False’- we need to check the ‘ipRules’ property:
If ‘Empty’ - we are at ‘All networks’ which means full public access.
Else, we are at ‘Selected Networks’, which means the public network access is limited.
Conclusion
In this post, we have become more familiar with Cosmos DB permissions and network access variations. Today, it is quite common to use default properties when they are not necessary for your specific requirements. While sometimes the default is a secure option, from time to time, the default is not necessarily the more secure one. It is important to know whom to provide the connection string based on primary keys, as they grant full administrative actions and remain accessible until rotation or regeneration. Meanwhile, there are more secure options, such as using Azure Cosmos RBAC or granting resource tokens, depending on your preference. When working with NoSQL databases, consider employing resource tokens if you need to grant access for a limited duration or to a temporary user. Alternatively, for permanent user access, you may opt for Azure Cosmos RBAC.
Regarding network access, try to avoid providing full public access. Depending on your requirements, choose between limiting access or disabling it.
By providing this knowledge, our hope is to assist you in keeping your product as secure as possible.
SIGN UP FREE
