Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Jaeger In-depth security #1718

Open
9 of 11 tasks
yurishkuro opened this issue Aug 7, 2019 · 6 comments
Open
9 of 11 tasks

Jaeger In-depth security #1718

yurishkuro opened this issue Aug 7, 2019 · 6 comments
Labels
documentation meta-issue An tracking issue that requires work in other repos security

Comments

@yurishkuro
Copy link
Member

yurishkuro commented Aug 7, 2019
edited

In the 2019-05-04 Jaeger security audit, the auditors wrote:

no actual security threats have been identified and only a handful of miscellaneous issues could be spotted.

However, the auditors were concerned with the lack of the actual security mechanisms:

Everywhere in the codebase and in terms of key properties, a correct and complete configuration of the deployment and execution environment is a precondition and main approach. Such a complete reliance on perimeter-security calls the generally accepted industry practice of defense-in-depth into question.

This issue is a checklist of the existing security mechanisms in Jaeger, and any remaining gaps. It is broken into pairwise connections between Jaeger components.

Please refer to Security page in Jaeger documentation for instructions on securing Jaeger installation.

Client to Agent

Agent is deprecated (#1718).

Client to Collector

Agent to Collector

Agent is deprecated (#1718).

Collector/Query to Storage

  • Cassandra - TLS with client cert authentication supported; bearer token propagation
  • Elasticsearch - TLS with client cert authentication supported; bearer token propagation
  • Kafka - Kerberos authentication supported

Browser to UI

Consumers to Query Service
@yurishkuro yurishkuro added documentation meta-issue An tracking issue that requires work in other repos security labels Aug 7, 2019
@fmhwong fmhwong mentioned this issue Sep 9, 2019
Closed
@jpkrohling jpkrohling mentioned this issue Sep 20, 2019
Closed
7 tasks
@yurishkuro yurishkuro mentioned this issue Sep 20, 2019
Closed
@j771
Copy link

j771 commented Sep 30, 2019
edited

Cassandra - TLS with client cert authentication supported; bearer token propagation

Is there any documentation/tutorials on this?
I am trying to secure connection between the Collector and Cassandra storage but have have not been able to successfully implement it.

@jpkrohling
Copy link
Contributor

@rubenvp8510 is the bearer token propagation working already? I thought it hasn't been merged yet.

@rubenvp8510
Copy link
Contributor

rubenvp8510 commented Oct 1, 2019
edited

@jpkrohling it is already working and I added tests here. but not on operator side, which is the current task I'm working on.

note that at this moment, token propagation only works on ES, as far as I know there is no plans for support it on cassandra.

@jpkrohling
Copy link
Contributor

Thanks for the info, @rubenvp8510. I changed the description to strike through the "bearer token propagation" in the Cassandra item (cc @j771).

@yurishkuro yurishkuro mentioned this issue Oct 3, 2019
Closed
@maestr0
Copy link

maestr0 commented Dec 2, 2019

How to configure the Agent container to use TLS with client cert authentication? I'm running the Collector with mTLS. How do I tell the agent to use the client certs?

@yurishkuro
Copy link
Member Author

Aren't these flags what you need?

$ go run ./cmd/agent help | grep tls
      --reporter.grpc.tls                                         Enable TLS when talking to the remote server(s)
      --reporter.grpc.tls.ca string                               Path to a TLS CA (Certification Authority) file used to verify the remote server(s) (by default will use the system truststore)
      --reporter.grpc.tls.cert string                             Path to a TLS Certificate file, used to identify this process to the remote server(s)
      --reporter.grpc.tls.key string                              Path to a TLS Private Key file, used to identify this process to the remote server(s)
      --reporter.grpc.tls.server-name string                      Override the TLS server name we expect in the certificate of the remove server(s)

@objectiser objectiser mentioned this issue Apr 6, 2020
Closed
@jaredallmond jaredallmond mentioned this issue Sep 24, 2020
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
documentation meta-issue An tracking issue that requires work in other repos security
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@jpkrohling @maestr0 @yurishkuro @rubenvp8510 @j771