Need encryption and authentication on websocket of the connecting user #1326

Closed
jondequinor opened this issue Jan 28, 2021 · 5 comments · Fixed by #1577

Comments

@jondequinor
Contributor

No description provided.

@sondreso
Collaborator

Talk to the red pandas about their setup

@jondequinor
Contributor Author

Questions to be answered before taking on this task:

  • Do we need encryption of the traffic?
  • Is authentication personal or group based?
  • Can we re-use storage auth work?

@pinkwah
Contributor

pinkwah commented Jan 28, 2021

  • You can do off-the-shelf encryption via wss (secure websockets). You don't need encryption on the intranet as only those with root user can snoop and at that point they can just access the data on NFS directly.
  • ERT Storage has UNIX file based authentication: Anyone with access to storage_server.json can access the server as this file contains the authentication token. This is okay because those who can access this file can also access all the confidential data on NFS directly.
  • Yes please. Do @ me. I have a few ideas to make it nice ™️ wrt. RGS.

For the authentication, assuming you can edit the headers sent by the initial websocket handshake, the idea is to look for X-Token or w/e. Using Flask, you can add a @app.before_request function. With FastAPI, you can just combine their APIKey security scheme with the Websocket route and it should work with minimal hacking.
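
The handshake check described in the comment above, as an added example that is not part of the original comment or the project's code. It is framework-independent (standard library only) and assumes POSIX permissions; the file name `ws_token.json`, the JSON key `token`, and the per-user `0600` policy are assumptions made for illustration.

```python
import hmac
import json
import os
import secrets
import stat
import tempfile
from pathlib import Path

TOKEN_HEADER = "x-token"  # header name taken from the comment above

def write_token_file(path: Path) -> str:
    """Create a fresh token in a file only the owning user can read (0600)."""
    token = secrets.token_urlsafe(32)
    # O_EXCL: fail rather than reuse a file someone else pre-created.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump({"token": token}, fh)  # key name "token" is an assumption
    return token

def load_token(path: Path) -> str:
    """Read the token, refusing a file that group or other can access."""
    mode = stat.S_IMODE(path.stat().st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} is accessible beyond its owner: {oct(mode)}")
    return json.loads(path.read_text())["token"]

def authorize_handshake(headers: dict, expected: str) -> int:
    """Return the HTTP status for the upgrade request: 101 or 401."""
    # HTTP header names are case-insensitive; normalise before lookup.
    supplied = {k.lower(): v for k, v in headers.items()}.get(TOKEN_HEADER, "")
    # An empty expected token must never match a missing header.
    # compare_digest keeps the comparison constant-time.
    ok = bool(expected) and hmac.compare_digest(supplied.encode(), expected.encode())
    return 101 if ok else 401

def demo() -> dict:
    """Run the check against constructed handshake headers."""
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "ws_token.json"  # hypothetical file name
        issued = write_token_file(path)
        expected = load_token(path)
        results = {
            "valid": authorize_handshake({"X-Token": issued}, expected),
            "missing": authorize_handshake({"Host": "localhost"}, expected),
            "wrong": authorize_handshake({"x-token": "guess"}, expected),
        }
        os.chmod(path, 0o644)  # simulate a token file left world-readable
        try:
            load_token(path)
            results["loose_file"] = "loaded"
        except PermissionError:
            results["loose_file"] = "refused"
    return results
```

In Flask or FastAPI the same `authorize_handshake` logic would sit in the hook or dependency that runs before the websocket upgrade is accepted.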

@jondequinor
Contributor Author

> You can do off-the-shelf encryption via wss (secure websockets). You don't need encryption on the intranet as only those with root user can snoop and at that point they can just access the data on NFS directly.

@dotfloat what certs would we use?

Is the storage server using SSL?

@pinkwah
Contributor

pinkwah commented Jan 28, 2021

Nope. We also removed SSL from webviz. Don't need encryption on the intranet.

The alternative is to create certs on the fly. We don't do this because it doesn't fly nicely with browsers, which give you full-page scary warnings about not being able to validate the cert. Having an internal SSL key that is in Equinor's internal CA is also not a solution since sharing a private key between users is the same as not having encryption.

We'll be able to use SSL/WSS when we're in the ☁️ quite easily and transparently. Not a concern now nor will it be in the future imo.

@sondreso sondreso self-assigned this Feb 8, 2021
@sondreso sondreso removed their assignment Mar 22, 2021
@sondreso sondreso changed the title Need encryption of websocket traffic as well as authentication of the connecting user Need authentication on websocket of the connecting user Mar 25, 2021
@sondreso sondreso changed the title Need authentication on websocket of the connecting user Need authentication and encryption on websocket of the connecting user Apr 22, 2021
@sondreso sondreso changed the title Need authentication and encryption on websocket of the connecting user Need encryption and authentication on websocket of the connecting user Apr 22, 2021
@sondreso sondreso self-assigned this Apr 23, 2021