Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jaeger In-depth security #1718

Open
6 of 10 tasks
yurishkuro opened this issue Aug 7, 2019 · 6 comments
Open
6 of 10 tasks

Jaeger In-depth security #1718

yurishkuro opened this issue Aug 7, 2019 · 6 comments
Labels
documentation meta-issue security

Comments

@yurishkuro
Copy link
Member

@yurishkuro yurishkuro commented Aug 7, 2019

In the 2019-05-04 Jaeger security audit, the auditors wrote:

no actual security threats have been identified and only a handful of miscellaneous issues could be spotted.

However, the auditors were concerned with the lack of the actual security mechanisms:

Everywhere in the codebase and in terms of key properties, a correct and complete configuration of the deployment and execution environment is a precondition and main approach. Such a complete reliance on perimeter-security calls the generally accepted industry practice of defense-in-depth into question.

This issue is a checklist of the existing security mechanisms in Jaeger, and any remaining gaps. It is broken into pairwise connections between Jaeger components.

Please refer to Security page in Jaeger documentation for instructions on securing Jaeger installation.

Client to Agent

  • UDP channels - no TLS/authentication
  • HTTP config channel - no TLS/authentication - #2249

Client to Collector

Agent to Collector

Collector/Query to Storage

  • Cassandra - TLS with client cert authentication supported; bearer token propagation
  • Elasticsearch - TLS with client cert authentication supported; bearer token propagation
  • Kafka - Kerberos authentication supported

Browser to UI

Consumers to Query Service

  • HTTP - no TLS/authentication - #2249
  • gRPC - no TLS/authentication - #2248
@j771
Copy link

@j771 j771 commented Sep 30, 2019

Cassandra - TLS with client cert authentication supported; bearer token propagation

Is there any documentation/tutorials on this?
I am trying to secure connection between the Collector and Cassandra storage but have have not been able to successfully implement it.

@jpkrohling
Copy link
Contributor

@jpkrohling jpkrohling commented Oct 1, 2019

@rubenvp8510 is the bearer token propagation working already? I thought it hasn't been merged yet.

@rubenvp8510
Copy link
Contributor

@rubenvp8510 rubenvp8510 commented Oct 1, 2019

@jpkrohling it is already working and I added tests here. but not on operator side, which is the current task I'm working on.

note that at this moment, token propagation only works on ES, as far as I know there is no plans for support it on cassandra.

@jpkrohling
Copy link
Contributor

@jpkrohling jpkrohling commented Oct 2, 2019

Thanks for the info, @rubenvp8510. I changed the description to strike through the "bearer token propagation" in the Cassandra item (cc @j771).

@maestr0
Copy link

@maestr0 maestr0 commented Dec 2, 2019

How to configure the Agent container to use TLS with client cert authentication? I'm running the Collector with mTLS. How do I tell the agent to use the client certs?

@yurishkuro
Copy link
Member Author

@yurishkuro yurishkuro commented Dec 2, 2019

Aren't these flags what you need?

$ go run ./cmd/agent help | grep tls
      --reporter.grpc.tls                                         Enable TLS when talking to the remote server(s)
      --reporter.grpc.tls.ca string                               Path to a TLS CA (Certification Authority) file used to verify the remote server(s) (by default will use the system truststore)
      --reporter.grpc.tls.cert string                             Path to a TLS Certificate file, used to identify this process to the remote server(s)
      --reporter.grpc.tls.key string                              Path to a TLS Private Key file, used to identify this process to the remote server(s)
      --reporter.grpc.tls.server-name string                      Override the TLS server name we expect in the certificate of the remove server(s)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
documentation meta-issue security
Projects
None yet
Development

No branches or pull requests

5 participants