-
Notifications
You must be signed in to change notification settings - Fork 5.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
A wikipage on "Who uses Netdata" ? #2168
Comments
Of course. Nice idea. That page will be empty though initially. So, it will be missleading... |
awesome. Anyways, after creating the blank page, its Twitter account can issue a public collaboration "notice" to add users' respective use-cases in production. You, and other contributors (+ followers) can propagate ("re-tweet") the "cause". That, I think, it will gather some user companies, at least. Then, at least the page won't be empty. :) Do I hope best that someday the list grows enormously. |
This idea is really great but... I'm using it also and I love it and yes it is really great. But the reason why I'm not going public with NetData is due to a lack of authentication. I know it will be there in the future but as long as it is not there, I'm not going to show my NetData to the world. And I think this is the case for most of the companies. |
@GPegel your concern is real. Highly appreciate your feedback. |
@kmonsoor I know, you are right but that is indeed a ultra basic line of defense. And in my case, our security officer won't be happy until authentication will be available. But in the mean time, I keep getting my colleagues jealous with those nice metrics ;-) |
Well, basic authentication in netdata will not solve the problem. A lot more are needed. But, let me ask this: you need to use netdata privately, for your sysadmins/devops only. Why is that a problem for you? I mean, there are so many alternatives:
So, yes, netdata should support authentication, but there are so many alternatives... Could someone explain why is the lack of embedded authentication such a problem? In general, I follow these rules when I run public servers:
I am a security freak myself, but I really don't understand why the lack of embedded authentication is a security concern. So, please help me understand. If you have valid points, I may re-arrange my to-do list to bring authentication at the top... |
At first, company policy. Second, we are working with private customer data over different physical company locations. That's why ;-) |
With all the respect, this is not good enough.
The most basic rule is that you need 2 of the following 3 to get access to customer private data:
I am not trying to play it smart here. Plain username/password authentication over the internet is just not secure. So, your policy is probably incomplete if it requires just this to accept a solution as secure. Think it like that: let's assume we have authentication to netdata and you expose it to the internet. What will limit brute force attacks against it? What will limit customer A of yours find your username and password and use it on customer B netdata? If you had a certificate based VPN in place, or even SSH certificates, netdata without authentication but restricted to be used over these channels, is pretty secure (since netdata does not expose any customer sensitive data) and a lot more secure compared to username/password authentication over the internet... |
even after fulfilling all points discussed here your netdata ui possibly leaks information about you and your setup to thirdparty if you do not run one node as your own private registry. so add another rule to your list:
is correct, but netdata-ui leaks data about you and possibly your netdata urls (if you do not run your own registry) |
The registry is not something netdata talks to. Only your browser talks to it. It is all documented at the my-netdata "What is this?" menu entry. We provide a default registry so that alarm notifications links will work, integration between netdata servers will work, etc. All users can configure their own. We have discussed this extensively at #3937 and #2760 since you had concerns that the registry is leaking personal data. As I told you there, the registry is not maintaining any personal data, the data are not sensitive, and there is no reason to opt-in. Users can opt-out by installing their own registry. |
there are environments where you dont want your internal/private admin-tools/web-uis submit your browsers ip nor the urls where you have those web-uis hosted, to a thirdparty server. this might be sensitive data and this declaration is not done by you, but the internal policies. i don't understand why you refuse to accept this. and i see nothing stated here at all about this communication between your browser and the registry: https://github.com/firehol/netdata/wiki/netdata-security . its not stated there that you send your browsers IP and all the urls you run your netdata web-uis to a thirdpartyserver (independent of what the operator of this does with those data) if you do not run your own registry. in my opinion you cut out an important fact. |
@ktsaou I'm inclined to agree with @toastbrotch about the netdata-swcurity wiki page. It should absolutely document that you need to configure a private registry if you don't want to send anything outside your network. Companies where things like internal hostnames are considered sensitive data do exist (I work for one currently). |
ok, folks, just edit that page. I work for such a company too and we use our own registry. |
Discussion went highly off topic here. I am against creating such page, but I am in favor of having something like "User testimonials" on some sort of a blog. |
Closing issue due to inactivity. Please reopen if this is still relevant. |
Can we have a page that will show the organizations or companies who are using
Netdata
in their production environment ?For example:
A similar page for Netdata would definitely help the newcomers to be convinced, and also help them to convince non-tech management to authorize its deployment in production.
The text was updated successfully, but these errors were encountered: