---
title: "Security model"
---
<p>
This document details Vespa Cloud's security model.
</p>
<h2 id="control-plane">Control plane</h2>
<p>
The following explains how access to the management features of Vespa Cloud is controlled.
</p>
<h3 id="vespa-console-access">Vespa console access</h3>
<p>
Console access is available to authenticated users only.
This is bootstrapped by creating a <em>tenant</em> with an <em>owner</em>.
From this, additional users, as well as <em>applications</em>, can be created under the tenant.
Access is granted based on membership in the following roles:
<table class="table">
<tr><th>Role</th><th>Permissions</th></tr>
<tr><td>administrator</td><td>Can manage users and tenant information inside the tenant</td></tr>
<tr><td>developer</td><td>Can manage applications and their deployments</td></tr>
</table>
</p>
<h3 id="application-deployment">Application deployment</h3>
<p>
There are two kinds of application deployments:
<ul>
<li><a href="reference/zones">manual deployments</a> to dev/perf zones,
for application development testing, and</li>
<li><a href="automated-deployments">automated deployments</a> to production zones</li>
</ul>
Likewise, there are two kinds of keys that can be used for API authentication:
<ul>
<li>developer keys, which identify a member of the <em>developer</em> role
and allow, e.g., manual deployments and system tests, and</li>
<li>headless keys, which identify a build service that submits application packages
for automated deployment</li>
</ul>
Developer keys are personal, and are managed on the tenant level, in the Vespa Cloud console.
Each developer may have a single key at any time,
and both administrators and developers may revoke the key of another developer,
if it has been compromised.
</p><p>
Headless keys are managed on the application level, in the Vespa Cloud console.
Each application may have several headless keys.
</p><p>
For both kinds of key, the public key is uploaded through the console.
The private key is kept secret,
but must be made available to the Maven Vespa plugin which deploys applications,
and to test code for system tests against dev/perf deployments.
In both cases, this is done by setting <code>apiKeyFile</code> in <code>pom.xml</code>,
or by specifying this system property on the command line (<code>-DapiKeyFile=/path/to/key</code>).
Keep the private key file itself out of the application repository; <code>pom.xml</code> only needs the path to it.
</p>
<h2 id="data-plane">Data plane</h2>
<p>
All application endpoints are secured with mutual TLS.
</p>
<h3 id="server-certificate">Server certificate</h3>
<p>
On first deployment, a server certificate identifying the application is provisioned.
This certificate is automatically set up on all application endpoints.
The certificate is signed by DigiCert or GlobalSign.
</p>
<h3 id="client-certificate">Client certificate</h3>
<p>
To enable TLS client authentication:
<ol>
<li>Add trusted certificates (or issuer certificates) to the file <code>[application-package]/security/clients.pem</code></li>
</ol>
With this, only clients presenting a valid certificate, i.e., one listed in <code>clients.pem</code>
or issued by a certificate listed there, will be able to access the application endpoints.
In order to test application deployments,
another trusted client certificate is added by Vespa Cloud for deployments
to the test and staging zones <em>only</em>.
This does not affect production deployments.
</p><p>
To run system tests against a development endpoint,
specify the <code>dataPlaneCertificateFile</code> and <code>dataPlaneKeyFile</code> properties,
in the same manner as the <code>apiKeyFile</code> used for API access.
</p>
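<p>
The trust decision that <code>clients.pem</code> drives, shown as an added example in Go.
This is not Vespa's code and uses no Vespa API; it only reproduces, with Go's standard
<code>crypto/x509</code>, the chain check a mutual TLS endpoint performs on a presented client certificate.
All certificates are constructed in memory for the example: the names <code>tenant-client-ca</code>,
<code>feed-client</code>, <code>ops-laptop</code> and so on are made up, and <code>platform-test-ca</code>
stands in for the extra trusted certificate Vespa Cloud adds in test and staging zones, whose actual issuer this page does not name.
</p>

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// identity is a private key plus the certificate issued for it: for a client,
// the pair a system test names via dataPlaneKeyFile and dataPlaneCertificateFile.
type identity struct {
	key  *ecdsa.PrivateKey
	cert *x509.Certificate
}

// issue generates a P-256 key and a certificate for cn (constructed for this
// example). With issuer == nil the certificate is self-signed; isCA marks it
// as able to sign further certificates. Setup code, so it panics on failure.
func issue(cn string, isCA bool, issuer *identity) *identity {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // fine for in-process certificates
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	parent, signer := tmpl, key // self-signed unless an issuer is given
	if issuer != nil {
		parent, signer = issuer.cert, issuer.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER that Go just produced; it parses
	return &identity{key: key, cert: cert}
}

// clientsPEM renders trust anchors as they would appear in
// [application-package]/security/clients.pem: one CERTIFICATE block per
// trusted client certificate or issuer certificate.
func clientsPEM(anchors ...*identity) []byte {
	var out []byte
	for _, a := range anchors {
		out = append(out, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: a.cert.Raw})...)
	}
	return out
}

// accepted applies the check a mutual TLS endpoint makes on a presented client
// certificate: build a chain from it to an anchor in clientsPEM whose extended
// key usage permits client authentication. A non-nil error means the handshake
// is refused, so no request reaches the application at all.
func accepted(clients []byte, presented *identity) error {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(clients) {
		return fmt.Errorf("clients.pem holds no parseable certificate")
	}
	_, err := presented.cert.Verify(x509.VerifyOptions{
		Roots:     pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

func main() {
	tenantCA := issue("tenant-client-ca", true, nil)
	pinned := issue("ops-laptop", false, nil)       // self-signed, listed directly in clients.pem
	extraCA := issue("platform-test-ca", true, nil) // stand-in for the anchor added in test/staging only
	prod := clientsPEM(tenantCA, pinned)
	test := clientsPEM(tenantCA, pinned, extraCA)
	fmt.Println("client issued by tenant CA, prod:", accepted(prod, issue("feed-client", false, tenantCA)))
	fmt.Println("pinned client, prod:", accepted(prod, pinned))
	fmt.Println("unrelated issuer, prod:", accepted(prod, issue("stranger", false, issue("unrelated-ca", true, nil))))
	runner := issue("system-test-runner", false, extraCA)
	fmt.Println("test runner, prod:", accepted(prod, runner))
	fmt.Println("test runner, test zone:", accepted(test, runner))
}
```

<p>
Listing a leaf certificate pins exactly that certificate, so rotating it means redeploying a new
<code>clients.pem</code>; listing an issuer admits everything it signs, which makes client rotation
independent of the application package but also means anyone holding that issuer's key can mint
accepted clients. Whatever is listed, the anchors are the whole policy: a certificate that chains to
nothing in the file is refused during the handshake, before the application sees a request.
</p>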
<h2 id="application-isolation">Application isolation</h2>
<p>
Each application node runs in its own isolated Docker container.
</p><p>
All internal communication between nodes in an application is secured in two layers:
<ul>
<li>Network ACLs (iptables) allowing only local communication within the application</li>
<li>Mutual TLS with authorization only allowing nodes from the same application</li>
</ul>
</p>
<h2 id="data-at-rest">Data at rest</h2>
<p>
All content written to Vespa is encrypted at rest.
</p>