Jaeger In-depth security
yurishkuro opened this issue · 6 comments
In the 2019-05-04 Jaeger security audit, the auditors wrote:
no actual security threats have been identified and only a handful of miscellaneous issues could be spotted.
However, the auditors were concerned with the lack of the actual security mechanisms:
Everywhere in the codebase and in terms of key properties, a correct and complete configuration of the deployment and execution environment is a precondition and main approach. Such a complete reliance on perimeter-security calls the generally accepted industry practice of defense-in-depth into question.
This issue is a checklist of the existing security mechanisms in Jaeger, and any remaining gaps. It is broken into pairwise connections between Jaeger components.
Please refer to Security page in Jaeger documentation for instructions on securing Jaeger installation.
Client to Agent
Agent is deprecated (#1718).
-
UDP channels - no TLS/authentication - HTTP config channel - #2249
Client to Collector
- HTTP - #2249
- Note: some clients support passing auth-tokens or basic auth, that can be used if a reverse proxy is placed in front of collectors.
- Blog post: Secure architecture for Jaeger with Apache httpd reverse proxy on OpenShift
Agent to Collector
Agent is deprecated (#1718).
- gRPC - TLS with client cert authentication supported
Collector/Query to Storage
- Cassandra - TLS with client cert authentication supported;
bearer token propagation - Elasticsearch - TLS with client cert authentication supported; bearer token propagation
- Kafka - Kerberos authentication supported
Browser to UI
Consumers to Query Service
Cassandra - TLS with client cert authentication supported; bearer token propagation
Is there any documentation/tutorials on this?
I am trying to secure connection between the Collector and Cassandra storage but have have not been able to successfully implement it.
@rubenvp8510 is the bearer token propagation working already? I thought it hasn't been merged yet.
@jpkrohling it is already working and I added tests here. but not on operator side, which is the current task I'm working on.
note that at this moment, token propagation only works on ES, as far as I know there is no plans for support it on cassandra.
Thanks for the info, @rubenvp8510. I changed the description to strike through the "bearer token propagation" in the Cassandra item (cc @j771).
How to configure the Agent container to use TLS with client cert authentication? I'm running the Collector with mTLS. How do I tell the agent to use the client certs?
Aren't these flags what you need?
$ go run ./cmd/agent help | grep tls
--reporter.grpc.tls Enable TLS when talking to the remote server(s)
--reporter.grpc.tls.ca string Path to a TLS CA (Certification Authority) file used to verify the remote server(s) (by default will use the system truststore)
--reporter.grpc.tls.cert string Path to a TLS Certificate file, used to identify this process to the remote server(s)
--reporter.grpc.tls.key string Path to a TLS Private Key file, used to identify this process to the remote server(s)
--reporter.grpc.tls.server-name string Override the TLS server name we expect in the certificate of the remove server(s)