census-instrumentation / opencensus-service

OpenCensus service allows OpenCensus libraries to export to an exporter service rather than having to link vendor-specific exports.
Apache License 2.0

Allow specifying an address for all receivers #639

Closed dmathieu closed 4 years ago

dmathieu commented 4 years ago

Listening on all network interfaces is a security risk on our platform, as we can't easily restrict which ports are available to other components within the cluster. In order to set up an authentication reverse proxy and have it really be enforced, we therefore need to be able to start the endpoints on the loopback network interface only.

flands commented 4 years ago

@dmathieu sure, but you can always change the config. If you deploy as a collector you need to expose anyway. In addition, the receivers can support authentication if needed.

codecov[bot] commented 4 years ago

Codecov Report

Merging #639 into master will increase coverage by <.01%. The diff coverage is 100%.


```
@@            Coverage Diff             @@
##           master     #639      +/-   ##
==========================================
+ Coverage   69.34%   69.35%   +<.01%     
==========================================
  Files          93       93              
  Lines        6158     6160       +2     
==========================================
+ Hits         4270     4272       +2     
  Misses       1661     1661              
  Partials      227      227
```

| Impacted Files | Coverage Δ |
| --- | --- |
| cmd/occollector/app/builder/builder.go | 66.17% <ø> (ø) :arrow_up: |
| receiver/jaegerreceiver/trace_receiver.go | 79.51% <100%> (ø) :arrow_up: |
| internal/collector/opencensus/receiver.go | 85.96% <100%> (+0.51%) :arrow_up: |


dmathieu commented 4 years ago

I know the collector needs exposing anyway. But by limiting the network interface here, I can set up a reverse proxy on top of it, which handles authentication. I can then make sure only the reverse proxy is available, not the collector running without authentication.

As for the receivers supporting authentication, I'm not sure what you mean. I've not seen any documentation or hints in the code about setting that up.

dmathieu commented 4 years ago

Let me try to give additional context. This is a simplified diagram of our architecture:

[Diagram: heroku-occollector]

Because our platform makes all ports open on the public network interface to any other container in the same cluster, a compromised process could bypass authentication in our reverse proxy and send any traces to the collector.

Specifying the network interface on which the collector needs to listen will allow us to prevent connections from outside the container itself, and remove that security concern.
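The start-up check this thread is asking for, as an added Go example that is not code from opencensus-service: it classifies a receiver's `host:port` endpoint as loopback-only, wildcard (all interfaces) or a specific interface, and refuses to accept anything but loopback, so a receiver meant to sit behind the authenticating reverse proxy cannot silently end up reachable from other containers in the cluster. The function names and the sample addresses are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net"
)

// Exposure says who can reach a receiver bound to a given address.
type Exposure string

const (
	Loopback  Exposure = "loopback"  // same host/container only
	Wildcard  Exposure = "wildcard"  // all interfaces: any container in the cluster
	Interface Exposure = "interface" // one specific, non-loopback interface
)

// ClassifyListenAddr inspects a host:port endpoint such as "127.0.0.1:55678".
// An empty host, "0.0.0.0" or "::" mean all interfaces, the default this PR
// wanted to be able to override. Hostnames are rejected so exposure is unambiguous.
func ClassifyListenAddr(addr string) (Exposure, error) {
	host, _, err := net.SplitHostPort(addr)
	if err != nil {
		return Wildcard, err
	}
	ip := net.ParseIP(host)
	switch {
	case host == "" || ip.IsUnspecified():
		return Wildcard, nil
	case ip == nil:
		return Wildcard, errors.New("use a literal IP, not a hostname: " + host)
	case ip.IsLoopback():
		return Loopback, nil
	}
	return Interface, nil
}

// MustBeLoopback is the start-up check a deployment behind an authenticating
// reverse proxy would run: refuse to start a receiver on anything but loopback.
func MustBeLoopback(addr string) error {
	exp, err := ClassifyListenAddr(addr)
	if err != nil {
		return err
	}
	if exp != Loopback {
		return fmt.Errorf("receiver address %q is %s; bind to 127.0.0.1 or [::1]", addr, exp)
	}
	return nil
}
```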

dmathieu commented 4 years ago

Closing as stale.