Probably there will be a safer approach before merge when we finish with Redis changes.
Not sure what you mean by this; what do you consider unsafe here? The fact that there's no password setup?
I think it saves us an illusion of safety; without proper threat modelling and audits, I am not sure if setting a password increases safety. And if we do, perhaps we need to think about upping the security system-wide, for example also for OpenSearch. We would probably want to build in checks for specific escalations and maybe use something like HashiCorp's Vault to manage secrets.
It might make sense to define several attack scenarios (e.g. remote arbitrary code execution for unprivileged users) and set policies based on these. Then we could decide what's the best way to address them with minimal complexity overhead (opaqueness being the enemy of security). What would you reckon?