Open afoninsky opened 4 years ago
is this being worked on ?
Hi @ahsandar ! We are not actively on it right now, but we are aware of the need for it. It is possible to use mutual TLS for this today, but we do want to add an easier to use mechanism.
i can give mTLS try but do you have docs or guide on how to set this up using self signed cert ? I couldn't find anything and searching for "vector" is too generic to get results anywhere
Hi @ahsandar !
We should definitely get some docs up around this. The simplest thing you could do is:
vector
source, generate a self-signed certificate. Say we call this server.crt
with server.pem
.vector
sink, generate a self-signed certificate. Say we call this client.crt
with client.pem
.vector
sink with client.crt
as tls.crt_file
and client.pem
as tls.key_file
.vector
source with server.crt
as the tls.crt_file
, server.pem
as the tls.key_file
, and client.crt
as the tls.ca_file
(this would have Vector validate that the incoming connections match client.crt
).I haven't actually tried to set this up myself, but that should work. Let me know how it goes for you!
Generating a self-signed certificate can be down with openssl via:
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.crt -sha256 -days 365
i updated the source with tls config and one of the two sink boxes with tls. only the sink with tls should be able to send data ? but i can see data incoming from the box with no tls config as well O_o. Even though I have added tls.verify_certificate
on source it still accepts traffic from non tls configured sinks
Just noting that we discussed this in Discord and I neglected to include that tls.enabled
has to be set to true
.
By the way, here there are some examples for implementing token-based authentication mechanism for gRPC, based on tonic
: https://github.com/hyperium/tonic/tree/master/examples/src/authentication
I've just verified that this mTLS works. The description by @jszwedko omits the need to set tls.verify_certificate: true
. Without this on the receiving server, anyone can write to it as long as they present any certificate. The default for that value is false
.
I've got an example that people can play with here:
https://gist.github.com/godber/5d0ec63c69dac00e99b1b5da2db9ef9a
The participants are:
vector
sink) who writes JSON records to Bobvector
source) who logs
Problem: We expose vector instances to our clients or untrusted environments. Currently, any client is able to push data using GRPC.
Current solution: create mutual TLS or private communication networks. This is good in terms of security but complicates the infrastructure and sometimes it's not possible / not required.
Suggestions: 1) Create a secret token (shared secret) which can be injected via config and/or env variable. Can be done as a quick solution for "vector" source-sink and will solve our problem. 2) Implement global authorization schema which can be exposed to various sources-sinks (vector, http, etc.). 3) other options ?