Jaeger In-depth security

[yurishkuro]

In the 2019-05-04 Jaeger security audit, the auditors wrote:

no actual security threats have been identified and only a handful of miscellaneous issues could be spotted.

However, the auditors were concerned with the lack of the actual security mechanisms:

Everywhere in the codebase and in terms of key properties, a correct and complete configuration of the deployment and execution environment is a precondition and main approach. Such a complete reliance on perimeter-security calls the generally accepted industry practice of defense-in-depth into question.

This issue is a checklist of the existing security mechanisms in Jaeger, and any remaining gaps. It is broken into pairwise connections between Jaeger components.

Please refer to Security page in Jaeger documentation for instructions on securing Jaeger installation.

Client to Agent

Agent is deprecated (#1718).

• UDP channels - no TLS/authentication
• HTTP config channel - Support TLS and mTLS in collector and query HTTP servers #2249

Client to Collector

• HTTP - Support TLS and mTLS in collector and query HTTP servers #2249
  • Note: some clients support passing auth-tokens or basic auth, that can be used if a reverse proxy is placed in front of collectors.
  • Blog post: Secure architecture for Jaeger with Apache httpd reverse proxy on OpenShift

Agent to Collector

Agent is deprecated (#1718).

• gRPC - TLS with client cert authentication supported
  • Blog post: Protecting the collection of spans (using Keycloak)

Collector/Query to Storage

• Cassandra - TLS with client cert authentication supported; bearer token propagation
• Elasticsearch - TLS with client cert authentication supported; bearer token propagation
• Kafka - Kerberos authentication supported

Browser to UI

• HTTP - TLS (Support TLS and mTLS in collector and query HTTP servers #2249)
• HTTP - authentication ([Feature]: Authentication support for Jaeger UI #4840)
  • Blog post: Protecting Jaeger UI with an OAuth sidecar Proxy

Consumers to Query Service

• HTTP - Support TLS and mTLS in collector and query HTTP servers #2249
• gRPC - Support mTLS on query-service gRPC endpoints #2248

[j771]

Cassandra - TLS with client cert authentication supported; bearer token propagation

Is there any documentation/tutorials on this?
I am trying to secure connection between the Collector and Cassandra storage but have have not been able to successfully implement it.

[jpkrohling]

@rubenvp8510 is the bearer token propagation working already? I thought it hasn't been merged yet.

[rubenvp8510]

@jpkrohling it is already working and I added tests here. but not on operator side, which is the current task I'm working on.

note that at this moment, token propagation only works on ES, as far as I know there is no plans for support it on cassandra.

[jpkrohling]

Thanks for the info, @rubenvp8510. I changed the description to strike through the "bearer token propagation" in the Cassandra item (cc @j771).

[maestr0]

How to configure the Agent container to use TLS with client cert authentication? I'm running the Collector with mTLS. How do I tell the agent to use the client certs?

[yurishkuro]

Aren't these flags what you need?

$ go run ./cmd/agent help | grep tls
      --reporter.grpc.tls                                         Enable TLS when talking to the remote server(s)
      --reporter.grpc.tls.ca string                               Path to a TLS CA (Certification Authority) file used to verify the remote server(s) (by default will use the system truststore)
      --reporter.grpc.tls.cert string                             Path to a TLS Certificate file, used to identify this process to the remote server(s)
      --reporter.grpc.tls.key string                              Path to a TLS Private Key file, used to identify this process to the remote server(s)
      --reporter.grpc.tls.server-name string                      Override the TLS server name we expect in the certificate of the remove server(s)