vector icon indicating copy to clipboard operation
vector copied to clipboard
verified publisher icon vectordotdev

Auth between Vectors

Open afoninsky opened this issue 5 years ago • 7 comments

Problem: We expose vector instances to our clients or untrusted environments. Currently, any client is able to push data using GRPC.

Current solution: create mutual TLS or private communication networks. This is good in terms of security but complicates the infrastructure and sometimes it's not possible / not required.

Suggestions:

  1. Create a secret token (shared secret) which can be injected via config and/or env variable. Can be done as a quick solution for "vector" source-sink and will solve our problem.
  2. Implement global authorization schema which can be exposed to various sources-sinks (vector, http, etc.).
  3. other options ?

afoninsky avatar Mar 10 '20 11:03 afoninsky

is this being worked on ?

ahsandar avatar Nov 09 '21 07:11 ahsandar

Hi @ahsandar ! We are not actively on it right now, but we are aware of the need for it. It is possible to use mutual TLS for this today, but we do want to add an easier to use mechanism.

jszwedko avatar Nov 09 '21 15:11 jszwedko

i can give mTLS try but do you have docs or guide on how to set this up using self signed cert ? I couldn't find anything and searching for "vector" is too generic to get results anywhere

ahsandar avatar Nov 10 '21 06:11 ahsandar

Hi @ahsandar !

We should definitely get some docs up around this. The simplest thing you could do is:

  1. For the Vector with a vector source, generate a self-signed certificate. Say we call this server.crt with server.pem.
  2. For the Vector with a vector sink, generate a self-signed certificate. Say we call this client.crt with client.pem.
  3. Configure the vector sink with client.crt as tls.crt_file and client.pem as tls.key_file.
  4. Configure the vector source with server.crt as the tls.crt_file, server.pem as the tls.key_file, and client.crt as the tls.ca_file (this would have Vector validate that the incoming connections match client.crt).

I haven't actually tried to set this up myself, but that should work. Let me know how it goes for you!

Generating a self-signed certificate can be down with openssl via:

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.crt -sha256 -days 365

jszwedko avatar Nov 10 '21 15:11 jszwedko

i updated the source with tls config and one of the two sink boxes with tls. only the sink with tls should be able to send data ? but i can see data incoming from the box with no tls config as well O_o. Even though I have added tls.verify_certificate on source it still accepts traffic from non tls configured sinks

ahsandar avatar Nov 11 '21 05:11 ahsandar

Just noting that we discussed this in Discord and I neglected to include that tls.enabled has to be set to true.

jszwedko avatar Nov 11 '21 18:11 jszwedko

By the way, here there are some examples for implementing token-based authentication mechanism for gRPC, based on tonic: https://github.com/hyperium/tonic/tree/master/examples/src/authentication

zamazan4ik avatar Sep 18 '22 03:09 zamazan4ik

I've just verified that this mTLS works. The description by @jszwedko omits the need to set tls.verify_certificate: true. Without this on the receiving server, anyone can write to it as long as they present any certificate. The default for that value is false.

I've got an example that people can play with here:

https://gist.github.com/godber/5d0ec63c69dac00e99b1b5da2db9ef9a

The participants are:

  • Alice - Client (with vector sink) who writes JSON records to Bob
  • Bob - Server (with vector source) who logs
  • Mallory - Malicious client who is trying to write syslog records to Bob but is getting TLS errors since his cert is not trusted by Bob.

godber avatar Jan 27 '23 21:01 godber