Security features (basic auth and hidden credentials) #889
Conversation
… prevent showing credentials in ps output
Thanks for the PR! I think you can use env variables to prevent issues with surfacing sensitive information via `ps`. The basic auth support can be done by e.g. nginx, but adding it to the exporter seems rather minimal, so I'm ok with that. Can you please split out the basic auth stuff into its own PR so it can be reviewed/discussed independently from the config file stuff? Thanks!
Hi @oliver006, The command "ps auxewww" displays all environment variables, which is why loading configuration from a file is considered more secure. Regarding the basic authentication function, setting up an additional nginx instance appears redundant and offers no benefits, only expenses—namely, additional configuration, automation, and packages to maintain. Please note that other exporters, such as mongodb-percona, also provide administrators with the option to enable basic authentication.
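To make the precedence the PR proposes concrete (explicit flag first, then the environment, then the config file as the lowest priority), here is an added Go example; it is not code from the PR or from the exporter's code base, and the function names, the key=value file format and the `password` key are assumptions for the example. It also refuses a config file that is group- or world-readable, because a file only improves on `ps auxewww` if its mode actually restricts it to the exporter's own user.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"os"
	"strings"
)

// Credentials holds the secret the exporter needs to reach Redis.
// The struct and its field names are assumptions for this example.
type Credentials struct {
	Password string
	Source   string // "flag", "env" or "file": which source supplied it
}

// resolvePassword applies the precedence discussed in the PR: an explicit
// flag wins, then the environment, and the config file is consulted last
// (lowest priority). flagVal and envVal are passed in by the caller so the
// function can be exercised without touching the real process environment.
func resolvePassword(flagVal, envVal, path string) (Credentials, error) {
	if flagVal != "" {
		return Credentials{Password: flagVal, Source: "flag"}, nil
	}
	if envVal != "" {
		return Credentials{Password: envVal, Source: "env"}, nil
	}
	pw, err := passwordFromFile(path)
	if err != nil {
		return Credentials{}, err
	}
	return Credentials{Password: pw, Source: "file"}, nil
}

// passwordFromFile reads "password=<value>" from a simple key=value file.
// It refuses files readable by group or others: a secret file is only
// safer than flags or environment variables if it is actually restricted.
func passwordFromFile(path string) (string, error) {
	info, err := os.Stat(path)
	if err != nil {
		return "", err
	}
	if perm := info.Mode().Perm(); perm&0o077 != 0 {
		return "", fmt.Errorf("%s: mode %04o is group/world accessible; expected 0600", path, perm)
	}
	f, err := os.Open(path)
	if err != nil {
		return "", err
	}
	defer f.Close()

	sc := bufio.NewScanner(f)
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue // blank lines and comments
		}
		k, v, ok := strings.Cut(line, "=")
		if ok && strings.TrimSpace(k) == "password" {
			return strings.TrimSpace(v), nil
		}
	}
	if err := sc.Err(); err != nil {
		return "", err
	}
	return "", errors.New("password not found in config file")
}

func main() {
	// Constructed sample: a 0600 config file, and neither flag nor env set,
	// so the file is the source that wins.
	path := "exporter-sample.conf"
	if err := os.WriteFile(path, []byte("# constructed sample\npassword=s3cret\n"), 0o600); err != nil {
		panic(err)
	}
	defer os.Remove(path)
	c, err := resolvePassword("", "", path)
	fmt.Println(c.Source, err) // file <nil>
}
```

The permission check is the part worth keeping in mind: moving a secret from the command line into a file removes it from `ps` output, but a world-readable file is no better than an environment variable, so the loader should refuse it rather than silently accept it.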
Interesting, I didn't know that. That certainly opens a vector to retrieving secrets, but it also requires the right user permissions, no? And if e.g. root is compromised (to read all env variables), then the attacker can also read the file with secrets? I'm asking to make sure that this actually adds additional protections.
The counter-argument is that adding an nginx sidecar with basic auth is lightweight, and one of the most robust, battle-tested web servers that I would trust to robustly handle malicious input from the internet.
No, root access is not needed in certain cases - that allows an attacker to escalate their permissions. Confidential data must not be provided to a process via flags/arguments or environment variables. That's why lots of processes like web servers, databases, etc. hide their environment variables, e.g.:
You can always choose nginx or other software; this should be an option. As I wrote earlier, lots of exporters give you such an option, so that approach will be more consistent with the Prometheus ecosystem.
Closing - please re-open with a reduced/more focused scope, as per the discussion in this PR, if there's interest from the author.
Allow loading configuration from the config file with the lowest priority, to prevent showing credentials in ps output for security reasons, and also a critical feature by @AirTrioa: basic auth on the exporter endpoint.
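As an added example of the basic-auth option the PR describes (this is not the PR's own code, nor the exporter's), here is a Go `net/http` middleware that guards a stand-in metrics handler. The username, password, realm and listen address are assumptions for the example. The credentials are hashed with SHA-256 and then compared with `crypto/subtle`, so the comparison runs in constant time and does not depend on the length of the configured secret.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"log"
	"net/http"
	"net/http/httptest"
)

// basicAuth wraps next so that every request must carry valid HTTP Basic
// credentials. user and pass are assumptions for this example; in a real
// exporter they would come from its configuration.
func basicAuth(user, pass string, next http.Handler) http.Handler {
	// Hash the expected values once; fixed-length digests mean the
	// constant-time compare below never short-circuits on length.
	wantUser := sha256.Sum256([]byte(user))
	wantPass := sha256.Sum256([]byte(pass))
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		u, p, ok := r.BasicAuth()
		if ok {
			gotUser := sha256.Sum256([]byte(u))
			gotPass := sha256.Sum256([]byte(p))
			userOK := subtle.ConstantTimeCompare(gotUser[:], wantUser[:]) == 1
			passOK := subtle.ConstantTimeCompare(gotPass[:], wantPass[:]) == 1
			if userOK && passOK {
				next.ServeHTTP(w, r)
				return
			}
		}
		// Missing or wrong credentials: challenge the client, reveal nothing else.
		w.Header().Set("WWW-Authenticate", `Basic realm="metrics", charset="UTF-8"`)
		http.Error(w, "unauthorized", http.StatusUnauthorized)
	})
}

// metricsHandler stands in for the exporter's /metrics endpoint.
func metricsHandler() http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "text/plain; version=0.0.4")
		w.Write([]byte("# constructed sample metric\nredis_up 1\n"))
	})
}

// probe sends one in-process request, with credentials if given,
// and returns the HTTP status code the handler produced.
func probe(h http.Handler, user, pass string) int {
	req := httptest.NewRequest(http.MethodGet, "/metrics", nil)
	if user != "" || pass != "" {
		req.SetBasicAuth(user, pass)
	}
	rr := httptest.NewRecorder()
	h.ServeHTTP(rr, req)
	return rr.Code
}

func main() {
	h := basicAuth("prom", "s3cret", metricsHandler())
	log.Println("no credentials:", probe(h, "", ""))         // 401
	log.Println("wrong password:", probe(h, "prom", "nope")) // 401
	log.Println("valid:", probe(h, "prom", "s3cret"))        // 200
	// Listen address is an assumption for the example.
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", h))
}
```

Basic auth sends the credentials in every request, so in deployment it belongs behind TLS; the middleware above is what the "option in the exporter" from the discussion amounts to, and it is small enough that the nginx-versus-built-in question is mostly about who operates the TLS and auth layer.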