
Create and review threat model for Aspire Dashboard #2679

Closed
9 of 10 tasks
kvenkatrajan opened this issue Mar 6, 2024 · 2 comments

Comments

@kvenkatrajan
Member

kvenkatrajan commented Mar 6, 2024

Relates to #237

@drewnoakes

  • Create threat model diagrams for localhost, ACA and external scenarios
  • Introduce an UnsafeAuthMode environment variable which is off by default, forcing the dashboard to not render since required authentication is not performed
  • Mitigation document in case UnsafeAuthMode is applied
  • Ensure that authentication/authorization of dashboard is supported for external hosting scenarios (via OpenID Connect auth flow) - Dashboard certification and authorization #1483
  • Ensure that all communications endpoints are defaulted to use https in case UnsafeAuthMode != true
  • Ensure that for external hosting grpc endpoints are authenticated (via ClientCertificate)
  • Ensure for ACA that the otel grpc channel to otelcollector is authenticated
  • Ensure that dashboard localhost can connect only to resource server on localhost
  • Ensure dashboard performs audit logging
  • Ensure access to sensitive data is protected/authorized

CC: @joperezr , @davidfowl, @JamesNK
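The hardening items in the task list above can be expressed as a policy-as-code check that a deployment pipeline runs against the dashboard configuration. This is an added example, not code from the issue or from Aspire itself; the config keys (unsafe_auth_mode, hosting, endpoints, resource_server_url, grpc_client_cert_required, otel_collector_authenticated, audit_logging) are hypothetical names chosen for illustration, not the dashboard's real settings.

```python
import ipaddress
from urllib.parse import urlparse


def _is_loopback(url: str) -> bool:
    """True when the URL host is 'localhost' or a loopback IPv4/IPv6 address."""
    host = urlparse(url).hostname or ""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # not an IP literal (e.g. a DNS name or empty host)
        return False


def check_dashboard_config(cfg: dict) -> list[str]:
    """Return policy violations for a (hypothetical) dashboard config dict.

    An empty list means the configuration satisfies the checklist items.
    """
    findings: list[str] = []
    unsafe = bool(cfg.get("unsafe_auth_mode", False))  # off by default
    hosting = cfg.get("hosting", "localhost")  # 'localhost' | 'aca' | 'external'
    endpoints = cfg.get("endpoints", {})  # name -> URL

    # Unless UnsafeAuthMode is explicitly on, every endpoint must be https.
    if not unsafe:
        for name, url in endpoints.items():
            if urlparse(url).scheme != "https":
                findings.append(f"endpoint '{name}' is not https: {url}")

    # A localhost dashboard may only talk to a resource server on localhost.
    if hosting == "localhost" and not _is_loopback(cfg.get("resource_server_url", "")):
        findings.append("resource server is not on localhost")

    # External hosting: grpc endpoints must require a client certificate.
    if hosting == "external" and not cfg.get("grpc_client_cert_required", False):
        findings.append("external hosting without client-certificate auth on grpc")

    # ACA: the otel grpc channel to the collector must be authenticated.
    if hosting == "aca" and not cfg.get("otel_collector_authenticated", False):
        findings.append("ACA: otel collector channel is not authenticated")

    # Audit logging must be on regardless of hosting scenario.
    if not cfg.get("audit_logging", False):
        findings.append("audit logging is disabled")
    return findings
```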

@kvenkatrajan
Member Author

Fixed via #3033 (oidc and resource server), #2316 (OTLP), #3119 (configuration unification)

@KalleOlaviNiemitalo

Create threat model diagrams for localhost, ACA and external scenarios

Are the diagrams public? I didn't find any in the linked pull requests.

@github-actions github-actions bot locked and limited conversation to collaborators May 12, 2024