New component: confmap.Provider for credential encryption #35550
Comments
shazlehu
added
needs triage
|
@shazlehu If you are passing the key through an environment variable, what is the security benefit of doing this instead of just using the |
|
@mx-psi While I agree the security advantage over the However, the real benefit this provider adds is in dealing with large, dynamic configs, such as those managed through OpAMP. With the With this proposed provider, collectors could be deployed with the two proposed variables (key, key type) and changing a collector's configuration wouldn't require a change to the environment or a redeploy of the collector. |
|
cc @evan-bradley @atoulme @tigrannajaryan @BinaryFissionGames any thoughts on the OpAMP use case? |
Does this refer to Supervisor's persistence of config to disk? If I remember correctly we recently added the ability to redact config settings when OpAMP Supervisor persists the effective config. Or is this about the user putting those credentials manually in a config file and supplying the config via --config? If OpAMP is used this should not be the case, the config comes from the server. So, I am a bit confused about which particular scenario this refers to and what kind of attack exactly the proposed solution prevents. |
The config reported in the EffectiveConfig message should be redacted properly, but I think this issue is more about the config that's persisted to disk for the collector to read. It necessarily needs the secrets in the config for the collector to be able to read them. If that config file were written with the wrong permissions, or a user had configured their groups wrong (once we implement So, it seems like the concern is having those secrets written to a file. If that's the issue, the only way to solve it seems to be some encryption scheme. We need to persist those secrets in some format because the collector will need them to run. There could be other ways to accomplish this goal (e.g. persisted RemoteConfig message is encrypted on-disk by supervisor, collector configuration is passed directly as yaml to the command line so the final config never persisted to disk). |
Ah, yes, that file. Makes sense. For completeness, just a reminder that OpAMP has built-in support for connection settings to be provided via OpAMP protocol instead of being stored in the config. It is intended to be used for exporters, although we may be able to stretch it to use for receivers too. However, the plan was that these credentials will be written to the config file by the Supervisor, so we are back to the same problem when the config file is persisted. If we could make opampextension aware of |
We could make an OpAMP confmap provider that would allow sending the configuration to the Collector through a socket, which would let us avoid writing any configuration to the disk. |
Right. I think, we would need to combine it with opampextension since config providers don't have access to what extension have (e.g. |
|
Yeah, they would have to implement complementary OpAMP capabilities. I think the provider would only implement Unfortunately any communication between the two would require some kind of global state that exists outside of the Collector framework, for example if we wanted to report remote config status in the extension after receiving it in the confmap provider. It would also be challenging to share a single connection between the two. |
|
I think the idea of using OpAMP to retrieve credentials at runtime is interesting but my understanding is that this presents a number of challenges. Confmap providers work on the config before there is any semantic understanding of it, and before any extensions can be created. I'm not opposed to the idea but unless there is a clear path forward, can this be a separate issue?
This is the key benefit of what was originally proposed. I don't see it as a meaningful increase in security over the Are there any objections to moving this forward solely as a confmap provider? If not, I'm willing to sponsor the provider. |
|
I have no objections to this, it seems to solve real practical issues even if security is not improved. One thing that I do wonder is how we plan to support different encryption schemes. For a start, we should support a single scheme and key size, but we need to think about how to support more as time goes by and schemes get deprecated/people have different use cases. Concretely: do we just do this? Do we want a different provider per encryption scheme (so e.g. here instead of |
I'm in favor of this. At least some other encryption schemes are likely to require different inputs. We might as well just be specific for now. It also simplifies the minimum config for this one, since we'd only need one environment variable. |
|
Sounds like a good path forward. I'll revise the PR to be AES-specific. Thanks for the helpful input! |
|
If there are no objections before Wednesday, I'll mark this as an Accepted Component |
…ption of values (#35549) **Description:** This package provides a `confmap.Provider` implementation for symmetric AES encryption of credentials (and other sensitive values) in configurations. It relies on the environment variable `OTEL_CREDENTIAL_PROVIDER` with the value of the AES key, base64 encoded. 16, 24, or 32 byte keys are supported, selecting AES-128, AES-192, or AES-256 respectively. An AES 32-byte (AES-256) key can be generated using the following command: ```shell openssl rand -base64 32 ``` Configurations can now use placeholders with the following pattern `${credential:<encrypted & base64-encoded value>}`. The value will be decrypted using the AES key provided in the environment variable `OTEL_CREDENTIAL_PROVIDER` > For example: > > ```shell > export OTEL_CREDENTIAL_PROVIDER="GQi+Y8HwOYzs8lAOjHUqB7vXlN8bVU2k0TAKtzwJzac=" > ``` > > ```yaml > password: ${aes:RsEf6cTWrssi8tlssfs1AJs2bRMrVm2Ce5TaWPY=} > ``` > > will resolve to: > ```yaml > password: '1' > ``` Since AES is a symmetric encryption algorithm, the same key must be used to encrypt and decrypt the values. If the key is exchanged between the collector and a server, it should be done over a secure connection. When the collector persists its configuration to disk, storing the key in the environment prevents compromising secrets in the configuration. It still presents a vulnerability if the attacker has access to the collector's memory or the environment's configuration, but increases security over plaintext configurations. **Testing:** Unit tests with 93.0% coverage, built agent and configured with `${credential:<encrypted value>}` values. **Documentation:** `README.md` reflecting this PR description. **Issue:** #35550
The purpose and use-cases of the new component
Many receivers and exporters require credentials that deployers want to keep confidential, particularly when collectors are deployed to systems where users have elevated access. When the collector persists its configuration to disk, storing credentials in plain text is a potential vulnerability. This provider will allow configurations to use AES-encrypted values by decrypting configuration values using a key stored as an environment variable. This still presents a vulnerability if the attacker has access to the collector's memory or the environment's configuration, but increases security over plaintext configurations.
Example configuration for the component
${credential:<value>}values must be replaced with valid, AES encrypted & base64-encoded values.Telemetry data types supported
All
Is this a vendor-specific component?
Code Owner(s)
No response
Sponsor (optional)
No response
Additional context
No response
The text was updated successfully, but these errors were encountered: