Add Monasca Grafana security note

Update the Monasca docs to improve security considerations.

Trivial-Fix
Change-Id: I97eb8441466f8c6abdbd66068257765bdbe32d4d
Doug Szumski 2021-02-16 10:40:00 +00:00
parent 2b906bc382
commit 6af802d163
2 changed files with 19 additions and 2 deletions


@ -32,6 +32,10 @@ fairly straightforward exercise.
Pre-deployment configuration
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Before enabling Monasca, read the :ref:`Security impact` section and
decide whether you need to configure a firewall, and/or wish to prevent
users from accessing Monasca services.
Enable Monasca in ``/etc/kolla/globals.yml``:
.. code-block:: yaml
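
Review bot: The new ``:ref:`Security impact``` cross-reference in the pre-deployment paragraph depends on a very generic label name. Sphinx labels share one namespace across the whole documentation build, so a second guide that adds its own ``.. _Security impact:`` label would produce a duplicate-label warning and could send this link to the wrong page. Consider a guide-specific label such as ``monasca-security-impact`` and updating this reference to match. The sentence also asks the reader to decide whether to "prevent users from accessing Monasca services" without saying how; a short pointer to the mechanism would make the instruction actionable.
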
@ -353,11 +357,18 @@ multi-core CPU. You will also need enough space to store metrics and logs,
and to buffer these in Kafka. Whilst Kafka is happy with spinning disks,
you will likely want to use SSDs to back InfluxDB and Elasticsearch.
.. _Security impact:
Security impact
~~~~~~~~~~~~~~~
The Monasca API and the Monasca Log API will be exposed on public endpoints
via HAProxy/Keepalived.
The Monasca API, Log API and Grafana fork will be exposed on public
endpoints via HAProxy/Keepalived. If your public endpoints are exposed
externally, then you should use a firewall to restrict access. In
particular, external access to the Monasca Grafana endpoint should be
blocked, since it is effectively unmaintained and is likely to contain
unpatched vulnerabilities. You should also consider whether you
wish to allow tenants to access these services on the internal network.
If you are using the multi-tenant capabilities of Monasca there is a risk
that tenants could gain access to other tenants logs and metrics. This could
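
Review bot: The rewritten "Security impact" paragraph tells operators that external access to the Monasca Grafana endpoint "should be blocked" but never identifies that endpoint, so a reader cannot turn the advice into a firewall rule from this text alone. Suggest naming the port or the configuration variable that defines it, and stating whether the Grafana service can be disabled independently of the Monasca API and Log API. The closing sentence about tenant access on the internal network has the same gap: it raises the question without pointing to the control that restricts it. Since the paragraph is being touched anyway, "other tenants logs" in the following context line could be corrected to "other tenants' logs".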


@ -0,0 +1,6 @@
---
security:
- |
The Monasca Grafana service is effectively unmaintained and should
not be exposed externally, or in situations where the risk of
monitoring data leakage between tenants would be undesired.
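
Review bot: The ``security`` release note states the risk but gives the operator no action to take, and it is weaker than the documentation text added in the same commit, which tells operators to use a firewall and block external access to the Grafana endpoint. Suggest adding one sentence with the recommended action (restrict access to the public endpoint with a firewall) and a reference to the "Security impact" section of the Monasca guide. The phrase "would be undesired" would read more clearly as "is a concern".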