From 6af802d163b372078e205419e86ee3fa9fac51cb Mon Sep 17 00:00:00 2001 From: Doug Szumski Date: Tue, 16 Feb 2021 10:40:00 +0000 Subject: [PATCH] Add Monasca Grafana security note Update the Monasca docs to improve security considerations. Trivial-Fix Change-Id: I97eb8441466f8c6abdbd66068257765bdbe32d4d --- .../logging-and-monitoring/monasca-guide.rst | 15 +++++++++++++-- ...grafana-security-warning-0d3743122ccec331.yaml | 6 ++++++ 2 files changed, 19 insertions(+), 2 deletions(-) create mode 100644 releasenotes/notes/add-monasca-grafana-security-warning-0d3743122ccec331.yaml diff --git a/doc/source/reference/logging-and-monitoring/monasca-guide.rst b/doc/source/reference/logging-and-monitoring/monasca-guide.rst index 2644bf3b4b..a73d4a4254 100644 --- a/doc/source/reference/logging-and-monitoring/monasca-guide.rst +++ b/doc/source/reference/logging-and-monitoring/monasca-guide.rst @@ -32,6 +32,10 @@ fairly straightforward exercise. Pre-deployment configuration ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +Before enabling Monasca, read the :ref:`Security impact` section and +decide whether you need to configure a firewall, and/or wish to prevent +users from accessing Monasca services. + Enable Monasca in ``/etc/kolla/globals.yml``: .. code-block:: yaml 
@@ -353,11 +357,18 @@ multi-core CPU. You will also need enough space to store metrics and logs, and to buffer these in Kafka. Whilst Kafka is happy with spinning disks, you will likely want to use SSDs to back InfluxDB and Elasticsearch. +.. _Security impact: + Security impact ~~~~~~~~~~~~~~~ -The Monasca API and the Monasca Log API will be exposed on public endpoints -via HAProxy/Keepalived. +The Monasca API, Log API and Grafana fork will be exposed on public +endpoints via HAProxy/Keepalived. If your public endpoints are exposed +externally, then you should use a firewall to restrict access. In +particular, external access to the Monasca Grafana endpoint should be +blocked, since it is effectively unmaintained and is likely to contain +unpatched vulnerabilities. You should also consider whether you +wish to allow tenants to access these services on the internal network. If you are using the multi-tenant capabilities of Monasca there is a risk that tenants could gain access to other tenants logs and metrics. This could diff --git a/releasenotes/notes/add-monasca-grafana-security-warning-0d3743122ccec331.yaml b/releasenotes/notes/add-monasca-grafana-security-warning-0d3743122ccec331.yaml new file mode 100644 index 0000000000..25736509ff --- /dev/null +++ b/releasenotes/notes/add-monasca-grafana-security-warning-0d3743122ccec331.yaml @@ -0,0 +1,6 @@ +--- +security: + - | + The Monasca Grafana service is effectively unmaintained and should + not be exposed externally, or in situations where the risk of + monitoring data leakage between tenants would be undesired.
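Review bot: In the first monasca-guide.rst hunk (the new "Before enabling Monasca" paragraph under "Pre-deployment configuration"), the cross-reference target `:ref:`Security impact`` is a label with a space and a capital letter, which works in Sphinx but is unconventional and, because labels are global across the whole doc tree, a generic name like this is easy to collide with when another guide adds its own "Security impact" section. Suggest a namespaced, hyphenated label such as `.. _monasca-security-impact:` with `:ref:`monasca-security-impact``, and tightening "decide whether you need to configure a firewall, and/or wish to prevent users from accessing Monasca services" to two plain choices, e.g. "decide whether to restrict access with a firewall and whether to prevent tenants from reaching the Monasca services at all".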
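Review bot: In the second monasca-guide.rst hunk (the rewritten "Security impact" paragraph), the advice to "use a firewall to restrict access" and to block "external access to the Monasca Grafana endpoint" is not actionable as written: all three services sit behind the same HAProxy/Keepalived public VIP, so the operator cannot block Grafana by address and has to filter by port, yet the hunk names neither the port nor the `globals.yml` variable that sets it. Suggest stating the port (or variable) for the Grafana listener and for the Monasca API and Log API alongside the firewall recommendation, and naming the service ("the monasca-grafana fork") rather than "Grafana fork" so the reader can match it to the container. The claim that the fork "is likely to contain unpatched vulnerabilities" is the justification for the whole note and should point at the release note or upstream status it is based on, since "effectively unmaintained" on its own does not tell an operator how urgent the block is. The last sentence, "consider whether you wish to allow tenants to access these services on the internal network", would be clearer as a concrete recommendation (e.g. do not route tenant networks to the internal VIP unless multi-tenant access is intended), since the following paragraph already explains the cross-tenant leakage risk that motivates it.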
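Review bot: In the release note hunk (add-monasca-grafana-security-warning-0d3743122ccec331.yaml), the single bullet ties two different risks to the Grafana service that the documentation hunk keeps separate: the unmaintained Grafana fork (reason to block external access) and "monitoring data leakage between tenants" (a property of Monasca's multi-tenant mode, which the guide attributes to the Monasca API and Log API, not specifically to Grafana). Suggest either splitting it into two bullets or rewording so the tenant-leakage clause is not presented as a Grafana-specific issue, and replacing "would be undesired" with "is unacceptable" or "would be undesirable". The `security:` section is the right place for this, so the structure is fine.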