cyralinc / approzium
Approzium allows a cloud service to authenticate to a database without ever having access to its password
Home Page: https://approzium.com
License: Apache License 2.0
Do a general security review of the plugin, focusing on logic. Provide tests to ensure security issues don't arise over time.
Make sure we support Mac in general and especially with psycopg2 connections
Currently, we allow the Authenticator's configuration to be provided by env variables. However, we will soon have accumulated over 10 environment variables that may be set before startup. It would be a nicer developer experience to also support providing them via a file, and taking the path to the config file as a parameter when starting the Approzium Authenticator.
They would run the Go authenticator binary like this: $ authenticator -config=/path/to/config.yml. At a minimum, we would support the config file as .yml (because it supports comments, which can be very useful for people to use in explaining why this or that is set), but it would be a bonus if json were supported too.
This is intended to prevent an attacker from getting us to panic in order to maliciously take us down.
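One way to keep a single bad request from taking the whole Authenticator down is to recover panics per request and hand the caller a generic error. This is an added example, not Approzium's code; the Handler type is an assumption standing in for the real gRPC handler signature.

```go
package main

import (
	"context"
	"errors"
	"fmt"
)

// Handler is the shape of a gRPC-style unary handler (an assumption for this
// example; it stands in for the Authenticator's real handler signature).
type Handler func(ctx context.Context, req interface{}) (interface{}, error)

// ErrInternal is what the caller sees in place of any panic detail, so a
// request that trips a bug yields a generic error rather than a process
// crash or a leaked stack trace.
var ErrInternal = errors.New("internal error")

// WithRecovery wraps a handler so a panic inside it is turned into an error
// for that one request only; the process keeps serving other callers.
// The panic value is logged (here via fmt) for operators, never sent back.
func WithRecovery(next Handler) Handler {
	return func(ctx context.Context, req interface{}) (resp interface{}, err error) {
		defer func() {
			if r := recover(); r != nil {
				fmt.Printf("recovered panic in handler: %v\n", r)
				resp, err = nil, ErrInternal
			}
		}()
		return next(ctx, req)
	}
}

// lookupCreds is a deliberately fragile demo handler (constructed for this
// example): a nil or wrongly typed request makes the type assertion panic,
// as a malformed call against unguarded code might.
func lookupCreds(ctx context.Context, req interface{}) (interface{}, error) {
	m := req.(map[string]string) // panics on nil or on a wrong type
	return "creds for " + m["iam_arn"], nil
}
```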
The idea is to enrich tracing information with additional information we collect/gather such as instance metadata. Could target frameworks such as OpenTelemetry first.
We make the claim that we support Python 3.5+, however, it would be good to verify that in our CI. We can add matrix tests that run tests on Python 3.5, 3.6, 3.7, 3.8. Those tests have to run quickly, so they cannot include the Docker environment. Thus, we will have to mock the authenticator functionality in Python to allow the tests to run. This is not bad in itself because it allows us to isolate testing the Python SDK from the authenticator.
This includes:
Intended changes:
async operations
cache temp credentials
how will creds be stored in and retrieved from vault? are they stored against ARN as key?
I'm thinking we could add an endpoint in the Authenticator for adding credentials that would be accessible to clients. Since Authenticator needs them in a certain format, Authenticator would do the work of adding them in the format it needs.
This needs further design, but the endpoint would be one that you'd need admin access to. So we'd need to figure out a way to determine who administrators should be and how they authenticate to this Authenticator endpoint.
Then, after authenticating as an administrator, someone could CRUD credentials for clients. They would post to some endpoint, where the path would be something like the object the caller will be able to access (maybe a postgres DB, but also could be mysql, etc.). And the body would be something like:
{
"access_granted_to": [
{
// Each object here would vary by platform. For AWS it would be their IAM arns, but this should be extensible for Azure and GCP too.
}
],
"credentials": [
{
// Each object here would vary too due to needing to support multiple types of databases, but the reason we should allow multiple is because maybe somebody would want to be able to add 3 sets of credentials in case they're shared and they don't want to run out.
}
],
}
After receiving such a request, we would turn around and store the creds in whatever credential storage mechanism they're using.
I'm not totally stuck on this design, just trying to provide some food for thought. Also, I think this should be prioritized as low because, since users can also directly add credentials to things, this is more of a "nice to have" for UX than a "must have".
We should log inbound and outbound calls, as well as information that can help with attributing calls to a particular identity. However, by default, sensitive values should be redacted. There should be a toggle to make them not redacted that is via an API call that can only be changed by an administrator.
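A small call-record formatter that redacts by default and exposes the toggle the issue describes, added here as an example rather than Approzium's own logging code. The set of sensitive key names and the JSON record shape are assumptions.

```go
package main

import (
	"encoding/json"
	"strings"
)

// sensitiveKeys is an assumption for this example: field names whose values
// are masked unless an administrator has turned redaction off.
var sensitiveKeys = []string{"password", "secret", "token", "authorization"}

// CallLogger records inbound and outbound calls. Redact defaults to true and
// is meant to be flipped only through an admin-authenticated API call.
type CallLogger struct {
	Redact bool
}

func NewCallLogger() *CallLogger { return &CallLogger{Redact: true} }

// Format renders one call record as JSON. Sensitive fields are matched by
// key name, case-insensitively and by substring, so "DB_Password" is masked
// too. Identity is kept in clear so calls can be attributed.
func (l *CallLogger) Format(direction, identity string, fields map[string]string) string {
	rec := map[string]string{"direction": direction, "identity": identity}
	for k, v := range fields {
		if l.Redact && isSensitive(k) {
			v = "[REDACTED]"
		}
		rec[k] = v
	}
	b, _ := json.Marshal(rec) // encoding/json sorts map keys, so output is stable
	return string(b)
}

func isSensitive(key string) bool {
	k := strings.ToLower(key)
	for _, s := range sensitiveKeys {
		if strings.Contains(k, s) {
			return true
		}
	}
	return false
}
```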
from approzium import Authenticator
from approzium.psycopg2 import connect
auth = Authenticator(authenticator_addr, optional_iam_arn)
connect(<typical psycopg.connect() args>, authenticator = auth)
or
from approzium import Authenticator, set_default_authenticator
from approzium.psycopg2 import connect
auth = Authenticator(authenticator_addr, optional_iam_arn)
set_default_authenticator(auth)
connect(<typical psycopg.connect() args>)
or
from approzium import Authenticator, set_default_authenticator
import approzium.psycopg2
auth = Authenticator(authenticator_addr, optional_iam_arn)
set_default_authenticator(auth)
approzium.psycopg2.connect(<typical psycopg.connect() args>)
test connection establishment time
vary number of connections opened
When psycopg2 connect() is called with async=true, we expect that it returns an async connection for which the query behavior would be different. With this type of connection, the user would have to call wait() to get the results from a query, rather than having the execute() call block until results are returned. (source)
We want to be able to call connect() with async=true because it allows us to poll the connection without leaving the approzium python sdk, but above that we want no change to the query behavior. If we cannot revert the async connection to a sync connection, then we have to find an alternative method of establishing the connection.
Specifically, on the loggable metadata about the instance, a json() and maybe a string() method (or similar) that can just be called and logged prettily.
Postgres 10.0 and beyond include scram-sha-256 encryption for pw auth, which is more secure than md5
we might have to look into new client libs because per the docs: "it is not supported by older client libraries"
If possible, please implement support for scram-sha-256 encryption as an alternative to md5
Need to add .github files with instructions for contributors and such, example here.
Either remove the method (and replace with something more secure), or clearly comment upon reason for using it and risks.
we want it to come up as an ASG
Probably through Prometheus, but need to add more requirements to this.
these will be linked from approzium.org
tim - define outline, get necessary info from dio
This Github issue is a Request For Comment regarding adding an administrative API to Approzium.
Currently, to plant credentials for the Go authenticator to use in creating connections, people must directly place credentials in their storage back-end. They are placed as a JSON map, for example, these are placed for those using HashiCorp Vault:
$ vault write approzium/1.2.3.4:5432 [email protected]
# creds.json is:
{
"password": "asdfghjkl",
"iam_arns": [
"arn:aws:iam::accountid:role/rolename1",
"arn:aws:iam::accountid:role/rolename2"
]
}
This approach is brittle. A slight typo on the user's end regarding the Vault path or the credentials will result in the Authenticator failing to locate or authorize use of the credentials.
We would like to add an API that improves user experience.
We will take a secure by default approach, since this is a security application.
We would expose the following endpoints:
/v1/administrators/:username
/v1/administrators
We would expose endpoints specific to each database type for which we were given credentials. For example, since we currently support postgres:
/v1/creds/:human-friendly-name
{ iam_arns: [foo] }
/v1/creds
We would ensure that all endpoints were well described from the outset using Swagger, so that it would be easy in the future for others to build integrations with us, or for a UI to be built.
This is an early-stage RFC and I am happy to edit it as your feedback arrives! Please don't hesitate to comment. :-)
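Until the API exists, the brittleness the RFC describes can at least be caught at load time by validating the Vault key and the creds.json shape before use. This is an added example, not the Authenticator's code; the ARN regex is a loose shape check assumed for the example, and the page's "accountid" placeholder would be rejected by it.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net"
	"regexp"
)

// Creds mirrors the JSON map the RFC shows being written to Vault:
// the database password plus the IAM role ARNs allowed to use it.
type Creds struct {
	Password string   `json:"password"`
	IAMArns  []string `json:"iam_arns"`
}

// arnPattern is an assumption made for this example: a loose shape check
// for arn:aws:iam::<12-digit account>:role/<name>; it is not AWS's full grammar.
var arnPattern = regexp.MustCompile(`^arn:aws:iam::\d{12}:role/[A-Za-z0-9+=,.@_/-]+$`)

// ValidatePath checks the "host:port" part of the Vault key (approzium/1.2.3.4:5432)
// up front, so a typo there is reported instead of surfacing as "creds not found".
func ValidatePath(path string) error {
	host, port, err := net.SplitHostPort(path)
	if err != nil || host == "" || port == "" {
		return fmt.Errorf("vault path %q is not host:port", path)
	}
	return nil
}

// ParseCreds decodes and validates creds.json. Unknown fields are rejected,
// so a misspelled key ("passwrd") is an error rather than silently ignored.
func ParseCreds(raw []byte) (*Creds, error) {
	dec := json.NewDecoder(bytes.NewReader(raw))
	dec.DisallowUnknownFields()
	var c Creds
	if err := dec.Decode(&c); err != nil {
		return nil, err
	}
	if c.Password == "" || len(c.IAMArns) == 0 {
		return nil, fmt.Errorf("password and at least one iam_arns entry are required")
	}
	for _, a := range c.IAMArns {
		if !arnPattern.MatchString(a) {
			return nil, fmt.Errorf("malformed IAM role ARN %q", a)
		}
	}
	return &c, nil
}
```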
Right now, Approzium is stateless. So, HA can be achieved by simply having 3 instances of the Authenticator up and if one fails, the other 2 are still there.
We should document prescriptive best practices for this in an AWS EC2 environment. How big should the EC2 instances be? Should they be behind a load balancer? This will probably need to tie into the Terraform config that's given in #19 .
We also need to document inside the Authenticator's code that caching is not desirable. The reason is, if we were to receive a write (someday) and cache it, the other two instances that didn't service the write might have different data cached. We should document for developers that the Authenticator's HA design is stateless.
This ticket is to support tracing using OpenTracing. In the Go authenticator, we should implement receiving tracing info, creating a span for the time a request is in Approzium, and sending trace metrics to the properly configured location.
ssl library is on the system. However, there is no guarantee that this is the same SSL library that libpq is using. Ideally, we can use ensure that the SSL library we are using is the same one libpq is using.
we want to bring up an app using approzium sdk to connect to a database without passing a password
something we're looking for here is that the sts identity stuff works out of the box with aws resources
possible challenges
Adding metrics will add our first endpoint that is not gRPC. We should implement Swagger for both our gRPC and non-gRPC endpoints to make it easy for folks to use us even if we don't yet have an SDK in their language.
Add config to authenticator (configure the host and port), ideas: use envconfig or Viper
Need to capture metadata about the entity behind an authentication - stuff like instance ID, instance ARN, and more, specific fields TBD.
iam/info