Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[SC-23] Ensure all inter-component traffic within Solr is sent over TLS #4119

Closed
10 tasks
nickumia-reisys opened this issue Dec 10, 2022 · 15 comments
Closed
10 tasks
Assignees
Labels
compliance Relating to security compliance or documentation component/solr-service Related to Solr-as-a-Service, a brokered Solr offering component/ssb POAM Issues that should also be appearing in POAM lists

Comments

@nickumia-reisys
Copy link
Contributor

nickumia-reisys commented Dec 10, 2022

User Story

In order to increase our security posture, the Data.gov Solr Team wants to secure all communication channels within our Solr deployment.

Acceptance Criteria

[ACs should be clearly demoable/verifiable whenever possible. Try specifying them using BDD.]

  • GIVEN communication between Solr and the LB is encrypted
    WHEN I look at the Solr service
    THEN I see it listening only on port 443

  • GIVEN communication between Solr and the Admin Init app is encrypted
    WHEN I look at the logs of the Admin Init app
    THEN I see it talking to Solr over https

  • GIVEN communication between Solr and EFS is encrypted
    WHEN I look at the Solr service
    THEN I see it talking to EFS in an encrypted way

Background

[Any helpful contextual notes or links to artifacts/evidence, if needed]
Related tickets:

Security Considerations (required)

TODO

Sketch

[Notes or a checklist reflecting our understanding of the selected approach]

  • Determine the scope of what traffic falls under this category
    • All internal traffic is unencrypted in the current design
      • Solr to/from LB
      • Solr to/from Admin Init app
      • Solr to/from EFS
  • Design solutions for each component
  • Implement them
@nickumia-reisys
Copy link
Contributor Author

Full disclosure: This is not an easy issue. There are known issues as to why we couldn't get EFS encrypted-in-transit and to support HTTPS from the Solr node itself would require installing either self-signed certificates or some other solution which is further customization to the design (not to mention the implementation details themselves).

@nickumia-reisys nickumia-reisys added compliance Relating to security compliance or documentation component/solr-service Related to Solr-as-a-Service, a brokered Solr offering POAM Issues that should also be appearing in POAM lists component/ssb labels Dec 10, 2022
@hkdctol
Copy link
Contributor

hkdctol commented Dec 15, 2022

We don't know if this is possible to be implemented; may have to look into getting acceptance of current.

@hkdctol hkdctol moved this to 📔 Product Backlog in data.gov team board Dec 15, 2022
@jbrown-xentity jbrown-xentity moved this from 📔 Product Backlog to 📟 Sprint Backlog [7] in data.gov team board Dec 22, 2022
@jbrown-xentity jbrown-xentity moved this from 📟 Sprint Backlog [7] to 📔 Product Backlog in data.gov team board Dec 22, 2022
@btylerburton
Copy link
Contributor

have things changed? is this easy now?
https://docs.aws.amazon.com/efs/latest/ug/encryption-in-transit.html

@btylerburton btylerburton moved this from 📔 Product Backlog to 📟 Sprint Backlog [7] in data.gov team board Dec 22, 2022
@nickumia-reisys
Copy link
Contributor Author

So, I remembered that I looked at that page and that I tried to use the efs-utils. I was trying to track down the problem we saw when we tried to implement it. However, as a trail of that specific work @btylerburton:

There was some issue with connectivity. Either AWS didn't like the hack with efs-utils trying to initiate the connection after the Solr container was already running and since it couldn't establish the connection, Solr just made a temporary directory for its data. The primary issue was that the connection was not being established TLS and there were no errors, no warnings, no indications about which part of the connection was failing. Not being able to debug it, I had given up. We can try again, but I stand by the fact that it is not worth the effort to investigate this.

We had even submitted an issue with AWS Support and there wasn't any specific help that they could provide because they thought it was an application/infrastructure-specific issue that they were not knowledgeable enough to diagnose.

@hkdctol hkdctol moved this from 📟 Sprint Backlog [7] to 📡 Blocked in data.gov team board Jan 5, 2023
@hkdctol
Copy link
Contributor

hkdctol commented Jan 19, 2023

Next step looks like discuss with our ISSO.

@hkdctol
Copy link
Contributor

hkdctol commented Feb 16, 2023

Discussed with ISSO on 2/14/23. He will raise with ISSM.

@jbrown-xentity
Copy link
Contributor

Summary doc @hkdctol

@hkdctol
Copy link
Contributor

hkdctol commented Apr 11, 2023

@hkdctol hkdctol moved this from 📡 Blocked to 🏗 In Progress [8] in data.gov team board Apr 11, 2023
@hkdctol hkdctol self-assigned this Apr 11, 2023
@jbrown-xentity jbrown-xentity self-assigned this Apr 12, 2023
@hkdctol
Copy link
Contributor

hkdctol commented Apr 18, 2023

Draft sent to ISSO

@hkdctol hkdctol moved this from 🏗 In Progress [8] to 📡 Blocked in data.gov team board Apr 18, 2023
@hkdctol
Copy link
Contributor

hkdctol commented Aug 9, 2023

Met with ISSM 8/9, this is pending CISO's return from leave in a few weeks

@nickumia-reisys
Copy link
Contributor Author

While the work wasn't fully documented in motion, an exhaustive search for how to enable TLS for EFS volumes in ECS was pursued combining documentation at the crossroads of Solr, Terraform and AWS. The full list of options were attempted without success setting up the IAM permissions, EFS volume, EFS access points, ECS mounting and solr volume setup. There may have been a bug or something very unique about our Solr application that was causing issues; however, all attempts were inconclusive.

All of the commits where in this PR:

List of references used:

AWS Support Ticket:

@rpalmer-gsa
Copy link

@nickumia-reisys can you dump the support ticket to a PDF as I don't have access to view it.

Thank you

@nickumia-reisys
Copy link
Contributor Author

nickumia-reisys commented Sep 21, 2023

@rpalmer-gsa Here is the doc version of the support ticket.

P.S. I tried my best to paste it in a readable structure. (additional discussion)

@hkdctol
Copy link
Contributor

hkdctol commented Jan 25, 2024

Met with ISSM 1/22, he will follow up on AOR status

@jbrown-xentity jbrown-xentity removed their assignment Jan 26, 2024
@btylerburton
Copy link
Contributor

Not carried over as a new POA&M

@github-project-automation github-project-automation bot moved this from 📡 Blocked to ✔ Done in data.gov team board Oct 23, 2024
@Bagesary Bagesary moved this from ✔ Done to 🗄 Closed in data.gov team board Oct 23, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
compliance Relating to security compliance or documentation component/solr-service Related to Solr-as-a-Service, a brokered Solr offering component/ssb POAM Issues that should also be appearing in POAM lists
Projects
Archived in project
Development

No branches or pull requests

5 participants