Clarified consumer-to-query security support. #522
Conversation
Signed-off-by: Travis Illig <[email protected]>
content/docs/1.22/security.md
Outdated
@@ -38,7 +38,7 @@ Clients can be configured to communicate directly with the Collector via HTTP. U | |||
|
|||
## Consumers to Query Service | |||
|
|||
* {{< check_yes >}} HTTP - no TLS/authentication. | |||
* {{< check_yes >}} gRPC - no TLS/authentication. | |||
* {{< check_yes >}} HTTP - TLS supported, no authentication supported. |
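Review bot: the new bullet contradicts the unchanged `HTTP - no TLS/authentication.` two lines above it, because the list now states both that HTTP has no TLS and that HTTP supports TLS; reword the first bullet as the plaintext listener (for example `HTTP - plaintext, no authentication.`) or fold both into one HTTP bullet so the green checkmark has a single unambiguous meaning. `no authentication supported` also needs to be verified against the query service's client-CA option before merge: if setting that option makes the server verify client certificates, the bullet should read `TLS with client cert authentication supported` instead.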
Forgive my ignorance as I don't know much about TLS; I thought authentication is built into TLS?
TLS is about encrypting the communication channel, not proving you are who you say you are. mTLS (mutual TLS) has authentication built in because it involves an exchange of client certificates.
Think about it like this - you visit https://www.amazon.com from your browser. That's using TLS, but Amazon doesn't know who you are until you authenticate (e.g., username + password). Same principle here.
Ah, thanks for that explanation, I didn't know about mTLS, but did a bit of reading about it; I guess with TLS, the server is authenticated, but not the client, and this is the gap that mTLS fills.
How did you determine that HTTP doesn't support mTLS?
I was looking at the source code and I think here is where we enable the RequireAndVerifyClientCert flag (mTLS).
IIUC it looks like that RequireAndVerifyClientCert flag is enabled when the .tls.client-ca option is enabled, and the initialization of these flags appears to be done for both gRPC and HTTP in the query service.
It's quite likely I'm misunderstanding something though.
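The distinction the two comments above draw (TLS proves the server's identity to the client; mTLS additionally makes the server demand and verify a client certificate, which in Go's crypto/tls is the `ClientAuth: tls.RequireAndVerifyClientCert` setting paired with a `ClientCAs` pool) in runnable form. This is an added example written for this page, not Jaeger's code and not taken from the query service: the certificate names (`trusted-ca`, `query.example`, `consumer`), the `tlsOnly`/`mtls`/`anon`/`certified` config names and the loopback TCP harness are assumptions made for the demo, and no Jaeger flag is reproduced. Only the Go standard library is used.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// issue mints in-memory test material: a self-signed CA when parent is nil, else a leaf signed by parent.
func issue(name string, parent *tls.Certificate) tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: parent == nil, KeyUsage: x509.KeyUsageCertSign}
	signer, skey := tmpl, any(key) // self-signed unless a parent CA is given
	if parent != nil {
		tmpl.KeyUsage, tmpl.DNSNames = x509.KeyUsageDigitalSignature, []string{name}
		signer, skey = parent.Leaf, parent.PrivateKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, skey)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// connect handshakes over loopback TCP, then reads one record: under TLS 1.3 the client's Handshake
// returns before the server has judged its certificate, so a rejection only shows up on the first Read.
func connect(server, client *tls.Config) (string, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", err
	}
	defer ln.Close()
	var peer, srvErr = "", make(chan error, 1)
	go func() { // query-service side
		raw, err := ln.Accept()
		if err == nil {
			defer raw.Close()
			raw.SetDeadline(time.Now().Add(5 * time.Second))
			srv := tls.Server(raw, server)
			if err = srv.Handshake(); err == nil {
				if pc := srv.ConnectionState().PeerCertificates; len(pc) > 0 {
					peer = pc[0].Subject.CommonName
				}
				_, err = srv.Write([]byte("ok"))
			}
		}
		srvErr <- err
	}()
	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: 5 * time.Second}, "tcp", ln.Addr().String(), client)
	if err == nil {
		defer conn.Close()
		_, err = conn.Read(make([]byte, 2))
	}
	if serr := <-srvErr; serr != nil {
		return "", serr // the server's reason is the informative one
	}
	return peer, err // peer is the client CN the server authenticated, "" if it required none
}

// Scenario is one connection attempt; Err == nil means the query side admitted the consumer.
type Scenario struct{ Name, ClientCN string; Err error }
func RunScenarios() []Scenario {
	ca := issue("trusted-ca", nil)
	server, consumer := issue("query.example", &ca), issue("consumer", &ca)
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	// "TLS supported, no authentication": the query side proves its identity; any client is admitted.
	tlsOnly := &tls.Config{Certificates: []tls.Certificate{server}, MinVersion: tls.VersionTLS12}
	// The client-CA / RequireAndVerifyClientCert mode: a client cert chaining to ca is mandatory.
	mtls := tlsOnly.Clone()
	mtls.ClientCAs, mtls.ClientAuth = pool, tls.RequireAndVerifyClientCert
	// Consumers always verify the server; only the certified one has a certificate to offer.
	anon := &tls.Config{RootCAs: pool, ServerName: "query.example", MinVersion: tls.VersionTLS12}
	certified := anon.Clone()
	certified.Certificates = []tls.Certificate{consumer}
	out := []Scenario{{Name: "TLS only, anonymous consumer"}, {Name: "mTLS, anonymous consumer"},
		{Name: "mTLS, consumer with cert from trusted CA"}}
	for i, p := range [][2]*tls.Config{{tlsOnly, anon}, {mtls, anon}, {mtls, certified}} {
		out[i].ClientCN, out[i].Err = connect(p[0], p[1])
	}
	return out
}

func main() {
	for _, s := range RunScenarios() {
		fmt.Printf("%-42s admitted=%-5t identity=%q err=%v\n", s.Name, s.Err == nil, s.ClientCN, s.Err)
	}
}
```

Running it prints three lines: the TLS-only server admits the anonymous consumer but learns no identity (`identity=""`), the mTLS server rejects the same consumer with the server-side error, and admits the certified consumer as `identity="consumer"`. The post-handshake `Read` in `connect` is the caveat worth remembering when testing mTLS with Go clients: under TLS 1.3 the server's verdict on a missing or untrusted client certificate arrives as an alert after the client's `Handshake` has already returned, so a test that only checks `Handshake` would wrongly report the anonymous consumer as accepted.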
I was going by the latest comment on the related issue since I mentioned I don't actually know the answer. If I need to fix it, please do let me know. We're outside my Go + Jaeger source expertise here.
I agree, I think both gRPC and HTTP servers now support mTLS. I closed #2249.
Is that as of 1.22? I want to make sure I update the right version(s).
Yes, that's right.
Signed-off-by: Travis Illig <[email protected]>
lgtm, thanks @tillig!
@@ -38,7 +38,7 @@ Clients can be configured to communicate directly with the Collector via HTTP. U | |||
|
|||
## Consumers to Query Service | |||
|
|||
* {{< check_yes >}} HTTP - no TLS/authentication. | |||
* {{< check_yes >}} gRPC - no TLS/authentication. | |||
* {{< check_yes >}} HTTP - TLS with client cert authentication supported. |
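Review bot: `TLS with client cert authentication supported` should use the same phrasing as the other mTLS rows of this security matrix (the review cites `TLS with mTLS supported` for Cassandra) so that readers and greps find one consistent term; pick one form and apply it everywhere in this change. The `gRPC - no TLS/authentication.` bullet directly above the edited line is also left untouched although the thread concludes that both the gRPC and HTTP query servers honour client-CA verification as of 1.22; if the gRPC TLS row lives outside this hunk's context, update it in the same commit, otherwise add `gRPC - TLS with client cert authentication supported.` next to the HTTP one.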
maybe we could use the same text as for Cassandra above: "TLS with mTLS supported"
I was using the same text from the Agent to Collector section for gRPC. Should I switch them all to "TLS with mTLS supported"?
I don't mind fixing
no worries, good as is. Thanks!
Signed-off-by: Travis Illig [email protected]
Which problem is this PR solving?
Resolves #475
Short description of the changes
Clarification on what is supported for encryption and authentication in collector-to-query communications. Previously the green checkmark indicated there was support but the text was inconsistent with that; this resolves the ambiguity.