
Improve default security features

Open tzach opened this issue 5 years ago • 3 comments

The default of the current start_all is running both Prometheus and Grafana with default no auth. This makes it easier to start with, but also easier to forget to secure later.

Some ideas on how to improve:

  • Force user to choose user/pass for Prometheus and Grafana
  • Generate random password for Prometheus and provision it into Grafana
  • Limit Grafana data_source_proxy_whitelist
  • Open Prometheus IP to local server only

tzach avatar Jun 23 '20 12:06 tzach
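As an added example that is not part of this issue or of the scylla-monitoring project, the script below implements three of the ideas above for a single host: a random Prometheus password that is provisioned into Grafana, Prometheus bound to 127.0.0.1 only, and a data_source_proxy_whitelist limited to that address. It assumes Prometheus and Grafana share a network namespace (so 127.0.0.1 reaches Prometheus from Grafana), the user name `grafana`, and that either the `bcrypt` module or the `htpasswd` tool is installed for hashing.

```python
"""Constructed example: generate a Prometheus password and provision it into Grafana."""
import secrets
import string
import subprocess

PROM_USER = "grafana"         # assumed user name for the Grafana -> Prometheus link
PROM_ADDR = "127.0.0.1:9090"  # Prometheus listens on the local server only


def random_password(length: int = 32) -> str:
    """Letters and digits only, so the value needs no YAML quoting; secrets uses the OS CSPRNG."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def bcrypt_hash(password: str) -> str:
    """Prometheus web.yml stores bcrypt hashes; use the bcrypt module or fall back to htpasswd."""
    try:
        import bcrypt
        return bcrypt.hashpw(password.encode(), bcrypt.gensalt(rounds=10)).decode()
    except ImportError:
        out = subprocess.run(["htpasswd", "-nbBC", "10", PROM_USER, password],
                             capture_output=True, text=True, check=True).stdout
        return out.strip().split(":", 1)[1]  # htpasswd prints "user:hash"


def prometheus_web_config(user: str, password_hash: str) -> str:
    """web.yml; run: prometheus --web.config.file=web.yml --web.listen-address=127.0.0.1:9090"""
    return f"basic_auth_users:\n  {user}: {password_hash}\n"


def grafana_datasource(user: str, password: str) -> str:
    """File for provisioning/datasources/; Grafana encrypts secureJsonData at rest."""
    return (
        "apiVersion: 1\n"
        "datasources:\n"
        "  - name: prometheus\n"
        "    type: prometheus\n"
        "    access: proxy\n"
        f"    url: http://{PROM_ADDR}\n"
        "    basicAuth: true\n"
        f"    basicAuthUser: {user}\n"
        "    secureJsonData:\n"
        f"      basicAuthPassword: {password}\n"
    )


def grafana_ini_security() -> str:
    """[security] fragment for grafana.ini: the datasource proxy may only reach Prometheus."""
    return f"[security]\ndata_source_proxy_whitelist = {PROM_ADDR}\n"
```

Call `random_password()` once, write `prometheus_web_config(PROM_USER, bcrypt_hash(pw))` and `grafana_datasource(PROM_USER, pw)` to their files, and the plaintext password never needs to be stored anywhere else.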

In my opinion, the first, 'Force user to choose user/pass for Prometheus and Grafana', is not user friendly. We can either use SSO or go with the other options (assuming we are talking about the cloud, and the user already logged in once to the UI). If it's not the cloud, please ignore.

GalitElad avatar Jun 23 '20 12:06 GalitElad

User/password just makes life harder for the user. They have enough passwords already. Better to support OAuth2.

Grafana should talk to prometheus directly.

avikivity avatar Jun 23 '20 12:06 avikivity

Making the Monitoring Stack dependent on SSO will make it very hard to use for most users. It is not a SaaS service, but rather a standalone application.

Grafana should talk to prometheus directly.

It already does.

tzach avatar Jun 23 '20 18:06 tzach