Review any security implications with OpenTelemetry Collector Jaeger receivers/exporters #2156

Closed
objectiser opened this issue Feb 28, 2020 · 6 comments

Comments

@objectiser
Contributor

Re: #1718

  1. Client To Agent
    1. UDP Channels - still no TLS/authentication 👍
    2. HTTP Config Channel - still no TLS/authentication 👍
  2. Client To Collector
    1. HTTP - still no TLS/authentication 👍
  3. Agent To Collector
    1. gRPC - TLS with client cert authentication: Exporter 👍 Receiver 👎 (see TLS config for Jaeger gRPC receiver jaeger-opentelemetry-collector#22)
  4. Collector To Storage (relevant if storage implemented as exporters)
    1. Cassandra - TLS with client cert authentication supported (TO BE CONFIRMED)
    2. Elasticsearch - TLS with client cert authentication supported; bearer token propagation (TO BE CONFIRMED)
    3. Kafka - Kerberos authentication supported (TO BE CONFIRMED)
@pavolloffay pavolloffay transferred this issue from jaegertracing/jaeger-opentelemetry-collector Apr 6, 2020
@ghost ghost added the needs-triage label Apr 6, 2020
@yurishkuro
Member

What is the goal of this ticket vs. #1718?

@objectiser
Contributor Author

This was moved from the jaeger-opentelemetry-collector repo, so was referring to security implications related to OpenTelemetry Collector receivers/exporters.

@objectiser objectiser changed the title Review any security implications Review any security implications with OpenTelemetry Collector Jaeger receivers/exporters Apr 6, 2020
@pavolloffay
Member

  1. Storage exporters support all auth mechanisms.

The missing part is the TLS configuration in Jaeger gRPC exporter. I will submit a PR to OTEL.

@pavolloffay
Member

Replicated @jpkrohling deployment from jaegertracing/jaeger-opentelemetry-collector#22 with Jaeger OTEL components. It uses TLS between agent and collector. But we need also mTLS.

Jaeger OTEL collector: SPAN_STORAGE_TYPE=elasticsearch go run ./cmd/collector/main.go --config=conf.yaml --new-metrics=true

receivers:
  jaeger:
    protocols:
      grpc:
        endpoint: "localhost:14250"
        tls_credentials:
          cert_file: /home/ploffay/projects/opentelemetry/opentelemetry-collector/receiver/jaegerreceiver/testdata/certificate.pem
          key_file: /home/ploffay/projects/opentelemetry/opentelemetry-collector/receiver/jaegerreceiver/testdata/key.pem

service:
  pipelines:
    traces:
      receivers: [jaeger]

Jaeger OTEL agent: go run ./cmd/agent/main.go --config=conf-agent.yaml --metrics-addr=:8889 --new-metrics=true

exporters:
  jaeger:
    endpoint: "localhost:14250"
    cert_pem_file: /home/ploffay/projects/opentelemetry/opentelemetry-collector/receiver/jaegerreceiver/testdata/certificate.pem
    server_name_override: opentelemetry.io

extensions:
  health_check:
    port: 13134
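
The difference between the TLS-only setup in the comment above and the mTLS it asks for can be reproduced with Go's standard `crypto/tls` alone. This is an added example, not code from Jaeger or the OpenTelemetry Collector; the function name `collectorAccepts`, the host name `collector.test` and the generated certificate are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"math/big"
	"time"
)

// collectorAccepts reports whether the collector (server) side completes a handshake with an agent (client).
func collectorAccepts(policy tls.ClientAuthType, agentHasCert bool) bool {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // throwaway self-signed cert (constructed test data)
	tpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"collector.test"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tpl, tpl, pub, key)
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool() // one cert acts as server cert, client cert and trust root
	pool.AddCert(leaf)
	cert := tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
	srv := &tls.Config{Certificates: []tls.Certificate{cert}, ClientAuth: policy, ClientCAs: pool}
	cli := &tls.Config{RootCAs: pool, ServerName: "collector.test"}
	if agentHasCert {
		cli.Certificates = []tls.Certificate{cert}
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srv) // loopback only, random free port
	if err != nil {
		return false
	}
	defer ln.Close()
	go func() { // agent: dial, then read until the collector closes or sends an alert
		if c, err := tls.Dial("tcp", ln.Addr().String(), cli); err == nil {
			defer c.Close()
			io.Copy(io.Discard, c)
		}
	}()
	conn, err := ln.Accept()
	if err != nil {
		return false
	}
	defer conn.Close()
	return conn.(*tls.Conn).Handshake() == nil // fails here when a required client cert is missing
}

func main() {
	fmt.Println("tls-only/no cert, mTLS/no cert, mTLS/cert:", collectorAccepts(tls.NoClientCert, false), collectorAccepts(tls.RequireAndVerifyClientCert, false), collectorAccepts(tls.RequireAndVerifyClientCert, true))
}
```

With `tls.NoClientCert` the collector accepts any peer that trusts its certificate; only `tls.RequireAndVerifyClientCert` ties acceptance to a certificate the agent holds.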

@pavolloffay
Member

PR to add mTLS to gRPC exporters
open-telemetry/opentelemetry-collector#927

We need also TLS for remote sampling strategies open-telemetry/opentelemetry-collector#461

@pavolloffay
Member

I am closing this as done. The last part is to expose the TLS config via flags, but that is a separate issue.
