Security in DC/OS
Security in DC/OS
In this article, we take a look at the various mechanisms through which DC/OS manages security and allows developers to provide higher levels of data security.
Join the DZone community and get the full member experience.Join For Free
Every company's most valuable asset is its data. However, that data is also constantly under threat from bad actors around the world. To retain the trust of their customers, partners, and shareholders, every business needs to protect their data and applications. DC/OS Enterprise offers a range of features that allows you to secure your cluster and prevent breaches and other attacks. So, let's see the different mechanisms through which DC/OS manages security.
DC/OS is based on a Linux kernel and userspace. The same best practices for securing any Linux system apply to securing DC/OS, including setting correct file permissions, restricting root and normal user accounts, protecting network interfaces with iptables or other firewalls, and regularly applying updates from the Linux distribution used with DC/OS to ensure that system libraries, utilities, and core services like systemd and OpenSSH are secure.
The goals of DC/OS security are:
- Isolate the cluster perimeter with strong authentication and authorization across all interfaces.
- Secure and protect the internal cluster communication, containers, and sandboxes.
- Enhance cluster security with support for third-party security integrations.
At the highest level, we can distinguish three security zones in a DC/OS deployment, which are admin, private, and public security zones.
- The admin zone is accessible via HTTP/HTTPS and SSH connections and provides access to the master nodes. It also provides reverse proxy access to the other nodes in the cluster via URL routing. Access to the admin zone is controlled by the Admin Router. The Admin Router denies access to most HTTP endpoints for unauthenticated requests. In order for a request to be authenticated, it needs to present a valid authentication token in its
- The private zone is a non-routable network that is only accessible from the admin zone or through the edge router from the public zone. Deployed services are run in the private zone. This zone is where the majority of agent nodes are run.
- The optional public zone is where publicly accessible applications are run. Generally, only a small number of agent nodes run in this zone. The edge router forwards traffic to applications running in the private zone. These agent nodes have both public and private IP addresses and only specific ports should be open in their
We can control DC/OS Enterprise access by resource and operation. The available security modes are disabled, permissive, and strict. The strict mode provides the finest-grained controls. The DC/OS permissions are enforced based on your security mode. The security mode is set during DC/OS installation and can only be changed by upgrading.
Disabled: This mode is designed to ensure smooth upgrades from earlier versions of DC/OS, but only provides minimal security features and is not intended for production environments. The disabled mode does not provide Marathon or Mesos permissions.
Permissive: This mode provides some of the security features, but does not include the Mesos permissions.
Strict: This mode provides the most robust security posture and requires a significant amount of configuration.
All requests from outside of the DC/OS cluster require an authentication token. The DC/OS authentication token is a JSON web token (JWT) that expires five days after issuance by default. The default expiration can be modified during installation or upgrade. When the authentication token expires, the user can re-authenticate to receive another. DC/OS provisions masters with ZooKeeper credentials during the bootstrap sequence.
Users can log in by using the DC/OS GUI, the DC/OS CLI, or a programmatic client.
- Lightweight Directory Access Protocol (LDAP) is an open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network. If you have configured an LDAP directory server, DC/OS will pass the user's credentials to the LDAP directory server for verification.
- Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider. OpenID Connect is a simple identity layer on top of the OAuth 2.0 protocol, which allows computing clients to verify the identity of an end-user based on the authentication performed by an authorization server, as well as to obtain basic profile information about the end-user in an interoperable and REST-like manner. If you have configured a SAML or an OpenID Connect identity provider (IdP), the user passes their credentials directly to the IdP.
When a user logs in with the DC/OS GUI, the Identity and Access Manager plants a cookie that contains the authentication token. Clearing the cookie does not invalidate the authentication token. If sniffed over an unencrypted connection or extracted from the cookie, someone could use the authentication token to log into DC/OS. Users should Sign Out at the end of their browser session to clear this cookie.
Credentials for cluster-local user accounts (those not using LDAP, SAML, or OpenID Connect) consist of a username and password that can be used to validate user passwords. Passwords are individually salted and cryptographically hashed using crypt(3) SHA-512. Once DC/OS Identity and Access Management (IAM) has validated user credentials, an authentication token is returned to the user. The authentication token is then used for further request authentication during the user session. This way the password does not need to be stored in the client and is only sent over the wire immediately after the user enters it.
In addition to authenticating requests, DC/OS also checks the permissions associated with the account to determine whether the requestor is authorized to access the requested resource. The sequence in the diagram illustrates how permission enforcement varies by security mode.
- The Admin Router and the Secret Store enforce their permissions in all security modes.
- Metronome and Marathon enforce their permissions in
strictmodes. However, the enforcement in
permissivemode only occurs if the requestor presents an authentication token, which is optional in
permissivemode. If an in-cluster requestor does not present an authentication token, Metronome and Marathon will act as if the request was made by a user with the
- The Mesos masters and agents enforce their permissions only in
Spaces allow you to:
- Restrict user access to services and jobs. You can put services and jobs into groups in any security mode. This can help users find the jobs or services that pertain to them. In
permissivesecurity modes, you can use permissions to restrict user's access on a per service/job or service/job group basis.
- Restrict service access to secrets. The secret path controls which services can access it. If you do not specify a path when storing a secret, any service can access it. Secret paths work in conjunction with service groups to control access. However, you do not need to have service groups to control access to secrets, you can also use the name of the service.
Secure Storage and Transport of Secrets
DC/OS stores Secret Store data in ZooKeeper, encrypted under an unseal key using the Advanced Encryption Standard (AES) algorithm in Galois Counter Mode (GCM). The Secret Store uses the unseal key to encrypt secrets before sending them to ZooKeeper and to decrypt secrets after receiving them from ZooKeeper. This ensures that secrets are encrypted both at rest and in transit. TLS provides an additional layer of encryption on the secrets in transit from ZooKeeper to the Secret Store. The unseal key is encrypted under a public GPG key. Requests to the Secrets API return only the encrypted unseal key. When the Secret Store becomes sealed, either manually or due to a failure, the private GPG key must be used to decrypt the unseal key and unseal the Secret Store. By default, you cannot store a secret larger than one megabyte.
Fine-Grained Access Control of Secrets
DC/OS allows you to restrict:
- User access to secrets: use permissions to control which users can access what secrets and what operations they can perform.
- Application access to secrets: use spaces to control which applications can retrieve what secrets.
Published at DZone with permission of Sudeep James Tirkey , DZone MVB. See the original article here.
Opinions expressed by DZone contributors are their own.