Unverified Commit 54d0f70f authored by Richard Hartmann, committed by GitHub

Update security.md

Some minor cleanups and clarifications
parent f92839f9
......@@ -14,13 +14,15 @@ attack vectors that some configurations may enable.
As with any complex systems it is not possible to guarantee that there are no
bugs. If you find a security bug, please file it in the issue tracker of the
relevant component.
relevant component. If you prefer to report security issues in secret, you may
email the non-public [Prometheus team mailing list](mailto:prometheus-team@googlegroups.com).
### Prometheus
It is presumed that untrusted users have access to the Prometheus HTTP endpoint
and logs. They have access to all time series information contained in the
database, plus a variety of operational/debugging information.
database, plus a variety of operational/debugging information, including all
targets and alerts.
It is also presumed that only trusted users have the ability to change the
command line, configuration file, rule files and other aspects of the runtime
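Review bot: "report security issues in secret" in the new sentence after "relevant component." reads awkwardly; "privately" or "confidentially" is the usual wording for a non-public reporting channel, e.g. "If you prefer to report security issues privately, you may email the non-public Prometheus team mailing list." The added qualifier "including all targets and alerts" is a useful sharpening of what an untrusted user with HTTP access can see.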
......@@ -34,10 +36,10 @@ that service discovery system.
Scraped targets may be run by untrusted users. It should not by default be
possible for a target to expose data that impersonates a different target. The
`honor_labels` option removes this protection, as can certain relabelling
setups.
`honor_labels` option removes and certain relabelling setups remove this
protection.
As of Prometheus 2.0, the `--web.enable-admin-api` flag controls access to the
As of Prometheus 2.x, the `--web.enable-admin-api` flag controls access to the
administrative HTTP API which includes functionality such as deleting time
series. This is disabled by default. If enabled, administrative and mutating
functionality will be accessible under the `/api/*/admin/` paths. The
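Review bot: the rewritten sentence "The `honor_labels` option removes and certain relabelling setups remove this protection." is grammatically broken (two verbs, one object) and is harder to read than the text it replaces. Suggest "Both the `honor_labels` option and certain relabelling setups remove this protection." The "2.0" to "2.x" change is fine, since the flag applies to the whole 2.x series.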
......@@ -84,7 +86,8 @@ configuration file.
Any user with access to the Pushgateway HTTP endpoint can create, modify and
delete the metrics contained within. As the Pushgateway is usually scraped with
`honor_labels` enabled, this means anyone with access to the Pushgateway can
create any time series in Prometheus.
create any time series in Prometheus, including impersonating other targets or
generating alerts.
## Exporters
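Review bot: the added consequence "including impersonating other targets or generating alerts" is the right clarification, since it spells out why `honor_labels` on the Pushgateway matters; consider tying it to the earlier sentence about `honor_labels` removing the impersonation protection so a reader landing on this section sees the two statements are the same risk.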
......@@ -125,7 +128,7 @@ secret. Throughout the Prometheus system, metrics are not considered secret.
Fields containing secrets in configuration files (marked explicitly as such in
the documentation) will not be exposed in logs or via the HTTP API. Secrets
should not be placed in other configuration fields, as it is common for
should not be placed in any other configuration fields, as it is common for
components to expose their configuration over their HTTP endpoint.
Secrets from other sources used by dependencies (e.g. the `AWS_SECRET_KEY`
......@@ -136,7 +139,7 @@ wherever it is stored.
## Denial of Service
There are some mitigations in place for excess load or expensive queries.
However, if too many or too expensive queries/metrics are provided components
However, if too many or too expensive queries/metrics are provided, components
will fall over. It is more likely that a component will be accidentally taken
out by a trusted user than by malicious action.