Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

newrelicexporter: Add warning to user for insecure storage of user credentials at rest #2233

Closed
alolita opened this issue Jan 30, 2021 · 0 comments
Closed

newrelicexporter: Add warning to user for insecure storage of user credentials at rest #2233

alolita opened this issue Jan 30, 2021 · 0 comments
Assignees
@flands

Comments

@alolita
Copy link
Member

alolita commented Jan 30, 2021

Is your feature request related to a problem? Please describe.
When using the the newrelicexporter to connect with the vendor backend service the user has to input API tokens in plain text which is exposed at rest. This is a security exposure that needs to be communicated to the user as use at their own risk.

Describe the solution you'd like
The proposed solution includes -

  • adding a warning which is actively communicated to the user
  • recommend storing the token securely at rest (encryption at rest)
  • recommend adding clear documentation itemizing security risks bundled in the exporter folder

Additional context
Unit tests exist for checking unauthorized access but these tests are not enough for an user to understand this security risk. See related unit tests -
https://github.com/open-telemetry/opentelemetry-collector-contrib/blob/main/exporter/newrelicexporter/factory_test.go#L29
https://github.com/open-telemetry/opentelemetry-collector-contrib/blob/main/exporter/newrelicexporter/factory_test.go#L42
@mx-psi mx-psi mentioned this issue Feb 10, 2021
Closed
@gramidt gramidt mentioned this issue Feb 12, 2021
Closed
@flands flands mentioned this issue Feb 13, 2021
Merged
@flands flands self-assigned this Feb 13, 2021
flands added a commit to flands/opentelemetry-collector-contrib that referenced this issue Feb 13, 2021
@flands
Add information about security documentation to exporter README
41e45ba 
Attempts to address:

- open-telemetry#2230
- open-telemetry#2231
- open-telemetry#2232
- open-telemetry#2233
@flands flands mentioned this issue Feb 13, 2021
Merged
bogdandrutu pushed a commit that referenced this issue Feb 16, 2021
@flands
Add information about security documentation to exporter README (#2341)
e7415d7 
Attempts to address:

- #2230
- #2231
- #2232
- #2233
@flands flands closed this as completed Feb 17, 2021
kisieland referenced this issue in kisieland/opentelemetry-collector-contrib Mar 16, 2021
@trask
Remove outdated restriction from docs (#2233)
f7cc49d 
Documentation for processors states:

> Only match_type=strict is allowed if "attributes" are specified.

but this restriction was removed in https://github.com/open-telemetry/opentelemetry-collector/pull/928/files#diff-4548db28578c2ac90e2b277f24654cfa24fd0f99d854e0fcc4b50871c0b529caL166-R198, and so this doc appears to be outdated.

**Testing:**

I did not test this, but others (including @tigrannajaryan) have: open-telemetry/opentelemetry-collector#1935 (comment)

[btw, in case you're curious my interest in this, we are implementing a subset of this behavior at the java agent layer, as we aren't using otel collector. So far only in our vendor distro, though happy to move it to otel javaagent if/when others are interested.]
pmatyjasek-sumo pushed a commit to pmatyjasek-sumo/opentelemetry-collector-contrib that referenced this issue Apr 28, 2021
@flands @pmatyjasek-sumo
Add information about security documentation to exporter README (#2341)
e1d6639 
Attempts to address:

- open-telemetry#2230
- open-telemetry#2231
- open-telemetry#2232
- open-telemetry#2233
ljmsc referenced this issue in ljmsc/opentelemetry-collector-contrib Feb 21, 2022
@MrAlias
Remove the deprecated bridge/opencensus/utils pkg (#2233)
486afd3
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@flands flands

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@flands @alolita