Faas: Get to 1.0 - Security strategy

Created on 1 May 2017 · 6 Comments · Source: openfaas/faas

Initial areas for security strategy. Implementation needs to be easy to use when deployed locally or in development environment.

UI

Static Angular UI tester visible when deployed

Suggestion - HTTPS / basic auth and cookie. Minimum initial version could have a single admin account.

System API

Endpoints: deploy function / delete function / get a list of functions

Approach needs to be consumed by the UI and by an optional CLI.

Functions API

I.e. /function/function_name [POST]

This can be split into two use-cases:

For the functions expecting webhooks, it's rare that I've seen anything here - sometimes a digest of the message from the remote party. Mainly just an HTTP POST with a body to your endpoint.

For endpoints not receiving webhooks from third-parties, but being used as part of a chain of functions etc - maybe here it makes sense to add some kind of header/bearer token / JWT.

Related

  • Rate limiting
  • IP black/whitelisting
  • Account lock-out for bad login attempts
  • Account reset (via? email?)
  • Is persistent storage needed for any of the above?
Labels: enhancement, help wanted, skilintermediate

All 6 comments

In general seems like you're thinking about all the right things. I would say that supporting an HMAC injected as a header from any function receiving a webhook is probably the right call. That means that you probably need to have per-function symmetric keys?

Any further thoughts on this in the long run?
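An added example, not code from this issue or from OpenFaaS, of the scheme raised in the Functions API section above and in the comment just before it: a webhook HMAC carried in a header, verified with a per-function symmetric key looked up from the /function/<name> route. The key map, the sha256= prefix, the header name and the sample payload are constructed assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"strings"
)

// Per-function symmetric keys, constructed for this example; a real deployment
// would load them from a secret store, never from a literal map.
var functionKeys = map[string][]byte{
	"github-notify": []byte("constructed-key-for-github-notify"),
	"slack-post":    []byte("constructed-key-for-slack-post"),
}

var ErrUnknownFunction = errors.New("no signing key for function")
var ErrBadSignature = errors.New("signature mismatch")

// FunctionFromPath maps the gateway route /function/<name> to <name>.
func FunctionFromPath(path string) (string, bool) {
	name := strings.TrimPrefix(path, "/function/")
	if name == path || name == "" || strings.Contains(name, "/") {
		return "", false
	}
	return name, true
}

// Sign is the value the webhook sender places in the signature header
// (header name assumed, e.g. X-Function-Signature-256) for this body.
func Sign(key, body []byte) string {
	mac := hmac.New(sha256.New, key)
	mac.Write(body)
	return "sha256=" + hex.EncodeToString(mac.Sum(nil))
}

// VerifyWebhook recomputes the HMAC with the function's own key and compares
// in constant time, so a tampered body or another function's key is rejected.
func VerifyWebhook(path, header string, body []byte) error {
	fn, ok := FunctionFromPath(path)
	key, known := functionKeys[fn]
	if !ok || !known {
		return ErrUnknownFunction
	}
	if !hmac.Equal([]byte(header), []byte(Sign(key, body))) {
		return ErrBadSignature
	}
	return nil
}
```

Because the key is per function, a signature minted for one function cannot be replayed against another, and an unknown route fails closed before any comparison happens.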

Hi @Omeryl - I would say that this is outside the scope of a serverless framework and could be implemented easily with a project specialising in these areas such as NGINX / Traefik or Kong. Does that make sense? What are your thoughts?

@alexellis I mean, as long as the client is capable of doing basic auth, or sending specific headers, it could definitely be built as plugins for the client. I was just wondering what the official thoughts were on this before I started tinkering with this for some coworkers is all.

Can you give me a quick outline of what you had in mind?

Kong/Mashape are working on a plugin for OpenFaaS - this should add whatever we need in terms of security / OAuth / basic auth / rate-limiting etc.
