Initial areas for security strategy. Implementation needs to be easy to use when deployed locally or in development environment.
UI
Static Angular UI tester visible when deployed
Suggestion - HTTPS / basic auth and cookie. Minimum initial version could have a single admin account.
System API
Endpoints: deploy function / delete function / get a list of functions
Approach needs to be consumed by the UI and by an optional CLI.
Functions API
I.e. /function/function_name [POST]
This can be split into two use-cases:
For the functions expecting webhooks, it's rare that I've seen anything here - sometimes a digest of the message from the remote party. Mainly just an HTTP POST with a body to your endpoint.
For endpoints not receiving webhooks from third-parties, but being used as part of a chain of functions etc - maybe here it makes sense to add some kind of header/bearer token / JWT.
Related
In general seems like you're thinking about all the right things. I would say that supporting an HMAC injected as a header from any function receiving a webhook is probably the right call. That means that you probably need to have per-function symmetric keys?
Any further thoughts on this in the long run?
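The per-function HMAC check suggested above, written out as an added example (not OpenFaaS code from this thread): the sender computes HMAC-SHA256 over the raw body with that function's key, and the function (or a gateway in front of it) recomputes it and compares in constant time. The header name `sha256=<hex>`, the function names and the keys are assumptions; in a real deployment the keys would be injected as secrets rather than hard-coded.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"strings"
)

// Per-function symmetric keys. Constructed sample values; a real deployment
// would load these from a secret store, one key per function.
var functionKeys = map[string][]byte{
	"github-handler": []byte("constructed-secret-for-github-handler"),
	"slack-handler":  []byte("constructed-secret-for-slack-handler"),
}

var ErrUnknownFunction = errors.New("no key configured for function")
var ErrBadSignature = errors.New("signature mismatch")

// SignBody is the sender's side: HMAC-SHA256 over the exact bytes of the
// body, encoded as "sha256=<hex>" for a signature header (assumed format).
func SignBody(key, body []byte) string {
	mac := hmac.New(sha256.New, key)
	mac.Write(body)
	return "sha256=" + hex.EncodeToString(mac.Sum(nil))
}

// VerifyWebhook is the receiver's side: look up the key for the target
// function, recompute the MAC over the raw body and compare with
// hmac.Equal so a mismatch does not leak timing information. A signature
// made with another function's key is rejected because keys are per-function.
func VerifyWebhook(functionName string, body []byte, header string) error {
	key, ok := functionKeys[functionName]
	if !ok {
		return ErrUnknownFunction
	}
	if !strings.HasPrefix(header, "sha256=") {
		return ErrBadSignature
	}
	got, err := hex.DecodeString(strings.TrimPrefix(header, "sha256="))
	if err != nil {
		return ErrBadSignature
	}
	mac := hmac.New(sha256.New, key)
	mac.Write(body)
	if !hmac.Equal(got, mac.Sum(nil)) {
		return ErrBadSignature
	}
	return nil
}
```

Verify before parsing the body: the MAC must be computed over the raw bytes as received, not over a re-serialised JSON object.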
Hi @Omeryl - I would say that this is outside the scope of a serverless framework and could be implemented easily with a project specialising in these areas such as Nginx / Traefik or Kong. Does that make sense? What are your thoughts?
@alexellis I mean, as long as the client is capable of doing basic auth, or sending specific headers, it could definitely be built as plugins for the client. I was just wondering what the official thoughts were on this before I started tinkering with this for some coworkers is all.
Can you give me a quick outline of what you had in mind?
Kong/Mashape are working on a plugin for OpenFaaS - this should add whatever we need in terms of security / OAuth / basic auth / rate-limiting etc.