All agents currently authenticate to the backend using the same credentials, and they are granted virtually all permissions, which is not desired.
We need to determine the desired behaviour around agent authentication. Some discussion tracks:
I wanted to drop some notes from my experience deploying Sensu 1.x regarding agent authentication. Most of these requirements stem from how I've ended up locking down and restricted the sensu-client to RabbitMQ in the 1.x world and they might be helpful to have in mind when looking at re-implementing client auth for Sensu Go.
Hi @jaredledvina, excellent points you made here. I will add some thoughts (about server auth too)
The agent can further validate the backend endpoint with an SKI (cert pinning). In this case, we can use leverage x509 certificates signed by a standard authority (instead of an internal one) and simply provide the agent the expected cert pin.
I like the idea of OCSP and CRL status for agent certificates. Maybe we can look at the possibility of utilising a certificate transparency log as an alternative? Also we can use SKI of agent certificates to further authenticate an agent. The benefit of using SKI here is that we can easily revoke a cert without the need for any other infrastructure mentioned above.
In terms of ciphers, since we write both the backend and agent, there is no need to make them configurable. TLS 1.2 with only PFS ciphers #2700
We are proceeding with the proposed mTLS approach linked to above. This will be an Enterprise feature.
Most helpful comment
I wanted to drop some notes from my experience deploying Sensu 1.x regarding agent authentication. Most of these requirements stem from how I've ended up locking down and restricted the
sensu-clientto RabbitMQ in the 1.x world and they might be helpful to have in mind when looking at re-implementing client auth for Sensu Go.