Home Explore Help
Sign In
yangck
/
celery
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: b78b84a90e
Branches Tags
celery
/
docs
/
userguide
/
security.rst

security.rst 4.8 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153 
  1. .. _guide-security:
    2. 

  2. 

  3. ==========
    4. 

  4.  Security
    5. 

  5. ==========
    6. 

  6. 

  7. .. contents::
    8. 

  8.     :local:
    9. 

  9. 

  10. Introduction
    11. 

  11. ============
    12. 

  12. 

  13. While Celery is written with security in mind, it should be treated as an
    14. 

  14. unsafe component.
    15. 

  15. 

  16. Depending on your `Security Policy`_, there are
    17. 

  17. various steps you can take to make your Celery installation more secure.
    18. 

  18. 

  19. 

  20. .. _`Security Policy`: http://en.wikipedia.org/wiki/Security_policy
    21. 

  21. 

  22. 

  23. Areas of Concern
    24. 

  24. ================
    25. 

  25. 

  26. Broker
    27. 

  27. ------
    28. 

  28. 

  29. It is imperative that the broker is guarded from unwanted access, especially
    30. 

  30. if it is publically accesible.
    31. 

  31. By default, workers trust that the data they get from the broker has not
    32. 

  32. been tampered with. See `Message Signing`_ for information on how to make
    33. 

  33. the broker connection more trusthworthy.
    34. 

  34. 

  35. The first line of defence should be to put a firewall in front of the broker,
    36. 

  36. allowing only white-listed machines to access it.
    37. 

  37. 

  38. Keep in mind that both firewall misconfiguration, and temproraily disabling
    39. 

  39. the firewall, is common in the real world. Solid security policy includes
    40. 

  40. monitoring of firewall equipment to detect if they have been disabled, be it 
    41. 

  41. accidentally or on purpose. 
    42. 

  42. 

  43. In other words, one should not blindly trust the firewall either.
    44. 

  44. 

  45. If your broker supports fine-grained access control, like RabbitMQ,
    46. 

  46. this is something you should look at enabling. See for example
    47. 

  47. http://www.rabbitmq.com/access-control.html.
    48. 

  48. 

  49. Client
    50. 

  50. ------
    51. 

  51. 

  52. In Celery, "client" refers to anything that sends messages to the 
    53. 

  53. broker, e.g. web-servers that apply tasks.
    54. 

  54. 

  55. Having the broker properly secured doesn't matter if arbitrary messages
    56. 

  56. can be sent through a client.
    57. 

  57. 

  58. *[Need more text here]*
    59. 

  59. 

  60. Worker
    61. 

  61. ------
    62. 

  62. 

  63. The default permissions of tasks running inside a worker are the same ones as
    64. 

  64. the privileges of the worker itself. This applies to resources such as 
    65. 

  65. memory, file-systems and devices.
    66. 

  66. 

  67. An exception to this rule is when using the multiprocessing based task pool,
    68. 

  68. which is currently the default. In this case, the task will have access to
    69. 

  69. any memory copied as a result of the :func:`fork` call (does not apply
    70. 

  70. under MS Windows), and access to memory contents written
    71. 

  71. by parent tasks in the same worker child process.
    72. 

  72. 

  73. Limiting access to memory contents can be done by launching every task
    74. 

  74. in a subprocess (:func:`fork` + :func:`execve`).
    75. 

  75. 

  76. Limiting file-system and device access can be accomplished by using
    77. 

  77. `chroot`_, `jail`_, `sandboxing`_, virtual machines or other
    78. 

  78. mechanisms as enabled by the platform or additional software.
    79. 

  79. 

  80. Note also that any task executed in the worker will have the
    81. 

  81. same network access as the machine on which it's running. If the worker
    82. 

  82. is located on an internal network it's recommended to add firewall rules for
    83. 

  83. outbound traffic.
    84. 

  84. 

  85. .. _`chroot`: http://en.wikipedia.org/wiki/Chroot
    86. 

  86. .. _`jail`: http://en.wikipedia.org/wiki/FreeBSD_jail
    87. 

  87. .. _`sandboxing`:
    88. 

  88.     http://en.wikipedia.org/wiki/Sandbox_(computer_security)
    89. 

  89. 

  90. Serializers
    91. 

  91. ===========
    92. 

  92. 

  93. *[To be written]*
    94. 

  94. 

  95. Message Signing
    96. 

  96. ===============
    97. 

  97. 

  98. *[To be written]*
    99. 

  99. 

  100. Intrusion Detection
    101. 

  101. ===================
    102. 

  102. 

  103. The most important part when defending your systems against
    104. 

  104. intruders is being able to detect if the system has been compromised.
    105. 

  105. 

  106. Logs
    107. 

  107. ----
    108. 

  108. 

  109. Logs are usually the first place to look for evidence
    110. 

  110. of security breaches, but they are useless if they can be tampered with.
    111. 

  111. 

  112. A good solution is to set up centralized logging with a dedicated logging
    113. 

  113. server. Acess to it should be restricted.
    114. 

  114. In addition to having all of the logs in a single place, if configured
    115. 

  115. correctly, it can make it harder for intruders to tamper with your logs.
    116. 

  116. 

  117. This should be fairly easy to setup using syslog (see also `syslog-ng`_ and
    118. 

  118. `rsyslog`_.).  Celery uses the :mod:`logging` library, and already has
    119. 

  119. support for using syslog.
    120. 

  120. 

  121. A tip for the paranoid is to send logs using UDP and cut the
    122. 

  122. transmit part of the logging servers network cable :-)
    123. 

  123. 

  124. .. _`syslog-ng`: http://en.wikipedia.org/wiki/Syslog-ng
    125. 

  125. .. _`rsyslog`: http://www.rsyslog.com/
    126. 

  126. 

  127. Tripwire
    128. 

  128. --------
    129. 

  129. 

  130. `Tripwire`_ is a (now commercial) data integrity tool, with several
    131. 

  131. open source implementations, used to keep
    132. 

  132. cryptographic hashes of files in the file-system, so that administrators
    133. 

  133. can be alerted when they change. This way when the damage is done and your
    134. 

  134. system has been compromised you can tell exactly what files intruders
    135. 

  135. have changed  (password files, logs, backdoors, rootkits and so on).
    136. 

  136. Often this is the only way you will be able to detect an intrusion.
    137. 

  137. 

  138. Some open source implementations include:
    139. 

  139. 

  140. * `OSSEC`_
    141. 

  141. * `Samhain`_
    142. 

  142. * `Open Source Tripwire`_
    143. 

  143. * `AIDE`_
    144. 

  144. 

  145. Also, the `ZFS`_ file-system comes with built-in integrity checks
    146. 

  146. that can be used.
    147. 

  147. 

  148. .. _`Tripwire`: http://tripwire.com/
    149. 

  149. .. _`OSSEC`: http://www.ossec.net/
    150. 

  150. .. _`Samhain`: http://la-samhna.de/samhain/index.html
    151. 

  151. .. _`AIDE`: http://aide.sourceforge.net/
    152. 

  152. .. _`Open Source Tripwire`: http://sourceforge.net/projects/tripwire/
    153. 

  153. .. _`ZFS`: http://en.wikipedia.org/wiki/ZFS
    154.