[bitfolk] Clarifying what you may consider to be a data leak…

Author: Andy Smith
Date:  
To: announce
Subject: [bitfolk] Clarifying what you may consider to be a data leak issue with our Grafana

gpg: Signature made Fri Feb 21 01:59:12 2020 UTC
gpg: using DSA key 2099B64CBF15490B
gpg: Good signature from "Andy Smith <andy@strugglers.net>" [unknown]
gpg: aka "Andrew James Smith <andy@strugglers.net>" [unknown]
gpg: aka "Andy Smith (UKUUG) <andy.smith@ukuug.org>" [unknown]
gpg: aka "Andy Smith (BitFolk Ltd.) <andy@bitfolk.com>" [unknown]
gpg: aka "Andy Smith (Linux User Groups UK) <andy@lug.org.uk>" [unknown]
gpg: aka "Andy Smith (Cernio Technology Cooperative) <andy.smith@cernio.com>" [unknown]

Hi,

Apologies up front that the subject line reads like some sort of
passive-aggressive dodge ("I Am Sorry If You Feel You Have Been
Abused By Us", or "I Could Tell You But Then You Would Have To Be
Destroyed By Me"¹), but I didn't want to use language like

    THERE HAS BEEN A COMPROMISE OF YOUR DATA
…because at the heart of this is a miscommunication on my part, of a
situation that has existed forever. Essentially nothing has changed
but it is perhaps surprising to some that things were/are the way
they are.

== The issue ==

If you are logged in to BitFolk's Grafana² to look at the graphs of
your service, then you can look at the queries that the JavaScript
is sending, edit some of the placeholders, and look at graphs for
any other BitFolk customer.

This was known by me when I set up our Grafana last
October/November. The possibility of logged-in users sending
arbitrary queries was raised to me at the time by a couple of
people, and my response to that was to set some ACLs such that only
the specific queries that correspond to defined dashboards are
allowed. That is, the things that you can see can also be seen by
any logged in user if they make some trivial effort to do so.

I thought this was acceptable because with our previous solution
(Cacti), all users' graphs were visible by anyone on the Internet,
and that was the case from some time in 2007 up until late last
year. So in fact the current Grafana is more restrictive than Cacti
was.

I thought that this had been adequately communicated to you, the
customer base, including to the people who had raised concerns about
the Prometheus/Grafana security model.

I was wrong. Conrad Wood was one of the people who kindly advised me
when I was setting up Grafana/Prometheus; Conrad did warn me about
this issue as did a couple of other people, and I thought that I had
communicated what my solution was going to be (and that it was
actually stricter than Cacti was), but I might not have.

That suggests that there will be other customers who are unaware of
this, and unhappy about it.

== What we will do about it ==

I don't want customers to be unhappy, so what I will do is work on
tightening up the ACLs such that logged-in users can only use the
label/placeholder values that pertain to them.

I will work on this as a priority but I think it will still take a
couple of weeks to do.

In the meantime, if you are not comfortable with the situation that
any other user can craft a query to look at your CPU / bandwidth /
block IO stats, please drop an email to support@??? and I
will block all non-admin access to your stats. That will include
your own access.

== Don't shoot the messenger ==

I appreciate that many of you probably will not care that other
customers could with some minor effort look at your graphs. The fact
that Conrad doesn't think it's acceptable, and repeatedly tried to
tell me that (but I failed to communicate and our wires initially
got crossed), probably means that there are some other customers for
whom this is news and who would be unhappy about it.

So I thank Conrad for bringing it to my attention again; I have
adjusted my viewpoint; I will restrict it; it would not be useful
for anyone to comment that they personally don't care. There will be
others who care, and this is for them.

(I did check with Conrad that they wanted to be named here and they
indicated that would be fine. If they'd said no then I'd just have
said, "a customer has brought to my attention…")

Thanks for reading, and I apologise for not making the situation
about visibility of stats clear throughout this long period of time.

Cheers,
Andy

¹ https://www.amazon.com/Could-Tell-Then-Would-Destroyed/dp/193555414X

² https://tools.bitfolk.com/grafana/

--
https://bitfolk.com/ -- No-nonsense VPS hosting
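The message above describes two access-control policies for dashboard queries: the original one, where any logged-in user may send a query as long as it has the exact shape of a defined dashboard query (placeholders filled with whatever value the client chooses), and the tightened one, where the placeholder values must also belong to the requesting customer. The following is an added example, not BitFolk's code or configuration, that models both checks side by side. The dashboard query templates, the `$instance` placeholder, the customer names and the ownership map are all constructed for the example; a real deployment would typically do the same job with a label-enforcing proxy between Grafana and Prometheus, and would take ownership data from its customer database rather than a dictionary.

```python
"""
Added example (not BitFolk's code): a small query gate that models the two
ACL policies described in the announcement for a Grafana/Prometheus front end.

  - allow_by_template(): the original policy. A query is allowed if, with
    its placeholders filled in, it matches one of the queries a defined
    dashboard sends. Any logged-in user can supply any placeholder value,
    so they can view other customers' series.
  - allow_by_template_and_owner(): the tightened policy. Every placeholder
    value must additionally belong to the requesting user.

Templates, label names, user names and ownership data are constructed for
this example and are not real identifiers.
"""
import re

# Constructed dashboard query templates. $instance is the placeholder that
# Grafana's JavaScript fills in client-side, which is why its value cannot
# be trusted by the server.
DASHBOARD_TEMPLATES = {
    "cpu": 'rate(node_cpu_seconds_total{instance="$instance",mode!="idle"}[5m])',
    "net": 'rate(node_network_transmit_bytes_total{instance="$instance"}[5m])',
    "io":  'rate(node_disk_io_time_seconds_total{instance="$instance"}[5m])',
}

# Constructed ownership map: which instance labels each customer may query.
OWNERSHIP = {
    "alice": {"alice-vps.example:9100"},
    "bob":   {"bob-vps.example:9100", "bob-vps2.example:9100"},
}

PLACEHOLDER = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")


def _template_to_regex(template):
    """Turn a template into a regex whose placeholders capture the supplied
    values. Everything else is matched literally, so only the exact query
    shapes a dashboard emits can get through."""
    pattern = ""
    pos = 0
    seen = set()
    for m in PLACEHOLDER.finditer(template):
        pattern += re.escape(template[pos:m.start()])
        name = m.group(1)
        if name in seen:
            # A repeated placeholder must carry the same value each time.
            pattern += r"(?P=%s)" % name
        else:
            # Values may not contain a quote or brace: that blocks closing
            # the label matcher early and appending extra selectors.
            pattern += r'(?P<%s>[^"{}]+)' % name
            seen.add(name)
        pos = m.end()
    pattern += re.escape(template[pos:])
    return re.compile(r"\A" + pattern + r"\Z")


COMPILED = {name: _template_to_regex(t) for name, t in DASHBOARD_TEMPLATES.items()}


def match_dashboard(query):
    """Return (dashboard name, placeholder values) if the query is one a
    dashboard would send, else None."""
    for name, rx in COMPILED.items():
        m = rx.match(query)
        if m:
            return name, m.groupdict()
    return None


def allow_by_template(user, query):
    """Original policy: shape-only check. The user's identity is ignored."""
    return match_dashboard(query) is not None


def allow_by_template_and_owner(user, query):
    """Tightened policy: the query must match a dashboard AND every
    placeholder value must be one the user owns."""
    found = match_dashboard(query)
    if found is None:
        return False
    _, values = found
    owned = OWNERSHIP.get(user, set())
    return all(v in owned for v in values.values())


if __name__ == "__main__":
    q = DASHBOARD_TEMPLATES["cpu"].replace("$instance", "bob-vps.example:9100")
    print("alice, shape-only check:", allow_by_template("alice", q))
    print("alice, ownership check: ", allow_by_template_and_owner("alice", q))
```

The two functions differ only in the final ownership step, which is exactly the gap the message describes: a shape-only allowlist stops arbitrary PromQL but says nothing about whose series the allowed shape is pointed at. Note that the shape check also refuses any placeholder value containing a quote or brace, so a value cannot be used to smuggle in an extra label matcher.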
_______________________________________________
announce mailing list
announce@???
https://lists.bitfolk.com/mailman/listinfo/announce