Security Improvement: Database connections using integrated service users of cloud providers #2111

Open
1 task done
ZuitAMB opened this issue Nov 28, 2024 · 1 comment
Labels
api (Indicates api related issue or feature), feature (Indicates a new feature implementation), good first issue (Good for newcomers)

Comments

ZuitAMB commented Nov 28, 2024

  • I have searched the issues of this repository and believe that this is not a duplicate.

Description 💡

Currently, TruBudget can use an optional database in a few containers:

  • API (used for session management)
  • Notification service (to use user information like mail addresses off-chain)
  • Authbuddy (used for mappings)

At the moment, authentication is performed using simple username/password combinations (see here).

From a security point of view, an option to use Role Based Access e.g. of an identity or service user assigned to the container would be even more secure. The password could be replaced by dynamic access tokens, and the rights could be managed and reviewed centrally.

Options are available on various clouds, e.g.:

Azure

  • Use Identity to get a token to use as password
  • reference

AWS

  • On AWS we could also use their IAM management, to get a token as a one time password
  • reference

Google Cloud

  • Google Cloud also supports IAM authentication
  • reference

Similar features are available on smaller clouds.

If added, such a more advanced authentication pattern should be optional, so the simpler "username/password" option would also stay usable. But the possibility to enable the most advanced authentications, e.g. for TruBudget containers running on AWS, Azure or Google, would be great.

As a start, Azure support would be nice.

@ZuitAMB ZuitAMB added the feature Indicates a new feature implementation label Nov 28, 2024
@issuelabeler issuelabeler bot added the api Indicates api related issue or feature label Nov 28, 2024
@SamuelPull SamuelPull self-assigned this Dec 2, 2024
@jzakotnik jzakotnik added the good first issue Good for newcomers label Dec 2, 2024
@SamuelPull SamuelPull removed their assignment Dec 2, 2024
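
Added example, not part of the issue thread and not TruBudget code: one way the requested opt-in could look for the Azure case, with a password callback that returns a managed-identity token from the Azure Instance Metadata Service, renews it before expiry, and otherwise keeps the static password path. The `authMode` and `password` config fields, the `deps` hooks and the five-minute refresh margin are assumptions made for the sketch.

```javascript
// Added example, not TruBudget code. Config field names are hypothetical.
const IMDS_URL = "http://169.254.169.254/metadata/identity/oauth2/token";
// Token audience for Azure Database for PostgreSQL (Microsoft Entra auth).
const PG_RESOURCE = "https://ossrdbms-aad.database.windows.net";
const REFRESH_MARGIN_S = 300; // assumed margin: renew 5 minutes before expiry

// Ask the Azure Instance Metadata Service for a managed-identity token.
async function fetchImdsToken(fetchFn = fetch) {
  const qs = new URLSearchParams({ "api-version": "2018-02-01", resource: PG_RESOURCE });
  const res = await fetchFn(`${IMDS_URL}?${qs}`, { headers: { Metadata: "true" } });
  if (!res.ok) throw new Error(`IMDS token request failed: HTTP ${res.status}`);
  const body = await res.json();
  // IMDS returns expires_on as a string of Unix seconds.
  return { token: body.access_token, expiresOn: Number(body.expires_on) };
}

// Returns an async function for use wherever a DB client accepts a password callback.
function makePasswordProvider(cfg, deps = {}) {
  const now = deps.now || (() => Math.floor(Date.now() / 1000));
  const fetchToken = deps.fetchToken || (() => fetchImdsToken());
  if (cfg.authMode !== "azure-identity") {
    // Default: the existing static username/password path stays usable.
    if (!cfg.password) throw new Error("password required for static auth");
    return async () => cfg.password;
  }
  let cached = null;
  let inflight = null;
  return async () => {
    if (cached && cached.expiresOn - now() > REFRESH_MARGIN_S) return cached.token;
    // Share one request between concurrent callers (e.g. a pool opening connections).
    if (!inflight) {
      inflight = fetchToken()
        .then((t) => {
          // Fail closed: never hand a malformed or missing token to the driver.
          if (!t.token || !Number.isFinite(t.expiresOn)) throw new Error("malformed token response");
          cached = t;
          return t.token;
        })
        .finally(() => { inflight = null; });
    }
    return inflight;
  };
}
```

node-postgres, for instance, accepts a function returning a string or promise for its `password` option, so a provider like this can be passed there directly; the token should never be written to logs, since it is a bearer credential for the database.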
Collaborator

SamuelPull commented Dec 2, 2024

Azure Postgresql connection #2113
