Jaeger Security Assurance Case

docs/security/assurance-case.md

This document provides a security assurance case for the Jaeger project, demonstrating how security requirements are met through the application of secure design principles and mitigation of common implementation weaknesses.

Threat Model Summary

Jaeger is a distributed tracing system that collects, stores, and visualizes trace data from instrumented applications. The primary security concerns are:

  1. Data Confidentiality: Trace data may contain sensitive information (service names, endpoints, timing data)
  2. Data Integrity: Trace data should not be tampered with
  3. Availability: The tracing infrastructure should not become a DoS vector
  4. Access Control: Only authorized users should access trace data

Threat Actors

| Actor | Motivation | Capability |
|---|---|---|
| Malicious Internal Service | DoS, data injection | Network access to collector |
| External Attacker | Data exfiltration, reconnaissance | Varies based on deployment |
| Unauthorized User | Access to sensitive traces | UI/API access |

For detailed threat analysis, see threat-model.md.

Trust Boundaries

┌─────────────────────────────────────────────────────────────────┐
│                    External Network                              │
│  ┌──────────────┐                                               │
│  │ Instrumented │                                               │
│  │ Applications │ ─────────── BOUNDARY 1 ───────────────────┐   │
│  │ (OTel SDK)   │                                           │   │
│  └──────────────┘                                           ▼   │
│                                                    ┌────────────┤
│                                                    │  Jaeger    │
│                                                    │  Collector │
│                                                    └─────┬──────┤
│                                                          │      │
│                              ─────── BOUNDARY 2 ─────────┤      │
│                                                          ▼      │
│                                                    ┌────────────┤
│                                                    │  Storage   │
│                                                    │  Backend   │
│                                                    └─────┬──────┤
│                                                          │      │
│                              ─────── BOUNDARY 3 ─────────┤      │
│                                                          ▼      │
│  ┌──────────────┐                                 ┌────────────┤
│  │   Users      │ ─────────── BOUNDARY 4 ────────▶│   Jaeger   │
│  │  (Browser)   │                                 │   Query/UI │
│  └──────────────┘                                 └────────────┤
└─────────────────────────────────────────────────────────────────┘

| Boundary | From | To | Security Controls |
|---|---|---|---|
| 1 | OTel SDK | Collector | TLS/mTLS, rate limiting |
| 2 | Collector | Storage | TLS, authentication |
| 3 | Storage | Query | TLS, authentication |
| 4 | Users | Query/UI | TLS, bearer tokens, RBAC |

Secure Design Principles

Economy of Mechanism

  • Implementation: Jaeger leverages established protocols (OTLP, gRPC) rather than custom implementations
  • Evidence: Uses OpenTelemetry Collector framework for core functionality

Fail-Safe Defaults

  • Implementation: TLS certificate verification is enabled by default when TLS is configured
  • Evidence: insecure_skip_verify must be explicitly set to disable verification
  • Note: TLS itself is opt-in to simplify initial testing and non-production deployments; for all production deployments, TLS (preferably mTLS where supported) MUST be enabled on all external and inter-service connections.
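The two bullets above make one concrete claim: a TLS block that never mentions insecure_skip_verify verifies the peer certificate, and the operator has to write that key to turn verification off. The Go snippet below is an added illustration, not Jaeger's own code: it models a TLS block with hypothetical field names (only the insecure_skip_verify key comes from this page), shows how Go's zero value gives the fail-safe default for free, and audits a constructed set of connections against the production rule stated in the note (TLS everywhere, verification never disabled, mTLS where required). File paths are placeholders.

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// TLSSettings mirrors the shape of one TLS block in a YAML configuration.
// The field names are hypothetical, chosen for this example; only the
// insecure_skip_verify flag is taken from the assurance case itself.
type TLSSettings struct {
	Enabled            bool   // TLS is opt-in, as the note above describes
	CAFile             string // trust anchor used to verify the peer
	CertFile           string // this side's certificate, needed for mTLS
	KeyFile            string // private key matching CertFile
	InsecureSkipVerify bool   // zero value false: verification stays on
}

// Connection is a named link between two components plus the policy that
// applies to it (for example, "the OTLP receiver must use mTLS").
type Connection struct {
	Name        string
	TLS         TLSSettings
	RequireMTLS bool
}

// Finding records one production-readiness problem with a connection.
type Finding struct {
	Connection string
	Problem    string
}

// ClientConfig turns the settings into a crypto/tls config. An operator who
// never writes insecure_skip_verify gets InsecureSkipVerify == false, so the
// peer certificate is verified unless verification is explicitly switched off.
func ClientConfig(s TLSSettings) *tls.Config {
	if !s.Enabled {
		return nil // plaintext; AuditTLS flags this for production deployments
	}
	return &tls.Config{
		MinVersion:         tls.VersionTLS12,
		InsecureSkipVerify: s.InsecureSkipVerify,
	}
}

// AuditTLS applies the production rule from the note above to every
// connection: TLS enabled everywhere, verification never disabled, and a
// client certificate present wherever mTLS is required.
func AuditTLS(conns []Connection) []Finding {
	var findings []Finding
	for _, c := range conns {
		if !c.TLS.Enabled {
			findings = append(findings, Finding{c.Name, "TLS is disabled"})
			continue
		}
		if c.TLS.InsecureSkipVerify {
			findings = append(findings, Finding{c.Name, "insecure_skip_verify disables certificate verification"})
		}
		if c.RequireMTLS && (c.TLS.CertFile == "" || c.TLS.KeyFile == "") {
			findings = append(findings, Finding{c.Name, "mTLS required but no client certificate configured"})
		}
	}
	return findings
}

// SampleDeployment is constructed input: three connections with placeholder
// file paths, one deliberately misconfigured and one left in plaintext.
func SampleDeployment() []Connection {
	return []Connection{
		{Name: "otlp-receiver", RequireMTLS: true, TLS: TLSSettings{
			Enabled: true, CAFile: "/path/to/ca.pem",
			CertFile: "/path/to/collector.pem", KeyFile: "/path/to/collector-key.pem"}},
		{Name: "storage-client", TLS: TLSSettings{
			Enabled: true, CAFile: "/path/to/ca.pem", InsecureSkipVerify: true}},
		{Name: "query-http"}, // operator never enabled TLS: zero-value settings
	}
}

func main() {
	for _, f := range AuditTLS(SampleDeployment()) {
		fmt.Printf("%-15s %s\n", f.Connection, f.Problem)
	}
}
```

Running it reports the storage client (verification switched off) and the query HTTP listener (no TLS at all); the OTLP receiver passes because it enables TLS, keeps verification on, and presents a certificate for mTLS. The useful property is that nothing in AuditTLS has to test for a missing key: leaving insecure_skip_verify out of the configuration is the safe state.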

Complete Mediation

  • Implementation: All API endpoints pass through authentication whenever it is configured
  • Evidence: Bearer token and RBAC support at Query service level

Open Design

  • Implementation: All source code is publicly available on GitHub
  • Evidence: Apache 2.0 license, public security documentation

Separation of Privilege

  • Implementation: Different components (Collector, Query) can be deployed with different access levels
  • Evidence: Collector only writes, Query only reads from storage

Least Privilege

  • Implementation: Storage credentials can be scoped to minimum required permissions
  • Evidence: Separate read/write keyspaces supported for Cassandra

Least Common Mechanism

  • Implementation: Admin endpoints separated from data endpoints
  • Evidence: Separate ports for admin, metrics, and data APIs

Psychological Acceptability

  • Implementation: Security is configurable via standard YAML configuration
  • Evidence: Consistent TLS configuration across all components

Common Weakness Mitigations

OWASP Top 10 / CWE Top 25 Coverage

| Weakness | Mitigation |
|---|---|
| Injection (CWE-89, CWE-79) | Structured data formats (protobuf/OTLP), parameterized storage queries |
| Broken Authentication (CWE-287) | Bearer tokens, OAuth2, mTLS support |
| Sensitive Data Exposure (CWE-200) | TLS for all communications, no credentials in traces |
| XML External Entities | Not applicable - uses protobuf/JSON |
| Broken Access Control (CWE-284) | RBAC support in Query service |
| Security Misconfiguration | Secure defaults where possible, configuration validation |
| Cross-Site Scripting (CWE-79) | UI built with React (auto-escaping), CSP headers |
| Insecure Deserialization (CWE-502) | Uses protobuf with schema validation |
| Insufficient Logging | Comprehensive logging in all components |
| SSRF (CWE-918) | No user-controlled URLs in backend requests |

Go-Specific Security

| Practice | Implementation |
|---|---|
| Memory Safety | Go's inherent memory safety |
| Integer Overflow | Go's bounds checking |
| Race Conditions | Go's race detector in CI |
| Dependency Security | Dependabot, daily vulnerability scans |

Security Controls

Build and Release

| Control | Implementation |
|---|---|
| Signed Commits | DCO required for all contributions |
| Signed Releases | GPG-signed tags and artifacts |
| SBOM | Generated for each release |
| Container Security | Minimal base images (alpine/scratch) |
| Supply Chain | Harden-Runner, pinned dependencies |

Runtime

| Control | Implementation |
|---|---|
| TLS/mTLS | Configurable for all connections |
| Authentication | Bearer tokens, OAuth2, Kerberos |
| Rate Limiting | Configurable at collector |
| Input Validation | OTLP schema validation, size limits |
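The runtime table lists rate limiting at the collector and size limits on input as the controls behind the availability requirement in the threat model (the collector must not become a DoS vector). The Go program below is an added example, not Jaeger's own ingestion code and not its configuration schema: it shows the two controls working together at the point where a request enters the collector. A constructed batch carries a source identity and an encoded size; an oversized request is rejected before any decoding work, and each source gets a small token bucket so a single misbehaving internal service cannot starve the others. Limit values, source names and sizes are all made up for the example.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Batch is a constructed stand-in for one incoming export request: the
// source identity the collector attached to the connection, and the size
// of the encoded request in bytes.
type Batch struct {
	Source string
	Bytes  int
}

var (
	ErrTooLarge    = errors.New("request exceeds the maximum receive size")
	ErrRateLimited = errors.New("source exceeded its ingestion rate")
)

// tokenBucket is a minimal per-source limiter: up to capacity tokens,
// refilled at rate tokens per second, one token per admitted request.
type tokenBucket struct {
	tokens, capacity, rate float64
	last                   time.Time
}

func (b *tokenBucket) take(now time.Time) bool {
	b.tokens += now.Sub(b.last).Seconds() * b.rate
	if b.tokens > b.capacity {
		b.tokens = b.capacity
	}
	b.last = now
	if b.tokens < 1 {
		return false
	}
	b.tokens--
	return true
}

// IngestGuard enforces two of the runtime controls above: a maximum request
// size and a per-source rate limit, both of which would be operator-configured.
type IngestGuard struct {
	MaxBytes int
	Rate     float64 // sustained requests per second per source
	Burst    float64 // short-term allowance per source
	buckets  map[string]*tokenBucket
}

func NewIngestGuard(maxBytes int, rate, burst float64) *IngestGuard {
	return &IngestGuard{MaxBytes: maxBytes, Rate: rate, Burst: burst, buckets: map[string]*tokenBucket{}}
}

// Admit decides whether a batch may proceed to decoding. The size check runs
// first so an oversized payload is rejected before any decoding work is spent.
func (g *IngestGuard) Admit(b Batch, now time.Time) error {
	if b.Bytes > g.MaxBytes {
		return ErrTooLarge
	}
	bucket, ok := g.buckets[b.Source]
	if !ok {
		bucket = &tokenBucket{tokens: g.Burst, capacity: g.Burst, rate: g.Rate, last: now}
		g.buckets[b.Source] = bucket
	}
	if !bucket.take(now) {
		return ErrRateLimited
	}
	return nil
}

// Replay feeds batches through the guard at a fixed interval from a fixed
// start time and returns each decision, so the behaviour is deterministic.
func Replay(g *IngestGuard, batches []Batch, interval time.Duration) []error {
	start := time.Unix(0, 0)
	out := make([]error, len(batches))
	for i, b := range batches {
		out[i] = g.Admit(b, start.Add(time.Duration(i)*interval))
	}
	return out
}

// SampleRun is constructed traffic: svc-a sends small batches faster than
// its 10/s allowance, and svc-b sends one request over the size limit.
func SampleRun() []error {
	guard := NewIngestGuard(4<<20, 10, 3) // 4 MiB limit, 10 req/s, burst of 3
	batches := []Batch{
		{"svc-a", 1024}, {"svc-a", 1024}, {"svc-a", 1024},
		{"svc-a", 1024}, {"svc-a", 1024},
		{"svc-b", 8 << 20},
		{"svc-a", 1024},
	}
	return Replay(guard, batches, 10*time.Millisecond)
}

func main() {
	for i, err := range SampleRun() {
		fmt.Printf("batch %d: %v\n", i, err)
	}
}
```

With batches arriving every 10 ms, svc-a's first three requests spend its burst, the next two are rate limited because only a tenth of a token has refilled between them, svc-b's 8 MiB request is refused on size alone, and svc-a's final request is still over its rate. The rejection counters are also where detection belongs: a steady stream of size or rate rejections from one source is the signal that an internal service is misconfigured or misbehaving.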

References