Posted to commits@devlake.apache.org by yu...@apache.org on 2022/09/30 09:25:33 UTC

[incubator-devlake-website] 01/02: docs: security and basic authentication

This is an automated email from the ASF dual-hosted git repository.

yumeng pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/incubator-devlake-website.git

commit bd911c01c006450ce891c53c7ec29751e8d340b5
Author: Klesh Wong <zh...@merico.dev>
AuthorDate: Fri Sep 30 16:22:39 2022 +0800

    docs: security and basic authentication
---
 docs/UserManuals/Authentication.md | 35 +++++++++++++++++++++++++++++++++++
 1 file changed, 35 insertions(+)

diff --git a/docs/UserManuals/Authentication.md b/docs/UserManuals/Authentication.md
new file mode 100644
index 000000000..0df2b0ead
--- /dev/null
+++ b/docs/UserManuals/Authentication.md
@@ -0,0 +1,35 @@
+---
+title: "Security and Authentication"
+description: How to secure your deployment and enable the Authentication
+---
+
+The document explains how you can set up Apache DevLake in terms of security. First of all, there are 4 services included in deployment:
+
+- database: `postgress` and `mysql` are supported, you may choose one of them or any other compatible DBS like cloud-based systems. You should follow the document from the database to make it secure.
+- grafana: you are likely to use it most of the time, browsing built-in dashboards, and creating your own customized metric. grafana supports [User Management](https://grafana.com/docs/grafana/latest/administration/user-management/), please follow the official document to set it up based on your need.
+- devlake: this is the core service for Data Collection and Metric Calculation, all collected/calculated data would be stored to the database, and accessed by the `grafana` service. `devlake` itself doesn't support User Management of any kind, so we don't recommend that you expose its port to the outside world.
+- config-ui: a web interface to set up `devlake` to do the work. You may set up some automated `blueprint` and let it be. `config-ui` supports `Basic Authentication`, by simply set up the Environment Variable `ADMIN_USER` and `ADMIN_PASS` for the container. There are commented lines in `config-ui.environment` section in our `docker-compose.yml` file for your convenience.
+In General, we suggest that you reduce the Attack Surface as small as possible.
+
+
+### Internal Deployment (Recommended)
+
+- database: remove the `ports` if you don't need to access the database directly
+- devlake: remove the `ports` section. If you want to call the API directly, do it via `config-ui/api` endpoint.
+- grafana: we have no choice but to expose the `ports` for people to browse the dashboards. However, you may want to set up the User Management, and a read-only database account for `grafana`
+- config-ui: Normally, exposing the `ports` with `Basic Authentication` is sufficient for Internal Deployment, you may choose to remove the `ports` and use techniques like `k8s port-forwarding` or `expose-port-when-needed` to enhance the security. Keep in mind config-ui is NOT designed to be used by many people, and it shouldn't be. Do NOT grant access if NOT necessary.
+
+
+### Internet Deployment (NOT Recommended)
+
+THIS IS DANGEROUS, DON'T DO IT. If you insist, here are some suggestions you may follow, please consult Security Advisor before everything:
+
+- database: same as above.
+- grafana: same as above, plus, set up the `HTTPS` for the transportation.
+- devlake: same as above.
+- config-ui: same as above, plus, use port-forward if you are using `k8s`, otherwise, set up `HTTPS` for the transportation.
+
+
+## Disclaimer
+
+Security is complicated, all suggestions listed above are based on what we learned so far. Apache Devlake makes no guarantee of any kind, please consult your Security Advisor before applying.
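Review bot: the Internal Deployment bullet `config-ui: Normally, exposing the `ports` with `Basic Authentication` is sufficient` overstates what Basic Authentication gives you: HTTP Basic sends `ADMIN_USER`/`ADMIN_PASS` base64-encoded (not encrypted) on every request, so on plain HTTP anyone on the network path can read the credentials, and `HTTPS` is only mentioned in the Internet Deployment section. Suggest stating that Basic Authentication must be combined with TLS (or a reverse proxy that terminates TLS) whenever the `config-ui` port is reachable by more than the operator's own host, and moving the `HTTPS` advice up so it applies to both deployment modes. Smaller fixes in the same hunk: `postgress` should be `postgres`, `any other compatible DBS` should be `any other compatible database`, `by simply set up the Environment Variable` should be `by simply setting the environment variables`, and the sentence `In General, we suggest that you reduce the Attack Surface as small as possible.` follows the last bullet with no blank line, so Markdown renders it as part of the `config-ui` list item; add a blank line before it and reword to `keep the attack surface as small as possible`.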