From 69a7b74c30e96cd945ce914edbc5292991e20f98 Mon Sep 17 00:00:00 2001 From: Julien Pivotto Date: Fri, 15 May 2020 18:50:29 +0200 Subject: [PATCH 1/4] Add a note about browsers Signed-off-by: Julien Pivotto --- content/docs/operating/security.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/content/docs/operating/security.md b/content/docs/operating/security.md index 7768ad575..96a7cacda 100644 --- a/content/docs/operating/security.md +++ b/content/docs/operating/security.md @@ -202,6 +202,17 @@ environment variable as used by EC2 service discovery) may end up exposed due to code outside of our control or due to functionality that happens to expose wherever it is stored. +## Browser local storage + +Prometheus and Alertmanager store data in the local storage. The history of the +queries made using the Prometheus web UI, and the creator of a silence in +Alertmanager are save locally, amongst other data. + +We expect that no secrets are entered into those fields and that browser +sessions are not shared between users. If the same browser is accessed by +multiple users, they might have access to other users' local query history in +Prometheus or name in Alertmanager. + ## Denial of Service There are some mitigations in place for excess load or expensive queries. From c879a588048f1966601ef4f75aab5499127af16f Mon Sep 17 00:00:00 2001 From: Julien Pivotto Date: Fri, 15 May 2020 18:52:15 +0200 Subject: [PATCH 2/4] Clarity Signed-off-by: Julien Pivotto --- content/docs/operating/security.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/content/docs/operating/security.md b/content/docs/operating/security.md index 96a7cacda..138b73db3 100644 --- a/content/docs/operating/security.md +++ b/content/docs/operating/security.md @@ -1,4 +1,5 @@ --- + title: Security sort_rank: 4 --- 
@@ -204,9 +205,10 @@ wherever it is stored. ## Browser local storage -Prometheus and Alertmanager store data in the local storage. The history of the -queries made using the Prometheus web UI, and the creator of a silence in -Alertmanager are save locally, amongst other data. +Prometheus and Alertmanager web interfaces store data in the local storage of +the web browser. The history of the queries made using the Prometheus web UI, +and the creator of a silence in Alertmanager are save locally, amongst other +data. We expect that no secrets are entered into those fields and that browser sessions are not shared between users. If the same browser is accessed by From 1461e7dccfdd0914fe76c3b60871302c3d6854ff Mon Sep 17 00:00:00 2001 From: Julien Pivotto Date: Fri, 15 May 2020 18:53:20 +0200 Subject: [PATCH 3/4] remove bl Signed-off-by: Julien Pivotto --- content/docs/operating/security.md | 1 - 1 file changed, 1 deletion(-) diff --git a/content/docs/operating/security.md b/content/docs/operating/security.md index 138b73db3..6bc1d2c46 100644 --- a/content/docs/operating/security.md +++ b/content/docs/operating/security.md @@ -1,5 +1,4 @@ --- - title: Security sort_rank: 4 --- From 308f46bc2bb0a1321aea96f38244262174399f99 Mon Sep 17 00:00:00 2001 From: Julien Pivotto Date: Fri, 15 May 2020 19:01:31 +0200 Subject: [PATCH 4/4] Julius' comments Signed-off-by: Julien Pivotto --- content/docs/operating/security.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/docs/operating/security.md b/content/docs/operating/security.md index 6bc1d2c46..58678d661 100644 --- a/content/docs/operating/security.md +++ b/content/docs/operating/security.md 
@@ -205,8 +205,8 @@ wherever it is stored. ## Browser local storage Prometheus and Alertmanager web interfaces store data in the local storage of -the web browser. The history of the queries made using the Prometheus web UI, -and the creator of a silence in Alertmanager are save locally, amongst other +the web browser. The history of the queries made using the Prometheus web UI +and the creator of a silence in Alertmanager are saved locally, amongst other data. We expect that no secrets are entered into those fields and that browser
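Review bot: In [PATCH 1/4], the last added sentence ends with "or name in Alertmanager", which does not say whose name or which field, and the paragraph states an expectation without telling the operator of a shared workstation what to do about it. Suggest "or the silence creator name in Alertmanager", plus one sentence of guidance for shared machines, for example using separate browser profiles per user or clearing site data after use.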
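Review bot: In [PATCH 2/4], the hunk at `@@ -1,4 +1,5 @@` adds an empty line directly after the opening `---` of the front matter, which is unrelated to the wording change this commit is titled for. Drop that hunk; [PATCH 3/4] exists only to delete the same line again, so both can be squashed out of the series before merging.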
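Review bot: In [PATCH 2/4], the rewritten sentence in the hunk at `@@ -204,9 +205,10 @@` still reads "are save locally" and should read "are saved locally". Since this commit already rewrites those three lines for clarity, fix the verb here rather than in the follow-up commit, so no intermediate revision of the page carries the error.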
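Review bot: In [PATCH 4/4], the corrected sentence still closes with "amongst other data", and the next paragraph then refers to "those fields", so a reader cannot tell which inputs the no-secrets expectation covers or what else ends up in local storage. On a security page it would be better to name the covered inputs explicitly (the query expression field and the silence creator field) and either list the remaining stored items or state that the list is not exhaustive.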