commit
45626c947c
|
@ -272,7 +272,7 @@ Verisign/Symantec and CloudCA
|
||||||
|
|
||||||
Authentication
|
Authentication
|
||||||
--------------
|
--------------
|
||||||
Lemur currently supports Basic Authentication and Ping OAuth2 out of the box, additional flows can be added relatively easily
|
Lemur currently supports Basic Authentication and Ping OAuth2 out of the box, additional flows can be added relatively easily.
|
||||||
If you are not using Ping you do not need to configure any of these options.
|
If you are not using Ping you do not need to configure any of these options.
|
||||||
|
|
||||||
For more information about how to use social logins, see: `Satellizer <https://github.com/sahat/satellizer>`_
|
For more information about how to use social logins, see: `Satellizer <https://github.com/sahat/satellizer>`_
|
||||||
|
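Review bot: the first sentence of this hunk is still a comma splice after the added full stop ("... out of the box, additional flows can be added relatively easily."). Suggest splitting it: "Lemur currently supports Basic Authentication and Ping OAuth2 out of the box. Additional flows can be added relatively easily."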
@ -368,7 +368,7 @@ Next we will create the the Lemur IAM role. Lemur
|
||||||
|
|
||||||
..note::
|
..note::
|
||||||
|
|
||||||
The default IAM role that Lemur assumes into is called `Lemur`, if you need to change this ensure you set `LEMUR_INSTANCE_PROFILE` to your role name in the configuration.
|
The default IAM role that Lemur assumes into is called `Lemur`, if you need to change this ensure you set `LEMUR_INSTANCE_PROFILE` to your role name in the configuration.
|
||||||
|
|
||||||
|
|
||||||
Here is an example policy for Lemur:
|
Here is an example policy for Lemur:
|
||||||
|
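Review bot: the `..note::` directive in this hunk is missing the space after the two dots, so Sphinx will not recognise it as a directive and the IAM-role remark about `LEMUR_INSTANCE_PROFILE` renders as plain text instead of an admonition box. Since this hunk already touches the surrounding lines, change it to `.. note::` (as the later hunk in this commit already writes it).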
@ -495,7 +495,7 @@ Upgrading Lemur
|
||||||
===============
|
===============
|
||||||
|
|
||||||
Lemur provides an easy way to upgrade between versions. Simply download the newest
|
Lemur provides an easy way to upgrade between versions. Simply download the newest
|
||||||
version of Lemur from pypi and then apply any schema cahnges with the following command.
|
version of Lemur from pypi and then apply any schema changes with the following command.
|
||||||
|
|
||||||
.. code-block:: bash
|
.. code-block:: bash
|
||||||
|
|
||||||
|
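Review bot: while fixing "cahnges" here, also capitalise the package index name: "from PyPI" rather than "from pypi", to match the project's other documentation.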
@ -595,7 +595,7 @@ All commands default to `~/.lemur/lemur.conf.py` if a configuration is not speci
|
||||||
Sub-commands
|
Sub-commands
|
||||||
------------
|
------------
|
||||||
|
|
||||||
Lemur includes several sub-commands for interacting with Lemur such as created new users, creating new roles and even
|
Lemur includes several sub-commands for interacting with Lemur such as creating new users, creating new roles and even
|
||||||
issuing certificates.
|
issuing certificates.
|
||||||
|
|
||||||
The best way to discovery these commands is by using the built in help pages
|
The best way to discovery these commands is by using the built in help pages
|
||||||
|
|
|
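Review bot: the unchanged context line "The best way to discovery these commands is by using the built in help pages" has the same kind of error this hunk fixes and is missing a terminal full stop; since the line is already in the hunk's context, suggest "The best way to discover these commands is by using the built-in help pages."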
@ -8,7 +8,7 @@ Several interfaces exist for extending Lemur:
|
||||||
* Source (lemur.plugins.base.source)
|
* Source (lemur.plugins.base.source)
|
||||||
* Notification (lemur.plugins.base.notification)
|
* Notification (lemur.plugins.base.notification)
|
||||||
|
|
||||||
Each interface has its own function that will need to be defined in order for
|
Each interface has its own functions that will need to be defined in order for
|
||||||
your plugin to work correctly. See :ref:`Plugin Interfaces <PluginInterfaces>` for details.
|
your plugin to work correctly. See :ref:`Plugin Interfaces <PluginInterfaces>` for details.
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -6,18 +6,19 @@ There are several steps needed to make Lemur production ready. Here we focus on
|
||||||
Basics
|
Basics
|
||||||
======
|
======
|
||||||
|
|
||||||
Because of the sensitivity of the information stored and maintain by Lemur it is important that you follow standard host hardening practices:
|
Because of the sensitivity of the information stored and maintained by Lemur it is important that you follow standard host hardening practices:
|
||||||
|
|
||||||
- Run Lemur with a limited user
|
- Run Lemur with a limited user
|
||||||
- Disabled any unneeded service
|
- Disabled any unneeded services
|
||||||
- Enable remote logging
|
- Enable remote logging
|
||||||
|
- Restrict access to host
|
||||||
|
|
||||||
.. _CredentialManagement:
|
.. _CredentialManagement:
|
||||||
|
|
||||||
Credential Management
|
Credential Management
|
||||||
---------------------
|
---------------------
|
||||||
|
|
||||||
Lemur often contains credentials such as mutual SSL keys that are used to communicate with third party resources and for encrypting stored secrets. Lemur comes with the ability
|
Lemur often contains credentials such as mutual TLS keys or API tokens that are used to communicate with third party resources and for encrypting stored secrets. Lemur comes with the ability
|
||||||
to automatically encrypt these keys such that your keys not be in clear text.
|
to automatically encrypt these keys such that your keys not be in clear text.
|
||||||
|
|
||||||
The keys are located within lemur/keys and broken down by environment
|
The keys are located within lemur/keys and broken down by environment
|
||||||
|
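Review bot: "Disabled any unneeded services" is still in the wrong form for an instruction; the other bullets are imperative ("Run", "Enable", "Restrict"), so it should read "Disable any unneeded services". Two further issues in this hunk's context lines: "such that your keys not be in clear text" is missing a verb ("such that your keys will not be in clear text"), and "The keys are located within lemur/keys and broken down by environment" lacks a full stop. Given the security intent of the list, the new bullet would also be clearer as "Restrict network access to the host".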
@ -30,7 +31,7 @@ and
|
||||||
|
|
||||||
``lemur unlock``
|
``lemur unlock``
|
||||||
|
|
||||||
If you choose to use this feature ensure that the KEY are decrypted before Lemur starts as it will have trouble communicating with the database otherwise.
|
If you choose to use this feature ensure that the keys are decrypted before Lemur starts as it will have trouble communicating with the database otherwise.
|
||||||
|
|
||||||
Entropy
|
Entropy
|
||||||
-------
|
-------
|
||||||
|
@ -56,8 +57,8 @@ For additional information about OpenSSL entropy issues:
|
||||||
- `Managing and Understanding Entropy Usage <https://www.blackhat.com/docs/us-15/materials/us-15-Potter-Understanding-And-Managing-Entropy-Usage.pdf>`_
|
- `Managing and Understanding Entropy Usage <https://www.blackhat.com/docs/us-15/materials/us-15-Potter-Understanding-And-Managing-Entropy-Usage.pdf>`_
|
||||||
|
|
||||||
|
|
||||||
SSL
|
TLS/SSL
|
||||||
====
|
=======
|
||||||
|
|
||||||
Nginx
|
Nginx
|
||||||
-----
|
-----
|
||||||
|
@ -127,10 +128,10 @@ You can make some adjustments to get a better user experience::
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
This makes Nginx serve the favicon and static files which is is much better at than python.
|
This makes Nginx serve the favicon and static files which it is much better at than python.
|
||||||
|
|
||||||
It is highly recommended that you deploy SSL when deploying Lemur. This may be obvious given Lemur's purpose but the
|
It is highly recommended that you deploy TLS when deploying Lemur. This may be obvious given Lemur's purpose but the
|
||||||
sensitive nature of Lemur and what it controls makes this essential. This is a sample config for Lemur that also terminates SSL::
|
sensitive nature of Lemur and what it controls makes this essential. This is a sample config for Lemur that also terminates TLS::
|
||||||
|
|
||||||
server_tokens off;
|
server_tokens off;
|
||||||
add_header X-Frame-Options DENY;
|
add_header X-Frame-Options DENY;
|
||||||
|
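Review bot: "than python" should be "than Python" (proper noun) in the sentence about Nginx serving static files; it sits in this hunk's context and is a one-character change alongside the "is is" fix.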
@ -218,7 +219,7 @@ An example apache config::
|
||||||
...
|
...
|
||||||
</VirtualHost>
|
</VirtualHost>
|
||||||
|
|
||||||
Also included in the configurations above are several best practices when it comes to deploying SSL. Things like enabling
|
Also included in the configurations above are several best practices when it comes to deploying TLS. Things like enabling
|
||||||
HSTS, disabling vulnerable ciphers are all good ideas when it comes to deploying Lemur into a production environment.
|
HSTS, disabling vulnerable ciphers are all good ideas when it comes to deploying Lemur into a production environment.
|
||||||
|
|
||||||
.. note::
|
.. note::
|
||||||
|
|
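Review bot: the sentence "Things like enabling HSTS, disabling vulnerable ciphers are all good ideas" is grammatically incomplete; suggest "Enabling HSTS and disabling vulnerable ciphers are both good ideas when deploying Lemur into a production environment."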
4
setup.py
4
setup.py
|
@ -112,13 +112,15 @@ class BuildStatic(Command):
|
||||||
|
|
||||||
def run(self):
|
def run(self):
|
||||||
log.info("running [npm install --quiet] in {0}".format(ROOT))
|
log.info("running [npm install --quiet] in {0}".format(ROOT))
|
||||||
|
try:
|
||||||
check_output(['npm', 'install', '--quiet'], cwd=ROOT)
|
check_output(['npm', 'install', '--quiet'], cwd=ROOT)
|
||||||
|
|
||||||
log.info("running [gulp build]")
|
log.info("running [gulp build]")
|
||||||
check_output([os.path.join(ROOT, 'node_modules', '.bin', 'gulp'), 'build'], cwd=ROOT)
|
check_output([os.path.join(ROOT, 'node_modules', '.bin', 'gulp'), 'build'], cwd=ROOT)
|
||||||
log.info("running [gulp package]")
|
log.info("running [gulp package]")
|
||||||
check_output([os.path.join(ROOT, 'node_modules', '.bin', 'gulp'), 'package'], cwd=ROOT)
|
check_output([os.path.join(ROOT, 'node_modules', '.bin', 'gulp'), 'package'], cwd=ROOT)
|
||||||
|
except Exception as e:
|
||||||
|
log.warning("Unable to build static content")
|
||||||
|
|
||||||
setup(
|
setup(
|
||||||
name='lemur',
|
name='lemur',
|
||||||
|
|
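Review bot: the new `except Exception as e:` swallows every failure of the `npm install` and `gulp` steps and logs only "Unable to build static content", so a package built without its static assets (because `npm` is not installed, the network is down, or `gulp build` exits non-zero) is produced silently; `e` is also bound but never used. At minimum include the cause in the warning, e.g. `log.warning("Unable to build static content: %s", e)`, and narrow the clause to the errors this code can actually raise (`subprocess.CalledProcessError` and `OSError`) rather than `Exception`. Consider whether a failed static build should really be non-fatal for a release build, since `check_output` was chosen precisely so a non-zero exit would fail the command.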