mirror of https://github.com/dapr/docs.git
Merge branch 'v1.11' into issue_3400
This commit is contained in:
commit
6df4fc4e2d
|
@ -211,6 +211,21 @@ The Dapr threat model is below.
|
||||||
|
|
||||||
## Security audit
|
## Security audit
|
||||||
|
|
||||||
|
### June 2023
|
||||||
|
|
||||||
|
In June 2023, Dapr completed a fuzzing audit done by Ada Logics.
|
||||||
|
|
||||||
|
The audit achieved the following:
|
||||||
|
|
||||||
|
- OSS-Fuzz integration
|
||||||
|
- 39 new fuzzers for Dapr
|
||||||
|
- Fuzz test coverage for Dapr Runtime, Kit and Components-contrib
|
||||||
|
- All fuzzers running continuously after the audit has completed
|
||||||
|
|
||||||
|
You can find the full report [here](/docs/Dapr-june-2023-fuzzing-audit-report.pdf).
|
||||||
|
|
||||||
|
3 issues were found during the audit.
|
||||||
|
|
||||||
### February 2021
|
### February 2021
|
||||||
|
|
||||||
In February 2021, Dapr went through a 2nd security audit targeting its 1.0 release by Cure53.
|
In February 2021, Dapr went through a 2nd security audit targeting its 1.0 release by Cure53.
|
||||||
|
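Review bot: the closing line `3 issues were found during the audit.` gives a count but not the disposition of the findings, which is the first thing a reader of a security page looks for; state next to the report link whether the three issues were fixed before the audit closed or where they are tracked. Two smaller points in the same block: the bullet `All fuzzers running continuously after the audit has completed` should read `had completed` (or simply `after the audit`), and a sentence opening with a numeral reads better as `Three issues were found during the audit.`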
@ -255,4 +270,4 @@ Visit [this page]({{< ref support-security-issues.md >}}) to report a security i
|
||||||
|
|
||||||
## Related links
|
## Related links
|
||||||
|
|
||||||
[Operational Security]({{< ref "security.md" >}})
|
[Operational Security]({{< ref "security.md" >}})
|
||||||
|
|
|
@ -132,7 +132,7 @@ The following steps will show how to create an app that exposes a server for wit
|
||||||
"github.com/golang/protobuf/ptypes/empty"
|
"github.com/golang/protobuf/ptypes/empty"
|
||||||
|
|
||||||
commonv1pb "github.com/dapr/dapr/pkg/proto/common/v1"
|
commonv1pb "github.com/dapr/dapr/pkg/proto/common/v1"
|
||||||
pb "github.com/dapr/go-sdk/dapr/proto/runtime/v1"
|
pb "github.com/dapr/dapr/pkg/proto/runtime/v1"
|
||||||
"google.golang.org/grpc"
|
"google.golang.org/grpc"
|
||||||
)
|
)
|
||||||
```
|
```
|
||||||
|
|
|
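Review bot: switching the `pb` import from `github.com/dapr/go-sdk/dapr/proto/runtime/v1` to `github.com/dapr/dapr/pkg/proto/runtime/v1` makes the sample app depend on the full `dapr/dapr` module instead of the Go SDK, so the `go get` / `go.mod` instructions earlier in this how-to need to match, and every `pb.` identifier used later in the listing should be checked against the new package. While the import block is being touched, `github.com/golang/protobuf/ptypes/empty` is the deprecated API; `google.golang.org/protobuf/types/known/emptypb` is the maintained replacement.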
@ -37,6 +37,45 @@ If running on kubernetes apply the component to your cluster.
|
||||||
|
|
||||||
> **Note:** In production never place passwords or secrets within Dapr component files. For information on securely storing and retrieving secrets using secret stores refer to [Setup Secret Store]({{< ref setup-secret-store >}})
|
> **Note:** In production never place passwords or secrets within Dapr component files. For information on securely storing and retrieving secrets using secret stores refer to [Setup Secret Store]({{< ref setup-secret-store >}})
|
||||||
|
|
||||||
|
### Binding direction (optional)
|
||||||
|
|
||||||
|
In some scenarios, it would be useful to provide additional information to Dapr to indicate the direction supported by the binding component.
|
||||||
|
Providing the supported binding direction helps the Dapr sidecar avoid the `"wait for the app to become ready"` state, where it waits indefinitely for the application to become available.
|
||||||
|
|
||||||
|
You can specify the `direction` field as part of the component's metadata. The valid values for this field are:
|
||||||
|
- `"input"`
|
||||||
|
- `"output"`
|
||||||
|
- `"input, output"`
|
||||||
|
|
||||||
|
Here a few scenarios when the `"direction"` metadata field could help:
|
||||||
|
|
||||||
|
- When an application (detached from the sidecar) runs as a serverless workload and is scaled to zero, the `"wait for the app to become ready"` check done by the Dapr sidecar becomes pointless.
|
||||||
|
|
||||||
|
- If the detached Dapr sidecar is scaled to zero and the application reaches the sidecar (before even starting an HTTP server), the `"wait for the app to become ready"` deadlocks the app and the sidecar into waiting for each other.
|
||||||
|
|
||||||
|
### Example
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
apiVersion: dapr.io/v1alpha1
|
||||||
|
kind: Component
|
||||||
|
metadata:
|
||||||
|
name: kafkaevent
|
||||||
|
spec:
|
||||||
|
type: bindings.kafka
|
||||||
|
version: v1
|
||||||
|
metadata:
|
||||||
|
- name: brokers
|
||||||
|
value: "http://localhost:5050"
|
||||||
|
- name: topics
|
||||||
|
value: "someTopic"
|
||||||
|
- name: publishTopic
|
||||||
|
value: "someTopic2"
|
||||||
|
- name: consumerGroup
|
||||||
|
value: "group1"
|
||||||
|
- name: "direction"
|
||||||
|
value: "input, output"
|
||||||
|
```
|
||||||
|
|
||||||
## Invoking Service Code Through Input Bindings
|
## Invoking Service Code Through Input Bindings
|
||||||
|
|
||||||
A developer who wants to trigger their app using an input binding can listen on a `POST` http endpoint with the route name being the same as `metadata.name`.
|
A developer who wants to trigger their app using an input binding can listen on a `POST` http endpoint with the route name being the same as `metadata.name`.
|
||||||
|
|
|
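Review bot: the example component sets `brokers` to `"http://localhost:5050"`, but the Kafka binding's `brokers` field takes comma-separated `host:port` broker addresses (for example `localhost:9092`), not an HTTP URL, so anyone copying the block gets a connection failure unrelated to the `direction` field it is meant to demonstrate. Also in this hunk: `- name: "direction"` is the only quoted key in the metadata list while the others are bare, and the sentence `Here a few scenarios when the "direction" metadata field could help:` is missing `are`. Since the valid-values list shows `"input, output"` with a space, it would help to say whether that whitespace is significant.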
@ -22,22 +22,30 @@ spec:
|
||||||
version: v1
|
version: v1
|
||||||
metadata:
|
metadata:
|
||||||
- name: audience
|
- name: audience
|
||||||
value: "<your token audience; e.g. the application's client ID>"
|
value: "<your token audience; i.e. the application's client ID>"
|
||||||
- name: issuer
|
- name: issuer
|
||||||
value: "<your token issuer, e.g. 'https://accounts.google.com'>"
|
value: "<your token issuer, e.g. 'https://accounts.google.com'>"
|
||||||
|
|
||||||
# Optional values
|
# Optional values
|
||||||
- name: jwksURL
|
- name: jwksURL
|
||||||
value: "https://accounts.google.com/.well-known/openid-configuration"
|
value: "<JWKS URL, e.g. 'https://accounts.google.com/.well-known/openid-configuration'>"
|
||||||
```
|
```
|
||||||
|
|
||||||
## Spec metadata fields
|
## Spec metadata fields
|
||||||
|
|
||||||
| Field | Required | Details | Example |
|
| Field | Required | Details | Example |
|
||||||
|-------|:--------:|---------|---------|
|
|-------|:--------:|---------|---------|
|
||||||
| `audience` | Y | The audience expected in the tokens. Usually, this corresponds to the client ID of your application that is created as part of a credential hosted by a OpenID Connect platform. |
|
| `audience` | Y | The audience expected in the tokens. Usually, this corresponds to the client ID of your application that is created as part of a credential hosted by a OpenID Connect platform. |
|
||||||
| `issuer` | Y | The issuer authority, which is the value expected in the issuer claim in the tokens. | `"https://accounts.google.com"`, `"https://login.salesforce.com"`
|
| `issuer` | Y | The issuer authority, which is the value expected in the issuer claim in the tokens. | `"https://accounts.google.com"`
|
||||||
| `jwksURL` | N | Address of the JWKS (JWK Set containing the public keys for verifying tokens). If empty, will try to fetch the URL set in the OpenID Configuration document `<issuer>/.well-known/openid-configuration`. | `"https://accounts.google.com/.well-known/openid-configuration"`
|
| `jwksURL` | N | Address of the JWKS (JWK Set containing the public keys for verifying tokens). If empty, will try to fetch the URL set in the OpenID Configuration document `<issuer>/.well-known/openid-configuration`. | `"https://accounts.google.com/.well-known/openid-configuration"`
|
||||||
|
|
||||||
|
Common values for `issuer` include:
|
||||||
|
|
||||||
|
- Auth0: `https://{domain}`, where `{domain}` is the domain of your Auth0 application
|
||||||
|
- Azure AD: `https://login.microsoftonline.com/{tenant}/v2.0`, where `{tenant}` should be replaced with the tenant ID of your application, as a UUID
|
||||||
|
- Google: `https://accounts.google.com`
|
||||||
|
- Salesforce (Force.com): `https://login.salesforce.com`
|
||||||
|
|
||||||
## Dapr configuration
|
## Dapr configuration
|
||||||
|
|
||||||
To be applied, the middleware must be referenced in [configuration]({{< ref configuration-concept.md >}}). See [middleware pipelines]({{< ref "middleware.md">}}).
|
To be applied, the middleware must be referenced in [configuration]({{< ref configuration-concept.md >}}). See [middleware pipelines]({{< ref "middleware.md">}}).
|
||||||
|
|
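Review bot: the new `jwksURL` placeholder `<JWKS URL, e.g. 'https://accounts.google.com/.well-known/openid-configuration'>` and the table's Example column both point at the OpenID discovery document, while the same row's Details describes `jwksURL` as the address of the JWK Set and says the discovery document is consulted only when `jwksURL` is empty; the example therefore shows a discovery URL where a JWKS address (the `jwks_uri` value from that document) is expected. Either put an actual JWKS URL in the example or state that the discovery URL is accepted as well. Two smaller points: `hosted by a OpenID Connect platform` should be `an OpenID Connect platform`, and the `audience` row leaves its Example column empty, so a sample client-ID placeholder would make it consistent with the `issuer` row.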
Binary file not shown.