Security model

This document details Vespa Cloud's security model.

Control plane

The following explains how access to management features in Vespa is controlled.

Vespa console access

Console access is available to authenticated users only. This is bootstrapped by creating a tenant with an owner. From this, additional users, as well as applications, can be created under the tenant. Access is granted based on membership in the following roles:

  • administrator: can manage users and tenant information inside the tenant
  • developer: can manage applications and their deployments

Application deployment

There are two kinds of application deployments:

Likewise, there are two kinds of keys that can be used for API authentication:
  • developer keys, which identify a member of the _developer_ role, and allow, e.g., manual deployments and system tests, and
  • headless keys, which identify a build service which submits application packages for automated deployment
Developer keys are personal, and are managed on the tenant level, in the Vespa Cloud console. Each developer may have a single key at any time, and both administrators and developers may revoke the key of another developer, if it has been compromised.

Headless keys are managed on the application level, in the Vespa Cloud console. Each application may have several headless keys.

For both kinds of key, the public key is uploaded through the console. The private key is kept secret, but must be made available to the Maven Vespa plugin which deploys applications, and to test code for system tests against dev/perf deployments. In both cases, this is done by setting apiKeyFile in pom.xml, or by specifying this system property on the command line (-DapiKeyFile=/path/to/key).

Data plane

All application endpoints are secured with mutual TLS.

Server certificate

On first-time deployment, a server certificate identifying the application is provisioned. This certificate will be automatically set up on all application endpoints. The certificate is signed by DigiCert or GlobalSign.

Client certificate

To enable TLS client side authentication:

  1. Add trusted certificates (or issuer certificates) to the file [application-package]/security/clients.pem

With this, only clients presenting a valid certificate will be able to access the application endpoints. In order to test application deployments, another trusted client certificate is added by Vespa Cloud for deployment to the test and staging zones only. This does not affect production deployments.

To run system tests against a development endpoint, specify the dataPlaneCertificateFile and dataPlaneKeyFile properties, in the same manner as the apiKeyFile used for API access.
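To show what the clients.pem allow-list enforces on an endpoint, the following is an added Go example (not Vespa's own code) that builds a local mutual-TLS endpoint with the Go standard library: a client presenting a certificate listed in clients.pem gets through, while a client with no certificate, or with one not in the list, is rejected. The names SelfSigned and Accepts are chosen here, and the self-signed certificates stand in for the DigiCert/GlobalSign server certificate and a developer's client certificate.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"time"
)

// SelfSigned generates a short-lived self-signed certificate and key for cn, valid for both client
// and server authentication. The PEM is the form a developer would append to security/clients.pem.
func SelfSigned(cn string) (tls.Certificate, []byte) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		DNSNames:    []string{"localhost"}, // the hostname the client verifies the endpoint against
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv},
		pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// Accepts reports whether an endpoint trusting only clientsPEM lets a client presenting clientCerts (nil = none) in.
func Accepts(clientsPEM []byte, server tls.Certificate, serverPEM []byte, clientCerts []tls.Certificate) bool {
	allowed, roots := x509.NewCertPool(), x509.NewCertPool()
	allowed.AppendCertsFromPEM(clientsPEM) // the clients.pem allow-list enforced by the endpoint
	roots.AppendCertsFromPEM(serverPEM)    // the client trusts the endpoint's server certificate
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{server},
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: allowed})
	if err != nil {
		return false
	}
	defer ln.Close()
	go func() { // Write performs the handshake first, so a rejected client never receives "ok"
		if c, err := ln.Accept(); err == nil { c.Write([]byte("ok")); c.Close() }
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: roots, ServerName: "localhost", Certificates: clientCerts})
	if err != nil {
		return false
	}
	defer conn.Close()
	buf := make([]byte, 2) // with TLS 1.3 a client-certificate rejection only surfaces on the first read
	n, err := conn.Read(buf)
	return err == nil && string(buf[:n]) == "ok"
}
```

The same pattern applies to the dataPlaneCertificateFile and dataPlaneKeyFile pair used by system tests: the endpoint admits the test client only because its certificate (or issuer) is present in clients.pem.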

Application isolation

All application nodes run as separate isolated Docker containers.

All internal communication between nodes in an application is secured in two layers:

  • Network ACLs (iptables) allowing only local communication within the application
  • Mutual TLS with authorization only allowing nodes from the same application

Data at rest

All content written to Vespa is encrypted at rest.