This document details Vespa Cloud's security model.
The following explains how access to management features in Vespa is controlled.
Vespa console access
Console access is available to authenticated users only. This is bootstrapped by creating a tenant with an owner. From this, additional users, as well as applications, can be created under the tenant. Access is granted based on membership in the following roles:
|Role|Description|
|---|---|
|administrator|Can manage users and tenant information inside the tenant|
|developer|Can manage applications and their deployments|
There are two kinds of application deployments:
- manual deployments to dev/perf zones, for application development testing, and
- automated deployments to production zones
There are two kinds of keys:
- developer keys, which identify a member of the _developer_ role and allow, e.g., manual deployments and system tests, and
- headless keys, which identify a build service that submits application packages for automated deployment
Headless keys are managed on the application level, in the Vespa Cloud console. Each application may have several headless keys.
For both kinds of key, the public key is uploaded through the console.
The private key is kept secret, but must be made available to the Maven Vespa plugin which deploys applications, and to test code for system tests against dev/perf deployments.
In both cases, this is done by setting
or by specifying this system property on the command line (
All application endpoints are secured with mutual TLS.
On first-time deployment, a server certificate identifying the application is provisioned. This certificate is automatically set up on all application endpoints. The certificate is signed by DigiCert or GlobalSign.
To enable TLS client-side authentication:
- Add trusted certificates (or issuer certificates) to the file
- Set the dataPlaneKeyFile properties, in the same manner as the apiKeyFile used for API access.
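The two kinds of key material described above (the developer/headless key pair whose public half is uploaded in the console, and the data-plane client certificate that is added to the trusted-certificates file while its private key is referenced by dataPlaneKeyFile) can be generated locally with openssl. The script below is an added example, not Vespa's own tooling; the file names, the EC P-256 curve, the 30-day validity and the subject name are this example's choices.

```shell
#!/bin/sh
# Added example: generate and sanity-check Vespa Cloud key material with openssl.
# File names and key parameters are assumptions of this example, not Vespa conventions.
set -eu

# Developer/headless key pair. Only api-public-key.pem is uploaded through the console;
# api-private-key.pem stays local for the Maven plugin and system tests.
make_api_key_pair() {
    dir="$1"
    ( umask 077   # private material is created unreadable by other users
      openssl ecparam -name prime256v1 -genkey -noout -out "$dir/api-private-key.pem" )
    openssl ec -in "$dir/api-private-key.pem" -pubout -out "$dir/api-public-key.pem" 2>/dev/null
}

# Data-plane client certificate. The certificate goes into the application's trusted
# certificates file; the private key is what the dataPlaneKeyFile property points at.
make_data_plane_cert() {
    dir="$1"
    ( umask 077
      openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
          -days 30 -subj "/CN=example-data-plane-client" \
          -keyout "$dir/data-plane-private-key.pem" \
          -out "$dir/data-plane-public-cert.pem" 2>/dev/null )
}

# Checks worth running before uploading anything: the public key must be derived from
# the private key, the certificate must embed the data-plane key, and private keys
# must not be readable by other users. Returns non-zero on the first failure.
check_material() {
    dir="$1"
    [ "$(openssl ec -in "$dir/api-private-key.pem" -pubout 2>/dev/null)" = \
      "$(cat "$dir/api-public-key.pem")" ] || return 1
    [ "$(openssl x509 -in "$dir/data-plane-public-cert.pem" -noout -pubkey)" = \
      "$(openssl pkey -in "$dir/data-plane-private-key.pem" -pubout)" ] || return 1
    for f in "$dir/api-private-key.pem" "$dir/data-plane-private-key.pem"; do
        mode="$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")"
        [ "$mode" = "600" ] || return 1
    done
}

if [ "${1:-}" = "run" ]; then
    out="$(mktemp -d)"
    make_api_key_pair "$out"
    make_data_plane_cert "$out"
    check_material "$out" && echo "key material written to $out"
    # Client side of the mutual TLS handshake against a dev/perf endpoint (placeholder URL):
    # curl --cert "$out/data-plane-public-cert.pem" --key "$out/data-plane-private-key.pem" https://ENDPOINT/
fi
```

Run it as `sh script.sh run`; the curl line is left commented because it needs a real application endpoint.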
All application nodes run as separate isolated Docker containers.
All internal communication between nodes in an application is secured in two layers:
- Network ACLs (iptables) allowing only local communication within the application
- Mutual TLS with authorization only allowing nodes from the same application
Data at rest
All content written to Vespa is encrypted at rest.