jfraeysd/fetch_ml
0
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 1
fetch_ml/docs/_site/security/index.html
Jeremie Fraeys 385d2cf386 docs: add comprehensive documentation with MkDocs site 
- Add complete API documentation and architecture guides
- Include quick start, installation, and deployment guides
- Add troubleshooting and security documentation
- Include CLI reference and configuration schema docs
- Add production monitoring and operations guides
- Implement MkDocs configuration with search functionality
- Include comprehensive user and developer documentation

Provides complete documentation for users and developers
covering all aspects of the FetchML platform.
2025-12-04 16:54:57 -05:00

2124 lines
No EOL
51 KiB
HTML
Raw Blame History

<!doctype html>
<html lang="en" class="no-js">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width,initial-scale=1">
<meta name="description" content="Secure Machine Learning Platform">
<link rel="prev" href="../release-checklist/">
<link rel="next" href="../api-key-process/">
<link rel="icon" href="../assets/images/favicon.png">
<meta name="generator" content="mkdocs-1.6.1, mkdocs-material-9.7.0">
<title>Security Guide - Fetch ML Documentation</title>
<link rel="stylesheet" href="../assets/stylesheets/main.618322db.min.css">
<link rel="stylesheet" href="../assets/stylesheets/palette.ab4e12ef.min.css">
<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto:300,300i,400,400i,700,700i%7CRoboto+Mono:400,400i,700,700i&display=fallback">
<style>:root{--md-text-font:"Roboto";--md-code-font:"Roboto Mono"}</style>
<script>__md_scope=new URL("..",location),__md_hash=e=>[...e].reduce(((e,_)=>(e<<5)-e+_.charCodeAt(0)),0),__md_get=(e,_=localStorage,t=__md_scope)=>JSON.parse(_.getItem(t.pathname+"."+e)),__md_set=(e,_,t=localStorage,a=__md_scope)=>{try{t.setItem(a.pathname+"."+e,JSON.stringify(_))}catch(e){}}</script>
</head>
<body dir="ltr" data-md-color-scheme="default" data-md-color-primary="blue" data-md-color-accent="blue">
<input class="md-toggle" data-md-toggle="drawer" type="checkbox" id="__drawer" autocomplete="off">
<input class="md-toggle" data-md-toggle="search" type="checkbox" id="__search" autocomplete="off">
<label class="md-overlay" for="__drawer"></label>
<div data-md-component="skip">
<a href="#security-guide" class="md-skip">
Skip to content
</a>
</div>
<div data-md-component="announce">
</div>
<header class="md-header" data-md-component="header">
<nav class="md-header__inner md-grid" aria-label="Header">
<a href=".." title="Fetch ML Documentation" class="md-header__button md-logo" aria-label="Fetch ML Documentation" data-md-component="logo">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M12 8a3 3 0 0 0 3-3 3 3 0 0 0-3-3 3 3 0 0 0-3 3 3 3 0 0 0 3 3m0 3.54C9.64 9.35 6.5 8 3 8v11c3.5 0 6.64 1.35 9 3.54 2.36-2.19 5.5-3.54 9-3.54V8c-3.5 0-6.64 1.35-9 3.54"/></svg>
</a>
<label class="md-header__button md-icon" for="__drawer">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M3 6h18v2H3zm0 5h18v2H3zm0 5h18v2H3z"/></svg>
</label>
<div class="md-header__title" data-md-component="header-title">
<div class="md-header__ellipsis">
<div class="md-header__topic">
<span class="md-ellipsis">
Fetch ML Documentation
</span>
</div>
<div class="md-header__topic" data-md-component="header-topic">
<span class="md-ellipsis">
Security Guide
</span>
</div>
</div>
</div>
<form class="md-header__option" data-md-component="palette">
<input class="md-option" data-md-color-media="" data-md-color-scheme="default" data-md-color-primary="blue" data-md-color-accent="blue" aria-hidden="true" type="radio" name="__palette" id="__palette_0">
<input class="md-option" data-md-color-media="" data-md-color-scheme="slate" data-md-color-primary="blue" data-md-color-accent="blue" aria-hidden="true" type="radio" name="__palette" id="__palette_1">
</form>
<script>var palette=__md_get("__palette");if(palette&&palette.color){if("(prefers-color-scheme)"===palette.color.media){var media=matchMedia("(prefers-color-scheme: light)"),input=document.querySelector(media.matches?"[data-md-color-media='(prefers-color-scheme: light)']":"[data-md-color-media='(prefers-color-scheme: dark)']");palette.color.media=input.getAttribute("data-md-color-media"),palette.color.scheme=input.getAttribute("data-md-color-scheme"),palette.color.primary=input.getAttribute("data-md-color-primary"),palette.color.accent=input.getAttribute("data-md-color-accent")}for(var[key,value]of Object.entries(palette.color))document.body.setAttribute("data-md-color-"+key,value)}</script>
<label class="md-header__button md-icon" for="__search">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.52 6.52 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5"/></svg>
</label>
<div class="md-search" data-md-component="search" role="dialog">
<label class="md-search__overlay" for="__search"></label>
<div class="md-search__inner" role="search">
<form class="md-search__form" name="search">
<input type="text" class="md-search__input" name="query" aria-label="Search" placeholder="Search" autocapitalize="off" autocorrect="off" autocomplete="off" spellcheck="false" data-md-component="search-query" required>
<label class="md-search__icon md-icon" for="__search">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.52 6.52 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5"/></svg>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M20 11v2H8l5.5 5.5-1.42 1.42L4.16 12l7.92-7.92L13.5 5.5 8 11z"/></svg>
</label>
<nav class="md-search__options" aria-label="Search">
<a href="javascript:void(0)" class="md-search__icon md-icon" title="Share" aria-label="Share" data-clipboard data-clipboard-text="" data-md-component="search-share" tabindex="-1">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M18 16.08c-.76 0-1.44.3-1.96.77L8.91 12.7c.05-.23.09-.46.09-.7s-.04-.47-.09-.7l7.05-4.11c.54.5 1.25.81 2.04.81a3 3 0 0 0 3-3 3 3 0 0 0-3-3 3 3 0 0 0-3 3c0 .24.04.47.09.7L8.04 9.81C7.5 9.31 6.79 9 6 9a3 3 0 0 0-3 3 3 3 0 0 0 3 3c.79 0 1.5-.31 2.04-.81l7.12 4.15c-.05.21-.08.43-.08.66 0 1.61 1.31 2.91 2.92 2.91s2.92-1.3 2.92-2.91A2.92 2.92 0 0 0 18 16.08"/></svg>
</a>
<button type="reset" class="md-search__icon md-icon" title="Clear" aria-label="Clear" tabindex="-1">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M19 6.41 17.59 5 12 10.59 6.41 5 5 6.41 10.59 12 5 17.59 6.41 19 12 13.41 17.59 19 19 17.59 13.41 12z"/></svg>
</button>
</nav>
</form>
<div class="md-search__output">
<div class="md-search__scrollwrap" tabindex="0" data-md-scrollfix>
<div class="md-search-result" data-md-component="search-result">
<div class="md-search-result__meta">
Initializing search
</div>
<ol class="md-search-result__list" role="presentation"></ol>
</div>
</div>
</div>
</div>
</div>
<div class="md-header__source">
<a href="https://github.com/jfraeys/fetch_ml" title="Go to repository" class="md-source" data-md-component="source">
<div class="md-source__icon md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><!--! Font Awesome Free 7.1.0 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2025 Fonticons, Inc.--><path d="M439.6 236.1 244 40.5c-5.4-5.5-12.8-8.5-20.4-8.5s-15 3-20.4 8.4L162.5 81l51.5 51.5c27.1-9.1 52.7 16.8 43.4 43.7l49.7 49.7c34.2-11.8 61.2 31 35.5 56.7-26.5 26.5-70.2-2.9-56-37.3L240.3 199v121.9c25.3 12.5 22.3 41.8 9.1 55-6.4 6.4-15.2 10.1-24.3 10.1s-17.8-3.6-24.3-10.1c-17.6-17.6-11.1-46.9 11.2-56v-123c-20.8-8.5-24.6-30.7-18.6-45L142.6 101 8.5 235.1C3 240.6 0 247.9 0 255.5s3 15 8.5 20.4l195.6 195.7c5.4 5.4 12.7 8.4 20.4 8.4s15-3 20.4-8.4l194.7-194.7c5.4-5.4 8.4-12.8 8.4-20.4s-3-15-8.4-20.4"/></svg>
</div>
<div class="md-source__repository">
GitHub
</div>
</a>
</div>
</nav>
</header>
<div class="md-container" data-md-component="container">
<nav class="md-tabs" aria-label="Tabs" data-md-component="tabs">
<div class="md-grid">
<ul class="md-tabs__list">
<li class="md-tabs__item">
<a href=".." class="md-tabs__link">
Home
</a>
</li>
<li class="md-tabs__item">
<a href="../quick-start/" class="md-tabs__link">
Getting Started
</a>
</li>
<li class="md-tabs__item">
<a href="../development-setup/" class="md-tabs__link">
Development
</a>
</li>
<li class="md-tabs__item">
<a href="../deployment/" class="md-tabs__link">
Operations & Production
</a>
</li>
<li class="md-tabs__item md-tabs__item--active">
<a href="./" class="md-tabs__link">
Security
</a>
</li>
<li class="md-tabs__item">
<a href="../configuration-schema/" class="md-tabs__link">
Reference
</a>
</li>
</ul>
</div>
</nav>
<main class="md-main" data-md-component="main">
<div class="md-main__inner md-grid">
<div class="md-sidebar md-sidebar--primary" data-md-component="sidebar" data-md-type="navigation" >
<div class="md-sidebar__scrollwrap">
<div class="md-sidebar__inner">
<nav class="md-nav md-nav--primary md-nav--lifted md-nav--integrated" aria-label="Navigation" data-md-level="0">
<label class="md-nav__title" for="__drawer">
<a href=".." title="Fetch ML Documentation" class="md-nav__button md-logo" aria-label="Fetch ML Documentation" data-md-component="logo">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M12 8a3 3 0 0 0 3-3 3 3 0 0 0-3-3 3 3 0 0 0-3 3 3 3 0 0 0 3 3m0 3.54C9.64 9.35 6.5 8 3 8v11c3.5 0 6.64 1.35 9 3.54 2.36-2.19 5.5-3.54 9-3.54V8c-3.5 0-6.64 1.35-9 3.54"/></svg>
</a>
Fetch ML Documentation
</label>
<div class="md-nav__source">
<a href="https://github.com/jfraeys/fetch_ml" title="Go to repository" class="md-source" data-md-component="source">
<div class="md-source__icon md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><!--! Font Awesome Free 7.1.0 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2025 Fonticons, Inc.--><path d="M439.6 236.1 244 40.5c-5.4-5.5-12.8-8.5-20.4-8.5s-15 3-20.4 8.4L162.5 81l51.5 51.5c27.1-9.1 52.7 16.8 43.4 43.7l49.7 49.7c34.2-11.8 61.2 31 35.5 56.7-26.5 26.5-70.2-2.9-56-37.3L240.3 199v121.9c25.3 12.5 22.3 41.8 9.1 55-6.4 6.4-15.2 10.1-24.3 10.1s-17.8-3.6-24.3-10.1c-17.6-17.6-11.1-46.9 11.2-56v-123c-20.8-8.5-24.6-30.7-18.6-45L142.6 101 8.5 235.1C3 240.6 0 247.9 0 255.5s3 15 8.5 20.4l195.6 195.7c5.4 5.4 12.7 8.4 20.4 8.4s15-3 20.4-8.4l194.7-194.7c5.4-5.4 8.4-12.8 8.4-20.4s-3-15-8.4-20.4"/></svg>
</div>
<div class="md-source__repository">
GitHub
</div>
</a>
</div>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href=".." class="md-nav__link">
<span class="md-ellipsis">
Home
</span>
</a>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_2" >
<label class="md-nav__link" for="__nav_2" id="__nav_2_label" tabindex="0">
<span class="md-ellipsis">
Getting Started
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_2_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_2">
<span class="md-nav__icon md-icon"></span>
Getting Started
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../quick-start/" class="md-nav__link">
<span class="md-ellipsis">
Quick Start
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../installation/" class="md-nav__link">
<span class="md-ellipsis">
Simple Installation Guide
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../first-experiment/" class="md-nav__link">
<span class="md-ellipsis">
First Experiment
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_3" >
<label class="md-nav__link" for="__nav_3" id="__nav_3_label" tabindex="0">
<span class="md-ellipsis">
Development
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_3_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_3">
<span class="md-nav__icon md-icon"></span>
Development
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../development-setup/" class="md-nav__link">
<span class="md-ellipsis">
Development Setup
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../testing/" class="md-nav__link">
<span class="md-ellipsis">
Testing Guide
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../architecture/" class="md-nav__link">
<span class="md-ellipsis">
Homelab Architecture
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../cli-reference/" class="md-nav__link">
<span class="md-ellipsis">
CLI Reference
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../zig-cli/" class="md-nav__link">
<span class="md-ellipsis">
Zig CLI Guide
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../queue/" class="md-nav__link">
<span class="md-ellipsis">
Task Queue Architecture
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../smart-defaults/" class="md-nav__link">
<span class="md-ellipsis">
Smart Defaults
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../cicd/" class="md-nav__link">
<span class="md-ellipsis">
CI/CD Pipeline
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_4" >
<label class="md-nav__link" for="__nav_4" id="__nav_4_label" tabindex="0">
<span class="md-ellipsis">
Operations & Production
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_4_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_4">
<span class="md-nav__icon md-icon"></span>
Operations & Production
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../deployment/" class="md-nav__link">
<span class="md-ellipsis">
ML Experiment Manager - Deployment Guide
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../environment-variables/" class="md-nav__link">
<span class="md-ellipsis">
Environment Variables
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../production-monitoring/" class="md-nav__link">
<span class="md-ellipsis">
Production Monitoring Deployment Guide (Linux)
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../operations/" class="md-nav__link">
<span class="md-ellipsis">
Operations Runbook
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../redis-ha/" class="md-nav__link">
<span class="md-ellipsis">
Redis High Availability (Optional)
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../release-checklist/" class="md-nav__link">
<span class="md-ellipsis">
Release Checklist
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--active md-nav__item--section md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_5" checked>
<label class="md-nav__link" for="__nav_5" id="__nav_5_label" tabindex="">
<span class="md-ellipsis">
Security
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_5_label" aria-expanded="true">
<label class="md-nav__title" for="__nav_5">
<span class="md-nav__icon md-icon"></span>
Security
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item md-nav__item--active">
<input class="md-nav__toggle md-toggle" type="checkbox" id="__toc">
<label class="md-nav__link md-nav__link--active" for="__toc">
<span class="md-ellipsis">
Security Guide
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<a href="./" class="md-nav__link md-nav__link--active">
<span class="md-ellipsis">
Security Guide
</span>
</a>
<nav class="md-nav md-nav--secondary" aria-label="Table of contents">
<label class="md-nav__title" for="__toc">
<span class="md-nav__icon md-icon"></span>
Table of contents
</label>
<ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
<li class="md-nav__item">
<a href="#security-features" class="md-nav__link">
<span class="md-ellipsis">
Security Features
</span>
</a>
<nav class="md-nav" aria-label="Security Features">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#authentication-authorization" class="md-nav__link">
<span class="md-ellipsis">
Authentication &amp; Authorization
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#communication-security" class="md-nav__link">
<span class="md-ellipsis">
Communication Security
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#data-privacy" class="md-nav__link">
<span class="md-ellipsis">
Data Privacy
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#network-security" class="md-nav__link">
<span class="md-ellipsis">
Network Security
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#security-checklist" class="md-nav__link">
<span class="md-ellipsis">
Security Checklist
</span>
</a>
<nav class="md-nav" aria-label="Security Checklist">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#initial-setup" class="md-nav__link">
<span class="md-ellipsis">
Initial Setup
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#production-hardening" class="md-nav__link">
<span class="md-ellipsis">
Production Hardening
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#password-management" class="md-nav__link">
<span class="md-ellipsis">
Password Management
</span>
</a>
<nav class="md-nav" aria-label="Password Management">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#generate-secure-passwords" class="md-nav__link">
<span class="md-ellipsis">
Generate Secure Passwords
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#store-passwords-securely" class="md-nav__link">
<span class="md-ellipsis">
Store Passwords Securely
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#api-key-management" class="md-nav__link">
<span class="md-ellipsis">
API Key Management
</span>
</a>
<nav class="md-nav" aria-label="API Key Management">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#generate-api-keys" class="md-nav__link">
<span class="md-ellipsis">
Generate API Keys
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#rotate-api-keys" class="md-nav__link">
<span class="md-ellipsis">
Rotate API Keys
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#revoke-api-keys" class="md-nav__link">
<span class="md-ellipsis">
Revoke API Keys
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#network-security_1" class="md-nav__link">
<span class="md-ellipsis">
Network Security
</span>
</a>
<nav class="md-nav" aria-label="Network Security">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#production-network-topology" class="md-nav__link">
<span class="md-ellipsis">
Production Network Topology
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#recommended-firewall-rules" class="md-nav__link">
<span class="md-ellipsis">
Recommended Firewall Rules
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#incident-response" class="md-nav__link">
<span class="md-ellipsis">
Incident Response
</span>
</a>
<nav class="md-nav" aria-label="Incident Response">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#suspected-breach" class="md-nav__link">
<span class="md-ellipsis">
Suspected Breach
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#security-monitoring" class="md-nav__link">
<span class="md-ellipsis">
Security Monitoring
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#security-best-practices" class="md-nav__link">
<span class="md-ellipsis">
Security Best Practices
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#compliance" class="md-nav__link">
<span class="md-ellipsis">
Compliance
</span>
</a>
<nav class="md-nav" aria-label="Compliance">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#data-privacy_1" class="md-nav__link">
<span class="md-ellipsis">
Data Privacy
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#audit-trail" class="md-nav__link">
<span class="md-ellipsis">
Audit Trail
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#getting-help" class="md-nav__link">
<span class="md-ellipsis">
Getting Help
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="../api-key-process/" class="md-nav__link">
<span class="md-ellipsis">
FetchML API Key Process
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../user-permissions/" class="md-nav__link">
<span class="md-ellipsis">
User Permissions in Fetch ML
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_6" >
<label class="md-nav__link" for="__nav_6" id="__nav_6_label" tabindex="0">
<span class="md-ellipsis">
Reference
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_6_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_6">
<span class="md-nav__icon md-icon"></span>
Reference
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../configuration-schema/" class="md-nav__link">
<span class="md-ellipsis">
Configuration Schema
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../troubleshooting/" class="md-nav__link">
<span class="md-ellipsis">
Troubleshooting
</span>
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</div>
</div>
</div>
<div class="md-content" data-md-component="content">
<article class="md-content__inner md-typeset">
<h1 id="security-guide">Security Guide<a class="headerlink" href="#security-guide" title="Permanent link">&para;</a></h1>
<p>This document outlines security features, best practices, and hardening procedures for FetchML.</p>
<h2 id="security-features">Security Features<a class="headerlink" href="#security-features" title="Permanent link">&para;</a></h2>
<h3 id="authentication-authorization">Authentication &amp; Authorization<a class="headerlink" href="#authentication-authorization" title="Permanent link">&para;</a></h3>
<ul>
<li><strong>API Keys</strong>: SHA256-hashed with role-based access control (RBAC)</li>
<li><strong>Permissions</strong>: Granular read/write/delete permissions per user</li>
<li><strong>IP Whitelisting</strong>: Network-level access control</li>
<li><strong>Rate Limiting</strong>: Per-user request quotas</li>
</ul>
<h3 id="communication-security">Communication Security<a class="headerlink" href="#communication-security" title="Permanent link">&para;</a></h3>
<ul>
<li><strong>TLS/HTTPS</strong>: End-to-end encryption for API traffic</li>
<li><strong>WebSocket Auth</strong>: API key required before upgrade</li>
<li><strong>Redis Auth</strong>: Password-protected task queue</li>
</ul>
<h3 id="data-privacy">Data Privacy<a class="headerlink" href="#data-privacy" title="Permanent link">&para;</a></h3>
<ul>
<li><strong>Log Sanitization</strong>: Automatically redacts API keys, passwords, tokens</li>
<li><strong>Experiment Isolation</strong>: User-specific experiment directories</li>
<li><strong>No Anonymous Access</strong>: All services require authentication</li>
</ul>
<h3 id="network-security">Network Security<a class="headerlink" href="#network-security" title="Permanent link">&para;</a></h3>
<ul>
<li><strong>Internal Networks</strong>: Backend services (Redis, Loki) not exposed publicly</li>
<li><strong>Firewall Rules</strong>: Restrictive port access</li>
<li><strong>Container Isolation</strong>: Services run in separate containers/pods</li>
</ul>
<h2 id="security-checklist">Security Checklist<a class="headerlink" href="#security-checklist" title="Permanent link">&para;</a></h2>
<h3 id="initial-setup">Initial Setup<a class="headerlink" href="#initial-setup" title="Permanent link">&para;</a></h3>
<ol>
<li>
<p><strong>Generate Strong Passwords</strong>
<div class="highlight"><pre><span></span><code><span class="c1"># Grafana admin password</span>
openssl<span class="w"> </span>rand<span class="w"> </span>-base64<span class="w"> </span><span class="m">32</span><span class="w"> </span>&gt;<span class="w"> </span>.grafana-password
<span class="c1"># Redis password</span>
openssl<span class="w"> </span>rand<span class="w"> </span>-base64<span class="w"> </span><span class="m">32</span>
</code></pre></div></p>
</li>
<li>
<p><strong>Configure Environment Variables</strong>
<div class="highlight"><pre><span></span><code>cp<span class="w"> </span>.env.example<span class="w"> </span>.env
<span class="c1"># Edit .env and set:</span>
<span class="c1"># - GRAFANA_ADMIN_PASSWORD</span>
</code></pre></div></p>
</li>
<li>
<p><strong>Enable TLS</strong> (Production only)
<div class="highlight"><pre><span></span><code><span class="c1"># configs/config-prod.yaml</span>
<span class="nt">server</span><span class="p">:</span>
<span class="w"> </span><span class="nt">tls</span><span class="p">:</span>
<span class="w"> </span><span class="nt">enabled</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">true</span>
<span class="w"> </span><span class="nt">cert_file</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;/secrets/cert.pem&quot;</span>
<span class="w"> </span><span class="nt">key_file</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;/secrets/key.pem&quot;</span>
</code></pre></div></p>
</li>
<li>
<p><strong>Configure Firewall</strong>
<div class="highlight"><pre><span></span><code><span class="c1"># Allow only necessary ports</span>
sudo<span class="w"> </span>ufw<span class="w"> </span>allow<span class="w"> </span><span class="m">22</span>/tcp<span class="w"> </span><span class="c1"># SSH</span>
sudo<span class="w"> </span>ufw<span class="w"> </span>allow<span class="w"> </span><span class="m">443</span>/tcp<span class="w"> </span><span class="c1"># HTTPS</span>
sudo<span class="w"> </span>ufw<span class="w"> </span>allow<span class="w"> </span><span class="m">80</span>/tcp<span class="w"> </span><span class="c1"># HTTP (redirect to HTTPS)</span>
sudo<span class="w"> </span>ufw<span class="w"> </span><span class="nb">enable</span>
</code></pre></div></p>
</li>
</ol>
<h3 id="production-hardening">Production Hardening<a class="headerlink" href="#production-hardening" title="Permanent link">&para;</a></h3>
<ol>
<li>
<p><strong>Restrict IP Access</strong>
<div class="highlight"><pre><span></span><code><span class="c1"># configs/config-prod.yaml</span>
<span class="nt">auth</span><span class="p">:</span>
<span class="w"> </span><span class="nt">ip_whitelist</span><span class="p">:</span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="s">&quot;10.0.0.0/8&quot;</span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="s">&quot;192.168.0.0/16&quot;</span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="s">&quot;127.0.0.1&quot;</span>
</code></pre></div></p>
</li>
<li>
<p><strong>Enable Audit Logging</strong>
<div class="highlight"><pre><span></span><code><span class="nt">logging</span><span class="p">:</span>
<span class="w"> </span><span class="nt">level</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;info&quot;</span>
<span class="w"> </span><span class="nt">audit</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">true</span>
<span class="w"> </span><span class="nt">file</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;/var/log/fetch_ml/audit.log&quot;</span>
</code></pre></div></p>
</li>
<li>
<p><strong>Harden Redis</strong>
<div class="highlight"><pre><span></span><code><span class="c1"># Redis security</span>
redis-cli<span class="w"> </span>CONFIG<span class="w"> </span>SET<span class="w"> </span>requirepass<span class="w"> </span><span class="s2">&quot;your-strong-password&quot;</span>
redis-cli<span class="w"> </span>CONFIG<span class="w"> </span>SET<span class="w"> </span>rename-command<span class="w"> </span>FLUSHDB<span class="w"> </span><span class="s2">&quot;&quot;</span>
redis-cli<span class="w"> </span>CONFIG<span class="w"> </span>SET<span class="w"> </span>rename-command<span class="w"> </span>FLUSHALL<span class="w"> </span><span class="s2">&quot;&quot;</span>
</code></pre></div></p>
</li>
<li>
<p><strong>Secure Grafana</strong>
<div class="highlight"><pre><span></span><code><span class="c1"># Change default admin password</span>
docker-compose<span class="w"> </span><span class="nb">exec</span><span class="w"> </span>grafana<span class="w"> </span>grafana-cli<span class="w"> </span>admin<span class="w"> </span>reset-admin-password<span class="w"> </span>new-strong-password
</code></pre></div></p>
</li>
<li>
<p><strong>Regular Updates</strong>
<div class="highlight"><pre><span></span><code><span class="c1"># Update system packages</span>
sudo<span class="w"> </span>apt<span class="w"> </span>update<span class="w"> </span><span class="o">&amp;&amp;</span><span class="w"> </span>sudo<span class="w"> </span>apt<span class="w"> </span>upgrade<span class="w"> </span>-y
<span class="c1"># Update containers</span>
docker-compose<span class="w"> </span>pull
docker-compose<span class="w"> </span>up<span class="w"> </span>-d<span class="w"> </span><span class="o">(</span>testing<span class="w"> </span>only<span class="o">)</span>
</code></pre></div></p>
</li>
</ol>
<h2 id="password-management">Password Management<a class="headerlink" href="#password-management" title="Permanent link">&para;</a></h2>
<h3 id="generate-secure-passwords">Generate Secure Passwords<a class="headerlink" href="#generate-secure-passwords" title="Permanent link">&para;</a></h3>
<div class="highlight"><pre><span></span><code><span class="c1"># Method 1: OpenSSL</span>
openssl<span class="w"> </span>rand<span class="w"> </span>-base64<span class="w"> </span><span class="m">32</span>
<span class="c1"># Method 2: pwgen (if installed)</span>
pwgen<span class="w"> </span>-s<span class="w"> </span><span class="m">32</span><span class="w"> </span><span class="m">1</span>
<span class="c1"># Method 3: /dev/urandom</span>
head<span class="w"> </span>-c<span class="w"> </span><span class="m">32</span><span class="w"> </span>/dev/urandom<span class="w"> </span><span class="p">|</span><span class="w"> </span>base64
</code></pre></div>
<h3 id="store-passwords-securely">Store Passwords Securely<a class="headerlink" href="#store-passwords-securely" title="Permanent link">&para;</a></h3>
<p><strong>Development</strong>: Use <code>.env</code> file (gitignored)
<div class="highlight"><pre><span></span><code><span class="nb">echo</span><span class="w"> </span><span class="s2">&quot;REDIS_PASSWORD=</span><span class="k">$(</span>openssl<span class="w"> </span>rand<span class="w"> </span>-base64<span class="w"> </span><span class="m">32</span><span class="k">)</span><span class="s2">&quot;</span><span class="w"> </span>&gt;&gt;<span class="w"> </span>.env
<span class="nb">echo</span><span class="w"> </span><span class="s2">&quot;GRAFANA_ADMIN_PASSWORD=</span><span class="k">$(</span>openssl<span class="w"> </span>rand<span class="w"> </span>-base64<span class="w"> </span><span class="m">32</span><span class="k">)</span><span class="s2">&quot;</span><span class="w"> </span>&gt;&gt;<span class="w"> </span>.env
</code></pre></div></p>
<p><strong>Production</strong>: Use systemd environment files
<div class="highlight"><pre><span></span><code>sudo<span class="w"> </span>mkdir<span class="w"> </span>-p<span class="w"> </span>/etc/fetch_ml/secrets
sudo<span class="w"> </span>chmod<span class="w"> </span><span class="m">700</span><span class="w"> </span>/etc/fetch_ml/secrets
<span class="nb">echo</span><span class="w"> </span><span class="s2">&quot;REDIS_PASSWORD=...&quot;</span><span class="w"> </span><span class="p">|</span><span class="w"> </span>sudo<span class="w"> </span>tee<span class="w"> </span>/etc/fetch_ml/secrets/redis.env
sudo<span class="w"> </span>chmod<span class="w"> </span><span class="m">600</span><span class="w"> </span>/etc/fetch_ml/secrets/redis.env
</code></pre></div></p>
<h2 id="api-key-management">API Key Management<a class="headerlink" href="#api-key-management" title="Permanent link">&para;</a></h2>
<h3 id="generate-api-keys">Generate API Keys<a class="headerlink" href="#generate-api-keys" title="Permanent link">&para;</a></h3>
<div class="highlight"><pre><span></span><code><span class="c1"># Generate random API key</span>
openssl<span class="w"> </span>rand<span class="w"> </span>-hex<span class="w"> </span><span class="m">32</span>
<span class="c1"># Hash for storage</span>
<span class="nb">echo</span><span class="w"> </span>-n<span class="w"> </span><span class="s2">&quot;your-api-key&quot;</span><span class="w"> </span><span class="p">|</span><span class="w"> </span>sha256sum
</code></pre></div>
<h3 id="rotate-api-keys">Rotate API Keys<a class="headerlink" href="#rotate-api-keys" title="Permanent link">&para;</a></h3>
<ol>
<li>Generate new API key</li>
<li>Update <code>config-local.yaml</code> with new hash</li>
<li>Distribute new key to users</li>
<li>Remove old key after grace period</li>
</ol>
<h3 id="revoke-api-keys">Revoke API Keys<a class="headerlink" href="#revoke-api-keys" title="Permanent link">&para;</a></h3>
<p>Remove user entry from <code>config-local.yaml</code>:
<div class="highlight"><pre><span></span><code><span class="nt">auth</span><span class="p">:</span>
<span class="w"> </span><span class="nt">apikeys</span><span class="p">:</span>
<span class="w"> </span><span class="c1"># user_to_revoke: # Comment out or delete</span>
</code></pre></div></p>
<h2 id="network-security_1">Network Security<a class="headerlink" href="#network-security_1" title="Permanent link">&para;</a></h2>
<h3 id="production-network-topology">Production Network Topology<a class="headerlink" href="#production-network-topology" title="Permanent link">&para;</a></h3>
<div class="highlight"><pre><span></span><code>Internet
[Firewall] (ports 3000, 9102)
[Reverse Proxy] (nginx/Apache) - TLS termination
┌─────────────────────┐
│ Application Pod │
│ │
│ ┌──────────────┐ │
│ │ API Server │ │ ← Public (via reverse proxy)
│ └──────────────┘ │
│ │
│ ┌──────────────┐ │
│ │ Redis │ │ ← Internal only
│ └──────────────┘ │
│ │
│ ┌──────────────┐ │
│ │ Grafana │ │ ← Public (via reverse proxy)
│ └──────────────┘ │
│ │
│ ┌──────────────┐ │
│ │ Prometheus │ │ ← Internal only
│ └──────────────┘ │
│ │
│ ┌──────────────┐ │
│ │ Loki │ │ ← Internal only
│ └──────────────┘ │
└─────────────────────┘
</code></pre></div>
<h3 id="recommended-firewall-rules">Recommended Firewall Rules<a class="headerlink" href="#recommended-firewall-rules" title="Permanent link">&para;</a></h3>
<div class="highlight"><pre><span></span><code><span class="c1"># Allow only necessary inbound connections</span>
sudo<span class="w"> </span>firewall-cmd<span class="w"> </span>--permanent<span class="w"> </span>--zone<span class="o">=</span>public<span class="w"> </span>--add-rich-rule<span class="o">=</span><span class="s1">&#39;</span>
<span class="s1"> rule family=&quot;ipv4&quot;</span>
<span class="s1"> source address=&quot;YOUR_NETWORK&quot;</span>
<span class="s1"> port port=&quot;3000&quot; protocol=&quot;tcp&quot; accept&#39;</span>
sudo<span class="w"> </span>firewall-cmd<span class="w"> </span>--permanent<span class="w"> </span>--zone<span class="o">=</span>public<span class="w"> </span>--add-rich-rule<span class="o">=</span><span class="s1">&#39;</span>
<span class="s1"> rule family=&quot;ipv4&quot;</span>
<span class="s1"> source address=&quot;YOUR_NETWORK&quot;</span>
<span class="s1"> port port=&quot;9102&quot; protocol=&quot;tcp&quot; accept&#39;</span>
<span class="c1"># Block all other traffic</span>
sudo<span class="w"> </span>firewall-cmd<span class="w"> </span>--permanent<span class="w"> </span>--set-default-zone<span class="o">=</span>drop
sudo<span class="w"> </span>firewall-cmd<span class="w"> </span>--reload
</code></pre></div>
<h2 id="incident-response">Incident Response<a class="headerlink" href="#incident-response" title="Permanent link">&para;</a></h2>
<h3 id="suspected-breach">Suspected Breach<a class="headerlink" href="#suspected-breach" title="Permanent link">&para;</a></h3>
<ol>
<li><strong>Immediate Actions</strong></li>
<li><strong>Investigation</strong> </li>
<li><strong>Recovery</strong> </li>
<li>Rotate all API keys</li>
<li>Stop affected services</li>
<li>
<p>Review audit logs</p>
</li>
<li>
<p><strong>Investigation</strong>
<div class="highlight"><pre><span></span><code><span class="c1"># Check recent logins</span>
sudo<span class="w"> </span>journalctl<span class="w"> </span>-u<span class="w"> </span>fetchml-api<span class="w"> </span>--since<span class="w"> </span><span class="s2">&quot;1 hour ago&quot;</span>
<span class="c1"># Review failed auth attempts</span>
grep<span class="w"> </span><span class="s2">&quot;authentication failed&quot;</span><span class="w"> </span>/var/log/fetch_ml/*.log
<span class="c1"># Check active connections</span>
ss<span class="w"> </span>-tnp<span class="w"> </span><span class="p">|</span><span class="w"> </span>grep<span class="w"> </span>:9102
</code></pre></div></p>
</li>
<li>
<p><strong>Recovery</strong></p>
</li>
<li>Rotate all passwords and API keys</li>
<li>Update firewall rules</li>
<li>Patch vulnerabilities</li>
<li>Resume services</li>
</ol>
<h3 id="security-monitoring">Security Monitoring<a class="headerlink" href="#security-monitoring" title="Permanent link">&para;</a></h3>
<div class="highlight"><pre><span></span><code><span class="c1"># Monitor failed authentication</span>
tail<span class="w"> </span>-f<span class="w"> </span>/var/log/fetch_ml/api.log<span class="w"> </span><span class="p">|</span><span class="w"> </span>grep<span class="w"> </span><span class="s2">&quot;auth.*failed&quot;</span>
<span class="c1"># Monitor unusual activity</span>
journalctl<span class="w"> </span>-u<span class="w"> </span>fetchml-api<span class="w"> </span>-f<span class="w"> </span><span class="p">|</span><span class="w"> </span>grep<span class="w"> </span>-E<span class="w"> </span><span class="s2">&quot;(ERROR|WARN)&quot;</span>
<span class="c1"># Check open ports</span>
nmap<span class="w"> </span>-p-<span class="w"> </span>localhost
</code></pre></div>
<h2 id="security-best-practices">Security Best Practices<a class="headerlink" href="#security-best-practices" title="Permanent link">&para;</a></h2>
<ol>
<li><strong>Principle of Least Privilege</strong>: Grant minimum necessary permissions</li>
<li><strong>Defense in Depth</strong>: Multiple security layers (firewall + auth + TLS)</li>
<li><strong>Regular Updates</strong>: Keep all components patched</li>
<li><strong>Audit Regularly</strong>: Review logs and access patterns</li>
<li><strong>Secure Secrets</strong>: Never commit passwords/keys to git</li>
<li><strong>Network Segmentation</strong>: Isolate services with internal networks</li>
<li><strong>Monitor Everything</strong>: Enable comprehensive logging and alerting</li>
<li><strong>Test Security</strong>: Regular penetration testing and vulnerability scans</li>
</ol>
<h2 id="compliance">Compliance<a class="headerlink" href="#compliance" title="Permanent link">&para;</a></h2>
<h3 id="data-privacy_1">Data Privacy<a class="headerlink" href="#data-privacy_1" title="Permanent link">&para;</a></h3>
<ul>
<li>Logs are sanitized (no passwords/API keys)</li>
<li>Experiment data is user-isolated</li>
<li>No telemetry or external data sharing</li>
</ul>
<h3 id="audit-trail">Audit Trail<a class="headerlink" href="#audit-trail" title="Permanent link">&para;</a></h3>
<p>All API access is logged with:
- Timestamp
- User/API key
- Action performed
- Source IP
- Result (success/failure)</p>
<h2 id="getting-help">Getting Help<a class="headerlink" href="#getting-help" title="Permanent link">&para;</a></h2>
<ul>
<li><strong>Security Issues</strong>: Report privately via email</li>
<li><strong>Questions</strong>: See documentation or create issue</li>
<li><strong>Updates</strong>: Monitor releases for security patches</li>
</ul>
</article>
</div>
<script>var target=document.getElementById(location.hash.slice(1));target&&target.name&&(target.checked=target.name.startsWith("__tabbed_"))</script>
</div>
</main>
<footer class="md-footer">
<div class="md-footer-meta md-typeset">
<div class="md-footer-meta__inner md-grid">
<div class="md-copyright">
Made with
<a href="https://squidfunk.github.io/mkdocs-material/" target="_blank" rel="noopener">
Material for MkDocs
</a>
</div>
</div>
</div>
</footer>
</div>
<div class="md-dialog" data-md-component="dialog">
<div class="md-dialog__inner md-typeset"></div>
</div>
<script id="__config" type="application/json">{"annotate": null, "base": "..", "features": ["navigation.instant", "navigation.tracking", "navigation.tabs", "navigation.sections", "navigation.expand", "navigation.indexes", "toc.integrate", "search.highlight", "search.share"], "search": "../assets/javascripts/workers/search.7a47a382.min.js", "tags": null, "translations": {"clipboard.copied": "Copied to clipboard", "clipboard.copy": "Copy to clipboard", "search.result.more.one": "1 more on this page", "search.result.more.other": "# more on this page", "search.result.none": "No matching documents", "search.result.one": "1 matching document", "search.result.other": "# matching documents", "search.result.placeholder": "Type to start searching", "search.result.term.missing": "Missing", "select.version": "Select version"}, "version": null}</script>
<script src="../assets/javascripts/bundle.e71a0d61.min.js"></script>
</body>
</html>
Reference in a new issue View git blame Copy permalink