
Security design and risk mitigation

The Talend Management Console and Dynamic Engine solution incorporates a security-specific design to address the common risks associated with using any cloud solution.
  • Network communications:
    1. All communications across different parts of Talend Management Console and Dynamic Engine go through HTTPS or WSS.
    2. All users are required to access the Dynamic Engine services exclusively through Talend Management Console and its API endpoints.
    3. Talend processing services deployed in the Kubernetes clusters are directly or indirectly connected to Talend Cloud through a web socket or ActiveMQ over HTTPS. Talend Cloud services are designed with request isolation in mind; therefore, a request targeting a given Dynamic Engine environment cannot reach other Dynamic Engine environments.
  • Authentication and authorization:

    To manage Dynamic Engines, a Talend Cloud user must authenticate to Talend Management Console and, at the same time, have the Engines - Manage permission (ID: TMC_CLUSTER_MANAGEMENT). This user's login activities are recorded in Talend Cloud logs.

  • Protection against DoS attacks:

    You can use the jobLimits property to limit the Job size for deployment and execution in each Dynamic Engine environment. Any artifact that exceeds this limit is deleted to protect against DoS attacks.

    The jobLimits property is added in the ConfigMap called global-configuration of each Dynamic Engine environment and accepts the format in the following example:
    "jobLimits": {
      "maxZipNameLength": 240,
      "maxZippedEntries": 2048,
      "maxUnzippedSize": 1000000000,
      "maxUnzippedFolderNameLength": 240,
      "maxUnzippedFileNameLength": 240,
      "maxZipDepth": 64
    }
    Among these fields:
    • maxUnzippedSize: maximum size of the uncompressed zip file in bytes.
    • maxZippedEntries: maximum number of files and directories in the zip file.
    • maxZipDepth: maximum nesting level of directories in each artifact zip.
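
A pre-deployment check of an artifact zip against the three fields defined above, as an added example that is not Talend code and does not reproduce how Dynamic Engine enforces the limits. The function names are hypothetical, and counting depth as the number of directory levels in an entry path is an assumption. The uncompressed size is measured by streaming each entry rather than by trusting the sizes declared in the zip headers.

```python
import io
import zipfile

# Values from the jobLimits example on this page; only the three fields
# the page defines are enforced here.
JOB_LIMITS = {"maxZippedEntries": 2048, "maxUnzippedSize": 1000000000, "maxZipDepth": 64}


def dir_depth(name):
    """Number of directory levels in an entry path (assumed meaning of depth)."""
    parts = [p for p in name.split("/") if p]
    return len(parts) if name.endswith("/") else len(parts) - 1


def unzipped_size(zf, cap):
    """Count real decompressed bytes, stopping as soon as cap is exceeded."""
    total = 0
    for info in zf.infolist():
        if info.is_dir():
            continue
        with zf.open(info) as fh:
            while chunk := fh.read(65536):
                total += len(chunk)
                if total > cap:
                    return total
    return total


def check_artifact(zip_bytes, limits=JOB_LIMITS):
    """Return the names of the limits that an artifact zip exceeds."""
    violations = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
        if len(names) > limits["maxZippedEntries"]:
            violations.append("maxZippedEntries")
        if max((dir_depth(n) for n in names), default=0) > limits["maxZipDepth"]:
            violations.append("maxZipDepth")
        if unzipped_size(zf, limits["maxUnzippedSize"]) > limits["maxUnzippedSize"]:
            violations.append("maxUnzippedSize")
    return violations


def build_zip(entries):
    """Build a constructed sample zip in memory from {path: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, data in entries.items():
            zf.writestr(path, data)
    return buf.getvalue()
```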
