11By default when dependent services such as MongoDB, RabbitMQ and PostgreSQL are installed, they
22have authentication disabled or use a default static password. As such, after you install those
3- services you should configure them and enable authentication with a strong randomly generated
3+ services you should configure them and enable authentication with strong randomly generated
44passwords.
55
6- Configuring authorization and passwords for those services is out of the scope of this documents,
7- but for more information you can refer to the links below.
6+ Configuring authorization and passwords for those services is out of the scope for this documentation.
7+ For more information refer to the links below:
88
99* MongoDB - https://docs.mongodb.com/manual/tutorial/enable-authentication/, https://docs.mongodb.com/manual/core/authorization/
1010* RabbitMQ - https://www.rabbitmq.com/authentication.html
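Review bot: on new line 6, "out of the scope for this documentation" mixes two idioms; use "out of scope for this documentation" or "outside the scope of this documentation". On new line 3, dropping the article works with the plural "passwords", but "strong, randomly generated passwords" with a comma would read more clearly.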
@@ -13,7 +13,7 @@ but for more information you can refer to the links below.
1313After you enable authentication for those components, you will also need to configure StackStorm
1414services so they can talk to them.
1515
16- This means editing editing the following configuration file options:
16+ This means editing the following configuration options:
1717
18181. StackStorm config - ``/etc/st2/st2.conf ``
1919
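Review bot: new line 16 now reads "the following configuration options", but the numbered item directly beneath it names a file (``/etc/st2/st2.conf``), so the lead-in no longer matches the list it introduces. Something like "This means editing options in the following configuration files:" keeps the duplicate-word fix and still matches the list. Because the options listed further down embed ``<username>:<password>`` in connection strings, this would also be a good place for a sentence telling readers to restrict read access to these files.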
@@ -26,21 +26,21 @@ This means editing editing the following configuration file options:
2626 * ``database.connection `` - PostgreSQL database connection string (``postgresql://<username>:<password>@<hostname>/mistral ``)
2727 * ``transport_url `` - RabbitMQ transport url (``rabbit://<username>:<password>@<hostname>:5672 ``)
2828
29- In addition to that , you are strongly encouraged to follow other best practices for running network
29+ In addition, you are strongly encouraged to follow these best practices for running network
3030services:
3131
32- * Ensure communication between services is encrypted an enable SSL / TLS for all the services -
32+ * Ensure communication between services is encrypted. Enable SSL / TLS for all the services -
3333 MongoDB, RabbitMQ, PostgreSQL.
34- * Configure services to only listen on localhost and where needed, also internal IP address . There
34+ * Configure services to only listen on localhost, and where needed, internal IP addresses . There
3535 is usually no need for most services which are used by |st2 | (MongoDB, RabbitMQ, PostgreSQL) to
3636 be available to the public and listen on an external (public) IP address.
37- * Configure firewall and set up a whitelist. You should set up a firewall and only allow services
37+ * Configure a firewall and set up a whitelist. You should set up a firewall and only allow services
3838 and users which need access to the services to be able to access them. API and auth service
3939 usually need to be accessible to your users, but other dependent services such as MongoDB,
40- RabbitMQ and PostgreSQL aren't and shouldn't be directly accessible to the users should be
41- locked down and only StackStorm components should be allowed to talk to them.
42- * Where possible and available, you should also utilize additional network based isolation and
43- security features such as VLANs .
40+ RabbitMQ and PostgreSQL aren't. These should not be directly accessible by users, and only
41+ StackStorm components should be allowed to talk to them.
42+ * Where possible and available, you should also utilize additional network- based isolation and
43+ security features such as DMZs .
4444
45- Steps mentioned above are especially important for distributed production deployments where |st2 |
45+ The steps mentioned above are especially important for distributed production deployments where |st2 |
4646components are running on multiple servers.
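Review bot: new line 43 replaces "VLANs" with "DMZs", which changes the technical recommendation in a hunk that is otherwise wording cleanup. The two are not interchangeable (a VLAN segments traffic at layer 2, a DMZ is a perimeter network zone), so if both are meant, write "such as VLANs and DMZs"; otherwise the reason for the swap should be stated in the commit message. Two smaller points: new line 32 still ends in a dangling " -" before the service list, where a colon would read better ("Enable SSL / TLS for all the services: MongoDB, RabbitMQ, PostgreSQL."), and new line 37 repeats itself ("Configure a firewall and set up a whitelist. You should set up a firewall ..."), so the first sentence could be dropped or merged into the second.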