Feature request: managed task hubs

[vigouredelaruse]

a durable function orchestration places an onus on the developer to avoid pii leakage - see the additional context below from here https://docs.microsoft.com/en-us/azure/azure-functions/durable/durable-functions-serialization-and-persistence?tabs=csharp

the summary is that function inputs may be persisted to a storage account visible to the tenant where a function app is deployed

Describe the solution you'd like
i'd prefer not to have to censor the various kinds of IDs and/or command channel data i send to my durable function orchestrations. other kinds of web apps deployed to azure app service don't bring quite such a visceral risk of implementation detail exposure to outsiders.

Describe alternatives you've considered
the mitigations are already described at the azure docs i reference here. what i'm suggesting is that the perhaps the need for mitigations ought to be factored out, given the increasingly grim security situation on the information highways of the internet

Additional context
the durable orchestration framework is not quite as opaque as other azure offerings. for example, i cannot directly examine the storage subsystem of azure ad without microsoft employee credentials. perhaps it should be so with durable functions

note that except perhaps for .mil and .gov type customers i do not believe these comments should be used as a justification for the eradication of all but the consumption plan, which is suitably opaque, but risky fiscally in the case of a ddos attack on a consumption plan endpoint for example

FROM THE DOCUMENTATION

The following is a list of the different types of data that will be serialized and persisted when using features of Durable Functions:

All inputs and outputs of orchestrator, activity, and entity functions, including any IDs and unhandled exceptions
Orchestrator, activity, and entity function names
External event names and payloads
Custom orchestration status payloads
Orchestration termination messages
Durable timer payloads
Durable HTTP request and response URLs, headers, and payloads
Entity call and signal payloads
Entity state payloads
Working with sensitive data
When using Azure Storage, all data is automatically encrypted at rest. However, anyone with access to the storage account can read the data in its unencrypted form.

[cgillum]

Hi @vigouredelaruse. Thanks for this feedback. As you rightly point out, the developer has the burden of ensuring that there is no PII leak into the storage account since that account is owned by the developer. You mention that you'd prefer Durable Functions be more "opaque" such that you don't have to worry about such concerns. Is it fair to say that having the Azure Functions manage the underlying storage account for you (making this our burden instead of yours) would satisfy your concern?

[vigouredelaruse]

hi @cgillum thanks for looking into it

based on the documentation i referenced (sorry for being all legal about it here - one does have to careful what one asks for) and for my particular implementation, the functions runtime's use of 'opaque infrastructure' storage account resources would resolve my concerns, and the concerns of users of a docker appliance i'm implementing using durable functions and entities

in this case, the appliance will enumerate storage accounts, retrieve keys and enumerate tables and entities all with the caller's token

i would prefer the token to disappear from the user's browser session into an opaque infrastructure for delivery to the function endpoint. the persistence of such tokens would serve as an impediment to this implementation's survival of a rigorous risk vector review.

obviously for the implementation i'm concerned about, all the above applies to the leakage of the storage account keys and other table entity meta-data via orchestration history

at the very minimum it seems we're discussing something akin to managed disk vs unmanaged disk. and there's the pricing rub. one may need to be careful here not to produce a class system, where people pay for the security they can afford, and everybody still has to code defensively

it's relevant to consider the situation over at azure devops, where public repositories are apparently under abuse, and have to be requested, whereupon the abuse shifted to private repositories. it's impossible to make anything foolproof because of course, fools like me are so ingenious
over

[olitomlinson]

@cgillum couple of thoughts

1. Opaque TaskHubs similar to what I was describing on Twitter when I suggested wrapping the new Netherite provider resources ( storage + event hubs) behind a new “TaskHub RP” similarly to what the SF Team are doing with the new Managed Cluster RP which encapsulates the actual SF infra.

2. Alternatively, What if we provided a way of passing secrets around orchestrations and activities without that secret ever getting serialised into the TaskHub?

I’m thinking similar to my idea of passing references to large object graphs, what if we pass around references to key vault secrets instead?(is this actually a KeyVault input/output binding?!?!) - Onus is on the customer to ensure all secrets are in KV, and customer manages the lifecycle of those secrets in KV.

Imo this provides a stronger security story than opaque TaskHubs. Not to say that both ideas couldn’t be combined for even more depth of security.

[cgillum]

@olitomlinson yeah, this is something I'd love to do (TaskHub RP), I just need to figure out how to make the business case for it to my management. :)

Secrets is interesting. I can't really think of a scenario where it would make sense to pass secrets around an orchestration though. It feels like that scenario would be better served using input/output bindings for KeyVault on individual activity functions.

[olitomlinson]

@cgillum FYI

I've just seen that Dapr has an input binding for retrieving secrets, and one of the implementations that that the Secret Component has is a KeyVault implementation.

This is exactly what I was calling for, but of course without the dependency on Dapr.

namespace dotnet_azurefunction
{
    using Microsoft.Azure.WebJobs;
    using Microsoft.Extensions.Logging;
    using Dapr.AzureFunctions.Extension;
    using System.Collections.Generic;

    public static class RetrieveSecret
    {
        /// <summary>
        /// Example to use Dapr Service Invocation Trigger and Dapr Secret input binding to retrieve a saved state from statestore
        /// </summary>
        [FunctionName("RetrieveSecret")]
        public static void Run(
            [DaprServiceInvocationTrigger] object args,
            [DaprSecret("kubernetes", "my-secret", Metadata = "metadata.namespace=default")] IDictionary<string, string> secret,
            ILogger log)
        {
            log.LogInformation("C# function processed a RetrieveSecret request from the Dapr Runtime.");

            // print the fetched secret value
            // this is only for demo purpose
            // please do not log any real secret in your production code        
            foreach (var kvp in secret)
            {
                log.LogInformation("Stored secret: Key = {0}, Value = {1}", kvp.Key, kvp.Value);
            }

        }
    }
}

https://github.com/dapr/azure-functions-extension/blob/master/samples/dotnet-azurefunction/RetrieveSecret.cs

[ConnorMcMahon]

A somewhat lightweight way to get secrets in Azure Functions is KeyVault References. Then you could just read it from an environment variable in activity function.

It has it's own downsides, like I believe that the app will be recycled when a secret updates to make sure it gets the latest value, but I think that is the closest thing we have for now.

[olitomlinson]

Hey @ConnorMcMahon

There is a world of difference between accessing a handful of static keyfault settings via AppSettings/Configuration that are declared at the infrastructure level (ARM) and then accessing potentially thousands of KeyVault secrets at runtime dynamically via the potential of a KeyVault input binding.

In my use-case I had a multi-tenant orchestration that needed to make HTTP calls to customers own 3rd party endpoints beyond the bounds of my system. I had to store their auth credentials along with the rest of the data that flowed around the orchestration

think of a model like this used as data to start an Orchestration

{   
   "customer" : "11111",
   "endpoint" : "http://contoso.com/api/v1/handler",
   "bearer" : "29fi203i0293i23i9fi2093if"
}

It would be far safer for me to include a KV reference in the model, instead of a plain text bearer token (which will then get serialised into the TaskHub eventually...)

{
   "customer" : "11111",
   "endpoint" : "http://contoso.com/api/v1/handler",
   "BearerKeyVaultReference" : "https://myvault.vault.azure.net/secrets/customer-11111/"
}

Then in my DF Activity I could use something like KeyVaultReference input binding to automatically fetch the secret on activity trigger, this way the actual secret is never part of the orchestration flow and never serialized into the TaskHub - The secret only ever persists in KeyVault.

    public static class CallCustomerEndpointActivity
    {
        [FunctionName("ActivityA")]
        public static void Run(
            [ActivityTrigger] CustomerEndpointData data,
            [KeyVaultSecret(Reference = "data.BearerKeyVaultReference")] string secret,
            ILogger log)
        {
            using (var requestMessage = new HttpRequestMessage(HttpMethod.Get, data.endpoint))
            {
                 requestMessage.Headers.Authorization = new AuthenticationHeaderValue("Bearer", secret);
    
                 await httpClient.SendAsync(requestMessage);
                 
                 ...
           }
        }
    }

Now imagine doing the above but for thousands of different customers with different endpoints in a multi-tenant system.

Hope that helps clarify :)

[vigouredelaruse]

on the proactive risk management, regarding the proposed 'managed task hub' sku please don't forget disaster recovery and the need to promote security by default on the configuration blade.

by this i mean

• fools and other people's oprah moments can be expected to attack the sandboxed environment possibly resulting in service degradation within and across tiers
• as an implementer i can't ignore the tradeoff whereby the managed storage accounts can be expected to see very high blob lease loads, for all the azure function developers of the internet will be involved, diligent and/or malicious
• in the case of a 'managed task hub' service degradation or some other concern i would consequently advocate strongly for the usual failover-failback mechanisms, acceptably by altering the (expected) tier (sku categorization) of the proposed service

[olitomlinson]

@cgillum

yeah, this is something I'd love to do (TaskHub RP), I just need to figure out how to make the business case for it to my management. :)

Few ideas for the business case :

• Hiding implementation detail to make the overall experience more Serverless - Feedback from my team who are somewhat new to DF is that the whole control queue/ work queue/instances/history stuff is scary barrier to entry.
• Drive diagnostic tooling and monitoring at the Orchestraion/Entity level rather than the TaskHub implementation (a good start is the open source ‘Durable Functions Monitor’ tool) - once we have this tooling embedded into the portal, there is less need for devs to learn about control queues and the deep details.
• Opaque TaskHub provider-agnostic Backup & restores API (like BACPAK for MS-SQL)
• BUILDING ON THE ABOVE : handsfree Migration from one TaskHub implementation to another (storage -> netherite )

Secrets is interesting. I can't really think of a scenario where it would make sense to pass secrets around an orchestration though. It feels like that scenario would be better served using input/output bindings for KeyVault on individual activity functions.

I would actually fully get behind a KeyVault input/output binding for Functions, so that I can resolve secrets dynamically at runtime per function call, and create new secrets in the same vein. I don’t think there is a KV binding? Where is the best place to raise this as a feature request?

[vigouredelaruse]

Secrets is interesting. I can't really think of a scenario where it would make sense to pass secrets around an orchestration though. It feels like that scenario would be better served using input/output bindings for KeyVault on individual activity functions.

i welcome your thoughts on the following. consider a potentially long-running situation where you have to mutate an unknowable number of table entities in an arbitrary user's storage account.

for easy deployment you want to avoid having to keyvault creds for every single storage account users want to operate against. also dynamic environment discovery, starting with the user's auth token prevents the app from having hardcoded god permissions, albeit backed by keyvault. so the user's permissions enable activity.

because of auth method impedance mismatch you decide to leverage impersonation to read the service keys of storage accounts within the user's rbac scope. you decide to embed this key retrieval in a function app orchestration, next to where they'll be used

you don't want to post the keys to the orchestration for good reasons. but now you have locally scoped variables in an orchestration referring to secrets like table names and entity lookup keys. and then you pay closer attention to task hubs and realize you have a problem and now thanks to you we're discussing this as a feature request

[olitomlinson]

@vigouredelaruse

I totally understand using RBAC / Managed Identity to discover storage accounts attached to an AAD User and subscription and list out the keys as secrets.

I agree this can be done in an Activity.

in the Activity, if there was such thing as a KeyVault output binding available at the point of listing out the keys, we could easily create KeyVault secrets and then pass references back to the orchestration.

Subsequently, when it’s time to use those secrets we would use the KeyVault input binding in the Activity also.

—

Functions support for KeyVault comes from a different world where secrets are configuration driven constants accessible from app settings etc

I think the problem here is that dynamically creating and reading secrets in Functions is not a well supported story, so people are put off completely from using it. When IMO, if KV was much easier to utilise from a Function it would get more adoption.

[vigouredelaruse]

[draft] [rfc]
for a 'cloud middleware based authz toolset' low-footprint secret consumption/production solution for functions suitable clients running in environments like azure app service and azure functions. actually a hit out the park would be data paths 1 service endpoint on a subnet away a keyvault key vault frontdoor if you will

a v0.5 slightly contrived use case, a microservice supporting a subscriber signup website (hosted anywhere) that

• sends a marketing funnel-sensitive welcome email with embedded content requiring secrets for retrieval such as

• a confirmation url with an expiring querystring token parameter sourced from cosmos db
• a paragraph containing content sourced from a product database hosted in Oracle running in AWS
• a paragraph containing content retrieved from THE END USER'S twitter account
• uh, the form letter sourced from a workflow backed by le's say a sharepoint list

for v1 obviously we go for data insertion/retrieval on-prem

proposed solution
a durable orchestration a workflow supported by a (new sku) opaque infrastructure sidecar microservice

• let's say the sidecar is a co-deployed function app deployed to the function app customer tenant with /appservice/../list permissions no azure customer can acquire
• the sidecar implements something like /tenant/secretprovider/supportedapi/secretoperation
• the functions team generates intellectual property that exposes the sidecar's /api via some convenient [Context]
• the sidecar's throughput scales and it otherwise behaves like a 'managed task hub' for people for whom money is no object

the walkthrough

• to support the "hosted anywhere" requirement the IMPLEMENTERS kick off an orchestration with a correlation id signal the workflow via some convenient mechanism, say signals sent via a Q to a [Binding]
• to support the context sensitive email, the IMPLEMENTERS pull the email from a sharepoint list /workflow/endpoint using THE END USER'S permissions. let's say the implementers use Microsoft Graph and user_impersonation to id the user principal assets. the END USER consents to THE SIDECAR'S azure ad (b2c) app registration and the IMPLEMENTERS auth to the graph sdk using secrets they implicitly [receive] from the SIDECAR. they acquire verify and use the auth token via an in-band browser session signal to the workflow. here they may choose to request offline refresh permissions. so now the sidecar helps them out with a secure token store. the sidecar surfaces the workflow output as per /provider/supportedapi/secretoperation
• to support retrieving content from the signing up user's twitter account, the user consents to the SIDECAR'S app registration on their twitter account. this means the sidecar has to be configurable as an arbitrary twitter client. season with token storage. the ORCHESTRATION consumes the token to hit the twitter api as directed.
• to support retrieving data from CosmosDb the SIDECAR leverages managed identity to gain access like this https://docs.microsoft.com/en-us/azure/cosmos-db/managed-identity-based-authentication or [keyvault] [Keyvault(ConfigSource)]
• pretty sure the aws/oracle piece will resemble the SIDECAR using oracle sqlclient to connect the endpoint like this https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_ConnectToOracleInstance.html. also maybe the IMPLEMENTERS want to supply their own implementation for this. personally i would appreciate the flexibility
• to support sending the email the SITE DEVELOPERS decide to use their office 365 exchange smpt relay option like this https://docs.microsoft.com/en-us/exchange/mail-flow-best-practices/how-to-set-up-a-multifunction-device-or-application-to-send-email-using-microsoft-365-or-office-365. So the SIDECAR needs to hide their smpt secrets for them
• to support embedding corporate page gutter details the SITE DEVELOPERS decide to use Microsoft Graph to get at their contact assets. so the SIDECAR needs support this workflow https://docs.microsoft.com/en-us/graph/tutorials/azure-functions

must mention implementation details
the mythos here is storage backed dynamic key distribution center, as opposed to hsm backed static key vault. but the solution stores secrets on behalf of various system entity roles. if it's a durable function, those secrets could be stored in durable entities that NOOOOOOBODY Must Ever See.

the wins

• very little a modicum a quantum of inter-silo cooperation required within microsoft to achieve, and no co-operation required from entities outside microsoft
• near-transparent secret consumption that need never leave local variable scope, once deserialized from storage (behind the opaque layer) of course where you've just got to be able to pay for hsm backing, and regardless you (i) gotta know NOBODY is EVER gonna see what i put there. yes and here we derive the elegance. from opacity comes near transparency
• low technical debt impacting c#/java function developers who need never see the /rest api
• cheaper infrastructure approaches are possible, such as offering the sidecar as a container based deployment you run on a simple app service plan. you deploy the sidecar with your app as per docker-compose. this gives you ubiquity, private networking and you can operate with or without an opaque task hub (in an azure functions situation)

division of realms

• the (Big Infrastructure)SIDECAR's SECURITY profile is managed by azure, obfuscating everything but the /endpoints behind datacenter fingerprint scanners
• the Little Infrastructure SIDECAR's (storage not included) SECURITY profile is managed by the implementers, since it's a co-deployment to their app service. this still begs the question of whether the solution results in hardened deployments across the environment, or whether the solution merely provides another tasty attack vector
• the SIDECAR's PROVIDER CONFIGURATION is managed by the function implementer (via your basic signals, callbacks and whatnot). NOT that i'm saying one (meaning YOU and ONLY your managed identity) should or shouldn't be able to directly signal a let's say durable entity containing the heavily encrypted json you want, er and that cannot be routed beyond the host subnet regardless of your app service sku. you have to pay for offloading the crypto operations to your crypto farm

gimmie some sausages widdit
right. the integration point will (have to avoid) running a multitude of nugets for sdks that change all the time. people will want to use preview features sometimes. you probably can't responsibly offer this service on one instance of the something that contains the integrated sdks. so you have to try to avoid compiled code and probably try to make all outcalls rest based, leaving the service to manage its rest clients more transparently.

alternatively the implementer gets to manage the deployment of sdk packs. not their own personal ones of course, but those sourced from the private vetted repo

oh all right maybe you're a .gov or a .mil or .edu and your secrets are associated with a main frame where you keep your vector output dataset. and uh, you don't trust the interconnect code in the sidecar, so you want to own the datapath with your own shim marketplace provider. you'll just use the sidecar to surface the main frame secrets to the [Context]. you already own the sla on your deployments

en plus, this also suggests on-demand builds of a tailored sidecar, driven by a ci/cd pipeline that must support gosh, who knows how many instances

hmm. this starts to look like the spec for a your basic 'cloud middleware pipeline' saas offering if it doesn't make it into production at microsoft

[vigouredelaruse]

associated work shows this is a nascent market segment dominated by ambassador pattern solutions

https://www.infoq.com/news/2021/04/cncf-radar-secrets-management/

[vigouredelaruse]

perhaps you're talking about a different product.

consider: if the ambassador pattern (that what it is?) is embedded in the keyvault mythos (and indeed the pricing/transaction suggests lowish expected transaction rates) and instead you want arbitrary rates of secret production and consumption then maybe hosting your own keyvault might seem like good horse sense when you're fine with sitting grim faced at kubectl>.

your idea starts to sound more like a 'opaque infrastructure' azure/kerberos key distribution center or something like it, where secret providers have endpoints (and transaction rates are prorated in the zillions) that can be surfaced by queue to a [binding] or something else like it that sounds like it involves a multitude of cross-cutting concerns.

so- those concerns that i can see are pairing/paring the cost of the queue and the connector mechanism for all the secret repositories supported, and making this a default tls required choice for getting at your client secrets and certificate thumbprints everywhere on the internet

uhhh - you could start the chain of trust with an auth token associated with a suitably armoured public/confidential client app. or is that firewall penetrating broker client. um and zone certificate authorities

i'm not so sure this is just theoretical computer science. if i'm not mistaken there are doors slamming shut on the internet and security is a big deal

[ConnorMcMahon]

I am very intrigued by this conversation. Since this feature request is still pretty hazy and needs some more fleshing out, I'm going to move it to the new discussion format.

[vigouredelaruse]

@cgillum ditto - let's say you're supervising a team of workflow developers building out functions. as it is one would have to account for human error when working with sensitive data, to a different degree than a normal webapp deployment. sure it's a skill to have but if one could factor the human error part out of the equation i'm certain it would harden deployments against secret loss. so at this point in the discussion i can still see the need. it would be interesting to know if people other than the two of us did

[vigouredelaruse]

congrats to the functions team for noticeable plaudits from forrester here https://visualstudiomagazine.com/articles/2021/03/31/forrester-faas.aspx as per

'The Azure profile continues: "Azure Functions supports a multitude of programming languages and stateful durable functions in its consumption plan, but preprovisioned instances, docker container support, and robust security features require developers to step up to a premium, dedicated, or Azure App Service plan."'

it is noteworthy to see that the plot summary calls out robust security as available, and this discussion is about making further waves in that direction

[vigouredelaruse]

as well, the following really needs to be called out

• there is an active incident over at azure devops that's been on for longer than the 15D indicated here https://status.dev.azure.com/ - according to this https://devblogs.microsoft.com/devops/change-in-azure-pipelines-grant-for-private-projects/ the reason is some form of abuse of the pipeline infrastructure
• the keyvault service recently provisioned larger vms (namspace collision) following high loads and ping-ponging during recovery
• my google filter for 'azure security breach' shows me all kinds of horrifying leaks due to blobs with pii left available to the internet
• let's be real about the threat environment. there is a raging cyberwar on with state level budgets involved

the argument trends to suggesting infrastructure is not just under attack, but creaking like crazy