0015: Authenticated Internal Status Page for Private Incidents

STATUS

Accepted

CONTEXT

Our Laravel application, based on the Cachet open-source project, currently includes a publicly accessible /status page listing incidents suitable for external users. Organizations increasingly require the capability to privately share sensitive incident information exclusively with authenticated internal users.

A generalized, configurable solution is preferred over a domain-specific implementation to enable adoption by a broader audience within the open-source community.

Considered Options

  • Option 1: Develop a proprietary internal authentication mechanism specific to our organization.
      • Inflexible and of limited usefulness to the wider open-source community.
  • Option 2: Implement configurable OAuth2 authentication supporting multiple providers via Laravel Socialite.
      • Pros:
          • Broad applicability within Cachet’s user community.
          • Secure, clearly delineated internal incident communication.
          • High configurability, allowing diverse authentication scenarios.
      • Cons:
          • Increased complexity in authentication setup and ongoing management.
          • Administrators must handle OAuth provider and domain configurations carefully; a misconfiguration of either could expose private incidents to unauthorized users.
          • Dependency on third-party OAuth providers could introduce availability risks.
      • Proposed design:
          • OAuth2 authentication via Laravel Socialite supporting configurable providers (Google, Azure, GitHub, etc.).
          • Administrator-configurable domain-based authorization.
          • A boolean private flag on incidents to identify sensitive incidents.
          • A /internal-status route serving both private and public incidents, exclusively to authenticated users matching the configured criteria.
  • Option 3: Allow LDAP or similar directory integration for internal users.
      • Considered overly complex and unnecessary for the initial implementation.
  • Option 4: Run two instances of Cachet, one for public consumption and the other for the private organization's consumption.
      • A good stop-gap while we work on an open-source contribution to the wider community.
      • Achievable via the IaC setup that facilitates the status-page project.
      • The private instance could be hosted behind an ALB with Cognito.
      • Which instance receives an incident would be managed by the Datadog workflow.
      • In this scenario no Cachet code needs to be modified.
  • Option 5: Cachet for public incidents, and integrate Atlassian Statuspage for private incidents.
      • Atlassian offers a free tier for Statuspage that we can use to evaluate its efficacy as a solution for making incidents visible.
      • Atlassian and Datadog have built-in integrations with each other.
      • Once we ramp up usage, I believe the price goes up significantly, possibly up to $400 a month.
      • Limited usefulness to the wider open-source community.
      • Statuspage offers audience-specific pages for tailoring status information for each of our different users, but those get pricey too.

DECISION

Option 4: Run two instances of Cachet, one for public consumption and the other for the private organization's consumption.

CONSEQUENCES

  • We'll create another set of Stacks for the private instance of Cachet
  • We'll also update our Datadog Workflow to send incidents to the correct instance(s) of Cachet
  • We'll set up Cognito to handle the authentication for the private instance of Cachet
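The following is an added worked example of the private-instance stack described in Option 4 and the consequences above; it is not the project's own IaC. It assumes the stacks are written in Terraform with the AWS provider, and every name, port, CIDR variable and the referenced `aws_lb.private`, `aws_lb_target_group.private_cachet` and security groups are placeholders assumed to exist elsewhere in the private stack. The point it demonstrates is the part that is easy to get wrong: Cognito is applied as the listener's default action (so every path is authenticated), the Datadog workflow gets a narrow, source-IP-gated exception for `/api/*` because a machine cannot complete the Cognito login redirect, and the Cachet hosts only accept traffic from the ALB so nothing can reach them around it.

```hcl
# Added example (not the project's own IaC): private Cachet instance reachable
# only through an ALB whose HTTPS listener authenticates every request with
# Cognito. Names, ports and the referenced aws_lb / target group / security
# groups are placeholders assumed to exist in the private stack.

variable "private_cachet_domain" {
  description = "Hostname of the private status page (assumed)."
  default     = "status-internal.example.com"
}

variable "acm_certificate_arn" {
  description = "ACM certificate for the private hostname (assumed)."
}

variable "datadog_webhook_cidrs" {
  description = "Source ranges the Datadog workflow posts from (assumed; take them from Datadog's published IP ranges, nothing wider)."
  type        = list(string)
}

resource "aws_cognito_user_pool" "internal" {
  name = "cachet-internal"
  admin_create_user_config {
    allow_admin_create_user_only = true   # no self sign-up: only staff created or federated by admins
  }
}

resource "aws_cognito_user_pool_domain" "internal" {
  domain       = "cachet-internal"        # hosted-UI prefix, placeholder
  user_pool_id = aws_cognito_user_pool.internal.id
}

resource "aws_cognito_user_pool_client" "alb" {
  name                                 = "cachet-internal-alb"
  user_pool_id                         = aws_cognito_user_pool.internal.id
  generate_secret                      = true        # the ALB requires a confidential client
  allowed_oauth_flows_user_pool_client = true
  allowed_oauth_flows                  = ["code"]
  allowed_oauth_scopes                 = ["openid", "email"]
  supported_identity_providers         = ["COGNITO"]
  # The ALB always completes the login at this fixed path on the listener's host.
  callback_urls = ["https://${var.private_cachet_domain}/oauth2/idpresponse"]
}

resource "aws_lb_listener" "private_https" {
  load_balancer_arn = aws_lb.private.arn
  port              = 443
  protocol          = "HTTPS"
  certificate_arn   = var.acm_certificate_arn

  # Listener default action, so every path (/status, /dashboard, /api/*) is
  # authenticated unless a higher-priority rule says otherwise.
  default_action {
    type = "authenticate-cognito"
    authenticate_cognito {
      user_pool_arn              = aws_cognito_user_pool.internal.arn
      user_pool_client_id        = aws_cognito_user_pool_client.alb.id
      user_pool_domain           = aws_cognito_user_pool_domain.internal.domain
      on_unauthenticated_request = "authenticate"   # redirect to login, never pass through
      session_timeout            = 28800            # 8 h, then re-authenticate
    }
  }
  default_action {
    type             = "forward"   # reached only after the authenticate action succeeds
    target_group_arn = aws_lb_target_group.private_cachet.arn
  }
}

# Deliberate exception: the Datadog workflow is a machine and cannot follow the
# Cognito login redirect, so its published source ranges may reach /api/*
# directly. Cachet's own API token still gates writes. Anything in this CIDR
# list bypasses Cognito for /api/*, so keep it to exactly Datadog's ranges.
resource "aws_lb_listener_rule" "datadog_api" {
  listener_arn = aws_lb_listener.private_https.arn
  priority     = 10
  action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.private_cachet.arn
  }
  condition {
    path_pattern { values = ["/api/*"] }
  }
  condition {
    source_ip { values = var.datadog_webhook_cidrs }
  }
}

# The check that makes the listener auth meaningful: Cachet accepts traffic
# only from the ALB's security group, so nothing can reach it around the ALB.
resource "aws_security_group_rule" "cachet_from_alb_only" {
  type                     = "ingress"
  security_group_id        = aws_security_group.private_cachet.id
  from_port                = 8000   # assumed Cachet container port
  to_port                  = 8000
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.private_alb.id
}
```

Two things to verify after applying this. First, request the private hostname from outside with no cookie: `/status` and `/dashboard` must answer with a redirect to the Cognito hosted UI, and `/api/v1/incidents` must do the same unless the request comes from one of the Datadog ranges. Second, the Cachet hosts' security group must have no other ingress rule (the ALB also needs a plain-HTTP listener that redirects to 443, omitted above, so the session cookie is only ever sent over TLS). The Datadog exception is the residual risk to document: sources in the allowlist see the private instance's API without Cognito, so the allowlist must be reviewed whenever Datadog's published ranges change.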

NOTES

References

Original Author

Dakota Washok

Approval date

2025-03-27

Approved by

- Dakota Washok

Appendix

  • Configuration examples and administrator documentation (to be provided upon implementation).