The New Relic Plugins product has been designed to be open and extensible, where any New Relic user, developer, technology vendor, or partner may publish publicly accessible plugins within the New Relic Plugins directory, Plugin Central. Anyone who has a New Relic account can install and use these plugins through their New Relic user interface.
An open community in which users both create and consume plugins naturally raises questions about security. This document describes the security considerations for using these plugins.
New Relic Plugins is not supported for accounts that host data in the EU region data center.
For some plugins, New Relic, Inc. is the publisher, and will be clearly identified as the publisher. However, the New Relic Plugins product is designed to be open with contributions from the community of developers; therefore, many plugins are created by New Relic's partners and third-party developers.
New Relic requires plugin publishers to provide an About link to their website, documentation about what the plugin is for and how to use it, and a link to obtain support when using the plugin. New Relic also requires plugin publishers to review and accept the Developer Terms of Service agreement before they can make their plugin publicly accessible. Be sure to review all information provided by the publisher before installing any plugin.
If you have concerns about a plugin built with the SDKs for New Relic Plugins, review its source code (where the publisher makes it available) and verify that the plugin agent behaves as described. Plugin agents are typically small, so a review takes little time.
Access to license keys
Important: Always keep your New Relic license key private. The license key is used only to record metric data or deployments for the applications, hosts, or plugins that New Relic Plugins monitors; it grants no other access. Because anyone who obtains the key can report data into your account, treat it as a secret: restrict who and what can read it, and never write it to logs or check it into shared source repositories.
When developing a plugin agent, authors and publishers need to consider the environment in which they will be run. You should do everything possible to reduce the level of permissions your plugin users need to grant to the agent in order for it to run correctly. In particular:
- Unless it is absolutely necessary, do not require "su" or "sudo" permissions to install your agent or its supporting software on your users' computers. If elevated permissions are unavoidable, limit them in scope and document exactly what they are needed for. For additional information about access rights for plugin users, see Installing a plugin.
- When running your agent on the users' computers, do not require "su" or "sudo" permissions.
- The components (instances) your plugin agent is monitoring should only need to grant read-only permissions in order for your agent to perform its actions.
- Request from the monitored components (instances) only the information and access the agent needs to report its metrics, and nothing more.
- When documenting your plugin, describe what level of permissions your plugin agent requires from the components (instances) it is monitoring and why this is necessary.
Following these steps makes it easier for your plugin users to install your agent and increases their confidence that the agent cannot harm the components or instances it monitors. It also limits the damage if your agent has a serious bug or other defect.
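The two points above, keeping the license key private and refusing to run with more privilege than needed, can be enforced by the agent itself at startup. The following is an added example written for this page, not code from the New Relic Plugins SDKs or from any published plugin. It assumes a YAML config file with a top-level `license_key` entry (the file name and layout are assumptions, not the SDK's own format) and assumes, for redaction only, that a license key is a 40-character hexadecimal string. The `preflight` function returns a list of findings rather than aborting, so it can be called from the agent's startup path or from a test.

```ruby
require 'yaml'

# Placeholder value shipped in a sample config (assumed name); the agent must
# refuse to start while it is still present.
PLACEHOLDER_KEY = 'YOUR_LICENSE_KEY_HERE'.freeze

# Assumption of this example: a license key is 40 hex characters. Used only
# to find keys in text that is about to be logged.
LICENSE_KEY_RE = /\b[0-9a-f]{40}\b/i

# Mask any license key in text destined for a log line, keeping only the last
# four characters so operators can still tell which key was used.
def redact_license_key(text)
  text.gsub(LICENSE_KEY_RE) { |key| '****' + key[-4, 4] }
end

# Startup checks for a plugin agent.
#   config_path : YAML file with a top-level `license_key` entry (assumed layout)
#   uid         : effective uid the agent runs as (injectable for testing)
#   env         : environment hash (injectable for testing)
# Returns an array of human-readable findings; empty means it is safe to start.
def preflight(config_path, uid: Process.euid, env: ENV)
  findings = []

  # Run as a dedicated unprivileged user: never as root, never through sudo.
  findings << 'agent is running as root (uid 0); run it as a dedicated unprivileged user' if uid.zero?
  findings << "agent was launched through sudo (SUDO_USER=#{env['SUDO_USER']})" if env['SUDO_USER']

  # The config file holds the license key: only the agent's own user may read
  # or modify it, so group and other bits must all be clear.
  mode = File.stat(config_path).mode & 0o777
  if (mode & 0o077) != 0
    findings << format('config %s is mode %04o; expected 0600 so the license key stays private',
                       config_path, mode)
  end

  # A missing or placeholder key means the sample config was never filled in.
  config = YAML.safe_load(File.read(config_path))
  config = {} unless config.is_a?(Hash)
  key = config.fetch('license_key', '').to_s
  if key.empty? || key == PLACEHOLDER_KEY
    findings << 'license_key is missing or still set to the placeholder value'
  end

  findings
end

# Usage: ruby preflight.rb /path/to/agent.yml  (exit status 1 if any check fails)
if __FILE__ == $PROGRAM_NAME && ARGV[0]
  problems = preflight(ARGV[0])
  problems.each { |p| warn "preflight: #{redact_license_key(p)}" }
  exit(problems.empty? ? 0 : 1)
end
```

The uid and environment are parameters so the root and sudo checks can be exercised without actually running as root; in the agent they default to the real process values. Every message passes through `redact_license_key` before it is printed, which is the habit that keeps the key out of log files and support tickets.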
A plugin agent needs network access only to the systems it monitors and to New Relic, for the purpose of reporting metrics. Consider running plugin agents on isolated hosts whose network access is restricted to exactly those destinations. Data retention periods for plugin data follow New Relic's standard policies, which depend on your subscription level.
If you have any concerns about deploying any plugin from New Relic Plugins, follow your organization's guidelines. If for any reason you do not trust the source of an existing plugin, try creating your own version. Plugins can be created in less than a day. It's that easy!
For more help
Additional documentation resources include: