* Restricting RADOS gateway users to specific IP subnets
@ 2017-01-23 15:04 Wido den Hollander
  2017-01-23 16:19 ` Orit Wasserman
  0 siblings, 1 reply; 5+ messages in thread
From: Wido den Hollander @ 2017-01-23 15:04 UTC (permalink / raw)
  To: ceph-devel

Hi,

At Amazon you can set Bucket Policies [0] on a bucket where you can restrict requests to be made from specific IP addresses and/or subnets.

These policies are currently not supported by RGW, but that's not the use-case I'm looking for.

The use-case here is that when an Access/Secret key pair is stolen one can access all data from that user. With the Access/Secret key pair you can also update the bucket policies and still access all the data.

I'm thinking of a way where an IP ACL can be set for a user. All requests for that user will be matched to that ACL. That way, even if you steal the keys you still can't access the data.

The system in this case is connected to the internet, so a firewall in between won't help since it needs to allow traffic from all places, but just specific users and their data need to be isolated.

Does it sound sane if we have such a feature for the RGW? The JSON output from user info might look like:

{
  "user_id": "example",
  "user_ip_acl": {
    "allow": [
      "192.168.0.0/24",
      "2001:db8::/64"
    ]
  }
}

Wido

[0]: http://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html
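A sketch of the matching logic the proposal implies, added here as an example and not RGW code: it parses the proposed `user_ip_acl` block, picks the client address with care for any proxy in front of the gateway, and matches it against the allow list, failing closed. `TRUSTED_PROXIES`, the sample user info and the function names are constructed assumptions.

```python
import ipaddress
import json

# Constructed sample in the shape proposed above (with valid JSON syntax).
SAMPLE_USER_INFO = ('{"user_id": "example", '
                    '"user_ip_acl": {"allow": ["192.168.0.0/24", "2001:db8::/64"]}}')
# Assumed: the gateway's own front-end proxies, which may set X-Forwarded-For.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]

def load_allow_list(user_info_json):
    """Parse a user's allow list into network objects; None means no ACL set."""
    acl = json.loads(user_info_json).get("user_ip_acl")
    if acl is None:
        return None
    # strict=False tolerates host bits in the prefix, e.g. "192.168.0.5/24"
    return [ipaddress.ip_network(c, strict=False) for c in acl.get("allow", [])]

def client_ip(peer_addr, x_forwarded_for, trusted_proxies=TRUSTED_PROXIES):
    """Pick the address to match. X-Forwarded-For is only consulted when the
    TCP peer is a trusted proxy, and it is walked from the right, so a
    client-supplied prefix cannot spoof an allowed address."""
    if not any(ipaddress.ip_address(peer_addr) in p for p in trusted_proxies):
        return peer_addr
    hops = [h.strip() for h in (x_forwarded_for or "").split(",") if h.strip()]
    while hops:
        hop = hops.pop()
        try:
            hop_addr = ipaddress.ip_address(hop)
        except ValueError:
            return hop  # garbage header value; request_allowed() rejects it
        if not any(hop_addr in p for p in trusted_proxies):
            return hop
    return peer_addr

def request_allowed(allow_list, remote_addr):
    """True if the source address may use this user's keys. Fails closed: an
    empty allow list blocks everything and an unparseable address is rejected."""
    if allow_list is None:
        return True  # user has no IP ACL configured
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # dual-stack listeners see ::ffff:a.b.c.d
    return any(addr in net for net in allow_list)  # cross-family is just False
```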


* Re: Restricting RADOS gateway users to specific IP subnets
  2017-01-23 15:04 Restricting RADOS gateway users to specific IP subnets Wido den Hollander
@ 2017-01-23 16:19 ` Orit Wasserman
  2017-01-23 18:21   ` Wido den Hollander
  0 siblings, 1 reply; 5+ messages in thread
From: Orit Wasserman @ 2017-01-23 16:19 UTC (permalink / raw)
  To: Wido den Hollander; +Cc: ceph-devel

On Mon, Jan 23, 2017 at 5:04 PM, Wido den Hollander <wido@42on.com> wrote:
> Hi,
>
> At Amazon you can set Bucket Policies [0] on a bucket where you can restrict requests to be made from specific IP addresses and/or subnets.
>
> These policies are currently not supported by RGW, but that's not the use-case I'm looking for.
>
> The use-case here is that when an Access/Secret key pair is stolen one can access all data from that user. With the Access/Secret key pair you can also update the bucket policies and still access all the data.
>
> I'm thinking of a way where an IP ACL can be set for a user. All requests for that user will be matched to that ACL. That way, even if you steal the keys you still can't access the data.
>
> The system in this case is connected to the internet, so a firewall in between won't help since it needs to allow traffic from all places, but just specific users and their data need to be isolated.
>
> Does it sound sane if we have such a feature for the RGW? The JSON output from user info might look like:
>
> {
>   "user_id": "example",
>   "user_ip_acl": {
>     "allow": [
>       "192.168.0.0/24",
>       "2001:db8::/64"
>     ]
>   }
> }
>

This is possible but it is not a small change to the user and
authentication mechanism which are being reworked at the moment.
Cannot this be done by configuring the network?

Orit

> Wido
>
> [0]: http://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html

* Re: Restricting RADOS gateway users to specific IP subnets
  2017-01-23 16:19 ` Orit Wasserman
@ 2017-01-23 18:21   ` Wido den Hollander
  2017-01-23 18:40     ` Orit Wasserman
  0 siblings, 1 reply; 5+ messages in thread
From: Wido den Hollander @ 2017-01-23 18:21 UTC (permalink / raw)
  To: Orit Wasserman; +Cc: ceph-devel


> Op 23 januari 2017 om 17:19 schreef Orit Wasserman <owasserm@redhat.com>:
> 
> 
> On Mon, Jan 23, 2017 at 5:04 PM, Wido den Hollander <wido@42on.com> wrote:
> > Hi,
> >
> > At Amazon you can set Bucket Policies [0] on a bucket where you can restrict requests to be made from specific IP addresses and/or subnets.
> >
> > These policies are currently not supported by RGW, but that's not the use-case I'm looking for.
> >
> > The use-case here is that when an Access/Secret key pair is stolen one can access all data from that user. With the Access/Secret key pair you can also update the bucket policies and still access all the data.
> >
> > I'm thinking of a way where an IP ACL can be set for a user. All requests for that user will be matched to that ACL. That way, even if you steal the keys you still can't access the data.
> >
> > The system in this case is connected to the internet, so a firewall in between won't help since it needs to allow traffic from all places, but just specific users and their data need to be isolated.
> >
> > Does it sound sane if we have such a feature for the RGW? The JSON output from user info might look like:
> >
> > {
> >   "user_id": "example",
> >   "user_ip_acl": {
> >     "allow": [
> >       "192.168.0.0/24",
> >       "2001:db8::/64"
> >     ]
> >   }
> > }
> >
> 
> This is possible but it is not a small change to the user and
> authentication mechanism which are being reworked at the moment.

I wasn't aware of any of that work. What is going to be changed?

> Cannot this be done by configuring the network?

Well, in this case port 80 and 443 are open to the internet. The use-case is '2FA' where we prevent anybody from accessing the data by just getting the Access/Secret keys.

Network can't do much here since we have to allow all HTTP(S) traffic.

Wido

> 
> Orit
> 
> > Wido
> >
> > [0]: http://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html

* Re: Restricting RADOS gateway users to specific IP subnets
  2017-01-23 18:21   ` Wido den Hollander
@ 2017-01-23 18:40     ` Orit Wasserman
  2017-01-24  7:45       ` Wido den Hollander
  0 siblings, 1 reply; 5+ messages in thread
From: Orit Wasserman @ 2017-01-23 18:40 UTC (permalink / raw)
  To: Wido den Hollander; +Cc: ceph-devel

On Mon, Jan 23, 2017 at 8:21 PM, Wido den Hollander <wido@42on.com> wrote:
>
>> Op 23 januari 2017 om 17:19 schreef Orit Wasserman <owasserm@redhat.com>:
>>
>>
>> On Mon, Jan 23, 2017 at 5:04 PM, Wido den Hollander <wido@42on.com> wrote:
>> > Hi,
>> >
>> > At Amazon you can set Bucket Policies [0] on a bucket where you can restrict requests to be made from specific IP addresses and/or subnets.
>> >
>> > These policies are currently not supported by RGW, but that's not the use-case I'm looking for.
>> >
>> > The use-case here is that when an Access/Secret key pair is stolen one can access all data from that user. With the Access/Secret key pair you can also update the bucket policies and still access all the data.
>> >
>> > I'm thinking of a way where an IP ACL can be set for a user. All requests for that user will be matched to that ACL. That way, even if you steal the keys you still can't access the data.
>> >
>> > The system in this case is connected to the internet, so a firewall in between won't help since it needs to allow traffic from all places, but just specific users and their data need to be isolated.
>> >
>> > Does it sound sane if we have such a feature for the RGW? The JSON output from user info might look like:
>> >
>> > {
>> >   "user_id": "example",
>> >   "user_ip_acl": {
>> >     "allow": [
>> >       "192.168.0.0/24",
>> >       "2001:db8::/64"
>> >     ]
>> >   }
>> > }
>> >
>>
>> This is possible but it is not a small change to the user and
>> authentication mechanism which are being reworked at the moment.
>
> I wasn't aware of any of that work. What is going to be changed?
>
>> Cannot this be done by configuring the network?
>

There is the STS and Radoslaw is working on general authentication:
https://github.com/ceph/ceph/pull/12893

> Well, in this case port 80 and 443 are open to the internet. The use-case is '2FA' where we prevent anybody from accessing the data by just getting the Access/Secret keys.
>
> Network can't do much here since we have to allow all HTTP(S) traffic.
>
I thought more in the IP level like subnets and routing.

> Wido
>
>>
>> Orit
>>
>> > Wido
>> >
>> > [0]: http://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html

* Re: Restricting RADOS gateway users to specific IP subnets
  2017-01-23 18:40     ` Orit Wasserman
@ 2017-01-24  7:45       ` Wido den Hollander
  0 siblings, 0 replies; 5+ messages in thread
From: Wido den Hollander @ 2017-01-24  7:45 UTC (permalink / raw)
  To: Orit Wasserman; +Cc: ceph-devel


> Op 23 januari 2017 om 19:40 schreef Orit Wasserman <owasserm@redhat.com>:
> 
> 
> On Mon, Jan 23, 2017 at 8:21 PM, Wido den Hollander <wido@42on.com> wrote:
> >
> >> Op 23 januari 2017 om 17:19 schreef Orit Wasserman <owasserm@redhat.com>:
> >>
> >>
> >> On Mon, Jan 23, 2017 at 5:04 PM, Wido den Hollander <wido@42on.com> wrote:
> >> > Hi,
> >> >
> >> > At Amazon you can set Bucket Policies [0] on a bucket where you can restrict requests to be made from specific IP addresses and/or subnets.
> >> >
> >> > These policies are currently not supported by RGW, but that's not the use-case I'm looking for.
> >> >
> >> > The use-case here is that when an Access/Secret key pair is stolen one can access all data from that user. With the Access/Secret key pair you can also update the bucket policies and still access all the data.
> >> >
> >> > I'm thinking of a way where an IP ACL can be set for a user. All requests for that user will be matched to that ACL. That way, even if you steal the keys you still can't access the data.
> >> >
> >> > The system in this case is connected to the internet, so a firewall in between won't help since it needs to allow traffic from all places, but just specific users and their data need to be isolated.
> >> >
> >> > Does it sound sane if we have such a feature for the RGW? The JSON output from user info might look like:
> >> >
> >> > {
> >> >   "user_id": "example",
> >> >   "user_ip_acl": {
> >> >     "allow": [
> >> >       "192.168.0.0/24",
> >> >       "2001:db8::/64"
> >> >     ]
> >> >   }
> >> > }
> >> >
> >>
> >> This is possible but it is not a small change to the user and
> >> authentication mechanism which are being reworked at the moment.
> >
> > I wasn't aware of any of that work. What is going to be changed?
> >
> >> Cannot this be done by configuring the network?
> >
> 
> There is the STS and Radoslaw is working on general authentication:
> https://github.com/ceph/ceph/pull/12893
> 

Interesting!

> > Well, in this case port 80 and 443 are open to the internet. The use-case is '2FA' where we prevent anybody from accessing the data by just getting the Access/Secret keys.
> >
> > Network can't do much here since we have to allow all HTTP(S) traffic.
> >
> I thought more in the IP level like subnets and routing.

Understood, but this system is shared among public users on the internet so it has to be open to any:any.

A few users want 2FA on their data so that when keys are compromised users can't access their data. An IP black/whitelist would help this.

Wido

> 
> > Wido
> >
> >>
> >> Orit
> >>
> >> > Wido
> >> >
> >> > [0]: http://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html