> On 23 January 2017 at 19:40, Orit Wasserman <owasserm@xxxxxxxxxx> wrote:
>
>
> On Mon, Jan 23, 2017 at 8:21 PM, Wido den Hollander <wido@xxxxxxxx> wrote:
> >
> >> On 23 January 2017 at 17:19, Orit Wasserman <owasserm@xxxxxxxxxx> wrote:
> >>
> >>
> >> On Mon, Jan 23, 2017 at 5:04 PM, Wido den Hollander <wido@xxxxxxxx> wrote:
> >> > Hi,
> >> >
> >> > At Amazon you can set Bucket Policies [0] on a bucket where you can restrict requests to be done from specific IP addresses and/or subnets.
> >> >
> >> > These policies are currently not supported by RGW, but that's not the use-case I'm looking for.
> >> >
> >> > The use-case here is that when an Access/Secret key pair is stolen one can access all data from that user. With the Access/Secret key pair you can also update the bucket policies and still access all the data.
> >> >
> >> > I'm thinking of a way where an IP ACL can be set for a user. All requests for that user will be matched to that ACL. That way, even if you steal the keys you still can't access the data.
> >> >
> >> > The system in this case is connected to the internet, so a firewall in between won't help since it needs to allow traffic from all places, but just specific users and their data need to be isolated.
> >> >
> >> > Does it sound sane if we have such a feature for the RGW? The JSON output from user info might look like:
> >> >
> >> > {
> >> >   "user_id": "example",
> >> >   "user_ip_acl": {
> >> >     "allow": [
> >> >       "192.168.0.0/24",
> >> >       "2001:db8::/64"
> >> >     ]
> >> >   }
> >> > }
> >> >
> >>
> >> This is possible but it is not a small change to the user and
> >> authentication mechanism which are being reworked at the moment.
> >
> > I wasn't aware of any of that work. What is going to be changed?
> >
> >> Cannot this be done by configuring the network?
> >
> There is the STS and Radoslaw is working on general authentication:
> https://github.com/ceph/ceph/pull/12893
>

Interesting!

> > Well, in this case port 80 and 443 are open to the internet.
> > The use-case is '2FA' where we prevent anybody from accessing the data by just getting the Access/Secret keys.
> >
> > Network can't do much here since we have to allow all HTTP(S) traffic.
>
> I thought more in the IP level like subnets and routing.

Understood, but this system is shared among public users on the internet so it has to be open to any:any. A few users want 2FA on their data so that when keys are compromised users can't access their data. An IP black/whitelist would help this.

Wido

>
> > Wido
> >
> >>
> >> Orit
> >>
> >> > Wido
> >> >
> >> > [0]: http://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html
--
To unsubscribe from this list: send the line "unsubscribe ceph-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
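The check Wido describes, written out as an added example (this is not Ceph/RGW code and not part of the thread): it parses the `user_ip_acl` shape from the proposal and decides whether a request from a given source address may proceed after the signature check has already passed. The function names `load_allow_list` and `request_allowed` and the `SAMPLE_USER_INFO` document are assumptions constructed for the example. It goes slightly beyond the thread in two places: a user with no `user_ip_acl` at all is treated as today (key check only), while a present ACL with an empty `allow` list blocks everything, and IPv4-mapped IPv6 peer addresses (what a dual-stack listener often reports) are unwrapped before matching so an IPv4 allow entry still applies.

```python
"""Per-user source-IP allow list for an S3-style gateway (added example, not RGW code)."""
import ipaddress
import json

# Constructed sample of the user-info JSON from the proposal. This is example
# input for the functions below, not output of any real radosgw-admin command.
SAMPLE_USER_INFO = json.dumps({
    "user_id": "example",
    "user_ip_acl": {
        "allow": [
            "192.168.0.0/24",
            "2001:db8::/64",
        ]
    },
})


def load_allow_list(user_info_json):
    """Parse a user-info document and return its allowed networks.

    Returns None when the user has no ACL at all, so the caller falls back to
    the ordinary key check. A present but malformed entry raises ValueError
    rather than being skipped, because dropping entries silently would either
    fail open (missing allow entry) or lock a user out without any record.
    """
    info = json.loads(user_info_json)
    acl = info.get("user_ip_acl")
    if acl is None:
        return None
    networks = []
    for entry in acl.get("allow", []):
        # strict=False tolerates host bits in an entry such as "192.168.0.1/24".
        networks.append(ipaddress.ip_network(entry, strict=False))
    return networks


def request_allowed(user_info_json, source_ip):
    """Decide whether a request from source_ip may proceed for this user.

    Run this only after the Access/Secret signature check succeeds, and feed it
    the peer address of the TCP connection (or a proxy-supplied header only
    when that proxy is trusted), otherwise the list is trivially bypassed.
    """
    networks = load_allow_list(user_info_json)
    if networks is None:
        return True          # no ACL configured: behaves as today
    if not networks:
        return False         # ACL present with an empty allow list: deny all
    addr = ipaddress.ip_address(source_ip)
    # A dual-stack socket may report an IPv4 peer as ::ffff:a.b.c.d; compare
    # the embedded IPv4 address so IPv4 allow entries still match it.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in networks)


if __name__ == "__main__":
    for ip in ("192.168.0.17", "2001:db8::1", "10.0.0.1", "::ffff:192.168.0.9"):
        print(ip, "allowed" if request_allowed(SAMPLE_USER_INFO, ip) else "denied")
```

Two design points follow from the thread itself: the ACL belongs on the user record and must be editable only through the admin interface, because if it could be changed with the user's own keys a stolen key pair would simply remove it (the same weakness Wido notes for bucket policies); and the decision must be based on the real peer address, since the listener is open to any:any and an unverified `X-Forwarded-For` would be under the attacker's control.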