On Fri, Dec 08, 2023 at 10:41:59AM +0100, marc@singer.services wrote:
> Hi Ceph users
>
> We are using Ceph Pacific (16) in this specific deployment.
>
> In our use case we do not want our users to be able to generate signature v4 URLs because they bypass the policies that we set on buckets (e.g. IP restrictions).
> Currently we have a sidecar reverse proxy running that filters requests with signature URL specific request parameters.
> This is obviously not very efficient and we are looking to replace this somehow in the future.
>
> 1. Is there an option in RGW to disable these signed URLs (e.g. returning status 403)?
> 2. If not, is this planned or would it make sense to add it as a configuration option?
> 3. Or is the behaviour of not respecting bucket policies in RGW with signature v4 URLs a bug and they should be actually applied?

Trying to clarify your ask:
- you want ALL requests, including presigned URLs, to be subject to the IP restrictions encoded in your bucket policy?
  e.g. auth (signature AND IP-list)

That should be possible with bucket policy.

Can you post the current bucket policy that you have? (redact with distinct values the IPs, userids, bucket name, any paths, but otherwise keep it complete).

You cannot fundamentally stop anybody from generating presigned URLs, because that's purely a client-side operation. Generating presigned URLs requires an access key and secret key, at which point they can do presigned or regular authenticated requests.

P.S. What stops your users from changing the bucket policy?

--
Robin Hugh Johnson
Gentoo Linux: Dev, Infra Lead, Foundation President & Treasurer
E-Mail   : robbat2@xxxxxxxxxx
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85
GnuPG FP : 7D0B3CEB E9B85B1F 825BCECF EE05E6F6 A48F6136