On 7/21/20 6:30 PM, Jean-Sebastien Landry wrote:
Hi everyone, we have a ceph cluster for object storage
only, the rgws are accessible from the internet, and everything is ok.
Is there a HTTP proxy in between?
Now, one of our team/client required that their data should not ever be accessible from
the internet.
First: Upload with a Private ACL. This means that Authentication is
always required to read the data.
In any case of security bug/breach/whatever, they want
to limit the access to their data from the local network.
Before creating a second "private" cluster, is there a way to achieve this on
our current "public" cluster?
Is a multi-zone without replication would help me with that?
A public rgws for public access on the "pub_zone", and a private rgws for
private access on the "prv_zone"?
pubzone.rgw.buckets.data
prvzone.rgw.buckets.data
If the "public" rgws is hacked, without the access_key/secret_key of the
private zone, is there any possibilities to access the private zone?
Does a multi-realms would help me to secure it more?
Any input would be really appreciated.
I don't want to put to much energy for false security and/or security by obscurity,
so if these scenarios of multi-sites/multi-realms are useless, in a security point of
view, please tell me. :-)
Why not work with a HTTP proxy in between that filters out specific
bucket names? Or only allows access to them if the client IP matches X.
This way two barriers need to be crossed:
- Filtering in the proxy
- RGW authentication
Wido
>
> Thanks!
> JS
> _______________________________________________
> ceph-users mailing list -- ceph-users(a)ceph.io
> To unsubscribe send an email to ceph-users-leave(a)ceph.io
>