Uploaded image for project: 'Apache Ozone'
  1. Apache Ozone
  2. HDDS-8132

Secure S3 keys management

    XMLWordPrintableJSON

Details

    • Improvement
    • Status: Open
    • Major
    • Resolution: Unresolved
    • None
    • None
    • None

    Description

      While attempting to get Ozone to production, we found several security flaws regarding S3 auth.

      Some of them we have already done (HDDS-7191, HDDS-7815), some of them are in progress (HDDS-8050,HDDS-7814), and some are to be implemented.

      This Jira has several purposes:

      1. To be an umbrella Jira for work regarding improving S3 security
      2. To share our vision regarding S3 security

      I attached a design document that describes all the security flaws we have found. Eliminating them will drastically increase Ozone S3 security.

      Attachments

        1. Secure S3 keys management.pdf
          89 kB
          Maksim Myskov

        Issue Links

          is a parent of

          Sub-task - The sub-task of the issue HDDS-8050 Create HTTP endpoint to access S3 secret via Kerberos auth

          • Major - Major loss of function.
          • Resolved

          Improvement - An improvement or enhancement to an existing feature or task. HDDS-7191 Create separate property for s3 admin

          • Major - Major loss of function.
          • Resolved

          Improvement - An improvement or enhancement to an existing feature or task. HDDS-7814 Implement remote S3 secret storage

          • Major - Major loss of function.
          • Resolved

          Improvement - An improvement or enhancement to an existing feature or task. HDDS-7815 Extract layer of S3 secret manipulation

          • Major - Major loss of function.
          • Resolved
          links to

          Web Link GitHub Pull Request #4372

          Activity

            People

              myskov Maksim Myskov
              myskov Maksim Myskov
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

              Dates

                Created:
                Updated: