Table of ContentsView in Frames

How the StorageGRID Webscale system implements security for the REST API

The StorageGRID Webscale system employs the use of Transport Layer Security (TLS) connection security, server authentication, client authentication, and client authorization. When considering security issues, you might find it helpful to understand how the StorageGRID Webscale system implements security, authentication, and authorization for the S3 or Swift REST API.

The StorageGRID Webscale system accepts HTTPS commands submitted over a network connection that uses TLS to provide connection security, application authentication and, optionally, transport encryption. Commands that do not use TLS are rejected. If an object is encrypted when it is ingested, it stays encrypted for the lifetime of the object in the StorageGRID Webscale system.

TLS enables the exchange of certificates as entity credentials and allows a negotiation that can use hashing and encryption algorithms.

When a StorageGRID Webscale system is installed, a certificate authority (CA) certificate is generated, as well as server certificates for each Storage Node. These server certificates are all signed by the grid CA. You need to configure client applications to trust this grid CA certificate. When a client application connects to any Storage Node using TLS, the application can authenticate the Storage Node by verifying that the server certificate presented by the Storage Node is signed by the trusted grid CA.

Alternatively, you can choose to supply a single, custom server certificate that should be used on all Storage Nodes rather than the generated ones. The custom server certificate must be signed by a CA selected by the administrator. The server authentication process by the client application is the same, but in this instance with a different trusted CA.

For details about configuring server certificates, see the Administrator Guide.

The following table shows how security issues are implemented for S3 and Swift API:

Security issue Implementation for REST API
Connection security TLS
Server authentication X.509 server certificate signed by grid CA or custom server certificate supplied by administrator
Client authentication
  • S3: S3 account (access key ID and secret access key)
  • Swift: Swift account (credentials of user name and password)
Client authorization
  • S3: Bucket ownership and all applicable access control policies
  • Swift: Account admin role access