Configure security for REST API
You should review the security measures implemented for the REST API and understand how to secure your system.
How StorageGRID provides security for REST API
You should understand how the StorageGRID system implements security, authentication, and authorization for the REST API.
StorageGRID uses the following security measures.
-
Client communications with the Load Balancer service use HTTPS if HTTPS is configured for the load balancer endpoint.
When you configure a load balancer endpoint, HTTP can optionally be enabled. For example, you might want to use HTTP for testing or other non-production purposes. See the instructions for administering StorageGRID for more information.
-
By default, StorageGRID uses HTTPS for client communications with Storage Nodes and the CLB service on Gateway Nodes.
HTTP can optionally be enabled for these connections. For example, you might want to use HTTP for testing or other non-production purposes. See the instructions for administering StorageGRID for more information.
The CLB service is deprecated. -
Communications between StorageGRID and the client are encrypted using TLS.
-
Communications between the Load Balancer service and Storage Nodes within the grid are encrypted whether the load balancer endpoint is configured to accept HTTP or HTTPS connections.
-
Clients must supply HTTP authentication headers to StorageGRID to perform REST API operations.
Security certificates and client applications
Clients can connect to the Load Balancer service on Gateway Nodes or Admin Nodes, directly to Storage Nodes, or to the CLB service on Gateway Nodes.
In all cases, client applications can make TLS connections using either a custom server certificate uploaded by the grid administrator or a certificate generated by the StorageGRID system:
-
When client applications connect to the Load Balancer service, they do so using the certificate that was configured for the specific load balancer endpoint used to make the connection. Each endpoint has its own certificate, which is either a custom server certificate uploaded by the grid administrator or a certificate that the grid administrator generated in StorageGRID when configuring the endpoint.
-
When client applications connect directly to a Storage Node or to the CLB service on Gateway Nodes, they use either the system-generated server certificates that were generated for Storage Nodes when the StorageGRID system was installed (which are signed by the system certificate authority), or a single custom server certificate that is supplied for the grid by a grid administrator.
Clients should be configured to trust the certificate authority that signed whichever certificate they use to establish TLS connections.
See the instructions for administering StorageGRID for information on configuring load balancer endpoints, and for instructions on adding a single custom server certificate for TLS connections directly to Storage Nodes or to the CLB service on Gateway Nodes.
Summary
The following table shows how security issues are implemented in the S3 and Swift REST APIs:
Security issue | Implementation for REST API |
---|---|
Connection security |
TLS |
Server authentication |
X.509 server certificate signed by system CA or custom server certificate supplied by administrator |
Client authentication |
|
Client authorization |
|
Supported hashing and encryption algorithms for TLS libraries
The StorageGRID system supports a limited set of cipher suites that client applications can use when establishing a Transport Layer Security (TLS) session.
Supported versions of TLS
StorageGRID supports TLS 1.2 and TLS 1.3.
SSLv3 and TLS 1.1 (or earlier versions) are no longer supported. |
Supported cipher suites
TLS version | IANA name of cipher suite |
---|---|
1.2 |
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 |
1.2 |
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 |
1.2 |
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 |
1.3 |
TLS_AES_256_GCM_SHA384 |
1.3 |
TLS_CHACHA20_POLY1305_SHA256 |
1.3 |
TLS_AES_128_GCM_SHA256 |
Deprecated cipher suites
The following cipher suites are deprecated. Support for these ciphers will be removed in a future release.
IANA Name |
---|
TLS_RSA_WITH_AES_128_GCM_SHA256 |
TLS_RSA_WITH_AES_256_GCM_SHA384 |