Configure security for REST API

Contributors netapp-perveilerk netapp-lhalbert

You should review the security measures implemented for the REST API and understand how to secure your system.

How StorageGRID provides security for REST API

You should understand how the StorageGRID system implements security, authentication, and authorization for the REST API.

StorageGRID uses the following security measures.

  • Client communications with the Load Balancer service use HTTPS if HTTPS is configured for the load balancer endpoint.

    When you configure a load balancer endpoint, HTTP can optionally be enabled. For example, you might want to use HTTP for testing or other non-production purposes. See the instructions for administering StorageGRID for more information.

  • By default, StorageGRID uses HTTPS for client communications with Storage Nodes and the CLB service on Gateway Nodes.

    HTTP can optionally be enabled for these connections. For example, you might want to use HTTP for testing or other non-production purposes. See the instructions for administering StorageGRID for more information.

    Note The CLB service is deprecated.
  • Communications between StorageGRID and the client are encrypted using TLS.

  • Communications between the Load Balancer service and Storage Nodes within the grid are encrypted whether the load balancer endpoint is configured to accept HTTP or HTTPS connections.

  • Clients must supply HTTP authentication headers to StorageGRID to perform REST API operations.

Security certificates and client applications

Clients can connect to the Load Balancer service on Gateway Nodes or Admin Nodes, directly to Storage Nodes, or to the CLB service on Gateway Nodes.

In all cases, client applications can make TLS connections using either a custom server certificate uploaded by the grid administrator or a certificate generated by the StorageGRID system:

  • When client applications connect to the Load Balancer service, they do so using the certificate that was configured for the specific load balancer endpoint used to make the connection. Each endpoint has its own certificate, which is either a custom server certificate uploaded by the grid administrator or a certificate that the grid administrator generated in StorageGRID when configuring the endpoint.

  • When client applications connect directly to a Storage Node or to the CLB service on Gateway Nodes, they use either the system-generated server certificates that were generated for Storage Nodes when the StorageGRID system was installed (which are signed by the system certificate authority), or a single custom server certificate that is supplied for the grid by a grid administrator.

Clients should be configured to trust the certificate authority that signed whichever certificate they use to establish TLS connections.

See the instructions for administering StorageGRID for information on configuring load balancer endpoints, and for instructions on adding a single custom server certificate for TLS connections directly to Storage Nodes or to the CLB service on Gateway Nodes.

Summary

The following table shows how security issues are implemented in the S3 and Swift REST APIs:

Security issue Implementation for REST API

Connection security

TLS

Server authentication

X.509 server certificate signed by system CA or custom server certificate supplied by administrator

Client authentication

  • S3: S3 account (access key ID and secret access key)

  • Swift: Swift account (user name and password)

Client authorization

  • S3: Bucket ownership and all applicable access control policies

  • Swift: Administrator role access

Related information

Administer StorageGRID

Supported hashing and encryption algorithms for TLS libraries

The StorageGRID system supports a limited set of cipher suites that client applications can use when establishing a Transport Layer Security (TLS) session.

Supported versions of TLS

StorageGRID supports TLS 1.2 and TLS 1.3.

Important SSLv3 and TLS 1.1 (or earlier versions) are no longer supported.

Supported cipher suites

TLS version IANA name of cipher suite

1.2

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

1.2

TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256

1.2

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

1.3

TLS_AES_256_GCM_SHA384

1.3

TLS_CHACHA20_POLY1305_SHA256

1.3

TLS_AES_128_GCM_SHA256

Deprecated cipher suites

The following cipher suites are deprecated. Support for these ciphers will be removed in a future release.

IANA Name

TLS_RSA_WITH_AES_128_GCM_SHA256

TLS_RSA_WITH_AES_256_GCM_SHA384