Configure security for the REST API

Contributors netapp-lhalbert ssantho3 netapp-madkat netapp-pcelmer netapp-perveilerk

You should review the security measures implemented for the REST API and understand how to secure your system.

How StorageGRID provides security for the REST API

You should understand how the StorageGRID system implements security, authentication, and authorization for the REST API.

StorageGRID uses the following security measures.

  • Client communications with the Load Balancer service use HTTPS if HTTPS is configured for the load balancer endpoint.

    When you configure a load balancer endpoint, HTTP can optionally be enabled. For example, you might want to use HTTP for testing or other non-production purposes.

  • By default, StorageGRID uses HTTPS for client communications with Storage Nodes.

    Optionally, enable HTTP for these connections. For example, you might want to use HTTP for testing or other non-production purposes.

  • Communications between StorageGRID and the client are encrypted using TLS.

  • Communications between the Load Balancer service and Storage Nodes within the grid are encrypted whether the load balancer endpoint is configured to accept HTTP or HTTPS connections.

  • Clients must supply HTTP authentication headers to StorageGRID to perform REST API operations.

Security certificates and client applications

Clients can connect to the Load Balancer service on Gateway Nodes or Admin Nodes, or directly to Storage Nodes.

In all cases, client applications can make TLS connections using either a custom server certificate uploaded by the grid administrator or a certificate generated by the StorageGRID system:

  • When client applications connect to the Load Balancer service, they do so using the certificate that was configured for the specific load balancer endpoint used to make the connection. Each endpoint has its own certificate, which is either a custom server certificate uploaded by the grid administrator or a certificate that the grid administrator generated in StorageGRID when configuring the endpoint.

  • When client applications connect directly to a Storage Node, they use either the system-generated server certificates that were generated for Storage Nodes when the StorageGRID system was installed (which are signed by the system certificate authority), or a single custom server certificate that is supplied for the grid by a grid administrator.

Clients should be configured to trust the certificate authority that signed whichever certificate they use to establish TLS connections.

See configuring load balancer endpoints and adding a single custom server certificate for TLS connections directly to Storage Nodes.

Summary

The following table shows how security issues are implemented in the S3 and Swift REST APIs:

| Security issue | Implementation for REST API |
|---|---|
| Connection security | TLS |
| Server authentication | X.509 server certificate signed by system CA or custom server certificate supplied by administrator |
| Client authentication | S3: S3 account (access key ID and secret access key); Swift: Swift account (user name and password) |
| Client authorization | S3: Bucket ownership and all applicable access control policies; Swift: Administrator role access |

Supported hashing and encryption algorithms for TLS libraries

The StorageGRID system supports a limited set of cipher suites that client applications can use when establishing a Transport Layer Security (TLS) session. To configure ciphers, go to CONFIGURATION > Security > Security settings and select TLS and SSH policies.

Supported versions of TLS

StorageGRID supports TLS 1.2 and TLS 1.3.

Important: SSLv3 and TLS 1.1 (or earlier versions) are no longer supported.
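
The client-side counterpart of the certificate-trust and TLS-version guidance above, as an added example that is not NetApp or StorageGRID code: a Python client context that trusts only the CA that signed the endpoint certificate and requires TLS 1.2 or later, a check that flags endpoints configured for plain HTTP, and a probe that reports what was negotiated. The function names, the host name and the port are hypothetical placeholders.

```python
import socket
import ssl
from urllib.parse import urlsplit

ALLOWED_TLS = {"TLSv1.2", "TLSv1.3"}  # versions the page lists as supported


def build_client_context(ca_file=None):
    """Client context: certificate and hostname verification on, TLS 1.2 or later.

    ca_file is the PEM bundle of the CA that signed the endpoint certificate
    (grid CA or the CA behind a custom certificate); None uses the OS trust store.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def describe(ctx):
    """Summarise the settings that matter, for logging or for a unit test."""
    return {
        "min_version": ctx.minimum_version.name,
        "verifies_cert": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": ctx.check_hostname,
    }


def endpoint_problems(url):
    """Return reasons a configured endpoint URL is unsuitable for production."""
    parts = urlsplit(url)
    problems = []
    if parts.scheme != "https":
        problems.append("scheme is %r: traffic is not protected by TLS" % parts.scheme)
    if not parts.hostname:
        problems.append("no host name to verify the server certificate against")
    return problems


def probe(url, ca_file=None, timeout=5.0):
    """Handshake with the endpoint; return (tls_version, cipher_suite).

    Raises ssl.SSLCertVerificationError if the certificate does not chain to
    the trusted CA or does not match the host name.
    """
    parts = urlsplit(url)
    ctx = build_client_context(ca_file)
    with socket.create_connection((parts.hostname, parts.port or 443), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=parts.hostname) as tls:
            version, cipher = tls.version(), tls.cipher()[0]
    if version not in ALLOWED_TLS:
        raise ssl.SSLError("unexpected protocol version: %s" % version)
    return version, cipher
```

A call such as `probe("https://grid.example.com:10443", ca_file="grid-ca.pem")` needs network access to a real endpoint; both arguments here are constructed values.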