May 4th, 2018 11:00

ECS F5 load balancer config -- for Protected and Non-protected for S3

Hello All,

We have a non-protected network and a protected network. In the case of ECS, do we need to configure these networks separately for confidential data security if we are using the S3 protocol?

Will the S3 secret key be enough for the namespace/bucket data security?

Any advice welcome.

22 Posts

May 7th, 2018 09:00

I don't really understand your description of the protected and unprotected network and where ECS is with respect to those networks.

You'll want to have some kind of firewall in front of the ECS access and only open access to the ports that are required.

The S3 API only validates that the user is authorized to make the specific request. It does NOT do anything for the confidentiality of the request data.

Also, a PUT request may or may not ensure the integrity of the file being uploaded, as the Content-MD5 is an optional header and would only be in the auth signature if it was used.

41 Posts

May 7th, 2018 10:00

Protected network -- having confidential data

Non-protected network -- having general data

I understand port 4443 is opened as the management network port and port 9021 for HTTPS if we are using the S3 protocol.

My question is, do we need to set up two separate logins to get into ECS data? Will S3 buckets and secret keys not be enough for exclusive access to the data?

22 Posts

May 8th, 2018 06:00

You're still not making any sense to me. I understand the basic concept of protected and non-protected. I don't understand how you are achieving this separation.

Do you have multiple VDCs?

Are there different replication groups and namespaces mapped to those replication groups? And are you dividing the ECS S3 access into different namespace/replGroup that are mapped to different VDCs?

Then creating a set of object users in the "protected" namespace and the "nonprotected" namespace? This would achieve physical separation of those 2 categories of data.

I don't know how you are creating 2 different networks. Different F5s, or different front end ports on the same F5s that route to different VDCs?

Your questions are not making any sense the way that you are asking them... You don't log in for S3 access. Object users don't log in. They have a secret key that is used to sign each request, verifying that the request came from them. Management users (sysadmin or namespace admin) log in with a password. They get an authentication session token that is sent with each mgmt request.
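The two replies above make three points that are easy to conflate: the secret key signs each request (no login), the signature only proves who sent the request and does nothing for confidentiality, and Content-MD5 is optional, so a PUT body is only covered by the signature when the client chooses to send that header. The following is an added example written for this thread, not ECS or Dell code; it models a client and server doing S3 Signature Version 2 style request signing (HMAC-SHA1 over a StringToSign) with constructed, fake credentials, a fixed Date header and a hypothetical bucket path, so that each of those three points can be checked in code.

```python
import base64
import hashlib
import hmac

# Constructed credentials for the example; not real ECS object-user keys.
ACCESS_KEY = "objuser1"
SECRET_KEY = "constructed-secret-key-not-a-real-one"
DATE = "Mon, 07 May 2018 09:00:00 GMT"      # fixed so the example is deterministic
RESOURCE = "/protected-bucket/report.txt"   # hypothetical bucket/key
SECRETS = {ACCESS_KEY: SECRET_KEY}          # the server's view: one secret per object user


def content_md5(body: bytes) -> str:
    """Value of the optional Content-MD5 header: base64 of the body's MD5."""
    return base64.b64encode(hashlib.md5(body).digest()).decode("ascii")


def string_to_sign(method: str, resource: str, headers: dict) -> str:
    """V2-style StringToSign. Only the listed header values and the resource are
    covered; the body is bound only indirectly, via Content-MD5 when it is present."""
    amz = "".join(f"{k}:{headers[k].strip()}\n"
                  for k in sorted(headers) if k.startswith("x-amz-"))
    return "\n".join([method,
                      headers.get("content-md5", ""),
                      headers.get("content-type", ""),
                      headers.get("date", ""),
                      amz + resource])


def sign_request(access_key: str, secret_key: str, method: str,
                 resource: str, headers: dict) -> str:
    """Client side: no login, just an HMAC of the request with the secret key."""
    mac = hmac.new(secret_key.encode("ascii"),
                   string_to_sign(method, resource, headers).encode("utf-8"),
                   hashlib.sha1).digest()
    return f"AWS {access_key}:{base64.b64encode(mac).decode('ascii')}"


def verify_request(secrets: dict, method: str, resource: str,
                   headers: dict, authorization: str) -> bool:
    """Server side: look up the secret for the access key, recompute, compare."""
    try:
        scheme, cred = authorization.split(" ", 1)
        access_key, _sig = cred.split(":", 1)
    except ValueError:
        return False
    if scheme != "AWS" or access_key not in secrets:
        return False
    expected = sign_request(access_key, secrets[access_key], method, resource, headers)
    return hmac.compare_digest(expected, authorization)


def check_content_md5(headers: dict, body: bytes):
    """Server side: None when no Content-MD5 was sent (nothing to check),
    otherwise whether the received body matches the header the client signed."""
    declared = headers.get("content-md5")
    if declared is None:
        return None
    return hmac.compare_digest(declared, content_md5(body))


def server_accepts(secrets: dict, method: str, resource: str,
                   headers: dict, body: bytes, authorization: str) -> bool:
    """Accept only if the signature verifies and any Content-MD5 claim holds."""
    if not verify_request(secrets, method, resource, headers, authorization):
        return False
    return check_content_md5(headers, body) is not False


def put_object(body: bytes, with_md5: bool):
    """Build headers and Authorization for a PUT, optionally with Content-MD5."""
    headers = {"date": DATE, "content-type": "application/octet-stream"}
    if with_md5:
        headers["content-md5"] = content_md5(body)
    return headers, sign_request(ACCESS_KEY, SECRET_KEY, "PUT", RESOURCE, headers)


def wire_bytes(headers: dict, auth: str, body: bytes) -> bytes:
    """What leaves the client: the signature proves who sent it, but the body
    travels as-is. Confidentiality comes from TLS (port 9021 in the thread) or
    from encrypting the object before upload, not from the signature."""
    head = f"PUT {RESOURCE} HTTP/1.1\r\n"
    head += "".join(f"{k}: {v}\r\n" for k, v in headers.items())
    head += f"Authorization: {auth}\r\n\r\n"
    return head.encode("utf-8") + body


if __name__ == "__main__":
    body = b"quarterly figures"
    h, a = put_object(body, with_md5=False)
    print("no Content-MD5, body altered in transit, still accepted:",
          server_accepts(SECRETS, "PUT", RESOURCE, h, b"altered", a))
    h2, a2 = put_object(body, with_md5=True)
    print("with Content-MD5, body altered in transit, accepted:",
          server_accepts(SECRETS, "PUT", RESOURCE, h2, b"altered", a2))
    print("body readable on the wire:", body in wire_bytes(h, a, body))
```

Run stand-alone, the script shows the two integrity cases side by side: without Content-MD5 the server has no way to notice a changed body, and with it the signed header no longer matches the received bytes. Rewriting the Content-MD5 header to match an altered body does not help either, because that header is part of the StringToSign and the signature then fails. In both cases the object bytes are plain on the wire, which is why the firewall and HTTPS advice in the thread matters separately from the secret key.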
