ECS: CAS Client IP Restriction

Summary: This article describes the ability to restrict client IP addresses that can access a CAS bucket.


Instructions

Introduction:

  • Use this feature when a customer wants to restrict which client IPs can access a CAS bucket. Only the IPs on a user's restriction list can access the bucket as that user.
  • By default, no restrictions are set for a user.
  • A CAS user IP restriction applies to the user across all VDCs.
  • The default limit is 10 IPs per user, and it is configurable.

Note: Contact Dell ECS Remote Support to change the default IP limit value.


Steps for configuring CAS Client IP restriction:

  1. Create a CAS user.
  2. Create an .xml file listing the IPs that should have access to the user. Any other IP that tries to access the CAS user should fail with FP_AUTHENTICATION_FAILED_ERR.
  3. Use the PUT command to set an IP restriction for a particular user.
  4. Use the GET command to view the restriction set for a user.
  5. To EDIT a restriction that was previously set for a user, edit the IPs in the xml file and do a PUT.
  6. To DELETE a restriction that was previously set, remove the <ip_restrictions> entries (for example <ip_restrictions>127.127.127.127</ip_restrictions>) from the xml file and do a PUT.

Sample xml file when IP restriction is set: (only these two IPs have access to CAS user access_user)

cat new.xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<user_ip_restrictions_param>
<ip_restrictions>127.127.127.127</ip_restrictions>
<ip_restrictions>127.128.128.128</ip_restrictions>
<user_name>access_user</user_name>
</user_ip_restrictions_param>
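
The payload above can be generated rather than hand-edited. The following is an added example, not Dell code: the function names are hypothetical, and it assumes IPv4-only entries and the default limit of 10 stated in this article. It rejects malformed addresses and refuses to emit an empty list, because a PUT with no <ip_restrictions> entries removes the restriction.

```shell
#!/bin/sh
# Added example (not Dell code): build new.xml for the PUT call.
MAX_IPS=10   # the article's default per-user limit; adjust if support raised it

# valid_ipv4 ADDR: succeed only for a dotted quad with octets 0..255.
valid_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # stray spaces, letters, empty octets
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# build_restriction_xml USER IP...: print the payload, or fail on bad input.
build_restriction_xml() {
    user=$1; shift
    case $user in
        ''|*[\<\>\&]*) echo "user name empty or not XML-safe" >&2; return 1 ;;
    esac
    seen=' '; count=0; body=''
    for ip in "$@"; do
        valid_ipv4 "$ip" || { echo "invalid IPv4 address: '$ip'" >&2; return 1; }
        case $seen in *" $ip "*) continue ;; esac        # drop duplicates
        seen="$seen$ip "; count=$((count + 1))
        body="$body<ip_restrictions>$ip</ip_restrictions>
"
    done
    # An empty list removes the restriction, so refuse to emit one by accident.
    [ "$count" -ge 1 ] || { echo "no IPs given" >&2; return 1; }
    [ "$count" -le "$MAX_IPS" ] || { echo "more than $MAX_IPS IPs" >&2; return 1; }
    printf '%s\n%s\n%s<user_name>%s</user_name>\n%s\n' \
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>' \
        '<user_ip_restrictions_param>' "$body" "$user" \
        '</user_ip_restrictions_param>'
}

# Usage: build_restriction_xml access_user 127.127.127.127 127.128.128.128 > new.xml
```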


Below are the REST commands for the PUT, GET, LIST, and DELETE operations. An access token for the root user must be used.

Example:

admin@ecsnode1:~> TOK=$(curl -iks https://localhost:4443/login -u root:*** | grep X-SDS-AUTH-TOKEN); echo $TOK
X-SDS-AUTH-TOKEN: BAAcc1pZcEkxK3MyUU4xZy9ocEdnUXp0MHl2aTk0PQMAjAQASHVybjpzdG9yYWdlb3M6VmlydHVhbERhdGFDZW50ZXJEYXRhOjdlNWQ0YzFkLTkzNjEtNDBkNS1iMWE4LTUwNzE5NDEwODRiZQIADTE2ODQ4MjYzOTk5OTIDAC51cm46VG9rZW46ODYzMzEyZDEtYzA3NC00MWFjLThlMjAtZDUzZmQ3Njk2MjVhAgAC0A8=
admin@ecsnode1:~> 

 

To set user IP restrictions:

Use the below command:
PUT /object/user-cas/ip-restrictions/{namespace_name}/{user_name}

Example:

curl -ks -H 'Accept:application/xml' -H 'Content-Type:application/xml' -X PUT -d @new.xml -H "$TOK" https://10.245.xx.xx:4443/object/user-cas/ip-restrictions/cas_access/access_user

Response body example 1: (by default when there is no IP restriction set for the user)

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<user_ip_restrictions>
<user_name>access_user</user_name>
</user_ip_restrictions>

Response body example 2: (only the client IPs listed below have access to the user)

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<user_ip_restrictions_param>
<ip_restrictions>128.128.128.128</ip_restrictions>
<ip_restrictions>127.127.127.127</ip_restrictions>
<user_name>access_user</user_name>
</user_ip_restrictions_param>

 

To get user IP restrictions:

Use the below command:
GET /object/user-cas/ip-restrictions/{namespace_name}/{user_name}

Example:

curl -ks -H "$TOK" -H "Content-Type: application/json" https://10.245.xx.xx:4443/object/user-cas/ip-restrictions/cas_access/access_user | xmllint -format -

Response body example: (only the below provided client IP has access to the user)

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<user_ip_restrictions>
<ip_restrictions>127.127.127.127</ip_restrictions>
<user_name>access_user</user_name>
</user_ip_restrictions>

Response body example 2: (GET for a user by default when there is no IP restriction set)

curl -ks -H "$TOK" -H "Content-Type: application/json" https://10.245.xx.xx:4443/object/user-cas/ip-restrictions/cas_access/access_user | xmllint -format -
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<user_ip_restrictions>
<user_name>access_user</user_name>
</user_ip_restrictions>


To list IP restrictions with users:

Use the below command:
GET /object/user-cas/ip-restrictions/

Example: (lists the IP restrictions for each user)

curl -ks -H "$TOK" -H "Content-Type: application/json" https://10.245.xx.xx:4443/object/user-cas/ip-restrictions | xmllint -format -
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<user_ip_restrictions_list>
<userIpRestriction>
<user_name>tsouser</user_name>
</userIpRestriction>
<userIpRestriction>
<user_name>tsouser2</user_name>
</userIpRestriction>
<userIpRestriction>
<ip_restrictions>10.245.xx.xx</ip_restrictions>
<ip_restrictions>10.247.xx.xx</ip_restrictions>
<ip_restrictions>10.245.xx.xx</ip_restrictions>
<ip_restrictions>10.247.xx.xx</ip_restrictions>
<ip_restrictions>10.243.xx.xx</ip_restrictions>
<user_name>clientuser</user_name>                >>>these are the restrictions set for this user
</userIpRestriction>
<userIpRestriction>
<user_name>gctest</user_name>
</userIpRestriction>
<userIpRestriction>
<user_name>casgcuser2</user_name>
</userIpRestriction>
<userIpRestriction>
<user_name>user2</user_name>
</userIpRestriction>
<userIpRestriction>
<user_name>gcu2</user_name>
</userIpRestriction>
<userIpRestriction>
<user_name>casgcuser1</user_name>               >>>all these users have no restrictions set
</userIpRestriction>
</user_ip_restrictions_list>
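
Because a user with no <ip_restrictions> entries is reachable from any client IP, the list response is a convenient audit input. The following is an added example, not Dell code: the function names are hypothetical, the sample data is constructed, and it assumes user names contain no whitespace.

```shell
#!/bin/sh
# Added example (not Dell code). Reads the XML returned by
# GET /object/user-cas/ip-restrictions on stdin, formatted or not.

# restriction_report: print "<user_name> <number of ip_restrictions>" per user.
restriction_report() {
    awk '
        BEGIN { RS = "<" }                       # one record per XML tag
        /^userIpRestriction>/   { ips = 0; name = "" }
        /^ip_restrictions>/     { ips++ }
        /^user_name>/           { name = $0
                                  sub(/^user_name>/, "", name)
                                  gsub(/[ \t\r\n]/, "", name) }
        /^\/userIpRestriction>/ { if (name != "") print name, ips }
    '
}

# unrestricted_users: names of CAS users with no IP restriction set.
unrestricted_users() {
    restriction_report | awk '$2 == 0 { print $1 }'
}

# Constructed sample shaped like the list response above (addresses invented).
sample_list() {
    cat <<'EOF'
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<user_ip_restrictions_list>
  <userIpRestriction>
    <user_name>tsouser</user_name>
  </userIpRestriction>
  <userIpRestriction>
    <ip_restrictions>192.0.2.10</ip_restrictions>
    <ip_restrictions>192.0.2.11</ip_restrictions>
    <user_name>clientuser</user_name>
  </userIpRestriction>
  <userIpRestriction>
    <user_name>gctest</user_name>
  </userIpRestriction>
</user_ip_restrictions_list>
EOF
}

# Usage: pipe the list curl command shown above into unrestricted_users.
```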


To delete IP restrictions set for a user:

Remove the IP restriction entries from the .xml and do a PUT

cat new.xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<user_ip_restrictions_param>
<user_name>clientuser</user_name>
</user_ip_restrictions_param>

Command:

curl -ks -H 'Accept:application/xml' -H 'Content-Type:application/xml' -X PUT -d @new.xml -H "$TOK" https://10.245.130.65:4443/object/user-cas/ip-restrictions/clientns/clientuser

Response body example:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<user_ip_restrictions>
<user_name>clientuser</user_name>
</user_ip_restrictions>


The example below shows the behavior of the feature during PUT and GET, and when accessing a user with and without a restriction:

cat new.xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<user_ip_restrictions_param>
<ip_restrictions>127.127.127.127</ip_restrictions>
<user_name>access_user</user_name>
</user_ip_restrictions_param>

PUT:

curl -ks -H 'Accept:application/xml' -H 'Content-Type:application/xml' -X PUT -d @new.xml -H "$TOK" https://10.245.xx.xx:4443/object/user-cas/ip-restrictions/cas_access/access_user

GET:

curl -ks -H "$TOK" -H "Content-Type: application/json" https://10.245.xx.xx:4443/object/user-cas/ip-restrictions/cas_access/access_user | xmllint -format -
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<user_ip_restrictions>
<ip_restrictions>127.127.127.127</ip_restrictions>
<user_name>access_user</user_name>
</user_ip_restrictions>


Using JCASS, an attempt to open the pool from 127.127.127.127 succeeds:

CASScript>po 10.245.xx.xx?name=access_user,secret=centera@1234

Attempting to connect to: 10.245.xx.xx?name=access_user,secret=centera@1234

Connected to: 10.245.xx.xx?name=access_user,secret=centera@1234

CASPool Properties:
Connection String: 10.245.xx.xx?name=access_user,secret=centera@1234
Cluster Time: 2020.07.07 06:32:24 GMT
Buffer Size: 16384
Prefetch Buffer Size: 32768
Connection Timeout: 120000
Multi-Cluster Failover Enabled: True
Collision Avoidance Enabled: False


An attempt to open the pool from an IP that is not in the IP restriction list (which is an allowed list) should fail with the error below:

CASScript>po 10.245.xx.xx?name=access_user,secret=centera@1234

Attempting to connect to: 10.245.xx.xx?name=access_user,secret=centera@1234

SDK Error Occurred:

     Error Number: -10153
     System Error: 0
     Error:        FP_AUTHENTICATION_FAILED_ERR
     Error Class:  null
     Trace:        HPPAuthCRTransaction.run<FPConnection::authenticate<Cluster.authenticate<Cluster::updateClusterInfo()<ClusterCloud::updateClusterInfo(e9f1a3c9-5cb1-3a76-a589-f639de9ad2e4)<ClusterCloud::getClusterInfo(0,ClusterInformation&,2)<FPPool::Open(10.245.130.64?name=access_user,secret=centera@1234)<_FPPool_Open(10.245.130.64?name=access_user,secret=centera@1234)<FPPool_Open8(10.245.130.64?name=access_user,secret=centera@1234)

Affected Products

Elastic Cloud Storage

Products

ECS, ECS Appliance
Article Properties
Article Number: 000214011
Article Type: How To
Last Modified: 18 May 2026
Version:  8