Search

Chapter 5. Securing Multicloud Object Gateway

download PDF

5.1. Changing the default account credentials to ensure better security in the Multicloud Object Gateway

Change and rotate your Multicloud Object Gateway (MCG) account credentials using the command-line interface to prevent issues with applications, and to ensure better account security.

5.1.1. Resetting the noobaa account password

Prerequisites

Procedure

  • To reset the noobaa account password, run the following command:

    $ noobaa account passwd <noobaa_account_name> [options]
    $ noobaa account passwd
    FATA[0000] ❌ Missing expected arguments: <noobaa_account_name>
    
    Options:
        --new-password='': New Password for authentication - the best practice is to omit this flag, in that
        case the CLI will prompt to prompt and read it securely from the terminal to avoid leaking secrets in t
         he shell history
        --old-password='': Old Password for authentication - the best practice is to omit this flag, in that
        case the CLI will prompt to prompt and read it securely from the terminal to avoid leaking secrets in
        the shell history
        --retype-new-password='': Retype new Password for authentication - the best practice is to omit this flag, in that case the CLI will prompt to prompt and read it securely from the terminal to avoid
        leaking secrets in the shell history
    
    
    Usage:
        noobaa account passwd <noobaa-account-name> [flags] [options]
    
    Use "noobaa options" for a list of global command-line options (applies to all commands).

    Example:

    $ noobaa account passwd admin@noobaa.io

    Example output:

    Enter old-password: [got 24 characters]
    Enter new-password: [got 7 characters]
    Enter retype-new-password: [got 7 characters]
    INFO[0017] ✅ Exists: Secret "noobaa-admin"
    INFO[0017] ✅ Exists: NooBaa "noobaa"
    INFO[0017] ✅ Exists: Service "noobaa-mgmt"
    INFO[0017] ✅ Exists: Secret "noobaa-operator"
    INFO[0017] ✅ Exists: Secret "noobaa-admin"
    INFO[0017] ✈️  RPC: account.reset_password() Request: {Email:admin@noobaa.io VerificationPassword:* Password:*}
    WARN[0017] RPC: GetConnection creating connection to wss://localhost:58460/rpc/ 0xc000402ae0
    INFO[0017] RPC: Connecting websocket (0xc000402ae0) &{RPC:0xc000501a40 Address:wss://localhost:58460/rpc/ State:init WS:<nil> PendingRequests:map[] NextRequestID:0
    Lock:{state:1 sema:0} ReconnectDelay:0s cancelPings:<nil>}
    INFO[0017] RPC: Connected websocket (0xc000402ae0) &{RPC:0xc000501a40 Address:wss://localhost:58460/rpc/ State:init WS:<nil> PendingRequests:map[] NextRequestID:0
    Lock:{state:1 sema:0} ReconnectDelay:0s cancelPings:<nil>}
    INFO[0020] ✅ RPC: account.reset_password() Response OK: took 2907.1ms
    INFO[0020] ✅ Updated:  "noobaa-admin"
    INFO[0020] ✅ Successfully reset the password for the account "admin@noobaa.io"
    Important

    To access the admin account credentials run the noobaa status command from the terminal:

    --------------------
    - Mgmt Credentials -
    --------------------
    
    email    : admin@noobaa.io
    password : ***

5.1.2. Regenerating the S3 credentials for the accounts

Prerequisites

Procedure

  1. Get the account name.

    For listing the accounts, run the following command:

    $ noobaa account list

    Example output:

    NAME           DEFAULT_RESOURCE               PHASE   AGE
    account-test   noobaa-default-backing-store   Ready   14m17s
    test2          noobaa-default-backing-store   Ready   3m12s

    Alternatively, run the oc get noobaaaccount command from the terminal:

    $ oc get noobaaaccount

    Example output:

    NAME           PHASE   AGE
    account-test   Ready   15m
    test2          Ready   3m59s
  2. To regenerate the noobaa account S3 credentials, run the following command:

    $ noobaa account regenerate <noobaa_account_name> [options]
    $ noobaa account regenerate
    FATA[0000] ❌ Missing expected arguments: <noobaa-account-name>
    
    Usage:
        noobaa account regenerate <noobaa-account-name> [flags] [options]
    
    Use "noobaa options" for a list of global command-line options (applies to all commands).
  3. Once you run the noobaa account regenerate command it will prompt a warning that says "This will invalidate all connections between S3 clients and NooBaa which are connected using the current credentials.", and ask for confirmation:

    Example:

    $ noobaa account regenerate account-test

    Example output:

    INFO[0000] You are about to regenerate an account's security credentials.
    INFO[0000] This will invalidate all connections between S3 clients and NooBaa which are connected using the current credentials.
    INFO[0000] are you sure? y/n
  4. On approving, it will regenerate the credentials and eventually print them:

    INFO[0015] ✅ Exists: Secret "noobaa-account-account-test"
    Connection info:
    AWS_ACCESS_KEY_ID      : ***
    AWS_SECRET_ACCESS_KEY  : ***

5.1.3. Regenerating the S3 credentials for the OBC

Prerequisites

Procedure

  1. To get the OBC name, run the following command:

    $ noobaa obc list

    Example output:

    NAMESPACE   NAME       BUCKET-NAME                                     STORAGE-CLASS       BUCKET-CLASS                  PHASE
    default     obc-test   obc-test-35800e50-8978-461f-b7e0-7793080e26ba   default.noobaa.io   noobaa-default-bucket-class   Bound

    Alternatively, run the oc get obc command from the terminal:

    $ oc get obc

    Example output:

    NAME       STORAGE-CLASS       PHASE   AGE
    obc-test   default.noobaa.io   Bound   38s
  2. To regenerate the noobaa OBC S3 credentials, run the following command:

    $ noobaa obc regenerate <bucket_claim_name> [options]
    $ noobaa obc regenerate
    FATA[0000] ❌ Missing expected arguments: <bucket-claim-name>
    
    Usage:
       noobaa obc regenerate <bucket-claim-name> [flags] [options]
    
    Use "noobaa options" for a list of global command-line options (applies to all commands).
  3. Once you run the noobaa obc regenerate command it will prompt a warning that says "This will invalidate all connections between the S3 clients and noobaa which are connected using the current credentials.", and ask for confirmation:

    Example:

    $ noobaa obc regenerate obc-test

    Example output:

    INFO[0000] You are about to regenerate an OBC's security credentials.
    INFO[0000] This will invalidate all connections between S3 clients and NooBaa which are connected using the current credentials.
    INFO[0000] are you sure? y/n
  4. On approving, it will regenerate the credentials and eventually print them:

    INFO[0022] ✅ RPC: bucket.read_bucket() Response OK: took 95.4ms
    
    ObjectBucketClaim info:
      Phase                  : Bound
      ObjectBucketClaim      : kubectl get -n default objectbucketclaim obc-test
      ConfigMap              : kubectl get -n default configmap obc-test
      Secret                 : kubectl get -n default secret obc-test
      ObjectBucket           : kubectl get objectbucket obc-default-obc-test
      StorageClass           : kubectl get storageclass default.noobaa.io
      BucketClass            : kubectl get -n default bucketclass noobaa-default-bucket-class
    
    Connection info:
     BUCKET_HOST            : s3.default.svc
     BUCKET_NAME            : obc-test-35800e50-8978-461f-b7e0-7793080e26ba
        BUCKET_PORT            : 443
        AWS_ACCESS_KEY_ID      : ***
        AWS_SECRET_ACCESS_KEY  : ***
    
    Shell commands:
      AWS S3 Alias           : alias s3='AWS_ACCESS_KEY_ID=***
    AWS_SECRET_ACCESS_KEY=*** aws s3 --no-verify-ssl --endpoint-url ***'
    
    Bucket status:
      Name                   : obc-test-35800e50-8978-461f-b7e0-7793080e26ba
      Type                   : REGULAR
      Mode                   : OPTIMAL
      ResiliencyStatus       : OPTIMAL
      QuotaStatus            : QUOTA_NOT_SET
      Num Objects            : 0
      Data Size              : 0.000 B
      Data Size Reduced      : 0.000 B
      Data Space Avail       : 13.261 GB
      Num Objects Avail      : 9007199254740991

5.2. Enabling secured mode deployment for Multicloud Object Gateway

You can specify a range of IP addresses that should be allowed to reach the Multicloud Object Gateway (MCG) load balancer services to enable secure mode deployment. This helps to control the IP addresses that can access the MCG services.

Note

You can disable the MCG load balancer usage by setting the disableLoadBalancerService variable in the storagecluster CRD while deploying OpenShift Data Foundation using the command line interface. This helps to restrict MCG from creating any public resources for private clusters and to disable the MCG service EXTERNAL-IP. For more information, see the Red Hat Knowledgebase article Install Red Hat OpenShift Data Foundation 4.X in internal mode using command line interface. For information about disabling MCG load balancer service after deploying OpenShift Data Foundation, see Disabling Multicloud Object Gateway external service after deploying OpenShift Data Foundation.

Prerequisites

  • A running OpenShift Data Foundation cluster.
  • In case of a bare metal deployment, ensure that the load balancer controller supports setting the loadBalancerSourceRanges attribute in the Kubernetes services.

Procedure

  • Edit the NooBaa custom resource (CR) to specify the range of IP addresses that can access the MCG services after deploying OpenShift Data Foundation.

    $ oc edit noobaa -n openshift-storage noobaa
    noobaa
    The NooBaa CR type that controls the NooBaa system deployment.
    noobaa

    The name of the NooBaa CR.

    For example:

    ...
    spec:
      ...
      loadBalancerSourceSubnets:
        s3: ["10.0.0.0/16", "192.168.10.0/32"]
        sts:
          - "10.0.0.0/16"
          - "192.168.10.0/32"
    ...
    loadBalancerSourceSubnets

    A new field that can be added under spec in the NooBaa CR to specify the IP addresses that should have access to the NooBaa services.

    In this example, all the IP addresses that are in the subnet 10.0.0.0/16 or 192.168.10.0/32 will be able to access MCG S3 and security token service (STS) while the other IP addresses are not allowed to access.

Verification steps

  • To verify if the specified IP addresses are set, in the OpenShift Web Console, run the following command and check if the output matches with the IP addresses provided to MCG:

    $ oc get svc -n openshift-storage <s3 | sts> -o=go-template='{{ .spec.loadBalancerSourceRanges }}'
Red Hat logoGithubRedditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.