
Chapter 6. Securing Multicloud Object Gateway


Change and rotate your Multicloud Object Gateway (MCG) account credentials using the command-line interface to prevent issues with applications, and to ensure better account security.

6.1.1. Resetting the noobaa account password

Prerequisites

  • A running OpenShift Data Foundation cluster.
  • Download the Multicloud Object Gateway (MCG) command-line interface binary from the customer portal and make it executable.

    Note

    Choose the correct product variant according to your architecture. Available platforms are Linux(x86_64), Windows, and Mac OS.

Procedure

  • To reset the noobaa account password, run the following command:

    $ odf noobaa account passwd <noobaa_account_name> [options]
    $ odf noobaa account passwd
    FATA[0000] ❌ Missing expected arguments: <noobaa_account_name>
    
    Options:
        --new-password='': New Password for authentication - the best practice is to omit this flag, in that case the CLI will prompt to prompt and read it securely from the terminal to avoid leaking secrets in the shell history
        --old-password='': Old Password for authentication - the best practice is to omit this flag, in that case the CLI will prompt to prompt and read it securely from the terminal to avoid leaking secrets in the shell history
        --retype-new-password='': Retype new Password for authentication - the best practice is to omit this flag, in that case the CLI will prompt to prompt and read it securely from the terminal to avoid leaking secrets in the shell history
    
    
    Usage:
        odf noobaa account passwd <noobaa-account-name> [flags] [options]
    
    Use "odf noobaa options" for a list of global command-line options (applies to all commands).

    Example:

    $ odf noobaa account passwd admin@noobaa.io

    Example output:

    Enter old-password: [got 24 characters]
    Enter new-password: [got 7 characters]
    Enter retype-new-password: [got 7 characters]
    INFO[0017] ✅ Exists: Secret "noobaa-admin"
    INFO[0017] ✅ Exists: NooBaa "noobaa"
    INFO[0017] ✅ Exists: Service "noobaa-mgmt"
    INFO[0017] ✅ Exists: Secret "noobaa-operator"
    INFO[0017] ✅ Exists: Secret "noobaa-admin"
    INFO[0017] ✈️  RPC: account.reset_password() Request: {Email:admin@noobaa.io VerificationPassword:* Password:*}
    WARN[0017] RPC: GetConnection creating connection to wss://localhost:58460/rpc/ 0xc000402ae0
    INFO[0017] RPC: Connecting websocket (0xc000402ae0) &{RPC:0xc000501a40 Address:wss://localhost:58460/rpc/ State:init WS:<nil> PendingRequests:map[] NextRequestID:0 Lock:{state:1 sema:0} ReconnectDelay:0s cancelPings:<nil>}
    INFO[0017] RPC: Connected websocket (0xc000402ae0) &{RPC:0xc000501a40 Address:wss://localhost:58460/rpc/ State:init WS:<nil> PendingRequests:map[] NextRequestID:0 Lock:{state:1 sema:0} ReconnectDelay:0s cancelPings:<nil>}
    INFO[0020] ✅ RPC: account.reset_password() Response OK: took 2907.1ms
    INFO[0020] ✅ Updated:  "noobaa-admin"
    INFO[0020] ✅ Successfully reset the password for the account "admin@noobaa.io"

    Important

    To access the admin account credentials run the noobaa status command from the terminal:

    --------------------
    - Mgmt Credentials -
    --------------------
    
    email    : admin@noobaa.io
    password : ***

You can update and verify the Multicloud Object Gateway (MCG) account credentials manually by using the MCG CLI command.

Prerequisites

Ensure that the following prerequisites are met:

  • A running OpenShift Data Foundation cluster.
  • Download the Multicloud Object Gateway (MCG) command-line interface binary from the customer portal and make it executable.

Note

Choose the correct product variant according to your architecture. Available platforms are Linux(x86_64), Windows, and Mac OS.

Procedure

  • To update the MCG account credentials, run the following command:

    $ odf noobaa account credentials <noobaa-account-name> [options]

    Example:

    $ odf noobaa account credentials admin@noobaa.io

    Example output:

    $ odf noobaa account credentials admin@noobaa.io
    Enter access-key: [got 20 characters]
    Enter secret-key: [got 40 characters]
    INFO[0026] ❌ Not Found: NooBaaAccount "admin@noobaa.io"
    INFO[0026] ✅ Exists: NooBaa "noobaa"
    INFO[0026] ✅ Exists: Service "noobaa-mgmt"
    INFO[0026] ✅ Exists: Secret "noobaa-operator"
    INFO[0026] ✅ Exists: Secret "noobaa-admin"
    INFO[0026] ✈️  RPC: account.update_account_keys() Request: {Email:admin@noobaa.io AccessKeys:{AccessKey:* SecretKey:}}
    WARN[0026] RPC: GetConnection creating connection to wss://localhost:33495/rpc/ 0xc000cd9980
    INFO[0026] RPC: Connecting websocket (0xc000cd9980) &{RPC:0xc0001655e0 Address:wss://localhost:33495/rpc/ State:init WS:<nil> PendingRequests:map[] NextRequestID:0 Lock:{state:1 sema:0} ReconnectDelay:0s cancelPings:<nil>}
    INFO[0026] RPC: Connected websocket (0xc000cd9980) &{RPC:0xc0001655e0 Address:wss://localhost:33495/rpc/ State:init WS:<nil> PendingRequests:map[] NextRequestID:0 Lock:{state:1 sema:0} ReconnectDelay:0s cancelPings:<nil>}
    INFO[0026] ✅ RPC: account.update_account_keys() Response OK: took 42.7ms
    INFO[0026] ✈️  RPC: account.read_account() Request: {Email:admin@noobaa.io}
    INFO[0026] ✅ RPC: account.read_account() Response OK: took 2.0ms
    INFO[0026] ✅ Updated: "noobaa-admin"
    INFO[0026] ✅ Successfully updated s3 credentials for the account "admin@noobaa.io"
    INFO[0026] ✅ Exists: Secret "noobaa-admin"
    Connection info:
    AWS_ACCESS_KEY_ID :  
    AWS_SECRET_ACCESS_KEY : *

    Credential complexity requirements:

    Access key
    The account access key must be 20 characters in length and it must contain only alphanumeric characters.
    Secret key

    The secret key must be 40 characters in length and it must contain alphanumeric characters and "+", "/".

    For example:

    $ odf noobaa account credentials my-account --access-key=ABCDEF1234567890ABCD --secret-key=ABCDE12345+FGHIJ67890/KLMNOPQRSTUV123456
  • To verify the credentials, run the following command:

    odf noobaa account status <noobaa-account-name> --show-secrets

Note

You cannot have a duplicate access-key. Each user must have a unique access-key and secret-key.
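The complexity and uniqueness rules above can be checked before a rotation is attempted. The following is an added example, not part of the Red Hat documentation or the MCG CLI: it validates an access key and secret key against the stated rules, refuses an access key that is already assigned to another account (the list of keys in use is a constructed sample), and generates a compliant pair from the CSPRNG-backed secrets module for pasting at the CLI prompts.

```python
import re
import secrets
import string

# Rules from the documentation: the access key is exactly 20 alphanumeric
# characters; the secret key is exactly 40 characters from alphanumerics
# plus "+" and "/".
ACCESS_KEY_RE = re.compile(r"^[A-Za-z0-9]{20}$")
SECRET_KEY_RE = re.compile(r"^[A-Za-z0-9+/]{40}$")
SECRET_ALPHABET = string.ascii_letters + string.digits + "+/"


def check_credentials(access_key: str, secret_key: str, existing_access_keys=()) -> list:
    """Return a list of problems; an empty list means the pair is acceptable."""
    problems = []
    if not ACCESS_KEY_RE.fullmatch(access_key):
        problems.append("access key must be exactly 20 alphanumeric characters")
    if not SECRET_KEY_RE.fullmatch(secret_key):
        problems.append("secret key must be exactly 40 characters from [A-Za-z0-9+/]")
    # Every account needs a unique access key, so reject one that is in use.
    if access_key in existing_access_keys:
        problems.append("access key is already assigned to another account")
    return problems


def generate_credentials() -> tuple:
    """Generate a random pair that satisfies the rules (secrets, not random)."""
    access_key = "".join(
        secrets.choice(string.ascii_uppercase + string.digits) for _ in range(20)
    )
    secret_key = "".join(secrets.choice(SECRET_ALPHABET) for _ in range(40))
    return access_key, secret_key


if __name__ == "__main__":
    # Constructed sample: the key pair quoted in the documentation, with the
    # access key pretending to be already assigned to another account.
    in_use = {"ABCDEF1234567890ABCD"}
    print(check_credentials("ABCDEF1234567890ABCD",
                            "ABCDE12345+FGHIJ67890/KLMNOPQRSTUV123456", in_use))
    ak, sk = generate_credentials()
    print(check_credentials(ak, sk, in_use))  # [] means the new pair can be used
```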

6.1.3. Regenerating the S3 credentials for the accounts

Prerequisites

  • A running OpenShift Data Foundation cluster.
  • Download the Multicloud Object Gateway (MCG) command-line interface binary from the customer portal and make it executable.

    Note

    Choose the correct product variant according to your architecture. Available platforms are Linux(x86_64), Windows, and Mac OS.

Procedure

  1. Get the account name.

    To list the accounts, run the following command:

    $ odf noobaa account list

    Example output:

    NAME           ALLOWED_BUCKETS   DEFAULT_RESOURCE               PHASE   AGE
    account-test   [*]               noobaa-default-backing-store   Ready   14m17s
    test2          [first.bucket]    noobaa-default-backing-store   Ready   3m12s

    Alternatively, run the oc get noobaaaccount command from the terminal:

    $ oc get noobaaaccount

    Example output:

    NAME           PHASE   AGE
    account-test   Ready   15m
    test2          Ready   3m59s
  2. To regenerate the noobaa account S3 credentials, run the following command:

    $ odf noobaa account regenerate <noobaa_account_name> [options]
    $ odf noobaa account regenerate
    FATA[0000] ❌ Missing expected arguments: <noobaa-account-name>
    
    Usage:
        odf noobaa account regenerate <noobaa-account-name> [flags] [options]
    
    Use "odf noobaa options" for a list of global command-line options (applies to all commands).
  3. When you run the odf noobaa account regenerate command, it prints the warning "This will invalidate all connections between S3 clients and NooBaa which are connected using the current credentials." and asks for confirmation:

    Example:

    $ odf noobaa account regenerate account-test

    Example output:

    INFO[0000] You are about to regenerate an account's security credentials.
    INFO[0000] This will invalidate all connections between S3 clients and NooBaa which are connected using the current credentials.
    INFO[0000] are you sure? y/n
  4. After you confirm, the command regenerates the credentials and prints them:

    INFO[0015] ✅ Exists: Secret "noobaa-account-account-test"
    Connection info:
    AWS_ACCESS_KEY_ID      : ***
    AWS_SECRET_ACCESS_KEY  : ***

6.1.4. Regenerating the S3 credentials for the OBC

Prerequisites

  • A running OpenShift Data Foundation cluster.
  • Download the Multicloud Object Gateway (MCG) command-line interface binary from the customer portal and make it executable.

    Note

    Choose the correct product variant according to your architecture. Available platforms are Linux(x86_64), Windows, and Mac OS.

Procedure

  1. To get the OBC name, run the following command:

    $ odf noobaa obc list

    Example output:

    NAMESPACE   NAME       BUCKET-NAME                                     STORAGE-CLASS       BUCKET-CLASS                  PHASE
    default     obc-test   obc-test-35800e50-8978-461f-b7e0-7793080e26ba   default.noobaa.io   noobaa-default-bucket-class   Bound

    Alternatively, run the oc get obc command from the terminal:

    $ oc get obc

    Example output:

    NAME       STORAGE-CLASS       PHASE   AGE
    obc-test   default.noobaa.io   Bound   38s
  2. To regenerate the noobaa OBC S3 credentials, run the following command:

    $ odf noobaa obc regenerate <bucket_claim_name> [options]
    $ odf noobaa obc regenerate
    FATA[0000] ❌ Missing expected arguments: <bucket-claim-name>
    
    Usage:
       odf noobaa obc regenerate <bucket-claim-name> [flags] [options]
    
    Use "odf noobaa options" for a list of global command-line options (applies to all commands).
  3. When you run the odf noobaa obc regenerate command, it prints the warning "This will invalidate all connections between the S3 clients and noobaa which are connected using the current credentials." and asks for confirmation:

    Example:

    $ odf noobaa obc regenerate obc-test

    Example output:

    INFO[0000] You are about to regenerate an OBC's security credentials.
    INFO[0000] This will invalidate all connections between S3 clients and NooBaa which are connected using the current credentials.
    INFO[0000] are you sure? y/n
  4. After you confirm, the command regenerates the credentials and prints them:

    INFO[0022] ✅ RPC: bucket.read_bucket() Response OK: took 95.4ms
    
    ObjectBucketClaim info:
      Phase                  : Bound
      ObjectBucketClaim      : kubectl get -n default objectbucketclaim obc-test
      ConfigMap              : kubectl get -n default configmap obc-test
      Secret                 : kubectl get -n default secret obc-test
      ObjectBucket           : kubectl get objectbucket obc-default-obc-test
      StorageClass           : kubectl get storageclass default.noobaa.io
      BucketClass            : kubectl get -n default bucketclass noobaa-default-bucket-class
    
    Connection info:
      BUCKET_HOST            : s3.default.svc
      BUCKET_NAME            : obc-test-35800e50-8978-461f-b7e0-7793080e26ba
      BUCKET_PORT            : 443
      AWS_ACCESS_KEY_ID      : ***
      AWS_SECRET_ACCESS_KEY  : ***
    
    Shell commands:
      AWS S3 Alias           : alias s3='AWS_ACCESS_KEY_ID=*** AWS_SECRET_ACCESS_KEY=*** aws s3 --no-verify-ssl --endpoint-url ***'
    
    Bucket status:
      Name                   : obc-test-35800e50-8978-461f-b7e0-7793080e26ba
      Type                   : REGULAR
      Mode                   : OPTIMAL
      ResiliencyStatus       : OPTIMAL
      QuotaStatus            : QUOTA_NOT_SET
      Num Objects            : 0
      Data Size              : 0.000 B
      Data Size Reduced      : 0.000 B
      Data Space Avail       : 13.261 GB
      Num Objects Avail      : 9007199254740991

6.2. Enabling secured mode deployment for Multicloud Object Gateway

You can specify a range of IP addresses that should be allowed to reach the Multicloud Object Gateway (MCG) load balancer services to enable secure mode deployment. This helps to control the IP addresses that can access the MCG services.

Note

You can disable the MCG load balancer usage by setting the disableLoadBalancerService variable in the storagecluster custom resource definition (CRD) while deploying OpenShift Data Foundation using the command line interface. This helps to restrict MCG from creating any public resources for private clusters and to disable the MCG service EXTERNAL-IP. For more information, see the Red Hat Knowledgebase article Install Red Hat OpenShift Data Foundation 4.X in internal mode using command line interface. For information about disabling MCG load balancer service after deploying OpenShift Data Foundation, see Disabling Multicloud Object Gateway external service after deploying OpenShift Data Foundation.

Prerequisites

  • A running OpenShift Data Foundation cluster.
  • In case of a bare metal deployment, ensure that the load balancer controller supports setting the loadBalancerSourceRanges attribute in the Kubernetes services.

Procedure

  • Edit the NooBaa custom resource (CR) to specify the range of IP addresses that can access the MCG services after deploying OpenShift Data Foundation.

    $ oc edit noobaa -n openshift-storage noobaa

    noobaa (first argument)

    The NooBaa CR type that controls the NooBaa system deployment.

    noobaa (second argument)

    The name of the NooBaa CR.

    For example:

    ...
    spec:
      ...
      loadBalancerSourceSubnets:
        s3: ["10.0.0.0/16", "192.168.10.0/32"]
        sts:
          - "10.0.0.0/16"
          - "192.168.10.0/32"
    ...
    loadBalancerSourceSubnets

    A new field that can be added under spec in the NooBaa CR to specify the IP addresses that should have access to the NooBaa services.

    In this example, only IP addresses in the subnets 10.0.0.0/16 and 192.168.10.0/32 can reach the MCG S3 and security token service (STS) endpoints; all other source addresses are denied.

Verification steps

  • To verify that the specified IP addresses are set, run the following command from the OpenShift Web Console terminal and check that the output matches the IP addresses provided to MCG:

    $ oc get svc -n openshift-storage <s3 | sts> -o=go-template='{{ .spec.loadBalancerSourceRanges }}'
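Comparing the go-template output by eye is error-prone, so the following added example (not part of the Red Hat documentation) parses what the verification command prints for the s3 and sts services, validates each entry as a strict CIDR, and reports any drift from the subnets declared in the NooBaa CR. The CR subnets are the ones shown above; the service output strings are constructed samples, with sts deliberately missing one subnet.

```python
import ipaddress

# Constructed sample of spec.loadBalancerSourceSubnets from the NooBaa CR shown above.
EXPECTED_SUBNETS = {
    "s3": ["10.0.0.0/16", "192.168.10.0/32"],
    "sts": ["10.0.0.0/16", "192.168.10.0/32"],
}

# Constructed sample of what the verification command prints per service; a
# go-template renders a string slice as space-separated values in brackets.
SERVICE_OUTPUT = {
    "s3": "[10.0.0.0/16 192.168.10.0/32]",
    "sts": "[10.0.0.0/16]",  # one subnet missing: the drift we want to catch
}


def parse_source_ranges(output: str) -> set:
    """Turn go-template output like '[a/16 b/32]' into a set of normalized CIDRs."""
    body = output.strip()
    if body.startswith("[") and body.endswith("]"):
        body = body[1:-1]
    # strict=True rejects ranges with host bits set (e.g. 10.0.1.0/16), which
    # would otherwise be silently widened to the containing network.
    return {str(ipaddress.ip_network(cidr, strict=True)) for cidr in body.split()}


def check_service(name: str, output: str, expected: dict = EXPECTED_SUBNETS) -> list:
    """Return findings for one service; an empty list means it matches the CR."""
    try:
        actual = parse_source_ranges(output)
    except ValueError as exc:
        return [f"{name}: malformed source range: {exc}"]
    wanted = {str(ipaddress.ip_network(c)) for c in expected.get(name, [])}
    findings = []
    if not actual:
        findings.append(f"{name}: no loadBalancerSourceRanges set, service is reachable from any address")
    for cidr in sorted(wanted - actual):
        findings.append(f"{name}: subnet {cidr} from the NooBaa CR is missing on the service")
    for cidr in sorted(actual - wanted):
        findings.append(f"{name}: unexpected subnet {cidr} allowed on the service")
    for cidr in sorted(actual):
        if ipaddress.ip_network(cidr).prefixlen == 0:
            findings.append(f"{name}: {cidr} allows every source address")
    return findings


if __name__ == "__main__":
    for svc, out in SERVICE_OUTPUT.items():
        print(svc, check_service(svc, out) or "OK")
```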

You can disable S3, STS, and noobaa-mgmt routes by setting the following option in the storagecluster CR:

spec:
  multiCloudGateway:
    disableRoutes: true

This stops the reconciliation of all three routes, so that they are not recreated after you delete them.

Procedure

Edit the storagecluster CR in one of the following ways:

  • Using the oc patch command:

    oc patch storagecluster ocs-storage -n openshift-storage --type=merge -p '{"spec":{"multiCloudGateway":{"disableRoutes":true}}}'
  • Using the interactive method:

    oc edit storagecluster ocs-storage -n openshift-storage
    • Add the following under .spec:

      multiCloudGateway:
        disableRoutes: true

Verification steps

To verify, delete the existing routes and check that they are no longer listed:

oc delete routes --all -n openshift-storage
oc get routes -n openshift-storage

The S3, STS, and noobaa-mgmt routes are no longer reconciled by the operator.
