[
https://issues.apache.org/jira/browse/HDDS-8132?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17699192#comment-17699192
]
Ritesh Shukla commented on HDDS-8132:
-------------------------------------
Given that we now have a Kerberos principal for S3 Gateway, for performance and
scale, it might make more sense for S3Gateway to fetch the secret securely from
the remote store directly and validate the headers before sending the request
over to OM. This can be done as a separate step post extracting the secret out
of OM.
> Secure S3 keys management
> -------------------------
>
> Key: HDDS-8132
> URL: https://issues.apache.org/jira/browse/HDDS-8132
> Project: Apache Ozone
> Issue Type: Improvement
> Reporter: Maksim Myskov
> Assignee: Maksim Myskov
> Priority: Major
> Labels: pull-request-available
> Attachments: Secure S3 keys management.pdf
>
>
> While attempting to get Ozone to production, we found several security flaws
> regarding S3 auth.
> Some of them we have already done (HDDS-7191, HDDS-7815), some of them are in
> progress (HDDS-8050,HDDS-7814), and some are to be implemented.
> This Jira has several purposes:
> # To be an umbrella Jira for work regarding improving S3 security
> # To share our vision regarding S3 security
> I attached a design document that describes all the security flaws we have
> found. Eliminating them will drastically increase Ozone S3 security.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
