Securing S3

To access an S3 bucket, users need AWS access key ID and AWS secret. Both of these are generated by going to AWS website. When you use Ozone’s S3 protocol, you need the same AWS access key and secret.

Under Ozone, the clients can download the access key directly from Ozone. The user needs to kinit first and once they have authenticated via kerberos they can download the S3 access key ID and AWS secret. Just like AWS S3, both of these are secrets that needs to be protected by the client since it gives full access to the S3 buckets.

Obtain Secrets

  • S3 clients can get the secret access id and user secret from OzoneManager.
ozone s3 getsecret
  • Or by sending request to /secret S3 REST endpoint.
curl -X PUT --negotiate -u : https://localhost:9879/secret

This command will talk to ozone, validate the user via Kerberos and generate the AWS credentials. The values will be printed out on the screen. You can set these values up in your .aws file for automatic access while working against Ozone S3 buckets.

  • Now you can proceed to setup these secrets in aws configs:
aws configure set default.s3.signature_version s3v4
aws configure set aws_access_key_id ${accessId}
aws configure set aws_secret_access_key ${secret}
aws configure set region us-west-1

Please refer to AWS S3 documentation on how to use S3 via command line or via S3 API.

Revoking Secrets via REST API

To invalidate/revoke the secret, use ozone s3 revokesecret command. Alternatively, you can use the REST API endpoint to revoke the secret. Ozone now provides a REST API endpoint that allows administrators to revoke S3 access secrets. This operation invalidates a secret, ensuring it can no longer be used for authentication.

Endpoint Details

  • URL: http://localhost:9879/secret
  • HTTP Method: DELETE

Authentication

The API leverages SPNEGO (Kerberos) authentication. The following curl options are used:

  • --negotiate enables SPNEGO.
  • -u : uses the current Kerberos ticket (an empty username is provided).

Example 1: Revoke Secret for the Current User

This command revokes the secret for the currently authenticated user:

curl -X DELETE --negotiate -u : -v http://localhost:9879/secret

Example 2: Revoke Secret by Username

This command revokes the secret for a specific user by appending the username as a query parameter. Replace testuser with the desired username:

curl -X DELETE --negotiate -u : -v "http://localhost:9879/secret?username=testuser"

Response

  • Success: Returns HTTP 200 OK along with a confirmation message in JSON format.
  • Failure: Returns an appropriate HTTP error status and message if there are issues (e.g., authentication failures).

Testing and Verification

For a working example of these operations, refer to the Secret Revoke Robot Test. This test demonstrates both the default secret revocation and the revocation by username.

Note: Ensure your Kerberos authentication is correctly configured, as secret revocation is a privileged operation.

Next >>