Securing S3
To access an S3 bucket, users need AWS access key ID and AWS secret. Both of these are generated by going to AWS website. When you use Ozone’s S3 protocol, you need the same AWS access key and secret.
Under Ozone, the clients can download the access key directly from Ozone. The user needs to kinit
first and once they have authenticated via kerberos they can download the S3 access key ID and AWS secret. Just like AWS S3, both of these are secrets that needs to be protected by the client since it gives full access to the S3 buckets.
- S3 clients can get the secret access id and user secret from OzoneManager.
ozone s3 getsecret
- Or by sending request to /secret S3 REST endpoint.
curl -X PUT --negotiate -u : https://localhost:9879/secret
This command will talk to ozone, validate the user via Kerberos and generate the AWS credentials. The values will be printed out on the screen. You can set these values up in your .aws file for automatic access while working against Ozone S3 buckets.
Please note: These S3 credentials are like your Kerberos passwords that give complete access to your buckets.
- Now you can proceed to setup these secrets in aws configs:
aws configure set default.s3.signature_version s3v4
aws configure set aws_access_key_id ${accessId}
aws configure set aws_secret_access_key ${secret}
aws configure set region us-west-1
Please refer to AWS S3 documentation on how to use S3 via command line or via S3 API.