====== [CEPH] Public bucket basic knowledge ======
^ Documentation ^|
^Name:| [CEPH] Public bucket basic knowledge |
^Description:| Basic information about publishing a bucket to the internet |
^Modification date:| 03/02/2020|
^Owner:|dodger|
^Notify changes to:|Owner |
^Tags:|ceph, object storage |
^Escalate to:|The_fucking_bofh|
====== Pre-Requirements ======
* Know what the [[https://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol#Request_methods|HTTP verbs]] are
* Know the name of our ceph
====== What you should know ======
Our ceph/S3 object storage can be accessed publicly, but that access is very restricted: the more restricted it is, the more secure it is.\\
\\
So what is open?
* HTTP verb GET
* Any bucket that has been requested to be open to the internet (you still must give explicit access to the objects)
\\
\\
What is **NOT** open:
* All the other HTTP verbs (PUT/HEAD/DELETE/POST...)
* All the other buckets, i.e. those not explicitly requested to be opened.
* All the objects in a **published bucket** not explicitly published as public/timed/hashed.
\\
====== What you'll be able to do from the internet ======
Just 1 thing:
''curl http://larry.ciberterminal.net/monguitest/status.txt''
That is:
* you must know the name of the file that you want to access.
* the file must be public or have //any// ACL set up that allows access to it without authentication (public, timed public, hash-key-based access...)
\\
====== What we would like you to do with the objects ======
digraph c{
compound=true;
privatebucketobject [shape=cylinder,label="Private bucket\nPrivate Object",style=filled];
timedobject [shape=cylinder,label="Private bucket\nTimed access for Object (object still private)",style=filled,fillcolor=green];
publicobject [shape=cylinder,label="Private bucket\nPublic Object",style=filled,fillcolor=darkorange];
publicbucket [shape=cylinder,label="Public bucket\nPublic Object",style=filled,fillcolor=red];
avoid [shape=none,label="Never use!"];
avoidaspossible [shape=none,label="Limited use cases, should be avoided!"];
preferred [shape=none,label="Preferred use case!"];
default [shape=none,label="Default setup"];
{rank=same; publicbucket, avoid}
{rank=same; publicobject, avoidaspossible}
{rank=same; timedobject, preferred}
{rank=same; privatebucketobject, default}
privatebucketobject->timedobject;
timedobject->publicobject;
publicobject->publicbucket;
publicbucket->avoid [dir=back];
publicobject->avoidaspossible [dir=back];
timedobject->preferred [dir=back];
privatebucketobject->default [dir=back];
}
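The "timed access for object" case the graph marks as preferred is an S3 presigned GET link: the object stays private and the link carries an expiry and a signature. The following is an added example (not the team's tooling) that builds such a link with AWS Signature Version 4 query parameters and shows the check the gateway performs on it. It assumes path-style addressing on larry.ciberterminal.net as in the curl example, an RGW region name of "default", and constructed placeholder credentials.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, quote, unquote, urlsplit


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def presign_get(host, bucket, key, access_key, secret_key, expires, now, region="default"):
    """SigV4 query-string presigned GET URL, path-style. Only GET is signed: the one verb open to the internet."""
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    scope = f"{amz_date[:8]}/{region}/s3/aws4_request"
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    canonical_uri = quote(f"/{bucket}/{key}")
    canonical_qs = "&".join(f"{k}={quote(v, safe='-_.~')}" for k, v in sorted(params.items()))
    # Canonical request: verb, URI, query, canonical headers (plus blank line), signed headers, payload.
    canonical_request = "\n".join(
        ["GET", canonical_uri, canonical_qs, f"host:{host}\n", "host", "UNSIGNED-PAYLOAD"])
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    signing_key = _hmac(("AWS4" + secret_key).encode(), amz_date[:8])  # derived from the secret, never sent
    for part in (region, "s3", "aws4_request"):
        signing_key = _hmac(signing_key, part)
    signature = hmac.new(signing_key, string_to_sign.encode(), hashlib.sha256).hexdigest()
    return f"http://{host}{canonical_uri}?{canonical_qs}&X-Amz-Signature={signature}"


def check_presigned_get(url, secret_key, now):
    """Gateway side of a timed link: reject it once X-Amz-Date + X-Amz-Expires has passed, then re-sign and compare."""
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    issued = datetime.strptime(q["X-Amz-Date"], "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    if now > issued + timedelta(seconds=int(q["X-Amz-Expires"])):
        return "expired"
    access_key, _, region, _, _ = q["X-Amz-Credential"].split("/")
    _, bucket, key = unquote(parts.path).split("/", 2)  # path-style: /bucket/key
    expected = presign_get(parts.netloc, bucket, key, access_key, secret_key,
                           int(q["X-Amz-Expires"]), issued, region)
    expected_sig = expected.rsplit("X-Amz-Signature=", 1)[1]
    # Constant-time compare; any edit to the expiry or path without re-signing fails here.
    return "ok" if hmac.compare_digest(expected_sig, q.get("X-Amz-Signature", "")) else "bad-signature"
```

Calling presign_get("larry.ciberterminal.net", "monguitest", "status.txt", ACCESS_KEY, SECRET_KEY, 600, datetime.now(timezone.utc)) yields a link that plain curl can fetch for ten minutes, after which the same GET is denied.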
====== Access explained graphically ======
===== From Internet =====
digraph c{
compound=true;
client [label="Client on internet"];
clover [shape=hexagon,label="clover.ciberterminal.net\nPublic load balancers"];
bucket [shape=cylinder,label="/bucketname\nhas been published?",style=filled,fillcolor=coral];
denied [label="Access\nDenied",style=filled,fillcolor=red];
object [shape=parallelogram,label="objectname\nhas been allowed to access?",style=filled,fillcolor=lightblue];
allowed [label="Access\nALLOWED",style=filled,fillcolor=green];
firewall [label="F5 Firewall & load balancer", style=filled, shape=box3d, fillcolor=chocolate];
client-> firewall [label="GET /bucketname/objectname"];
firewall -> clover;
clover->bucket [label="checks"];
bucket->denied [label="Not published"];
bucket->object [label="Published"];
object->denied [label="Not published"];
object->allowed [label="Access has been granted"] ;
}
===== From ciberterminal =====
digraph c{
compound=true;
client [label="Client on VOXEL"];
clover [shape=hexagon,label="clover.ciberterminal.net\nPrivate load balancers"];
bucket [shape=cylinder,label="/bucketname",style=filled,fillcolor=coral];
denied [label="Access\nDenied",style=filled,fillcolor=red];
allowed [label="Access\nALLOWED",style=filled,fillcolor=green];
client-> clover [label="GET /bucketname/objectname
PUT /bucketname/objectname
POST /bucketname/objectname
DELETE /bucketname/objectname
HEAD /bucketname"];
clover->bucket [label="Owner?"];
bucket->denied [label="NO"];
bucket->allowed [label="YES"];
}
====== Remember ======
* Only **GET** is available, so you won't be able to:
  * ''bucket.list'', as it uses HTTP/HEAD.
  * ''bucket.delete'', as it uses HTTP/DELETE.
  * Any other operation :-)
* You'll still have to manage the object ACL so anyone can access it; by default all the objects inside a bucket are **private**.