Feature #53646
openImplement restrictions on key usage
0%
Description
This technically would moreso be in CephX, I suppose, but I didn't see a Project listing for it.
Currently, anyone with a valid key in CephFS (via CephX specifically) has access to everything tied with that key.
This may be fine for infrastructure, but presents security issues when trying to provide native CephFS access to potentially untrusted clients (e.g. Storage-as-a-Service or directly to VM guests in "cloud" or VPS provider contexts). This also presents issues during the event of key leakage.
As such, I am requesting that support for IP address and MAC address (for same-LAN clients, obviously) restrictions be added to a key.
While admittedly it would not guarantee unauthorized usage of the key, it does provide a context to the key rather than a simple have-key-get-access, and raises the barrier of entry for potential malicious actors.
If implemented, this restriction should obviously be optional for backwards-compatibility with existing keyrings/clusters.
Updated by brent s. over 2 years ago
Sorry, that should read "support for IP address (and/or address prefix/CIDR) ... restrictions".
Updated by Venky Shankar over 2 years ago
- Project changed from CephFS to Ceph
- Category deleted (
Security Model)
Moving this to "ceph" project.