IpAddress condition of an RGW bucket policy doesn't work for access via ha-proxy
This document (000019874) is provided subject to the disclaimer at the end of this document.
Environment
SUSE Enterprise Storage 7
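Situation
An IpAddress condition in an RGW bucket policy, such as

    "Condition": {
        "IpAddress": {
            "aws:SourceIp": [ "192.0.2.0/24" ]
        }
    }

does not match for access via an HTTP load balancing proxy. By default RGW evaluates aws:SourceIp against the address of the connecting peer (REMOTE_ADDR), which for proxied requests is the load balancer and not the client.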
Resolution
Adding

    rgw remote addr param = HTTP_X_FORWARDED_FOR

to the [client.rgw.INSTANCE] section in ceph.conf, followed by a restart of the RGW, changes the semantics of aws:SourceIp to contain the value of the specified HTTP header, in this case HTTP_X_FORWARDED_FOR.
As an alternative, access control can also be implemented by proxy configuration.
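The following HAProxy fragment is an added example, not part of the original article and not a SUSE-provided configuration. With the setting above, the policy decision rests on a request header, so the proxy has to write that header itself. The fragment shows this next to the proxy-side alternative. All names, addresses, ports and the bucket name are constructed placeholders.

```haproxy
# Constructed example: names, addresses and ports are placeholders.
defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend rgw_in
    bind :80

    # Weak: "option forwardfor" appends a new X-Forwarded-For header and
    # leaves any value the client sent in place.
    # option forwardfor

    # Hardened: replace whatever the client sent with the TCP peer address,
    # so the header RGW reads was written by the proxy.
    http-request set-header X-Forwarded-For %[src]

    # Alternative from the article: enforce the source range at the proxy.
    # "restricted-bucket" is a hypothetical bucket name. These ACLs cover
    # path-style requests only; virtual-hosted-style access would need a
    # matching hdr(host) ACL as well.
    acl allowed_src src 192.0.2.0/24
    acl restricted  path /restricted-bucket
    acl restricted  path_beg /restricted-bucket/
    http-request deny if restricted !allowed_src

    default_backend rgw_out

backend rgw_out
    # RGW should accept connections from the proxy only. A client that can
    # reach this port directly controls the X-Forwarded-For value RGW sees.
    server rgw1 198.51.100.10:8080 check
```

After changing ceph.conf and the proxy, check both directions: a request from inside 192.0.2.0/24 through the proxy is allowed, and a request from outside that range carrying a forged X-Forwarded-For header is still denied.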
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID: 000019874
- Creation Date: 11-Feb-2021
- Modified Date: 16-Feb-2021
- SUSE Enterprise Storage
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com