6 Authentication #
Ensuring that clients need to authenticate before accessing ressources on SUSE Enterprise Storage is important to the security of the system. Allowing anonymous usage or weak authentication schemes should be avoided.
6.1 Enabling strong authentication #
   Enforce strong authentication whenever possible: cephx works by having a
   secret key shared between the client and the service. This way both sides
   can prove to each other that they are who they claim to be. cephx is the
   default authentication scheme and should not be replaced by weaker methods.
  
   cephx is enabled by default for communication in the cluster itself
   (auth_cluster_required) and for the communication between
   the client and the cluster (auth_service_required). You
   can check this by running the following:
  
cephuser@adm > for option_name in auth_cluster_required auth_service_required auth_client_required ; do
        echo -n "$option_name: "
        ceph config get mon $option_name
      done
    auth_cluster_required: cephx
    auth_service_required: cephx
    auth_client_required: cephx, none
   You can also enable auth_client_required to force the
   SUSE Enterprise Storage cluster to authenticate towards clients to prevent malicious
   actors from impersonating services. This is done by setting
   auth_client_required to cephx only with the
   ceph config set global auth_client_required cephx
   command.
  
   cephx is only concerned with authentication. It does not ensure that the
   data is encrypted when sent to the cluster (in transport) or when stored in
   the cluster (at rest). When chosing a way for clients to access the cluster,
   select a access method that ensures the confidentiality in transport (for
   example, use HTTPS when using RADOS). For more details about cephx, see
   Book “Administration and Operations Guide”, Chapter 30 “Authentication with cephx”, Section 30.1 “Authentication architecture”.
  
   You can enforce message signing to harden the authentication protocol. With
   the ceph config set global cephx_require_signatures true
   command, you can force that signatures are used on all messages between the
   client and the cluster and in between the daemons in the cluster.If you run
   into issue with clients not being able to properly sign their messages you
   can enable it only for use within the cluster with the ceph config
   set global cephx_cluster_require_signatures command.
  
Strong authentication also requires proper key handling from the creation to the destruction of keys. Each client should receive a separate key which shouldn't be reused, at least not for clients with different security properties. With that you can then give the least amount of privileges to each account that is necessary, therefor limiting the risk. Creating users is covered in Book “Administration and Operations Guide”, Chapter 20 “RADOS Block Device”, Section 20.2.1 “Creating a Ceph user account”.
6.2 Ensuring secure storage of keys #
Keys must be stored with safe permissions on the client machine to prevent credential leakage. In most cases this means that only the user and root is able to read the key material. If you have a setup where you need to provide broader access you need to think through the security implications that accidential or malicious leaks of the key material has in your environment.
By default, key material is stored in a safe way on SUSE Enterprise Storage and you need to make sure that you do the same when transferring key material to clients. This means that you use secure transport mechanisms (HTTPs, SSH) to transfer the key and set strict permissions of files storing key material. Depending on your security requirements the use of vault services or hardware security modules might be appropriate.
Also consider your backup scheme to ensure that keys are secure during the whole life cycle. The backup of keys must meet the same security standards as the other systems that store a key dufing its lifetime.
6.3 Account setup #
In the initial configuration, you have administrative accounts that hold all the power. Depending on your regulatory and other requirements, you need to split up these accounts into several accounts that hold different privileges. This allows to assign the least amount of privilege needed to fulfill a task.
You should create a process that regularly reviews the privileges users have and adjust them if necessary. Especially for highly privileged accounts, we recommend this happens on a regular basis and every time a user that could have modified these settings is removed from the settings. For example, if someone changes role and is not the administrator for SUSE Enterprise Storage anymore.