diff --git a/docs/Ranger-2way-ssl.md b/docs/Ranger-2way-ssl.md index 79b9e493..78ecbcef 100644 --- a/docs/Ranger-2way-ssl.md +++ b/docs/Ranger-2way-ssl.md @@ -47,14 +47,14 @@ keytool -export -keystore ranger-admin-keystore.jks -alias rangeradmin -file ran * Create Client keystore and export certificate ``` -keytool -genkey -keyalg RSA -alias gargoyles3plugin -keystore ranger-plugin-keystore.jks -storepass securep -validity 360 -keysize 2048 -keytool -export -keystore ranger-plugin-keystore.jks -alias gargoyles3plugin -file gargoyles3plugin.cer -storepass securep +keytool -genkey -keyalg RSA -alias airlocks3plugin -keystore ranger-plugin-keystore.jks -storepass securep -validity 360 -keysize 2048 +keytool -export -keystore ranger-plugin-keystore.jks -alias airlocks3plugin -file airlocks3plugin.cer -storepass securep ``` * Cross import certificates (create truststores) ``` -keytool -import -file gargoyles3plugin.cer -alias gargoyles3plugin -keystore ranger-admin-truststore.jks -storepass securep +keytool -import -file airlocks3plugin.cer -alias airlocks3plugin -keystore ranger-admin-truststore.jks -storepass securep keytool -import -file rangeradmin.cer -alias rangeradmin -keystore ranger-plugin-truststore.jks -storepass securep ``` diff --git a/docs/What_is_airlock.md b/docs/What_is_airlock.md index 5ad75751..76e8cad1 100644 --- a/docs/What_is_airlock.md +++ b/docs/What_is_airlock.md @@ -1,6 +1,6 @@ -# What is Gargoyle? +# What is Airlock? -Gargoyle is a security layer on top of an S3 interface. It ensures authentication and authorisation for any S3 capable +Airlock is a security layer on top of an S3 interface. It ensures authentication and authorisation for any S3 capable storage solution. It is originally developed to provide blob storage security for a Data Analytics Platform (DAP). ## Why 
@@ -16,14 +16,14 @@ security features CEPH provides are insufficient for our team. Things we found l ## How -Gargoyle filters and proxies requests to the S3 Api and implements part of the AWS IAM/STS api. This allows for +Airlock filters and proxies requests to the S3 Api and implements part of the AWS IAM/STS api. This allows for interoperability with existing tools that support S3. We make use of the following services: - Keycloak for Multi-factor authentication - Apache Ranger for authorisation - Apache Atlas for data lineage -Gargoyle exists of the following services and capabilities: +Airlock exists of the following services and capabilities: - STS. The Security Token Service (STS) is a web service that enables you to request temporary, limited-privilege credentials for AWS Identity and Access Management (IAM) users or for users that you authenticate. The following 
@@ -39,26 +39,26 @@ This results in the following architecture picture: ![alt text](./img/architecture.png) 1. **User** goes to Keycloak and is requested to authenticate him/herself using MFA. -2. **User** requests a short term token with the Gargoyle STS service for the type of access he requires to S3 (e.g. +2. **User** requests a short term token with the Airlock STS service for the type of access he requires to S3 (e.g. assume a certain role or access to his own resources). This request includes the token received from Keycloak. -3. **Gargoyle STS** verifies the token with Keycloak and potentially verifies whether a user is allowed to +3. **Airlock STS** verifies the token with Keycloak and potentially verifies whether a user is allowed to assume a certain role. If verified it returns a new short term token to the user. -4. **User** sends the request to the Gargoyle proxy with the STS token. -5. **Gargoyle Proxy** verifies the STS token with Gargoyle STS and retrieves the user corresponding to the AWS +4. **User** sends the request to the Airlock proxy with the STS token. +5. **Airlock Proxy** verifies the STS token with Airlock STS and retrieves the user corresponding to the AWS credentials. -6. **Gargoyle Proxy** verifies authorisation of the request with Apache Ranger and writes audit log to Apache Ranger. -7. **Gargoyle Proxy** passes through the request to CEPH if the STS and Apache Ranger checks both succeeded. +6. **Airlock Proxy** verifies authorisation of the request with Apache Ranger and writes audit log to Apache Ranger. +7. **Airlock Proxy** passes through the request to CEPH if the STS and Apache Ranger checks both succeeded. >If needed the proxy will automatically create the user on CEPH using the user info from the STS service. This user will only have rights for his own buckets initially, and should stil manually be made a system user to access other buckets he has rights for in Apache Ranger. 8. 
**CEPH** validates the request to ensure it hasn't been tampered with. -9. **Gargoyle Proxy** logs lineage data with Apache Atlas. +9. **Airlock Proxy** logs lineage data with Apache Atlas. ### Technologies -The Gargoyle project is written entirely in Scala 2.12.6. +The Airlock project is written entirely in Scala 2.12.8. To be determined: - KV store
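Review bot: in the `Ranger-2way-ssl.md` hunk the alias rename (`gargoyles3plugin` to `airlocks3plugin`) is applied consistently across `-genkey`, `-export` and the truststore `-import`, but note that `keytool -genkey` is run without `-dname`, so the certificate's CN is still whatever the operator types at the interactive prompt; the alias change does not change the CN. Since Ranger matches the plugin certificate against the "Common Name for Certificate" configured on the Ranger service, the doc should state which CN to enter, otherwise the 2-way TLS handshake succeeds but Ranger rejects the plugin. Also consider adding a sentence that `-storepass securep` is a placeholder: the same literal password is used for the keystore and both truststores and lands in shell history when pasted as-is, and with `-validity 360` the plugin certificate expires within a year, so the page should mention rotation.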
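Review bot: in the first `What_is_airlock.md` hunk, the rewritten line still reads "It is originally developed to provide blob storage security"; since the line is being touched for the rename, change it to "It was originally developed". The description "a security layer on top of an S3 interface" would also benefit from saying explicitly that the layer sits in front of the storage as a proxy, which is what the "How" section below describes.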
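Review bot: in the "## How" hunk, "Airlock exists of the following services and capabilities" should be "Airlock consists of the following services and capabilities"; the line is already modified by the rename, so fix the wording in the same commit.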
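Review bot: the architecture hunk bundles an unrelated change into the rename: "written entirely in Scala 2.12.6" becomes "Scala 2.12.8". That belongs in its own commit (or at least the commit message), and the reviewer cannot see from this diff whether the build definition actually moved to 2.12.8. On the flow itself, step 7 says the proxy "passes through the request to CEPH" and step 8 says "CEPH validates the request to ensure it hasn't been tampered with", but the request was signed by the user with the temporary STS credentials from step 3, which CEPH does not know; the doc should state whether the proxy re-signs the request with the CEPH user's credentials or how CEPH otherwise validates it, because that is the step where the trust between proxy and CEPH is established. While touching these lines, also fix "stil" to "still" in the quoted note about auto-created users, and consider "themselves" instead of "him/herself".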