Limit ECS operations with vTM rules

Sometimes we need a very granular level of control over which ECS REST API requests are allowed. We can do that using rules on Brocade vTM Load Balancers.

As an example, I’m going to test a rule that forbids the S3 version deletion operation.

Let’s prepare the environment first.

  • Create a bucket and apply versioning.
# ./s3curl.pl --id=ecs_profile -- -X PUT -ks https://10.0.0.1:9021/newbucket10
# ./s3curl.pl --id=ecs_profile -- -X PUT -d @EnableVersioning.txt -ks https://10.0.0.1:9021/newbucket10?versioning
# ./s3curl.pl --id=ecs_profile -- -ks https://10.0.0.1:9021/newbucket10?versioning |xmllint --format -
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<VersioningConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
   <Status>Enabled</Status>
</VersioningConfiguration>
  • Create three versions of the object.
# ./s3curl.pl --id=ecs_profile -- -X PUT -T file -ks https://10.0.0.1:9021/newbucket10/file
# ./s3curl.pl --id=ecs_profile -- -X PUT -T file -ks https://10.0.0.1:9021/newbucket10/file
# ./s3curl.pl --id=ecs_profile -- -X PUT -T file -ks https://10.0.0.1:9021/newbucket10/file

# ./s3curl.pl --id=ecs_profile -- -ks https://10.0.0.1:9021/newbucket10?versions | xmllint --format -
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ListVersionsResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
<Name>newbucket10</Name>
<MaxKeys>1000</MaxKeys>
<IsTruncated>false</IsTruncated>
<Version>
   <Key>file</Key>
   <VersionId>1493053214942</VersionId>
   <IsLatest>true</IsLatest>
...
</Version>

<Version>
   <Key>file</Key>
   <VersionId>1493053165905</VersionId>
   <IsLatest>false</IsLatest>
...
</Version>

<Version>
   <Key>file</Key>
   <VersionId>1493053164182</VersionId>
   <IsLatest>false</IsLatest>
...
</Version>
</ListVersionsResult>
  • Delete one of the versions.
  • It works fine now because the rule is not applied yet.
# ./s3curl.pl --id=ecs_profile -- -X DELETE -ks https://10.0.0.1:9021/newbucket10/file?versionId=1493053164182
# ./s3curl.pl --id=ecs_profile -- -ks https://10.0.0.1:9021/newbucket10?versions | xmllint --format -
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ListVersionsResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
<Name>newbucket10</Name>
<MaxKeys>1000</MaxKeys>
<IsTruncated>false</IsTruncated>
<Version>
   <Key>file</Key>
   <VersionId>1493053214942</VersionId>
   <IsLatest>true</IsLatest>
...
</Version>

<Version>
   <Key>file</Key>
   <VersionId>1493053165905</VersionId>
   <IsLatest>false</IsLatest>
...
</Version>

<Version>
   <Key>file</Key>
   <VersionId>1493053164182</VersionId>
   <IsLatest>false</IsLatest>
...
</Version>
</ListVersionsResult>
  • Apply the rule which forbids deletion of versions.
  • Navigate to Virtual Server > Rules.


  • Configure the rule shown below.
# Drop single-object DELETE requests that target a specific version
# (the versionId query parameter). connection.discard() closes the
# client connection without sending any response.
if( http.getmethod() == "DELETE"
    && string.contains( http.getquerystring(), "versionId" ) ){
    log.warn( "Somebody is trying to delete an object version" );
    connection.discard();
}

Note: see the TrafficScript reference for the rule syntax: https://www.brocade.com/content/dam/common/documents/content-types/user-guide/brocade-vtm-10.1-tscript.pdf

  • The rule is now applied to the Virtual Server.


  • Let’s check whether we can delete a version now.
# ./s3curl.pl --id=ecs_profile -- -X DELETE -kv https://10.0.0.1:9021/newbucket10/file?versionId=1493053164182
* About to connect() to 10.0.0.1 port 9021 (#0)
*   Trying 10.0.0.1... connected
* Connected to 10.0.0.1 (10.0.0.1) port 9021 (#0)
* successfully set certificate verify locations:
*   CAfile: none
CApath: /etc/ssl/certs/
...
> DELETE /newbucket10/file?versionId=1493053164182 HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-suse-linux-gnu) libcurl/7.19.7 OpenSSL/0.9.8j zlib/1.2.3 libidn/1.10
> Host: 10.0.0.1:9021
> Accept: */*
> Date: Mon, 24 Apr 2017 17:03:17 +0000
> Authorization: AWS newuser:VWJN...jc=
> 
* SSLv3, TLS alert, Client hello (1):
* Empty reply from server
* Connection #0 to host 10.0.0.1 left intact
curl: (52) Empty reply from server
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):

The vTM rule doesn’t allow us to delete a version: the matching request is discarded by the Load Balancer without any response, which is why curl reports "Empty reply from server" instead of an S3 error.

Works as expected!
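To see exactly which requests the rule above would discard, here is a small Python model of its match condition, run offline over constructed S3 request lines. This is an added example, not the post's rule or any vTM/ECS API; it also shows a stricter variant that parses the query string into parameters instead of doing the substring search the TrafficScript rule does.

```python
"""Offline model of the vTM TrafficScript rule: DELETE + versionId in the query string.
Added example; the request lines below are constructed, not captured from ECS."""
from urllib.parse import urlsplit, parse_qs

# Constructed sample requests, in the form "<method> <request-target>".
SAMPLE_REQUESTS = [
    "DELETE /newbucket10/file?versionId=1493053164182",  # delete a specific version
    "DELETE /newbucket10/file",                          # plain delete (creates a delete marker)
    "GET /newbucket10?versions",                         # list versions
    "PUT /newbucket10?versioning",                       # enable versioning
    "DELETE /newbucket10/file?xversionId=1",             # substring match, but not the S3 parameter
]


def rule_matches(method: str, query: str) -> bool:
    """Mirror of the page's rule: method is DELETE and 'versionId' appears
    anywhere in the raw query string (string.contains semantics)."""
    return method == "DELETE" and "versionId" in query


def rule_matches_strict(method: str, query: str) -> bool:
    """Stricter variant: match only when versionId is an actual parameter name,
    so a parameter or value that merely contains the text does not trigger it."""
    params = parse_qs(query, keep_blank_values=True)
    return method == "DELETE" and "versionId" in params


def evaluate(requests, matcher=rule_matches):
    """Return (decision, request) pairs. 'discard' corresponds to
    connection.discard() in the vTM rule; 'pass' means forwarded to ECS."""
    decisions = []
    for line in requests:
        method, target = line.split(" ", 1)
        query = urlsplit(target).query
        decisions.append(("discard" if matcher(method, query) else "pass", line))
    return decisions


if __name__ == "__main__":
    for name, matcher in (("substring rule", rule_matches), ("strict rule", rule_matches_strict)):
        print(f"== {name} ==")
        for decision, line in evaluate(SAMPLE_REQUESTS, matcher):
            print(f"{decision:8} {line}")
```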
