AWS
The DuraCloud service runs on Amazon Web Services cloud infrastructure. AWS is the datacenter used to manage all servers running DuraCloud software. Information about AWS security can be found at the following links:
- AWS Cloud Security: https://aws.amazon.com/security/
- AWS Whitepapers (many security-related papers can be found here): https://aws.amazon.com/whitepapers/
Overview
The security approach is divided into two distinct spheres of responsibility
...
- Apache HttpServer is configured to require all requests to the four DuraCloud web applications (/duradmin, /durastore, /duraservice, and /duraboss) go over https.
Below are the https enforcement rules configured in Apache. The X-Forwarded-Proto header is provided by AWS Elastic Load Balancers.
Code Block ### # ensure 'duradmin' uses https ### RewriteEngine On RewriteCond %{REQUEST_URI} /duradmin RewriteCond %{SERVER_PORT} !^443$ RewriteRule ^(.*)$HTTP:X-Forwarded-Proto} !https RewriteRule !/status https://%{SERVER_NAME}$1 [R=301,L] ### # try to require https for 'durastore', 'duraservice', & 'duraboss' for # external requests ### RewriteCond %{REQUEST_URI} ^(/durastore|/duraservice|/duraboss) RewriteCond %{SERVER_PORT} !^443$ RewriteCond %{SERVER_NAME} !^localhost$ RewriteCond %{SERVER_NAME} !^127.0.0.1$ RewriteCond %{REMOTE_HOST} !^127.0.0.1$ RewriteCond ${local-ip-map:%{REMOTE_HOST}} !^localhost$ RewriteRule ^(.*)$ https://%{SERVER_NAME}$1 [R=301,L] [L,R]
Application Security Implementation
...
DuraCloud leverages Spring's mechanism for wiring AuthN/Z into an application across servlet url patterns.
The following access rules are placed across the durastore and duraservice REST-APIs:
...
| title | Initialization REST Methods - Common across all applications |
|---|
...
Action
...
Role
...
Is Initialized
...
ROLE_ANONYMOUS
...
Initialize
...
Initialize Security Users | ROLE_ROOT | |||||||||||||||||||||||||||||||||||||||||||||||
| Panel | ||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||||||||||||||||||||||||||||||||||||||||
| ||||||||||||||||||||||||||||||||||||||||||||||||
| Panel | ||||||||||||||||||||||||||||||||||||||||||||||||
| ||||||||||||||||||||||||||||||||||||||||||||||||
| ||||||||||||||||||||||||||||||||||||||||||||||||
| Panel | ||||||||||||||||||||||||||||||||||||||||||||||||
| ||||||||||||||||||||||||||||||||||||||||||||||||
All ROLE_USER permissions are limited to spaces for which space ACLs permit read and/or write access |
Roles
The fixed set of users/roles listed below are provided in DuraCloud. Each role in the list below represents a super set of the privileges of those above it.
...
- Users are managed via the DuraCloud Management Console. In the Management Console, an account administrator has the ability to:
- Add and remove users to the DuraCloud account
- Create Groups and add users to groups in order to simplify access control
- Access Control is managed at the space level
- Within DuraCloud (via the UI or the REST API), an account administrator has the ability to define which users and groups have access to a space, as well as the type of access (read or write) that is available.