Manage CIDR-based security policies

Manage CIDR-based security policies to control access to WEKA clusters based on client IP address ranges, enhancing security and simplifying administration.

Overview

-based policies enable administrators to control access to WEKA clusters by setting rules that allow or deny connections based on client IP address ranges. This network-based restriction provides greater control over which servers or devices can access the cluster, offering a more flexible alternative to traditional user authentication. Policies are managed at the organization level, ensuring only authorized clients can connect.

Key benefits:

Enhanced security: Restrict access to the cluster by controlling which clients can connect based on their IP addresses.
No authentication required: Secure access through network-level restrictions, simplifying management for trusted environments.
Simplified management: Centralized control over client access without needing user credentials.

Guidelines and considerations

When implementing CIDR-based security policies in WEKA, consider the following:

Role requirement: Only users with the Cluster Admin role can manage security policies, ensuring that access control remains in the hands of authorized administrators.
Applicable to all organizations: CIDR-based security policies apply to all organizations, ensuring centralized control across the cluster.
Active mounts remain unaffected: Client revocation is disabled, meaning any changes to policies do not impact active mounts. This ensures ongoing connections remain stable until they are manually disconnected.
Policy order matters: The order in which policies are attached determines the filtering sequence. For example, if the first policy denies access from IP1 and IP2, and the second policy allows IP1, the first policy takes precedence, overriding subsequent policies. Always review the order to ensure the desired access control.
Default access behavior: Clients without a related policy are allowed by default. To secure your organization, always include a final policy that denies access to all other IPs after attaching the necessary policies.
Policy capacity:
- 16 policies can be assigned per organization.
- 8 policies are allowed per client or backend join.
- Each policy supports up to 32 IP address ranges.
- A total of 5,120 policies can be defined system-wide.

Manage security policies using the CLI

Create and manage security policies so that you can apply them on the organization. You can perform the following:

List security policies defined in the WEKA cluster.
Display information about a specific security policy.
Create a new security policy.
Delete a security policy.
Duplicate an existing security policy, creating a new one.
Update the settings of an existing security policy.
Simulate the effect of one or more security policies.
List security policies applied when joining containers.
Set security policies for joining cluster, replacing the existing set of policies.
Attach a security policy when joining cluster.
Detach a security policy when joining cluster.
Remove all security policies applied when joining cluster

List security policies

Command: weka security policy list

Use the following command line to list security policies defined in the WEKA cluster.

weka security policy list [--action action] [--roles roles]...[--ips ips]...

Parameters

Parameter Description

Parameter	Description
`action`	Lists security policies that match a specific action. (format: `allow` or `deny`)
`roles`...	Lists security policies that include specific roles. (format: `clusteradmin`, `orgadmin`, `regular`, `readonly` or `s3`, may be repeated or comma-separated)
`ips`...	Lists security policies that include specific IP address ranges. (format: IP or IP/CIDR or IP1-IP2 or A.B.C.D-E, may be repeated or comma-separated)

action

Lists security policies that match a specific action. (format: allow or deny)

roles...

Lists security policies that include specific roles. (format: clusteradmin, orgadmin, regular, readonly or s3, may be repeated or comma-separated)

ips...

Lists security policies that include specific IP address ranges. (format: IP or IP/CIDR or IP1-IP2 or A.B.C.D-E, may be repeated or comma-separated)

Display information of a security policy

Command: weka security policy show

Displays information about a specific security policy.

weka security policy show <policy>

Parameters

Parameter Description

Parameter	Description
`policy`*	Name or ID of security policy.

policy*

Name or ID of security policy.

Create a new security policy

Command: weka security policy create

Use the following command line to create a new security policy.

weka security policy create <name> [--description description] [--action action]
[--ips ips]...[--roles roles]...

Parameters

Parameter Description

Parameter	Description
`name`*	Name of the new security policy. (up to 64 alphanumeric characters, hyphens (-), underscores (_), and periods (.), starting with a letter)
`description`	Description of the security policy. (up to 256 characters)
`action`	Whether access is granted or denied when the security policy matches. (format: `allow` or '`deny`)
`ips`...	IP address ranges to which the security policy applies. (format: IP or IP/CIDR or IP1-IP2 or A.B.C.D-E, may be repeated or comma-separated)
`roles`...	User roles to which the security policy applies. (format: `clusteradmin`, `orgadmin`, `regular`, `readonly` or `s3`, may be repeated or comma-separated)

name*

Name of the new security policy. (up to 64 alphanumeric characters, hyphens (-), underscores (_), and periods (.), starting with a letter)

description

Description of the security policy. (up to 256 characters)

action

Whether access is granted or denied when the security policy matches. (format: allow or 'deny)

ips...

IP address ranges to which the security policy applies. (format: IP or IP/CIDR or IP1-IP2 or A.B.C.D-E, may be repeated or comma-separated)

roles...

User roles to which the security policy applies. (format: clusteradmin, orgadmin, regular, readonly or s3, may be repeated or comma-separated)

Example:

weka security policy create admin_network --action allow --ips 10.1.0.0/16,10.2.1.0/24 --role clusteradmin

Delete a security policy

Command: weka security policy delete

Use the following command line to delete a security policy.

weka security policy delete <policy>

Parameters

Parameter Description

Parameter	Description
`policy`*	Name or ID of security policy.

policy*

Name or ID of security policy.

Duplicate an existing security policy

Command: weka security policy duplicate

Use the following command line to duplicate an existing security policy, creating a new one.

weka security policy duplicate <policy> <name>

Parameters

Parameter Description

Parameter	Description
`policy`*	Name or ID of the security policy to duplicate.
`name`*	Name of the new security policy. (up to 64 alphanumeric characters, hyphens (-), underscores (_), and periods (.), starting with a letter)

policy*

Name or ID of the security policy to duplicate.

name*

Name of the new security policy. (up to 64 alphanumeric characters, hyphens (-), underscores (_), and periods (.), starting with a letter)

Example:

weka security policy duplicate sourcePolicy newPolicyName

Update security policy settings

Command: weka security policy update

Use the following command line to update the settings of an existing security policy.

weka security policy update <policy> [--description description] [--action action] [--new-name new-name] [--roles roles]... [--add-roles add-roles]... [--remove-roles remove-roles]... [--ips ips]... [--add-ips add-ips]... [--remove-ips remove-ips]...

Parameters

Parameter Description

Parameter	Description
`policy`*	Name or ID of security policy.
`--description`	Updates the description of the security policy. (up to 256 characters)
`--action`	Changes whether access is granted when the security policy matches. (format: `allow` or `deny`)
`--new-name`	New name of the security policy. (up to 64 alphanumeric characters, hyphens (-), underscores (_), and periods (.), starting with a letter)
`--roles`...	User roles to which the security policy applies. (format: `clusteradmin`, `orgadmin`, `regular`, `readonly` or `s3`, may be repeated or comma-separated)
`--add-roles`...	User roles to append to the security policy. (format: `clusteradmin`, `orgadmin`, `regular`, `readonly` or `s3`, may be repeated or comma-separated)
`--remove-roles`...	User roles to remove from the security policy. (format: `clusteradmin`, `orgadmin`, `regular`, `readonly` or `s3`, may be repeated or comma-separated)
`ips`	IP address ranges to which the security policy applies. (format: IP or IP/CIDR or IP1-IP2 or A.B.C.D-E, may be repeated or comma-separated)
`add-ips`	IP address ranges to append to the security policy. (format: IP or IP/CIDR or IP1-IP2 or A.B.C.D-E, may be repeated or comma-separated)
`remove-ips`	IP address ranges to remove from the security policy. (format: IP or IP/CIDR or IP1-IP2 or A.B.C.D-E, may be repeated or comma-separated)

policy*

Name or ID of security policy.

--description

Updates the description of the security policy. (up to 256 characters)

--action

Changes whether access is granted when the security policy matches. (format: allow or deny)

--new-name

New name of the security policy. (up to 64 alphanumeric characters, hyphens (-), underscores (_), and periods (.), starting with a letter)

--roles...

User roles to which the security policy applies. (format: clusteradmin, orgadmin, regular, readonly or s3, may be repeated or comma-separated)

--add-roles...

User roles to append to the security policy. (format: clusteradmin, orgadmin, regular, readonly or s3, may be repeated or comma-separated)

--remove-roles...

User roles to remove from the security policy. (format: clusteradmin, orgadmin, regular, readonly or s3, may be repeated or comma-separated)

ips

IP address ranges to which the security policy applies. (format: IP or IP/CIDR or IP1-IP2 or A.B.C.D-E, may be repeated or comma-separated)

add-ips

IP address ranges to append to the security policy. (format: IP or IP/CIDR or IP1-IP2 or A.B.C.D-E, may be repeated or comma-separated)

remove-ips

IP address ranges to remove from the security policy. (format: IP or IP/CIDR or IP1-IP2 or A.B.C.D-E, may be repeated or comma-separated)

Example:

weka security policy update admin-net --add-roles clusteradmin --description "Limit Cluster Admin Access to HQ Network"

Simulate the effect of one or more security policies

Command: weka security policy test

Use the following command line to simulates the effect of one or more security policies.

weka security policy test [--role role] [--ip ip] [--join] [<policy>]...

Parameters

Parameter Description

Parameter	Description
`policy`...	Policies to evaluate, with access verified in the order listed.
`role`	Simulate effect of policies on API access from the given user role. (format: `clusteradmin`, `orgadmin`, `regular`, `readonly` or `s3`)
`ip`	IP address to evaluate as the source address.
`join`	Simulate effect of policies when joining the cluster.

policy...

Policies to evaluate, with access verified in the order listed.

role

Simulate effect of policies on API access from the given user role. (format: clusteradmin, orgadmin, regular, readonly or s3)

ip

IP address to evaluate as the source address.

join

Simulate effect of policies when joining the cluster.

Example:

weka security policy test policy1 policy2 policy3 --ip 10.2.1.0 --role clusteradmin

List security policies applied when joining containers

Command: weka security policy join list

Use the following command line to list security policies applied when joining containers.

weka security policy join list [--client] [--backend]

Parameters

Parameter Description

Parameter	Description
`client`	List policies for clients.
`backend`	List policies for backends.

client

List policies for clients.

backend

List policies for backends.

Set security policies for joining cluster

Command: weka security policy join set

Use the following command line to set security policies for joining cluster, replacing the existing set of policies.

weka security policy join set [--client] [--backend] [<policies>]...

Parameters

Parameter Description

Parameter	Description
`policies`...	Security policy names or IDs applied to cluster join process.
`client`	Apply policies to clients.
`backend`	Apply policies to backends.

policies...

Security policy names or IDs applied to cluster join process.

client

Apply policies to clients.

backend

Apply policies to backends.

Attach a security policy when joining cluster

Command: weka security policy join attach

Use the following command line to attach security policies applied when joining cluster, adding them to the existing policies.

weka security policy join attach [--client] [--backend] [<policies>]...

Parameters

Parameter Description

Parameter	Description
`policies`...	Security policy names or IDs to attach to cluster join process.
`client`	Apply policies to clients.
`backend`	Apply policies to backends.

policies...

Security policy names or IDs to attach to cluster join process.

client

Apply policies to clients.

backend

Apply policies to backends.

Detach a security policy when joining cluster

Command: weka security policy join detach

Use the following command line to remove security policies applied when joining cluster.

weka security policy join detach [--client] [--backend]  [<policies>]...

Parameters

Parameter Description

Parameter	Description
`policies`...	Security policy names or IDs to remove from cluster join proces
`client`	Apply policies to clients.
`backend`	Apply policies to backends.

policies...

Security policy names or IDs to remove from cluster join proces

client

Apply policies to clients.

backend

Apply policies to backends.

Remove all security policies applied when joining cluster

Command: weka security policy join reset

Use the following command line to remove all security policies applied when joining cluster.

weka security policy join reset [--client] [--backend]

Parameters

Parameter Description

Parameter	Description
`client`	Apply policies to clients.
`backend`	Apply policies to backends.

client

Apply policies to clients.

backend

Apply policies to backends.

Manage organization security policies using the CLI

Once security policies are defined, you can perform the following tasks at the organization level:

List security policies for a specified organization.
Set security policies for a specified organization.
Remove all security policies from a specified organization.
Attach new security policies to a specified organization.
Detach security policies from a specified organization.

List the organization security policies

Command: weka org security policy list

Use the following command to list the security policies of a specified organization.

weka org security policy list <org>

The command weka org also displays the attached policies for each organization.

Parameters

Parameter Description

Parameter	Description
`org`*	Organization name or ID.

org*

Organization name or ID.

Set security policies for an organization

Command: weka org security policy set

Use the following command to set security policies for an organization, replacing the existing list of policies.

weka org security policy set <org> [<policies>]...

Parameters

Parameter Description

Parameter	Description
`org`*	Organization name or ID.
`policies`...	Security policy names or IDs to assign to the organization.

org*

Organization name or ID.

policies...

Security policy names or IDs to assign to the organization.

Remove all security policies from an organization

Command: weka org security policy reset

Use the following command to removes all security policies from an organization.

weka org security policy reset <org>

Parameters

Parameter Description

Parameter	Description
`org`*	Organization name or ID.

org*

Organization name or ID.

Attach new security policies to an organization

Command: weka org security policy attach

Use the following command to attach new security policies to an organization, adding them to the existing policies.

weka org security policy attach <org> [<policies>]...

Parameters

Parameter Description

Parameter	Description
`org`*	Organization name or ID.
`policies`...	Security policy names or IDs to attach to the organization.

org*

Organization name or ID.

policies...

Security policy names or IDs to attach to the organization.

Detach security policies from an organization

Command: weka org security policy detach

Use the following command to detach (remove) security policies from an organization.

weka org security policy detach <org>[<policies>]...

Parameters

Parameter Description

Parameter	Description
`org`*	Organization name or ID.
`policies`...	Security policy names or IDs to remove from the organization.

org*

Organization name or ID.

policies...

Security policy names or IDs to remove from the organization.

PreviousManage Cross-Origin Resource Sharing NextUser management

Last updated 15 days ago