Hey Trey. Sounds great, we were discussing the same kind of requirements and couldn't agree on/find something "useful"... so THANK YOU for sharing!!! It would be great if you could provide some more details or an example how you configure the "bucket user" and sub-users and all that stuff. Even more interesting for me, how do the "different ppl or services" access that buckets/objects afterwards?! I mean via which tools (s3cmd, boto, cyberduck, mix of some, ...) and are there any ACLs set/in use as well?! (sorry if this all sounds somehow dumb but I'm a just a novice ;) ) best Anton Gesendet: Dienstag, 11. April 2017 um 00:17 Uhr Von: "Trey Palmer" <trey@xxxxxxxxxxxxx> An: ceph-users@xxxxxxxx Betreff: Question about RadosGW subusers Probably a question for @yehuda : We have fairly strict user accountability requirements. The best way we have found to meet them with S3 object storage on Ceph is by using RadosGW subusers. If we set up one user per bucket, then set up subusers to provide separate individual S3 keys and access rights for different people or services using that bucket, then we can track who did what via access key in the RadosGW logs (at debug_rgw = 10/10). Of course, this is not a documented use case for subusers. I'm wondering if Yehuda or anyone else could estimate our risk of future incompatibility if we implement user/key management around subusers in this manner? Thanks, Trey_______________________________________________ ceph-users mailing list ceph-users@xxxxxxxxxxxxxx http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com _______________________________________________ ceph-users mailing list ceph-users@xxxxxxxxxxxxxx http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
 |