RADOSGW Keystone integration - S3 bucket policies targeting not just other tenants / projects ?

Hallo Ceph-Users,

I've been wondering about the state of OpenStack Keystone Auth in RADOSGW.


1) Even though the general documentation on RADOSGW S3 bucket policies is a little "misleading" (https://docs.ceph.com/en/latest/radosgw/bucketpolicy/#creation-and-removal) in showing users being referred to as Principal, the documentation about Keystone integration at https://docs.ceph.com/en/latest/radosgw/keystone/#integrating-with-openstack-keystone clearly states that "A Ceph Object Gateway user is mapped into a Keystone <tenant>".

In the keystone authentication code it strictly only takes the project from the authenticating user:

 * https://github.com/ceph/ceph/blob/6ce6874bae8fbac8921f0bdfc3931371fc61d4ff/src/rgw/rgw_auth_keystone.cc#L127
 * https://github.com/ceph/ceph/blob/6ce6874bae8fbac8921f0bdfc3931371fc61d4ff/src/rgw/rgw_auth_keystone.cc#L515


This is rather unfortunate, as this renders the usually powerful S3 bucket policies rather basic: granting access to all users (with a certain role) of a project or, more importantly, to all users of another project / tenant, as in using

  arn:aws:iam::$OS_REMOTE_PROJECT_ID:root

as principal.


Or am I just misreading something here, or is this really all that can be done when using native Keystone auth?



2) There is a PR open implementing generic external authentication https://github.com/ceph/ceph/pull/34093

Apparently this also addresses the lack of support for subusers with Keystone - if I understand this correctly, I could then grant access to individual users via

  arn:aws:iam::$OS_REMOTE_PROJECT_ID:$user


Are there any plans on the roadmap to extend the functionality with regard to Keystone as an authentication backend?




I know a similar question has been asked before (https://lists.ceph.io/hyperkitty/list/ceph-users@xxxxxxx/thread/GY7VUKCQ5QUMDYSFUJE233FKBRADXRZK/#GY7VUKCQ5QUMDYSFUJE233FKBRADXRZK),
but unfortunately with no discussion / responses then.



Regards


Christian

_______________________________________________
ceph-users mailing list -- ceph-users@xxxxxxx
To unsubscribe send an email to ceph-users-leave@xxxxxxx
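An added illustration of the granularity question raised in the post (this is example code, not from Ceph or from the poster): it builds a bucket policy whose Principal is the project-level `arn:aws:iam::<project_id>:root` form the post shows, and pairs it with a small, hypothetical matcher that models the poster's reading of the Keystone path, namely that the identity RADOSGW derives from Keystone carries only the project id as tenant and no per-user name. Under that assumption a project-level principal matches every authenticated member of that project, while a user-level principal of the `arn:aws:iam::<project_id>:<user>` form (the granularity the PR in point 2 would provide) can never match because there is no user name to compare against. Function names, the `identity` dict shape and the sample project ids are all constructed for this example.

```python
import json

IAM_ARN_PREFIX = "arn:aws:iam::"


def tenant_policy(bucket, remote_project_id, actions=("s3:GetObject", "s3:ListBucket")):
    """Build an S3 bucket policy that grants `actions` to every principal of
    the Keystone project `remote_project_id` (project-level principal, as in
    the post).  Returns the policy as a dict; json.dumps() it to apply."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "GrantToRemoteProject",
                "Effect": "Allow",
                # Project-level principal: the only form the post says is usable
                # with native Keystone auth.
                "Principal": {"AWS": [f"{IAM_ARN_PREFIX}{remote_project_id}:root"]},
                "Action": list(actions),
                "Resource": [
                    f"arn:aws:s3:::{bucket}",
                    f"arn:aws:s3:::{bucket}/*",
                ],
            }
        ],
    }


def keystone_identity(project_id):
    """Hypothetical model of what the Keystone auth path yields for a request:
    the tenant is the Keystone project id and no per-user name is carried
    (the poster's reading of rgw_auth_keystone.cc)."""
    return {"tenant": project_id, "user": None}


def principal_matches(principal_arn, identity):
    """Illustrative matcher (not RGW's real policy engine): does `principal_arn`
    name the caller described by `identity`?"""
    if not principal_arn.startswith(IAM_ARN_PREFIX):
        return False
    account, _, name = principal_arn[len(IAM_ARN_PREFIX):].partition(":")
    if account != identity["tenant"]:
        return False
    if name == "root":
        # Project-level grant: any authenticated member of the project matches.
        return True
    # User-level grant: only satisfiable if the auth backend exposed a user name.
    return identity.get("user") is not None and identity["user"] == name


def allowed_for(policy, identity, action):
    """Return True if any Allow statement in `policy` names `identity` and
    lists `action` (Deny handling and Resource matching are out of scope)."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or action not in stmt["Action"]:
            continue
        if any(principal_matches(p, identity) for p in stmt["Principal"]["AWS"]):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample project ids; real Keystone ids are 32-hex strings.
    policy = tenant_policy("shared-data", "proj-b-0000")
    print(json.dumps(policy, indent=2))
    member_of_b = keystone_identity("proj-b-0000")
    member_of_c = keystone_identity("proj-c-0000")
    print("proj-b member can GetObject:", allowed_for(policy, member_of_b, "s3:GetObject"))
    print("proj-c member can GetObject:", allowed_for(policy, member_of_c, "s3:GetObject"))
    # A user-level principal cannot match under the modelled Keystone identity.
    print("user-level ARN matches:", principal_matches("arn:aws:iam::proj-b-0000:alice", member_of_b))
```

The JSON produced by `tenant_policy()` is in the shape `aws s3api put-bucket-policy --bucket <name> --policy file://policy.json` accepts against a RADOSGW endpoint; whether RGW itself evaluates a user-level principal under Keystone auth is exactly what the post asks, and the matcher above only encodes the poster's reading of it.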



