Hi,

Your DMZ is the S3 protocol. Access to buckets will be provided via S3 keys.
Just create as many users as you need.

If you definitely need a different "fake S3", I think creating other pools and RGW instances is a way to achieve a "real DMZ".

Cheers,
k

> On 23 Sep 2021, at 22:58, Manuel Holtgrewe <zyklenfrei@xxxxxxxxx> wrote:
>
> Dear all,
>
> Is it possible to achieve the following with rgw and the S3 protocol?
>
> I have a central Ceph cluster with rgw/S3 in my organisation and I have an
> internal network zone and a DMZ. Access from the internal network to Ceph
> is of course allowed.
>
> I want to expose certain parts of Ceph in the DMZ. The easiest solution
> would be to simply put a reverse proxy in the DMZ and allow the reverse
> proxy to access my rgws via HTTP(S) in the firewall.
>
> However, this provides access to ALL of my S3 data also from the DMZ.
>
> Is there a built-in feature in Ceph/rgw that would allow me to limit access
> to certain buckets only when they come from the DMZ?
>
> Of course, I could use the multi-tenancy feature OR even use user prefixes
> to limit access to a "public" tenant or users with prefix "public-". This
> would be fairly simple to configure with nginx, for example, to forward
> "everything '/public:*'" to "https://s3.example.com/public:*".
>
> Best wishes,
> Manuel
> _______________________________________________
> ceph-users mailing list -- ceph-users@xxxxxxx
> To unsubscribe send an email to ceph-users-leave@xxxxxxx
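The path rule from the quoted question (forward only '/public:*'), sketched as an added example that is not part of either message and is not Ceph or nginx code: a Python check of which request paths such a rule should let through, including encoded and dot-segment forms. The function name `dmz_allows`, the sample bucket and key names, and the restriction to path-style addressing are assumptions.

```python
from urllib.parse import unquote

ALLOWED_TENANT = "public"  # tenant name used in the thread


def dmz_allows(request_target: str, tenant: str = ALLOWED_TENANT) -> bool:
    """Decide whether a path-style S3 request may be forwarded from the DMZ.

    Assumes path-style addressing ("/tenant:bucket/key"); with virtual-hosted
    style the bucket is in the Host header and a path rule sees nothing.
    """
    path = request_target.partition("?")[0]
    # Decode once so "%3A" and "%2e%2e" are judged as ":" and "..".
    segments = unquote(path).split("/")
    if len(segments) < 2 or segments[0] != "":
        return False  # not an absolute path
    # Refuse dot segments instead of normalising them, so the proxy and the
    # gateway can never disagree about which bucket is addressed.
    if any(s in (".", "..") for s in segments):
        return False
    # Match the whole tenant name up to the colon, not a string prefix:
    # "/public" as a prefix would also admit a tenant called "publicity".
    name, colon, bucket = segments[1].partition(":")
    return colon == ":" and name == tenant and bucket != ""


# Constructed sample requests; bucket and key names are made up.
SAMPLES = [
    "/public:reports/2021/summary.csv",
    "/public%3Areports/summary.csv",
    "/public:reports?list-type=2",
    "/internal:finance/q3.xlsx",
    "/finance/q3.xlsx",
    "/publicity:reports/x",
    "/public:reports/../internal:finance/q3.xlsx",
    "/",
]

if __name__ == "__main__":
    for target in SAMPLES:
        print("forward" if dmz_allows(target) else "deny   ", target)
```

A rule like this only narrows what the proxy forwards; requests that pass it are still authorised by RGW against the S3 keys of the user, as the reply points out.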