Hi, thanks for the answer.

After studying the documentation a bit more (Ceph has a pretty steep learning curve) and reading your email, I figured out that it's probably best to have a separate "dmz" realm with separate RGWs on different ports and using a separate load balancing IP to partition the system.

Cheers,
Manuel

On Tue, Sep 28, 2021 at 12:27 PM Konstantin Shalygin <k0ste@xxxxxxxx> wrote:

> Hi,
>
> Your DMZ is S3 protocol. Access to buckets will be provided via S3 keys.
> Just create as many users as you need.
>
> If you definitely need a different "fake S3", I think creating other pools
> and RGW instances is a way to achieve a "real DMZ".
>
> Cheers,
> k
> Sent from my iPhone
>
> > On 23 Sep 2021, at 22:58, Manuel Holtgrewe <zyklenfrei@xxxxxxxxx> wrote:
> >
> > Dear all,
> >
> > Is it possible to achieve the following with rgw and the S3 protocol?
> >
> > I have a central Ceph cluster with rgw/S3 in my organisation and I have an
> > internal network zone and a DMZ. Access from the internal network to Ceph
> > is of course allowed.
> >
> > I want to expose certain parts of the Ceph in the DMZ. The easiest solution
> > would be to simply put a reverse proxy in the DMZ and allow the reverse
> > proxy to access my rgws via HTTP(S) in the firewall.
> >
> > However, this provides access to ALL of my S3 data also from the DMZ.
> >
> > Is there a built-in feature in Ceph/rgw that would allow me to limit access
> > to certain buckets only when they come from the DMZ?
> >
> > Of course, I could use the multi-tenancy feature OR even use user prefixes
> > to limit access to a "public" tenant or users with prefix "public-". This
> > would be fairly simple to configure with nginx, for example, to forward
> > "everything '/public:*'" to "https://s3.example.com/public:*".
> >
> > Best wishes,
> > Manuel
> > _______________________________________________
> > ceph-users mailing list -- ceph-users@xxxxxxx
> > To unsubscribe send an email to ceph-users-leave@xxxxxxx
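
The prefix-forwarding idea from the original question, as an added example that is not part of the thread or of Ceph: a strict allowlist check for path-style request targets that a DMZ proxy could apply before forwarding to RGW. The function name, the bucket-name pattern and the sample targets are assumptions constructed for illustration; virtual-hosted-style requests (bucket in the Host header) are not covered.

```python
import re
from urllib.parse import urlsplit, unquote

ALLOWED_TENANT = "public"  # the "public" tenant named in the thread
# Assumption: standard S3 bucket naming (3-63 chars); adjust for relaxed RGW names.
BUCKET_RE = re.compile(r"[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]")


def dmz_bucket(request_target):
    """Return 'public:<bucket>' if a path-style target may pass the DMZ, else None."""
    try:
        parts = urlsplit(request_target)
    except ValueError:
        return None
    # Accept only origin-form targets ("/path?query"), never absolute-form or "//host".
    if parts.scheme or parts.netloc or not parts.path.startswith("/"):
        return None
    raw = parts.path[1:].split("/")
    decoded = [unquote(seg) for seg in raw]
    for seg in decoded:
        # Dot segments, encoded separators and NUL can make proxy and RGW disagree
        # about which bucket a request addresses.
        if seg in (".", "..") or any(c in seg for c in "/\\\x00"):
            return None
        # Double encoding: refuse rather than guess how often upstream decodes.
        if unquote(seg) != seg:
            return None
    first = decoded[0]
    # The tenant:bucket segment must arrive unencoded, so the bytes that were
    # checked here are the bytes RGW parses.
    if raw[0] != first:
        return None
    tenant, sep, bucket = first.partition(":")
    if not sep or tenant != ALLOWED_TENANT or not BUCKET_RE.fullmatch(bucket):
        return None
    return first


if __name__ == "__main__":
    # Constructed sample targets, not taken from the thread.
    for target in ("/public:reports/2021/q3.csv?versionId=1",
                   "/internal:finance/ledger.csv",
                   "/public:reports/%2e%2e/internal:finance/ledger.csv",
                   "/public%3Areports/q3.csv"):
        print(f"{target!r:60} -> {dmz_bucket(target)}")
```

A check like this only narrows what the proxy forwards; the S3 keys and the separate realm discussed in the replies remain the actual access boundary.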