Re: [RGW] Is there a way for a user to change his secret key or create other keys?

On Monday, 9 October 2023, 17:12:53 CEST, Casey Bodley wrote:
> On Mon, Oct 9, 2023 at 9:16 AM Gilles Mocellin
> 
> <gilles.mocellin@xxxxxxxxxxxxxx> wrote:
> > Hello Cephers,
> > 
> > I was using Ceph with OpenStack, and users could add and remove credentials
> > with `openstack ec2 credentials` commands.
> > But, we are moving our Object Storage service to a new cluster, and
> > didn't want to tie it with OpenStack.
> > 
> > Is there a way to have a bit of self service for Rados Gateway, at least
> > for creating, deleting, changing S3 keys?
> > 
> > It does not seem to be part of S3 APIs.
> 
> right, user/role/key management is part of the IAM service in AWS, not
> S3. IAM exposes APIs like
> https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateAccessKey.html
> , etc
> 
> radosgw supports some of the IAM APIs related to roles and role/user
> policy, but not the ones for self-service user/key management. i'd
> love to add those eventually once we have an s3 'account' feature to
> base them on, but development there has been slow
> (https://github.com/ceph/ceph/pull/46373 tracks the most recent
> progress)
> 
> i'd agree that the radosgw admin APIs aren't a great fit because
> they're targeted at admins, rather than delegating self-service
> features to end users

Thank you, glad to see it's something that someone has already thought about.

I looked at other authentication mechanisms, like LDAP, Keycloak, STS...
And I don't think I understand everything.

As a great target, I'd like to build an IAM service, based on for example 
Keycloak.
But from what I understand of the documentation, everything around STS and 
Keycloak seems to be geared toward applications, which can negotiate tokens 
and use short-lived credentials?
Impossible to use some tools like rclone, restic, s3cmd, or existing apps that 
need just one pair of static S3 access and secret keys?

LDAP can do that, but there is no way to add new keys, just modify the one we 
have, based on the login/password.
It's already one step, but with some unintuitive tricks to encode the 
login/password into an S3 access key... with an empty S3 secret key...


_______________________________________________
ceph-users mailing list -- ceph-users@xxxxxxx
To unsubscribe send an email to ceph-users-leave@xxxxxxx
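The LDAP trick mentioned at the end of the reply above packs the login and password into the S3 access key and leaves the secret key empty. Here is an added example, not code from the thread or from Ceph itself, that builds such a token, shows it is trivially reversible (so the "access key" must be handled as a password, not as a public identifier), and scans a constructed rclone config for tokens that were committed by mistake. The JSON layout (`RGW_TOKEN` with `version`, `type`, `id`, `key`) is my assumption from the radosgw LDAP documentation.

```python
import base64
import json
import re
from typing import List, Optional

# Assumed layout of the token radosgw-token produces for LDAP users:
# base64({"RGW_TOKEN": {"version": 1, "type": "ldap", "id": <login>, "key": <password>}})
def encode_ldap_token(login: str, password: str) -> str:
    """Build the access key radosgw accepts for an LDAP user (the secret key stays empty)."""
    token = {"RGW_TOKEN": {"version": 1, "type": "ldap", "id": login, "key": password}}
    return base64.b64encode(json.dumps(token).encode()).decode()


def decode_ldap_token(access_key: str) -> Optional[dict]:
    """Return {"login", "password"} if access_key is an RGW LDAP token, else None.

    The encoding is not encryption: whoever sees the access key (logs, configs,
    proxies) has the LDAP password in clear.
    """
    try:
        outer = json.loads(base64.b64decode(access_key, validate=True))
        inner = outer["RGW_TOKEN"]
        if inner["type"] != "ldap" or inner["version"] != 1:
            return None
        return {"login": inner["id"], "password": inner["key"]}
    except (ValueError, KeyError, TypeError):
        # binascii.Error, UnicodeDecodeError and JSONDecodeError are all ValueError subclasses
        return None


# Candidate base64 runs; ordinary 20-char AWS-style access key IDs are shorter than this.
_B64_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def find_ldap_tokens(text: str) -> List[str]:
    """Scan config or log text and return the logins of any embedded LDAP tokens."""
    found = []
    for candidate in _B64_RE.findall(text):
        creds = decode_ldap_token(candidate)
        if creds:
            found.append(creds["login"])
    return found


# Constructed sample: an rclone remote set up with the LDAP trick, plus an unrelated
# (non-LDAP) key pair that the scanner must ignore.
SAMPLE_RCLONE_CONF = (
    "[rgw-ldap]\ntype = s3\nprovider = Ceph\n"
    f"access_key_id = {encode_ldap_token('alice', 'hunter2')}\n"
    "secret_access_key =\nendpoint = https://rgw.example.invalid\n\n"
    "[rgw-static]\ntype = s3\nprovider = Ceph\n"
    "access_key_id = AKIAIOSFODNN7EXAMPLE\n"
    "secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
)
```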



