IAM Policy Support

Hi Basavaraj,

I would like to add some more points to what Casey has already listed above.

When you say IAM policy, do you mean identity-based policies only? The document you shared implies that you plan to cover IAM policies attached to a user only. In that case, src/test/rgw/test_rgw_iam_policy.cc has unit tests related to Bucket Policies and Role Policies only. If you want to look at the usage of User Policies, that is covered in https://github.com/ceph/s3-tests/blob/master/s3tests_boto3/functional/test_sts.py#L157

RGW currently supports the implementation of REST APIs for PutUserPolicy, ListUserPolicies, GetUserPolicy and DeleteUserPolicies, which can be accessed via the s3 endpoint in rgw. There is support only for inline IAM policies (and not for managed or customer managed policies).

I have some questions on the document that you have shared: https://seagate-systems.atlassian.net/wiki/spaces/PUB/pages/942571634/IAM+Policy+Blueprint+Draft

1. IAM Policy grant across tenant doesn't work. - As far as I understand, user policies are not meant to provide cross account (in our case cross tenant) access. We have bucket policies for that and also STS AssumeRole to provide cross tenant access.

2. IAM Policy access control for IAM actions like PutUserPolicy not working - Can you elaborate on this?

Thank You,
Pritha
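As an added example (not code from this thread, from Ceph or from s3-tests) of exercising the four inline user-policy calls listed above through boto3's IAM client pointed at the RGW S3 endpoint: the endpoint, keys, user and bucket names are placeholders, and FakeIam is a constructed in-memory stand-in so the put/get/list/delete round-trip also runs offline.

```python
import json  # stdlib only; boto3 is imported just in the live-RGW __main__ block


def single_bucket_policy(bucket):
    """Inline policy allowing list/get/put on one bucket only (least privilege)."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListBucket"],
         "Resource": [f"arn:aws:s3:::{bucket}"]},
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": [f"arn:aws:s3:::{bucket}/*"]}]}


def roundtrip_user_policy(iam, user, policy_name, bucket):
    """Put, read back, list and delete one inline user policy; return the stored
    document. Raises RuntimeError if it drifted or the listing is inconsistent."""
    doc = single_bucket_policy(bucket)
    iam.put_user_policy(UserName=user, PolicyName=policy_name,
                        PolicyDocument=json.dumps(doc))
    stored = iam.get_user_policy(UserName=user, PolicyName=policy_name)["PolicyDocument"]
    if isinstance(stored, str):  # boto3 normally decodes this into a dict already
        stored = json.loads(stored)
    if policy_name not in iam.list_user_policies(UserName=user)["PolicyNames"]:
        raise RuntimeError(f"{policy_name} missing from ListUserPolicies")
    iam.delete_user_policy(UserName=user, PolicyName=policy_name)
    if policy_name in iam.list_user_policies(UserName=user)["PolicyNames"]:
        raise RuntimeError(f"{policy_name} still listed after DeleteUserPolicy")
    if stored != doc:
        raise RuntimeError("stored policy differs from what was sent")
    return stored


class FakeIam:
    """Constructed in-memory stand-in exposing the same four calls as boto3's IAM client."""
    def __init__(self):
        self.store = {}  # (UserName, PolicyName) -> document string
    def put_user_policy(self, UserName, PolicyName, PolicyDocument):
        self.store[(UserName, PolicyName)] = PolicyDocument
    def get_user_policy(self, UserName, PolicyName):
        return {"PolicyDocument": self.store[(UserName, PolicyName)]}
    def list_user_policies(self, UserName):
        return {"PolicyNames": [p for (u, p) in self.store if u == UserName]}
    def delete_user_policy(self, UserName, PolicyName):
        del self.store[(UserName, PolicyName)]


if __name__ == "__main__":  # live run: boto3 IAM client aimed at the RGW S3 endpoint
    import boto3
    iam = boto3.client("iam", endpoint_url="http://localhost:8000",  # placeholder endpoint/keys
                       aws_access_key_id="ACCESS", aws_secret_access_key="SECRET")
    print(json.dumps(roundtrip_user_policy(iam, "testuser", "one-bucket", "testbucket"), indent=2))
```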

On Wed, Mar 23, 2022 at 6:37 AM Basavaraj Kirunge <kirunge@xxxxxxxxx> wrote:
Thanks Casey, this PR https://github.com/ceph/ceph/pull/45528 was created by Mayank from our team to get early feedback.

On Tue, Mar 22, 2022, 11:15 PM Casey Bodley <cbodley@xxxxxxxxxx> wrote:
thanks, it's good to see more interest here! there was some recent
discussion on https://github.com/ceph/ceph/pull/45528 about how these
IAM APIs are currently exposed. with respect to test coverage, you can
find unit tests for the policy parsing and evaluation in
src/test/rgw/test_rgw_iam_policy.cc. there are also several tests for
these IAM APIs in s3-tests, under
s3tests_boto3/functional/test_sts.py, which we run under the rgw/sts
teuthology suite

On Tue, Mar 22, 2022 at 1:24 PM Basavaraj Kirunge <kirunge@xxxxxxxxx> wrote:
>
> Hi All,
>
>    We are exploring IAM Policy feature support in RGW and created this blueprint draft: https://seagate-systems.atlassian.net/wiki/spaces/PUB/pages/942571634/IAM+Policy+Blueprint
> We are still updating this with more details, but would like to hear any feedback/comments; we have also added this as an agenda item for the 23rd March RGW refactoring call for initial review and discussion.
> --
> Thanks and Regards,
>
> B a s a v a r a j   K i r u n g e
>
> _______________________________________________
> Dev mailing list -- dev@xxxxxxx
> To unsubscribe send an email to dev-leave@xxxxxxx
