<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Hello Openstack-Users,<br>
(this is somewhat of a cross-post with the ceph-users ML, I just
did not know where best to ask about this)</p>
<p>I've been wondering about the state of OpenStack Keystone Auth in
RADOSGW, especially in regards to the abilities to utilize bucket
policies restricting access to only those users and only those
objects which are required.<br>
</p>
<p>1) Even though the general documentation on RADOSGW S3 bucket
policies is a little "misleading"
<a class="moz-txt-link-freetext"
href="https://docs.ceph.com/en/latest/radosgw/bucketpolicy/#creation-and-removal">https://docs.ceph.com/en/latest/radosgw/bucketpolicy/#creation-and-removal</a>
in showing users being referred to as Principal,<br>
the documentation about Keystone integration at
<a class="moz-txt-link-freetext"
href="https://docs.ceph.com/en/latest/radosgw/keystone/#integrating-with-openstack-keystone">https://docs.ceph.com/en/latest/radosgw/keystone/#integrating-with-openstack-keystone</a>
clearly states that "A Ceph Object Gateway user is mapped into a
Keystone &lt;tenant&gt;".</p>
<p>In the keystone authentication code it strictly only takes the
project from the authenticating user:<br>
<br>
*
<a class="moz-txt-link-freetext"
href="https://github.com/ceph/ceph/blob/6ce6874bae8fbac8921f0bdfc3931371fc61d4ff/src/rgw/rgw_auth_keystone.cc#L127">https://github.com/ceph/ceph/blob/6ce6874bae8fbac8921f0bdfc3931371fc61d4ff/src/rgw/rgw_auth_keystone.cc#L127</a><br>
*
<a class="moz-txt-link-freetext"
href="https://github.com/ceph/ceph/blob/6ce6874bae8fbac8921f0bdfc3931371fc61d4ff/src/rgw/rgw_auth_keystone.cc#L515">https://github.com/ceph/ceph/blob/6ce6874bae8fbac8921f0bdfc3931371fc61d4ff/src/rgw/rgw_auth_keystone.cc#L515</a><br>
</p>
<p>This is rather unfortunate, as it renders the usually powerful S3
bucket policies rather basic: granting access to all
users (with a certain role) of a project or, more importantly, all
users of another project / tenant, as in using<br>
</p>
<p> arn:aws:iam::$OS_REMOTE_PROJECT_ID:root<br>
</p>
<p>as principal.<br>
</p>
<p>Or am I just misreading something here, or is this really all that
can be done when using native keystone auth?<br>
Apparently I was not the only one wondering ...
<a class="moz-txt-link-freetext" href="https://lists.ceph.io/hyperkitty/list/ceph-users@ceph.io/thread/7MXUZ63DEH7EQIZNXOYGZ5QDJ36EATYO/">https://lists.ceph.io/hyperkitty/list/ceph-users@ceph.io/thread/7MXUZ63DEH7EQIZNXOYGZ5QDJ36EATYO/</a></p>
<p>2) There is a PR open implementing generic external
authentication <a class="moz-txt-link-freetext"
href="https://github.com/ceph/ceph/pull/34093">https://github.com/ceph/ceph/pull/34093</a></p>
<p>Apparently this also addresses the lack of support for
subusers with Keystone - if I understand this correctly, I could
then grant access to individual users via<br>
</p>
<p> arn:aws:iam::$OS_REMOTE_PROJECT_ID:$user<br>
</p>
<p>* Are there any plans on the roadmap to extend the functionality
in regards to Keystone as an authentication backend?<br>
* Is anybody using another (custom) solution to allow more
fine-grained user and access management when utilizing Ceph for
their object storage? Are you perhaps not using Keystone
directly, but using a central database such as LDAP and having Ceph
and Keystone use that independently?<br>
</p>
<p>Regards</p>
Christian
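<p>As an added example (not from this message, nor Ceph's or OpenStack's own code): a least-privilege cross-project bucket policy using the project-level principal form discussed above, plus a small audit routine that reports which principals in a policy are project-level (the only form the message describes native Keystone auth as resolving), user-level, anonymous, or something else. The project id, bucket name and prefix are constructed placeholders.</p>

```python
import re

# Constructed placeholder, not a real Keystone project id.
REMOTE_PROJECT_ID = "0123456789abcdef0123456789abcdef"

# With native Keystone auth the RGW user *is* the Keystone project, so only the
# project-level ":root" principal matches an authenticated caller; a user-level
# principal is finer than that mapping can resolve.
PROJECT_PRINCIPAL = re.compile(r"^arn:aws:iam::[^:]+:root$")
USER_PRINCIPAL = re.compile(r"^arn:aws:iam::[^:]+:user/.+$")

def cross_project_read_policy(bucket, prefix, project_id):
    """Least-privilege read policy: one remote project, one key prefix."""
    root = f"arn:aws:iam::{project_id}:root"
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "RemoteProjectGetPrefix", "Effect": "Allow",
         "Principal": {"AWS": [root]},
         "Action": ["s3:GetObject"],
         "Resource": [f"arn:aws:s3:::{bucket}/{prefix}*"]},
        {"Sid": "RemoteProjectListPrefix", "Effect": "Allow",
         "Principal": {"AWS": [root]},
         "Action": ["s3:ListBucket"],
         "Resource": [f"arn:aws:s3:::{bucket}"],
         # Listing is limited to the same prefix so the grant stays narrow.
         "Condition": {"StringLike": {"s3:prefix": [f"{prefix}*"]}}},
    ]}

def classify_principal(arn):
    """'project' (Keystone tenant), 'user', 'anonymous' or 'other'."""
    if arn == "*":
        return "anonymous"
    if PROJECT_PRINCIPAL.match(arn):
        return "project"
    if USER_PRINCIPAL.match(arn):
        return "user"
    return "other"

def audit_principals(policy):
    """Return (Sid, principal, kind) for every principal in the policy."""
    report = []
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal", {})
        arns = principal.get("AWS", []) if isinstance(principal, dict) else principal
        if isinstance(arns, str):
            arns = [arns]
        for arn in arns:
            report.append((stmt.get("Sid", ""), arn, classify_principal(arn)))
    return report
```

<p>Running <code>audit_principals</code> over an existing policy before deploying it shows at a glance whether any grant relies on a user-level principal that Keystone-backed RGW would not match.</p>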
</body>
</html>