Ceph RADOSGW Keystone integration - S3 bucket policies targeting not just whole projects but particular users?

Christian Rohmann christian.rohmann at inovex.de
Mon Jun 21 10:39:13 UTC 2021


Hello OpenStack-Users,
(this is somewhat of a cross-post with the ceph-users ML, I just did not 
know where to ask about this best)


I've been wondering about the state of OpenStack Keystone Auth in 
RADOSGW, especially in regards to the abilities to utilize bucket 
policies restricting access to only those users and only those objects 
which are required.


1) Even though the general documentation on RADOSGW S3 bucket policies 
is a little "misleading" 
https://docs.ceph.com/en/latest/radosgw/bucketpolicy/#creation-and-removal 
in showing users being referred to as Principal,
the documentation about Keystone integration at 
https://docs.ceph.com/en/latest/radosgw/keystone/#integrating-with-openstack-keystone 
clearly states that "A Ceph Object Gateway user is mapped into a 
Keystone <tenant>".

In the keystone authentication code it strictly only takes the project 
from the authenticating user:

  * https://github.com/ceph/ceph/blob/6ce6874bae8fbac8921f0bdfc3931371fc61d4ff/src/rgw/rgw_auth_keystone.cc#L127
  * https://github.com/ceph/ceph/blob/6ce6874bae8fbac8921f0bdfc3931371fc61d4ff/src/rgw/rgw_auth_keystone.cc#L515


This is rather unfortunate as this renders the usually powerful S3 
bucket policies rather basic, granting access to all users 
(with a certain role) of a project or, more importantly, all users of 
another project / tenant, as in using

   arn:aws:iam::$OS_REMOTE_PROJECT_ID:root

as principal.

Or am I just misreading something here, or is this really all that can be 
done when using native Keystone auth?
Apparently I was not the only one wondering ... 
https://lists.ceph.io/hyperkitty/list/ceph-users@ceph.io/thread/7MXUZ63DEH7EQIZNXOYGZ5QDJ36EATYO/


2) There is a PR open implementing generic external authentication 
https://github.com/ceph/ceph/pull/34093

Apparently this seems to also address the lack of support for subusers 
for Keystone - if I understand this correctly I could then grant access 
to users

   arn:aws:iam::$OS_REMOTE_PROJECT_ID:$user



* Are there any plans on the roadmap to extend the functionality in 
regard to Keystone as an authentication backend?
* Is anybody using another (custom) solution to allow more 
fine-grained user and access management when utilizing Ceph for their 
object storage? Are you potentially not using Keystone directly but using 
a central database such as LDAP and having Ceph and Keystone use that 
independently?




Regards


Christian
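As an added example (not part of the mail, and not Ceph project code) of working within the project-only mapping described above: a bucket policy that grants every user of one remote Keystone project read-only access to a single prefix, using the `arn:aws:iam::<project_id>:root` principal form, plus a small lint that flags per-user principals, which the mail reports native Keystone auth does not map. `REMOTE_PROJECT_ID` is a constructed placeholder, and the "only `:root` is honoured" rule is taken as an assumption from the mail, not verified against a running gateway.

```python
import re

# Constructed sample identifier (not a real OpenStack project ID).
REMOTE_PROJECT_ID = "0f1e2d3c4b5a69788796a5b4c3d2e1f0"
# Assumption from the mail: native Keystone auth maps callers to a project
# only, so arn:aws:iam::<project_id>:root is the usable principal form and
# arn:aws:iam::<project_id>:<user> is not mapped.
_PRINCIPAL = re.compile(r"^arn:aws:iam::([^:]+):([^:]+)$")


def cross_project_read_policy(bucket, remote_project_id, prefix):
    """Read-only grant to every user of one remote Keystone project, limited
    to objects under `prefix`: the narrowest grant project scope allows."""
    arn = f"arn:aws:iam::{remote_project_id}:root"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ListPrefixOnly",
                "Effect": "Allow",
                "Principal": {"AWS": [arn]},
                "Action": ["s3:ListBucket"],
                "Resource": [f"arn:aws:s3:::{bucket}"],
                "Condition": {"StringLike": {"s3:prefix": [f"{prefix}/*"]}},
            },
            {
                "Sid": "GetPrefixObjects",
                "Effect": "Allow",
                "Principal": {"AWS": [arn]},
                "Action": ["s3:GetObject"],
                "Resource": [f"arn:aws:s3:::{bucket}/{prefix}/*"],
            },
        ],
    }


def lint_keystone_principals(policy):
    """Return (Sid, principal, reason) for each principal a Keystone-backed
    RGW would not honour as written, so the real blast radius is visible."""
    findings = []
    for stmt in policy["Statement"]:
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else [principal]
        for arn in ([aws] if isinstance(aws, str) else aws):
            m = _PRINCIPAL.match(arn)
            if m is None:
                findings.append((stmt["Sid"], arn, "unrecognised principal form"))
            elif m.group(2) != "root":
                findings.append((stmt["Sid"], arn, "per-user principal: not mapped"))
    return findings
```

Run the lint over any policy before applying it with `s3api put-bucket-policy`: a clean result means every grant is one the project-scoped mapping can actually enforce.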