Hallo Openstack-Users,

(this is somewhat of a cross-post with the ceph-users ML, I just did not know where to ask about this best)

I've been wondering about the state of OpenStack Keystone Auth in RADOSGW, especially in regards to the abilities to utilize bucket policies restricting access to only those users and only those objects which are required.

1) Even though the general documentation on RADOSGW S3 bucket policies is a little "misleading" https://docs.ceph.com/en/latest/radosgw/bucketpolicy/#creation-and-removal in showing users being referred to as Principal, the documentation about Keystone integration at https://docs.ceph.com/en/latest/radosgw/keystone/#integrating-with-openstack-keystone clearly states that "A Ceph Object Gateway user is mapped into a Keystone <tenant>".

In the keystone authentication code it strictly only takes the project from the authenticating user:
* https://github.com/ceph/ceph/blob/6ce6874bae8fbac8921f0bdfc3931371fc61d4ff/src/rgw/rgw_auth_keystone.cc#L127
* https://github.com/ceph/ceph/blob/6ce6874bae8fbac8921f0bdfc3931371fc61d4ff/src/rgw/rgw_auth_keystone.cc#L515

This is rather unfortunate as this renders the usually powerful S3 bucket policies to be rather basic with granting access to all users (with a certain role) of a project or, more importantly, all users of another project / tenant, as in using arn:aws:iam::$OS_REMOTE_PROJECT_ID:root as principal.

Or am I just misreading anything here or is this really all that can be done if using native keystone auth?

Apparently I was not the only one wondering ...
https://lists.ceph.io/hyperkitty/list/ceph-users@ceph.io/thread/7MXUZ63DEH7EQIZNXOYGZ5QDJ36EATYO/

2) There is a PR open implementing generic external authentication: https://github.com/ceph/ceph/pull/34093
Apparently this seems to also address the lack of support for subusers for Keystone - if I understand this correctly I could then grant access to users arn:aws:iam::$OS_REMOTE_PROJECT_ID:$user

* Are there any plans on the roadmap to extend the functionality in regards to keystone as authentication backend?
* Is anybody using another (custom) solution to allow a more fine-grained user and access management when utilizing Ceph for their object storage? Are you potentially not using Keystone directly and use a central database such as an LDAP and have Ceph and Keystone use that independently?

Regards
Christian
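The two policy shapes discussed in the post, the tenant-wide `arn:aws:iam::<project>:root` principal and the per-user principal the poster hopes the external-auth PR would enable, as an added illustration that is not part of the mailing-list message or of Ceph's code. The project IDs, bucket and user names are constructed placeholders; the `user/<name>` principal form follows the RGW bucket-policy documentation; `keystone_identity()` is a deliberately simplified model of the mapping the post quotes ("a Ceph Object Gateway user is mapped into a Keystone tenant"), meant to show why a per-user principal would not match under project-only mapping, not a reimplementation of rgw_auth_keystone.cc.

```python
from __future__ import annotations

import json
from fnmatch import fnmatchcase

# Constructed sample Keystone project IDs (placeholders, not real tenants).
LOCAL_PROJECT = "1111aaaa1111aaaa1111aaaa1111aaaa"
REMOTE_PROJECT = "2222bbbb2222bbbb2222bbbb2222bbbb"
OTHER_PROJECT = "3333cccc3333cccc3333cccc3333cccc"


def tenant_principal(project_id: str) -> str:
    """Principal matching every user of a Keystone project: the form the
    post says is all native Keystone auth can express."""
    return f"arn:aws:iam::{project_id}:root"


def user_principal(project_id: str, user: str) -> str:
    """Per-user principal in the tenant:user/<name> form of the RGW bucket
    policy docs; the post hopes the external-auth PR makes this usable
    with Keystone identities (assumption here, not current behaviour)."""
    return f"arn:aws:iam::{project_id}:user/{user}"


def read_only_bucket_policy(bucket: str, principals: list[str], prefix: str = "") -> dict:
    """Bucket policy granting list + read on one bucket, optionally limited
    to a key prefix, to the given principals (least privilege: no writes)."""
    object_arn = f"arn:aws:s3:::{bucket}/{prefix}*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ListBucket",
                "Effect": "Allow",
                "Principal": {"AWS": list(principals)},
                "Action": ["s3:ListBucket"],
                "Resource": [f"arn:aws:s3:::{bucket}"],
            },
            {
                "Sid": "GetObjects",
                "Effect": "Allow",
                "Principal": {"AWS": list(principals)},
                "Action": ["s3:GetObject"],
                "Resource": [object_arn],
            },
        ],
    }


def keystone_identity(token: dict) -> str:
    """Simplified model (assumption) of the mapping the post quotes: the
    authenticated Keystone user becomes the RGW tenant named after its
    project, so only the project reaches policy evaluation and the
    user name is dropped."""
    return tenant_principal(token["project_id"])


def is_allowed(policy: dict, token: dict, action: str, resource: str) -> bool:
    """Minimal Allow-only evaluation: true if some statement names the
    caller's effective principal, the action, and a matching resource."""
    ident = keystone_identity(token)
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if ident not in stmt["Principal"]["AWS"]:
            continue
        if action not in stmt["Action"]:
            continue
        if any(fnmatchcase(resource, pattern) for pattern in stmt["Resource"]):
            return True
    return False


def demo() -> dict:
    """Exercise both policy shapes against simulated Keystone tokens."""
    bucket = "shared-data"
    obj = f"arn:aws:s3:::{bucket}/reports/q1.csv"
    alice = {"project_id": REMOTE_PROJECT, "user_id": "alice"}
    bob = {"project_id": REMOTE_PROJECT, "user_id": "bob"}
    carol = {"project_id": OTHER_PROJECT, "user_id": "carol"}

    by_tenant = read_only_bucket_policy(bucket, [tenant_principal(REMOTE_PROJECT)], "reports/")
    by_user = read_only_bucket_policy(bucket, [user_principal(REMOTE_PROJECT, "alice")], "reports/")

    return {
        # tenant-scoped grant: every user of REMOTE_PROJECT gets in, other projects do not
        "tenant_alice": is_allowed(by_tenant, alice, "s3:GetObject", obj),
        "tenant_bob": is_allowed(by_tenant, bob, "s3:GetObject", obj),
        "tenant_carol": is_allowed(by_tenant, carol, "s3:GetObject", obj),
        # the key prefix still limits which objects are readable
        "tenant_outside_prefix": is_allowed(by_tenant, alice, "s3:GetObject", f"arn:aws:s3:::{bucket}/private/x"),
        # user-scoped grant: under project-only mapping even alice is denied
        "user_alice": is_allowed(by_user, alice, "s3:GetObject", obj),
    }


if __name__ == "__main__":
    print(json.dumps(read_only_bucket_policy("shared-data", [tenant_principal(REMOTE_PROJECT)], "reports/"), indent=2))
    print(demo())
```

The printed policy is what one would attach with `s3cmd setpolicy` or an equivalent client; the `demo()` results make the post's point concrete: with a project-only identity the tenant principal is the finest grain that can match, so object-level restriction has to come from `Resource` prefixes rather than from naming individual users.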