Bug #20570

Ceph - Keystone Implicit Tenants

Added by Ross Martyn almost 7 years ago. Updated over 2 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Target version:
-
% Done:

0%

Source:
Tags:
Backport:
Regression:
No
Severity:
3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:
Crash signature (v1):
Crash signature (v2):

Description

With RGW configured with 'rgw keystone implicit tenants = true' and associated keystone options set, RGW checks a Keystone endpoint to manage user access. The user gets created on the first request to RGW and you can check this with 'radosgw-admin user list'.

{{{
root@mon1:~# radosgw-admin user list
[
"dbdb3cb377b942e2beac64f01385c893$dbdb3cb377b942e2beac64f01385c893"
]
}}}

This shows the RGW users identified by Keystone UUIDs (tenant:tenant).

However, for swift ACL functionality to be effective, I would expect tenant:user, making way for per-user, per-tenant permissions.

This means that every user inside a tenant gets (in swift terms) 'account level access' which is effectively a tenant admin.

It seems that to support container-level access, the concept of tenant:user is needed. It also seems reasonable to suggest a configurable option to specify an account-level admin role, extending 'rgw keystone accepted roles' (i.e. a 'swift_proj_owner' role for the 'admin' of each tenant, and a 'swift_proj_user' role for normal users).


Note: the correct identifier for a 'Tenant' in OpenStack is now 'Project'. 'Tenant' is used in this ticket for consistency with the current implementation.
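The identity collapse described in this report, as an added example that is not part of the tracker entry or of Ceph's own code: a small Python model that maps Keystone identities to RGW user ids under the reported behaviour (project$project) and under the requested one (project$user), then evaluates Swift-style 'tenant:user' / 'tenant:*' ACL entries against each. The identity values, the ACL matching rules and the helper names are constructed for illustration; real RGW ACL evaluation has more cases than this.

```python
"""Added example (not from the tracker or from Ceph).

Hypothetical model: a Keystone identity is a (project_id, user_id) pair;
RGW stores a user as 'tenant$user' (the separator shown in the
'radosgw-admin user list' output above); a Swift container ACL is a list
of 'tenant:user' or 'tenant:*' entries compared against the caller's
RGW identity.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class KeystoneIdentity:
    project_id: str
    user_id: str


# Constructed sample data: the project id from the tracker output and
# two made-up Keystone user ids inside that same project.
PROJECT = "dbdb3cb377b942e2beac64f01385c893"
ALICE = KeystoneIdentity(PROJECT, "5a1c2f0d9e8b4c7fa6d3e2b1c0f9a8d7")
BOB = KeystoneIdentity(PROJECT, "0c9b8a7d6e5f4a3b2c1d0e9f8a7b6c5d")


def rgw_uid_current(identity: KeystoneIdentity) -> str:
    """RGW uid as reported: implicit tenants create 'project$project'."""
    return f"{identity.project_id}${identity.project_id}"


def rgw_uid_proposed(identity: KeystoneIdentity) -> str:
    """RGW uid the reporter expects: 'project$user'."""
    return f"{identity.project_id}${identity.user_id}"


def distinct_rgw_users(uid_func, identities) -> int:
    """How many separate RGW users a set of Keystone identities becomes."""
    return len({uid_func(i) for i in identities})


def acl_allows(acl_entries, rgw_uid: str) -> bool:
    """Evaluate Swift-style ACL entries against an RGW uid 'tenant$user'.

    'tenant:*' grants every user of that tenant; 'tenant:user' grants one.
    (Simplified model; assumption for this example.)
    """
    tenant, _, user = rgw_uid.partition("$")
    for entry in acl_entries:
        acl_tenant, _, acl_user = entry.partition(":")
        if acl_tenant != tenant:
            continue
        if acl_user == "*" or acl_user == user:
            return True
    return False


def distinguishable(uid_func, acl_entries, a: KeystoneIdentity, b: KeystoneIdentity) -> bool:
    """True if the ACL reaches different decisions for a and b under uid_func."""
    return acl_allows(acl_entries, uid_func(a)) != acl_allows(acl_entries, uid_func(b))


def main() -> None:
    per_user_grant = [f"{PROJECT}:{ALICE.user_id}"]
    whole_tenant_grant = [f"{PROJECT}:*"]
    for label, uid_func in (("current", rgw_uid_current), ("proposed", rgw_uid_proposed)):
        print(f"{label}: {distinct_rgw_users(uid_func, [ALICE, BOB])} RGW user(s) for 2 Keystone users")
        print(f"  grant to alice only -> alice={acl_allows(per_user_grant, uid_func(ALICE))}"
              f" bob={acl_allows(per_user_grant, uid_func(BOB))}")
        print(f"  grant to tenant:*   -> alice={acl_allows(whole_tenant_grant, uid_func(ALICE))}"
              f" bob={acl_allows(whole_tenant_grant, uid_func(BOB))}")


if __name__ == "__main__":
    main()
```

Under the current mapping both Keystone users become the single RGW user project$project, so a per-user grant never matches anyone and only tenant-wide grants have effect, which is the 'account level access' the report describes; under the project$user mapping the same per-user grant separates the two users.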
