Feature #6568
openceph-rest-api authentication
0%
Description
Hi All,
When using the radosgw admin API, I have to provide an AWS authorization header to requests and also ensure that the user I've built the header with has the necessary capabilities. Using the ceph-rest-api on the other hand, I am able to make requests without providing an authorization header.
Whilst I can run ceph-rest-api through Apache (or similar) and have that perform authentication, it would be nice to use the same user database that exists for radosgw. Also, the ceph-rest-api exposes a lot of destructive capabilities, so having it locked down by default would probably be advantageous.
Are there any existing plans to include authorization into the ceph-rest-api, and if not can we get this added to your feature backlog?
Thank you in advance for your assistance.
Regards,
Matt
Updated by Dan Mick over 10 years ago
I'm not aware of any such plans, no, Matt; we sort of look at the ceph-rest-api as
a way of allowing internal-net access to the cluster, where you have the same rights
and permissions as someone running a CLI command (which is equally as dangerous).
Certainly more authentication could be provided with middleware too; as ceph-rest-api
is a WSGI app, assembling a middleware stack, and providing a real web service (say,
uwsgi/nginx, or mod_wsgi/Apache) is doable. Flask itself provides the possibility
of adding middleware directly to to code too.