Support #20253
Ceph RGW Users (rgw keystone implicit tenants)
Description
Apologies, I am not 100% sure if this is expected behaviour or a bug; happy to re-write as a feature request if needed.
To pre-empt confusion, OpenStack Project = OpenStack Tenant.
With RGW configured with 'rgw keystone implicit tenants = true' and the associated keystone options set, we tell RGW to check a Keystone endpoint to manage user access. That works well: the user gets created on the first request to RGW, and you can check this with 'radosgw-admin user list'.
This shows the RGW users identified by Keystone UUIDs (project:project). This is not quite what I was expecting; I had imagined this would be project:user, making way for per-user, per-project permissions etc.
For example, project user 1 (non-admin) may wish to create a container that is read-only for user 2 (non-admin); they would expect to set the associated read ACLs to enable this on a per-container basis. However, in the current situation user 2 actually already has full access, as there is no differentiation between the users.
This means that every user inside a tenant gets (in swift terms) 'account level access' which is essentially a project admin.
It seems that to support container-level access, the concept of project:user is needed. It also seems reasonable to suggest a configurable option to specify an account-level admin role extending 'rgw keystone accepted roles' (i.e. a 'swift_proj_owner' role for the 'admin' of each tenant, and a 'swift_proj_user' role for normal users). There may well be a much better way to implement this!
Appreciate any feedback as to whether this is expected behaviour or not, and whether it's possible to implement further support.
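The following is an added audit script, not code from the ticket or from the Ceph project. It parses the JSON array that 'radosgw-admin user list' prints and flags the project:project users described above, so an operator can see which Keystone projects are sharing one RGW identity (and therefore account-level access) among all their users. The '$' separator between tenant and uid is an assumption of this example, and the project ids in the sample are constructed.

```python
import json
from collections import Counter

# Constructed sample in the shape `radosgw-admin user list` prints: a JSON
# array of user ids. Tenant-scoped ids are assumed here to use the
# "tenant$uid" form; the project ids below are made up for this example.
SAMPLE_USER_LIST = json.dumps([
    "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6$a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6",
    "f6e5d4c3b2a1f0e9d8c7b6a5f4e3d2c1$f6e5d4c3b2a1f0e9d8c7b6a5f4e3d2c1",
    "f6e5d4c3b2a1f0e9d8c7b6a5f4e3d2c1$alice",
    "local-admin",
])

TENANT_SEP = "$"  # assumed separator between tenant and uid in listed ids


def split_user_id(user_id):
    """Split "tenant$uid" into (tenant, uid); tenant is "" when absent."""
    tenant, sep, uid = user_id.partition(TENANT_SEP)
    if not sep:
        return "", user_id
    return tenant, uid


def find_implicit_tenant_users(user_list_json):
    """Return the ids whose tenant equals their uid.

    These are the project:project users that implicit tenants creates: one
    RGW identity per Keystone project, so every Keystone user in that project
    authenticates as the same RGW user and gets account-level access.
    """
    flagged = []
    for user_id in json.loads(user_list_json):
        tenant, uid = split_user_id(user_id)
        if tenant and tenant == uid:
            flagged.append(user_id)
    return flagged


def users_per_tenant(user_list_json):
    """Count distinct RGW users per tenant; a tenant whose only user is the
    project:project one has no per-user differentiation at all."""
    counts = Counter()
    for user_id in json.loads(user_list_json):
        tenant, _ = split_user_id(user_id)
        if tenant:
            counts[tenant] += 1
    return dict(counts)


if __name__ == "__main__":
    import sys
    # Pass a file holding real `radosgw-admin user list` output as argv[1]
    # to audit a live deployment; otherwise the constructed sample is used.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_USER_LIST
    for user_id in find_implicit_tenant_users(data):
        print("project-wide RGW user (no per-user ACLs possible):", user_id)
    print("RGW users per tenant:", users_per_tenant(data))
```

Any tenant reported with a count of 1 and a flagged project:project id is exactly the situation the ticket describes: container ACLs cannot distinguish user 1 from user 2 because both map to the same RGW user.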
History
#1 Updated by Nathan Cutler almost 7 years ago
- Tracker changed from Bug to Support
- Project changed from Ceph to rgw
- Category deleted (22)
#2 Updated by Ross Martyn over 6 years ago
This ticket has been restated at http://tracker.ceph.com/issues/20570 and improved for clarity. Please close this duplicate.