Bug #20570 (closed)
Ceph - Keystone Implicit Tenants
Description
With RGW configured with 'rgw keystone implicit tenants = true' and associated keystone options set, RGW checks a Keystone endpoint to manage user access. The user gets created on the first request to RGW and you can check this with 'radosgw-admin user list'.
{{{
root@mon1:~# radosgw-admin user list
[
"dbdb3cb377b942e2beac64f01385c893$dbdb3cb377b942e2beac64f01385c893"
]
}}}
This shows the RGW users identified by Keystone UUIDs (tenant:tenant).
However, for swift ACL functionality to be effective, I would expect tenant:user, making way for per user per tenant permissions.
This means that every user inside a tenant gets (in swift terms) 'account level access' which is effectively a tenant admin.
It seems that to support container level access, the concept of tenant:user is needed. It also seems reasonable to suggest a configurable option to specify an account level admin role extending 'rgw keystone accepted roles' (i.e. a 'swift_proj_owner' role for the 'admin' of each tenant, and a 'swift_proj_user' role for normal users).
Note, correct identifier for a 'Tenant' in OpenStack is now 'Project'. Tenant used in ticket for consistency with current implementation.
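As an added illustration (not Ceph code), a small C++ model of the identity mapping the ticket discusses: how a Keystone token collapses to tenant$tenant today versus tenant$user as proposed, and how a Swift-style "tenant:user" container ACL would then be evaluated with account-level access reserved for a configurable owner role. KeystoneTokenInfo, RgwIdentity, container_access_allowed and the role names are assumptions; the '$' separator is the one visible in the user list above.

```cpp
#include <algorithm>
#include <string>
#include <vector>

// Hypothetical stand-in for the validated Keystone token fields RGW would use.
struct KeystoneTokenInfo {
    std::string project_id;
    std::string user_id;
    std::vector<std::string> roles;
};

// Identity as RGW lists it: "<tenant>$<id>" (separator from 'radosgw-admin user list').
struct RgwIdentity {
    std::string tenant;
    std::string id;
    std::string to_string() const { return tenant + "$" + id; }
};

// Current behaviour (per_user == false): id copies the project id, so every
// user in the project collapses to one RGW user and gets account-level access.
// Proposed behaviour (per_user == true): keep the Keystone user id as well.
RgwIdentity resolve_identity(const KeystoneTokenInfo& tok, bool per_user) {
    return {tok.project_id, per_user ? tok.user_id : tok.project_id};
}

static bool has_role(const KeystoneTokenInfo& tok, const std::string& role) {
    return std::find(tok.roles.begin(), tok.roles.end(), role) != tok.roles.end();
}

// Account-level access is granted only to the configured owner role (the ticket
// suggests something like 'swift_proj_owner'); any other user needs a matching
// "tenant:user" entry in the container ACL. Assumed logic, not RGW's.
bool container_access_allowed(const KeystoneTokenInfo& tok,
                              const std::string& owner_role,
                              const std::string& container_tenant,
                              const std::vector<std::string>& container_acl) {
    RgwIdentity who = resolve_identity(tok, true);
    if (who.tenant == container_tenant && has_role(tok, owner_role))
        return true;  // project owner: account-level access
    const std::string entry = who.tenant + ":" + who.id;
    return std::find(container_acl.begin(), container_acl.end(), entry)
           != container_acl.end();
}
```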
Updated by Ross Martyn almost 7 years ago
Discussions with a developer at my end suggested it could be possible to use something like the following (based on a very brief introduction to the project):
@static void rgw_set_keystone_token_auth_info(KeystoneToken& token, struct rgw_swift_auth_info *info)
- info->user = token.get_project_id();
+ info->user.tenant = token.get_project_id();
+ info->user.id = token.get_user_id();
info->display_name = token.get_project_name();@
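Review bot: switching the identity from tenant$tenant to tenant$user leaves the users RGW has already created on first request (the dbdb...$dbdb... record shown in the description) stranded under the old scheme, so the change needs either a compatibility path for those records or an explicit note that they must be recreated. The unchanged `info->display_name = token.get_project_name();` line also means every user in a project would share one display name once users are distinct; if the token carries a user name, that is the better source for the per-user record.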
This should allow us to populate the user.id and make this available to validate user access and check ACL's against.
Updated by Ross Martyn almost 7 years ago
Ross Martyn wrote:
Discussions with a developer at my end suggested it could be possible to use something like the following (based on a very brief introduction to the project):
@static void rgw_set_keystone_token_auth_info(KeystoneToken& token, struct rgw_swift_auth_info *info)
- info->user = token.get_project_id();
+ info->user.tenant = token.get_project_id();
+ info->user.id = token.get_user_id();
info->display_name = token.get_project_name();@This should allow us to populate the user.id and make this available to validate user access and check ACL's against.
It looks like the code has been refactored since this was valid! Apologies!