Bug #20570

Ceph - Keystone Implicit Tenants

Added by Ross Martyn over 4 years ago. Updated about 4 years ago.

Status: New
Priority: Normal
Assignee: -
Target version: -
% Done: 0%
Source:
Tags:
Backport:
Regression: No
Severity: 3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:
Crash signature (v1):
Crash signature (v2):

Description

With RGW configured with 'rgw keystone implicit tenants = true' and associated keystone options set, RGW checks a Keystone endpoint to manage user access. The user gets created on the first request to RGW and you can check this with 'radosgw-admin user list'.

{{{
root@mon1:~# radosgw-admin user list
[
"dbdb3cb377b942e2beac64f01385c893$dbdb3cb377b942e2beac64f01385c893"
]
}}}

This shows the RGW users identified by Keystone UUIDs (tenant:tenant).

However, for swift ACL functionality to be effective, I would expect tenant:user, making way for per user per tenant permissions.

This means that every user inside a tenant gets (in swift terms) 'account level access', which is effectively a tenant admin.

It seems that to support container level access, the concept of tenant:user is needed. It also seems reasonable to suggest a configurable option to specify an account level admin role, extending 'rgw keystone accepted roles' (i.e. a 'swift_proj_owner' role for the 'admin' of each tenant, and a 'swift_proj_user' role for normal users).


Note: the correct identifier for a 'Tenant' in OpenStack is now 'Project'. 'Tenant' is used in this ticket for consistency with the current implementation.
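The following is an added model of the behaviour the description reports; it is constructed example code, not Ceph/RGW source. It assumes a simplified Swift container ACL syntax ('tenant:user' or 'tenant:*'), reuses the project id from the 'radosgw-admin user list' output above, and treats the 'swift_proj_owner' / 'swift_proj_user' role names from the ticket as hypothetical. It shows why the current tenant:tenant mapping makes every project member the account owner, so a container ACL is never consulted, and how a tenant:user mapping plus an owner role changes that.

```python
"""Model of Swift authorization under the two Keystone identity mappings compared in the ticket.

Constructed example, not RGW code.  Role names swift_proj_owner / swift_proj_user are the
hypothetical ones proposed in the ticket; the project id is the one from the user listing.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class KeystoneToken:
    project_id: str
    project_name: str
    user_id: str
    roles: frozenset


@dataclass(frozen=True)
class RgwUser:
    tenant: str
    id: str

    def __str__(self) -> str:
        # radosgw-admin prints users as "<tenant>$<id>"
        return f"{self.tenant}${self.id}"


def map_identity(token: KeystoneToken, per_user: bool) -> RgwUser:
    """Current implicit-tenant mapping (per_user=False): tenant and id are both the project id,
    so every user of the project resolves to the same rgw_user.
    Proposed mapping (per_user=True): tenant = project id, id = Keystone user id."""
    if per_user:
        return RgwUser(token.project_id, token.user_id)
    return RgwUser(token.project_id, token.project_id)


def parse_acl(header: str) -> set:
    """Parse a Swift container ACL such as 'P:alice,Q:*' into a set of (tenant, user).
    A bare tenant with no ':' is treated as 'tenant:*' (assumed simplification)."""
    grants = set()
    for item in header.split(","):
        item = item.strip()
        if not item:
            continue
        tenant, sep, user = item.partition(":")
        grants.add((tenant, user if sep else "*"))
    return grants


def authorize(token: KeystoneToken, account: str, acl_header: str, per_user: bool,
              accepted_roles: frozenset, owner_role: str = None) -> str:
    """Return 'owner', 'acl' or 'deny' for a request against the Swift account `account`
    (the project id)."""
    if not (token.roles & accepted_roles):
        return "deny"  # mirrors 'rgw keystone accepted roles'
    ident = map_identity(token, per_user)
    # The account's buckets are owned by rgw_user <account>$<account>.  Under the current
    # mapping every project member resolves to exactly that user, so all of them are owners.
    if ident == RgwUser(account, account):
        return "owner"
    # Proposed: account-level access only for holders of the (hypothetical) owner role.
    if owner_role and owner_role in token.roles and ident.tenant == account:
        return "owner"
    grants = parse_acl(acl_header)
    if (ident.tenant, ident.id) in grants or (ident.tenant, "*") in grants:
        return "acl"
    return "deny"


def demo():
    """Evaluate three project members against a container readable only by alice."""
    project = "dbdb3cb377b942e2beac64f01385c893"  # project id from the ticket's listing
    accepted = frozenset({"_member_", "admin", "swift_proj_owner", "swift_proj_user"})
    alice = KeystoneToken(project, "proj", "alice", frozenset({"swift_proj_user"}))
    bob = KeystoneToken(project, "proj", "bob", frozenset({"swift_proj_user"}))
    carol = KeystoneToken(project, "proj", "carol", frozenset({"swift_proj_owner"}))
    acl = f"{project}:alice"  # constructed X-Container-Read value
    current = {t.user_id: authorize(t, project, acl, False, accepted)
               for t in (alice, bob, carol)}
    proposed = {t.user_id: authorize(t, project, acl, True, accepted, "swift_proj_owner")
                for t in (alice, bob, carol)}
    return current, proposed


if __name__ == "__main__":
    cur, prop = demo()
    print("current mapping :", cur)    # every member is 'owner'; the ACL is never reached
    print("proposed mapping:", prop)   # alice via ACL, bob denied, carol via owner role
```

With the current mapping all three tokens resolve to the same rgw_user and are granted as owner, which is the 'account level access' the description complains about; only the per-user mapping lets the container ACL distinguish alice from bob.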

History

#1 Updated by Ross Martyn about 4 years ago

Discussions with a developer at my end suggested it could be possible to use something like the following (based on a very brief introduction to the project):

@static void rgw_set_keystone_token_auth_info(KeystoneToken& token, struct rgw_swift_auth_info *info)

- info->user = token.get_project_id();
+ info->user.tenant = token.get_project_id();
+ info->user.id = token.get_user_id();
info->display_name = token.get_project_name();@
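Review bot: after this hunk the user key changes from <project>$<project> (the form shown by radosgw-admin user list in the description) to <project>$<user>, so buckets and ACL grants already owned by the tenant-keyed pseudo-user would no longer resolve to any of the new per-user identities; the change needs a migration or compatibility path, and should sit behind a config option rather than replace the existing behaviour unconditionally. Two smaller points: info->display_name is still filled from token.get_project_name() although the identity is now per user, so it should probably use the user's name instead, and populating user.id alone does not stop every accepted role from receiving account-level access; the owner/user role split the description asks for would need a separate check.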

This should allow us to populate the user.id and make this available to validate user access and check ACLs against.

#2 Updated by Ross Martyn about 4 years ago

Ross Martyn wrote:

Discussions with a developer at my end suggested it could be possible to use something like the following (based on a very brief introduction to the project):

@static void rgw_set_keystone_token_auth_info(KeystoneToken& token, struct rgw_swift_auth_info *info)

- info->user = token.get_project_id();
+ info->user.tenant = token.get_project_id();
+ info->user.id = token.get_user_id();
info->display_name = token.get_project_name();@

This should allow us to populate the user.id and make this available to validate user access and check ACLs against.

It looks like the code has been refactored since this was valid! Apologies!
