Project

General

Profile

Actions
Copy link

Feature #49602

open

RGW does not support Keystone Application Credential access rules

Added by Joseph Marsden about 3 years ago. Updated about 3 years ago.

Status:
New
Priority:
Normal
Assignee:
-
Target version:
-
% Done:

0%

Source:
Tags:
Backport:
Reviewed:
Affected Versions:
Pull request ID:

Description

As per the title. The Keystone TokenEngine needs to support them.

Actions
Copy link
 #1

Updated by Matt Benjamin about 3 years ago

There is work planned to enforce https://docs.openstack.org/patrole/latest/rbac-overview.html, is this in any way related?

Matt

Actions
Copy link
 #2

Updated by Joseph Marsden about 3 years ago

Matt Benjamin wrote:

There is work planned to enforce https://docs.openstack.org/patrole/latest/rbac-overview.html, is this in any way related?

Matt

Seems like that'd be a prerequisite to implement this, after that's done I believe what would need to be done is to pass the "OpenStack-Identity-Access-Rules" header in and then match the access rules in the decoded token against the API paths.

Actions
Copy link
 #3

Updated by Matt Benjamin about 3 years ago

Thanks, Joseph. Just to clarify, are you planning to implement this?

Matt

Actions
Copy link
 #4

Updated by Joseph Marsden about 3 years ago

Matt Benjamin wrote:

Thanks, Joseph. Just to clarify, are you planning to implement this?

Matt

I will give it a try but I am quite new to the Ceph project, so will see how it goes.

Actions
Copy link
 #5

Updated by Matt Benjamin about 3 years ago

We welcome the help. Remember that there are 4 upstream RGW developer standups you're invited to attend (basically mornings M, T, R, F), and there's also a more in-depth meeting ("rgw refactoring") on Wed. at 11:30 eastern, if you get stuck or would like to discuss design. Most info is on community calendar (https://ceph.io/contribute/).

regards,

Matt

Actions
Copy link

Also available in: Atom PDF