Feature #49602
RGW does not support Keystone Application Credential access rules
Description
As per the title. The Keystone TokenEngine needs to support them.
Updated by Matt Benjamin about 3 years ago
There is work planned to enforce https://docs.openstack.org/patrole/latest/rbac-overview.html, is this in any way related?
Matt
Updated by Joseph Marsden about 3 years ago
Matt Benjamin wrote:
> There is work planned to enforce https://docs.openstack.org/patrole/latest/rbac-overview.html, is this in any way related?
> Matt
Seems like that'd be a prerequisite to implement this. After that's done, I believe what would need to be done is to pass the "OpenStack-Identity-Access-Rules" header in and then match the access rules in the decoded token against the API paths.
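The matching step described in the comment above, sketched as an added example; it is not RGW or Keystone code. It assumes each access rule carries `service`, `method` and `path`, with Keystone's `*`, `**` and `{name}` path wildcards simplified to whole path segments; the struct, function names, service type and sample paths are hypothetical.

```cpp
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

// One rule from the token's application-credential access rules (assumed layout).
struct AccessRule { std::string service, method, path; };

// Split on '/', dropping empty segments. Assumes the path is already
// URL-decoded and normalized by the caller.
static std::vector<std::string> split_path(const std::string& p) {
  std::vector<std::string> out;
  std::stringstream ss(p);
  std::string seg;
  while (std::getline(ss, seg, '/'))
    if (!seg.empty()) out.push_back(seg);
  return out;
}

// "*" and "{name}" match exactly one segment; a trailing "**" matches one or
// more remaining segments. A "**" anywhere else is rejected (fail closed).
static bool path_matches(const std::string& pattern, const std::string& path) {
  const auto pat = split_path(pattern), req = split_path(path);
  size_t i = 0;
  for (; i < pat.size(); ++i) {
    if (pat[i] == "**") return i + 1 == pat.size() && i < req.size();
    if (i >= req.size()) return false;
    const std::string& s = pat[i];
    bool wild = s == "*" || (s.size() >= 2 && s.front() == '{' && s.back() == '}');
    if (!wild && s != req[i]) return false;
  }
  return i == req.size();
}

// Default deny: allowed only if one rule matches service, method and path.
// Call this only for tokens that actually carry access rules.
bool request_allowed(const std::vector<AccessRule>& rules, const std::string& service,
                     const std::string& method, const std::string& path) {
  for (const auto& r : rules)
    if (r.service == service && r.method == method && path_matches(r.path, path))
      return true;
  return false;
}

int main() {
  // Constructed sample rules and requests; "object-store" is an assumed service type.
  std::vector<AccessRule> rules = {{"object-store", "GET", "/v1/{account}/backups/*"}};
  std::cout << request_allowed(rules, "object-store", "GET", "/v1/AUTH_demo/backups/db.tar")
            << request_allowed(rules, "object-store", "PUT", "/v1/AUTH_demo/backups/db.tar") << "\n";
}
```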
Updated by Matt Benjamin about 3 years ago
Thanks, Joseph. Just to clarify, are you planning to implement this?
Matt
Updated by Joseph Marsden about 3 years ago
Matt Benjamin wrote:
> Thanks, Joseph. Just to clarify, are you planning to implement this?
> Matt
I will give it a try but I am quite new to the Ceph project, so will see how it goes.
Updated by Matt Benjamin about 3 years ago
We welcome the help. Remember that there are 4 upstream RGW developer standups you're invited to attend (basically mornings M, T, R, F), and there's also a more in-depth meeting ("rgw refactoring") on Wed. at 11:30 Eastern, if you get stuck or would like to discuss design. Most info is on the community calendar (https://ceph.io/contribute/).
regards,
Matt