Curious if anyone had any guidance on this question...
On 4/29/23 7:47 AM, Brad House wrote:
I'm in the process of exploring if it is worthwhile to add RadosGW to
our existing ceph cluster. We've had a few internal requests for
exposing the S3 API for some of our business units, right now we just
use the ceph cluster for VM disk image storage via RBD.
Everything looks pretty straightforward until we hit multitenancy.
The page on multi-tenancy doesn't dive into permission delegation:
The end goal I want is to be able to create a single user per tenant
(Business Unit) which will act as their 'administrator', where they
can then do basically whatever they want under their tenant sandbox
(though I don't think we need more advanced cases like creations of
roles or policies, just create/delete their own users, buckets,
objects). I was hopeful this would just work, and I asked on the ceph
IRC channel on OFTC and was told once I grant a user caps="users=*",
they would then be allowed to create users *outside* of their own
tenant using the Rados Admin API and that I should explore IAM roles.
I think it would make sense to add a feature, such as a flag that can
be set on a user, to ensure they stay in their "sandbox". I'd assume
this is probably a common use-case.
Anyhow, if it's possible to do today using IAM roles/policies, then
great, unfortunately this is my first time looking at this stuff and
there are some things not immediately obvious.
I saw this online about AWS itself and creating a permissions
boundary, but that's for allowing creation of roles within a boundary:
I'm not sure what "Action" is associated with the Rados Admin API
create user for applying a boundary that the user can only create
users with the same tenant name.
Any guidance on this would be extremely helpful.