With a bucket policy, user A can grant user B access to put objects on bucket C. So if this policy is sent to Ceph and OPA integration is enabled, it will be discarded, because the policy isn't sent to the OPA server to be updated.
Here is the documentation for bucket policy:
With this PR, when a user sets a bucket policy, the data of that policy will be sent to the OPA server to be applied, so OPA can grant access to the user who gets access to the bucket via the bucket policy.
On Fri, Jan 17, 2020 at 8:24 PM Ash Narkar <firstname.lastname@example.org> wrote:
The OPA integration is with the RGW, and the intent is to check if an authenticated user is allowed to perform a particular action on a particular resource. For example, can Bob delete a bucket based on some attribute like his location? I am not familiar with the internals of Ceph's bucket policy command. It would be great to get some context here and discuss if the bucket policy can be authorized with OPA, which is the intent of your PR, I believe.
So when OPA integration is enabled, bucket policies from users will not work!
I think it's about Ceph architecture, not OPA, because OPA is for authorizing requests, and bucket policy is one of the authorization methods that OPA should support.
As I wrote in a comment on your PR, my current intuition is that what
you're doing here isn't consistent with the original intent of the OPA
integration we currently have, nor with the OPA model in general.
That said, I'd really like some feedback from OPA architects, CC'd.
On Thu, Jan 16, 2020 at 5:04 AM Seena Fallah <email@example.com> wrote:
> Hi all. In the OPA integration from Ceph there is no integration for bucket policy.
> When a user sets a bucket policy on his/her bucket, the OPA server won't get who gets access to that bucket, so after that, if a request comes from the user (who gets access to that bucket via the bucket policy) to access that bucket (PUT, GET, ...), OPA will reject it because there is no data in the database.
> I have created a pull request for this problem, so if a user creates a bucket policy for his/her bucket, the policy data will be sent to the OPA server to be updated in the database.
> I think the main idea of having OPA is to have all authorization in OPA and Ceph doesn't authorize any request by itself.
> Here is the pull request, and I would be thankful to hear your comments.
> Dev mailing list -- firstname.lastname@example.org
> To unsubscribe send an email to email@example.com
Red Hat, Inc.
315 West Huron Street, Suite 140A
Ann Arbor, Michigan 48103
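A toy illustration of the point debated in this thread, added here as an example; it is not code from Ceph RGW, from OPA, or from the pull request under discussion. It evaluates an S3-style bucket policy (user A grants user B `s3:PutObject` on bucket C, with an explicit Deny on a `private/` prefix) from the position an external authorizer such as OPA occupies: the same request from B is rejected when the authorizer holds no bucket-policy data and allowed once that data is available. The request field names, the owner-always-allowed shortcut, and the sample policy are assumptions of this example, not RGW's actual OPA input document.

```python
"""
Constructed example (not Ceph RGW or OPA code): a minimal evaluator for an
S3-style bucket policy, showing that an external authorizer can only honour a
bucket-policy grant if it holds the bucket-policy data.
The request field names below are assumptions for this example, not the real
input document RGW sends to OPA.
"""
import fnmatch

# Constructed bucket policy: owner A grants user B PutObject on bucket C,
# except under the private/ prefix, which is explicitly denied.
BUCKET_POLICY_C = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": ["arn:aws:iam:::user/B"]},
            "Action": ["s3:PutObject"],
            "Resource": ["arn:aws:s3:::C/*"],
        },
        {
            "Effect": "Deny",
            "Principal": {"AWS": ["arn:aws:iam:::user/B"]},
            "Action": ["s3:PutObject"],
            "Resource": ["arn:aws:s3:::C/private/*"],
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # Policy elements may use '*' wildcards, e.g. "s3:*" or "arn:aws:s3:::C/*".
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def principal_matches(principal, user_arn):
    if principal == "*":
        return True
    return _matches(principal.get("AWS", []), user_arn)


def evaluate_bucket_policy(policy, user_arn, action, resource_arn):
    """Return 'Allow', 'Deny', or None when no statement applies.
    An explicit Deny always wins over an Allow, as in S3 policy evaluation."""
    decision = None
    for stmt in policy.get("Statement", []):
        if not principal_matches(stmt.get("Principal", {}), user_arn):
            continue
        if not _matches(stmt.get("Action", []), action):
            continue
        if not _matches(stmt.get("Resource", []), resource_arn):
            continue
        if stmt.get("Effect") == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def authorize(request, bucket_policies, owners):
    """Authorizer in OPA's position: it can decide only from the data it holds.
    `bucket_policies` is the per-bucket policy data that has (or has not) been
    pushed to it; `owners` maps bucket name to owning user (simplification)."""
    bucket, user = request["bucket"], request["user"]
    if owners.get(bucket) == user:
        return True  # bucket owner shortcut (assumption of this example)
    policy = bucket_policies.get(bucket)
    if policy is None:
        # No bucket-policy data: nothing grants access, so the request is rejected.
        # This is the failure mode described in the thread.
        return False
    obj = request.get("object")
    resource = f"arn:aws:s3:::{bucket}/{obj}" if obj else f"arn:aws:s3:::{bucket}"
    verdict = evaluate_bucket_policy(policy, f"arn:aws:iam:::user/{user}",
                                     request["action"], resource)
    return verdict == "Allow"


OWNERS = {"C": "A"}
PUT_BY_B = {"user": "B", "action": "s3:PutObject", "bucket": "C", "object": "report.csv"}


def without_policy_data():
    """B's PUT when the authorizer never received the bucket policy."""
    return authorize(PUT_BY_B, {}, OWNERS)


def with_policy_data():
    """B's PUT once the bucket policy has been pushed to the authorizer."""
    return authorize(PUT_BY_B, {"C": BUCKET_POLICY_C}, OWNERS)


if __name__ == "__main__":
    print("authorizer lacks bucket policy:", without_policy_data())
    print("authorizer holds bucket policy:", with_policy_data())
```

The two top-level functions are the whole argument in miniature: the authorizer's answer flips from deny to allow on identical input purely because the bucket-policy data became available to it, while the grant stays narrow (B still cannot GET, and the `private/` Deny still wins).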