The OPA integration is with the RGW and the intent is to check if an
authenticated user is allowed to perform a particular action on a
particular resource. For example, can Bob delete a bucket based on some
attribute like his location? I am not familiar with the internals of Ceph's
bucket policy command. It would be great to get some context here and
discuss if the bucket policy can be authorized with OPA, which is the intent
of your PR, I believe.
On Fri, Jan 17, 2020 at 6:33 AM Seena Fallah <seenafallah(a)gmail.com> wrote:
So when OPA integration is enabled the bucket policy
from users will not
I think it’s about Ceph architecture not OPA because OPA is for
authorizing the requests and bucket policy is one of the authorizing
methods that OPA should support.
On Fri, Jan 17, 2020 at 5:56 PM Matt Benjamin <mbenjami(a)redhat.com> wrote:
> Hi Seena,
> As I wrote in a comment on your PR, my current intuition is that what
> you're doing here isn't consistent with the original intent of the OPA
> integration we currently have, nor with the OPA model in general.
> That said, I'd really like some feedback from OPA architects, CC'd.
> On Thu, Jan 16, 2020 at 5:04 AM Seena Fallah <seenafallah(a)gmail.com>
> > Hi all. In OPA integration from Ceph there is no integration for bucket
> > When a user is setting a bucket policy on his/her bucket, the OPA server
> > won't get who gets access to that bucket, so after that, if a request
> > comes from the user (who gets access to that bucket via bucket policy) to
> > access that bucket (PUT, GET, ...), OPA will reject it because there is no
> > data in the database.
> > I have created a pull request for this problem, so if a user creates a
> > bucket policy for his/her bucket, the policy data will be sent to the OPA
> > server to be updated in the database.
> > I think the main idea of having OPA is to have all authorization in OPA,
> > and Ceph doesn't authorize any request by itself.
> > Here is the pull request and I would be thankful to hear about your
> > https://github.com/ceph/ceph/pull/32294
> > Thanks.
> Matt Benjamin
> Red Hat, Inc.
> 315 West Huron Street, Suite 140A
> Ann Arbor, Michigan 48103
> tel. 734-821-5101
> fax. 734-769-8938
> cel. 734-216-5309