Hello Seena,

The OPA integration is with the RGW and the intent is to check if an authenticated user is allowed to perform a particular action on a particular resource. For example, can Bob delete a bucket based on some attribute like his location. I am not familiar with the internals of Ceph's bucket policy command. It would be great to get some context here and discuss if the bucket policy can be authorized with OPA which is the intent of your PR I believe. 


On Fri, Jan 17, 2020 at 6:33 AM Seena Fallah <seenafallah@gmail.com> wrote:
So when OPA integration is enabled the bucket policy from users will not work!
I think it’s about Ceph architecture not OPA because OPA is for authorizing the requests and bucket policy is one of the authorizing methods that OPA should support.

On Fri, Jan 17, 2020 at 5:56 PM Matt Benjamin <mbenjami@redhat.com> wrote:
Hi Seena,

As I wrote in a comment on your PR, my current intuition is that what
you're doing here isn't consistent with the original intent of the OPA
integration we currently have, nor with the OPA model in general.

That said, I'd really like some feedback from OPA architects, CC'd.



On Thu, Jan 16, 2020 at 5:04 AM Seena Fallah <seenafallah@gmail.com> wrote:
> Hi all. In OPA integration from Ceph there is no integration for bucket policy.
> When user is setting bucket policy to his/her bucket the OPA server won't get who get's access to that bucket so after that if the request is coming from the user (that gets access to that bucket via bucket policy) to access that bucket (PUT, GET,...), OPA will reject that because of no data in database.
> I have create a pull request for this problem so if user creates a bucket policy for his/her bucket, the policy data will send to OPA server to be update on the database.
> I think the main idea of having OPA is to have all authorization in OPA and Ceph don't authorize any request by it self.
> Here is the pull request and I would be thankful to hear about your comments.
> https://github.com/ceph/ceph/pull/32294
> Thanks.
> _______________________________________________
> Dev mailing list -- dev@ceph.io
> To unsubscribe send an email to dev-leave@ceph.io


Matt Benjamin
Red Hat, Inc.
315 West Huron Street, Suite 140A
Ann Arbor, Michigan 48103


tel.  734-821-5101
fax.  734-769-8938
cel.  734-216-5309