So when OPA integration is enabled the bucket policy from users will not
work!
I think it’s about Ceph architecture not OPA because OPA is for authorizing
the requests and bucket policy is one of the authorizing methods that OPA
should support.
On Fri, Jan 17, 2020 at 5:56 PM Matt Benjamin <mbenjami(a)redhat.com> wrote:
Hi Seena,
As I wrote in a comment on your PR, my current intuition is that what
you're doing here isn't consistent with the original intent of the OPA
integration we currently have, nor with the OPA model in general.
That said, I'd really like some feedback from OPA architects, CC'd.
regards,
Matt
On Thu, Jan 16, 2020 at 5:04 AM Seena Fallah <seenafallah(a)gmail.com> wrote:
Hi all. In the OPA integration from Ceph there is no integration for
bucket policy.
When a user sets a bucket policy on his/her bucket, the OPA server
won't get who gets access to that bucket, so after that, if a request
comes from the user (that gets access to that bucket via bucket policy)
to access that bucket (PUT, GET, ...), OPA will reject it because of no
data in the database.
I have created a pull request for this problem, so if a user creates a
bucket policy for his/her bucket, the policy data will be sent to the
OPA server to be updated in the database.
I think the main idea of having OPA is to have all authorization in OPA,
and Ceph doesn't authorize any request by itself.
Here is the pull request, and I would be thankful to hear your
comments.
https://github.com/ceph/ceph/pull/32294
Thanks.
--
Matt Benjamin
Red Hat, Inc.
315 West Huron Street, Suite 140A
Ann Arbor, Michigan 48103
http://www.redhat.com/en/technologies/storage
tel. 734-821-5101
fax. 734-769-8938
cel. 734-216-5309