Bug 1473190

Summary: Test various S3 authentication mechanisms added to S3a in Hadoop 2.8.0
Product: [Red Hat Storage] Red Hat Ceph Storage
Reporter: Kyle Bader <kbader>
Component: RGW
Assignee: Matt Benjamin (redhat) <mbenjamin>
Status: CLOSED NOTABUG
QA Contact: ceph-qe-bugs <ceph-qe-bugs>
Severity: medium
Priority: low
Version: 3.0
CC: anharris, cbodley, ceph-eng-bugs, flucifre, kbader, kdreyer, mbenjamin, nlevine, scohen, sweil, tchandra, uboppana, vakulkar
Target Milestone: rc
Target Release: 4.0
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Last Closed: 2019-02-20 14:31:39 UTC
Type: Bug
Bug Blocks: 1473188

Description Kyle Bader 2017-07-20 08:19:11 UTC
So far, our testing of S3A has been by simply providing the two configuration options for the management of S3 Access credentials:

fs.s3a.access.key
fs.s3a.secret.key

Hortonworks documentation outlines a number of alternative authentication mechanisms that we need to verify with Ceph RADOS gateway.

1. AWS Session Tokens with S3A
2. S3A with Credentials File
   * More secure way of managing keys
3. Per bucket access keys
   * When access is required for plural buckets with distinct access credentials
4. IAM instances for OpenStack?
   * I'm not sure we can do this, but perhaps there is a way to do something similar by extending Keystone or similar?

I would prioritize 1, 2, 3. Doing 4 likely requires collaboration with the OSP folks. The folks relevant to this work are probably engineers working on Keystone and Sahara.
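
An added example, not part of the original report and not Hadoop or Ceph code: a Python check over a Hadoop core-site.xml that reports where S3A secrets sit inline and whether a credential store is configured, covering mechanisms 1 to 3 listed in the description. The property names fs.s3a.session.token, fs.s3a.bucket.<name>.<option>, fs.s3a.aws.credentials.provider and hadoop.security.credential.provider.path are taken from the Hadoop S3A documentation rather than from this report; the endpoint, bucket name, key values and JCEKS path are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed core-site.xml: endpoint, bucket name and all key values are made up.
SAMPLE_CORE_SITE = """<configuration>
 <property><name>fs.s3a.endpoint</name><value>http://rgw.example.test:8080</value></property>
 <property><name>fs.s3a.access.key</name><value>EXAMPLEKEY</value></property>
 <property><name>fs.s3a.secret.key</name><value>example-secret</value></property>
 <property><name>fs.s3a.bucket.logs.secret.key</name><value>example-logs-secret</value></property>
 <property><name>fs.s3a.session.token</name><value>example-token</value></property>
</configuration>"""

# Same file after moving the secrets into a Hadoop credential store (path is made up).
SAMPLE_HARDENED = """<configuration>
 <property><name>fs.s3a.endpoint</name><value>http://rgw.example.test:8080</value></property>
 <property><name>hadoop.security.credential.provider.path</name>
  <value>jceks://hdfs@nn.example.test/user/etl/s3a.jceks</value></property>
</configuration>"""

# Global or per-bucket (fs.s3a.bucket.<name>.<option>) secret-bearing options.
SECRET_OPTION = re.compile(
    r"^fs\.s3a\.(?:bucket\.(?P<bucket>.+)\.)?(?P<option>secret\.key|session\.token)$")
TEMP_PROVIDER = "org.apache.hadoop.fs.s3a.TemporaryAWSCredentialsProvider"

def load_properties(xml_text):
    """Return {name: value} for every <property> in a Hadoop configuration file."""
    root = ET.fromstring(xml_text)
    return {(p.findtext("name") or "").strip(): (p.findtext("value") or "").strip()
            for p in root.iter("property")}

def audit_s3a_auth(xml_text):
    """Report inline S3A secrets, the credential store path, and token/provider mismatch."""
    props = load_properties(xml_text)
    inline = []
    for name in sorted(props):
        match = SECRET_OPTION.match(name)
        if match and props[name]:
            inline.append((match.group("bucket") or "*", match.group("option")))
    has_token = any(option == "session.token" for _, option in inline)
    providers = props.get("fs.s3a.aws.credentials.provider", "")
    return {
        "inline_secrets": inline,  # (bucket, or "*" for the global setting, option)
        "credential_store": props.get("hadoop.security.credential.provider.path"),
        # Hadoop 2.8 uses a session token only when this provider is declared.
        "token_without_provider": has_token and TEMP_PROVIDER not in providers,
    }

if __name__ == "__main__":
    for label, text in (("plaintext", SAMPLE_CORE_SITE), ("hardened", SAMPLE_HARDENED)):
        print(label, audit_s3a_auth(text))
```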

Comment 2 Vasu Kulkarni 2017-07-20 19:55:29 UTC
I think this should be part of rhcs 3.0 trello card instead of bz so that it can get the right priority and planning.

Comment 4 Kyle Bader 2017-07-26 16:53:33 UTC
We should definitely put these BZs and/or the tracking BZ #1473188 to the RHCS 3.0 Trello planning.

Comment 9 Kyle Bader 2017-11-09 14:18:49 UTC
#1 will not be possible without STS.

Comment 19 Drew Harris 2019-02-20 14:31:39 UTC
I have closed this issue because it has been inactive for some time now. If you feel this still deserves attention feel free to reopen it.