Bug 1811323

Summary: [RFE] OCS independent Mode Multi-tenancy. Add the option to use a non-admin ceph key to connect to an external ceph cluster in rook
Product: [Red Hat Storage] Red Hat OpenShift Container Storage
Component: rook
Version: 4.3
Target Release: OCS 4.5.0
Status: CLOSED ERRATA
Severity: low
Priority: unspecified
Hardware: All
OS: All
Keywords: FutureFeature
Type: Bug
Reporter: daniel parkes <dparkes>
Assignee: Sébastien Han <shan>
QA Contact: Shrivaibavi Raghaventhiran <sraghave>
CC: dparkes, edonnell, hnallurv, madam, nberry, ocs-bugs, pgrist, shan, tbarron
Last Closed: 2020-09-15 10:16:04 UTC

Description daniel parkes 2020-03-07 15:50:16 UTC
Description of problem:

Currently we need to configure the Ceph external Admin key in the Rook deployment to be able to connect to an external Ceph cluster.

If we wanted to run in a multi-tenant fashion where several OCS/OCP clusters wanted to connect to the same external RHCS cluster, each OCS/OCP deployment would have access to the external RHCS Admin key and could potentially access or delete the data from pools that belong to other OCS/OCP clusters.

If we could remove the need to use the external RHCS ceph admin key, we could then configure a specific user for each OCS/OCP deployment with a delimited set of caps that would only allow access to their data pools, achieving data isolation per OCS/OCP deployment.

Just an example of a use case:

OSP deployments and RHCS deployments typically belong to central IT departments or public cloud operators. Shift on Stack deployments belong to tenants who rent (or who have grants for) infrastructure belonging to the central IT department or cloud operator. Shift admins are regular OSP users without admin credentials; if they deploy OCS in Independent Mode they would require the admin RHCS credentials from the central IT department, which would be a show stopper.
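
The isolation the reporter asks for rests on Ceph's per-client capability (cap) strings: the admin key carries `allow *`, while a per-deployment key can be limited to `allow rw pool=<its pool>`. The following is an added example, not Rook or OCS code and not the PR referenced later in this bug. It builds the `ceph auth get-or-create` invocation for a tenant-scoped key and evaluates a small subset of the OSD cap grammar (only `allow <perms> [pool=…] [namespace=…]`; no `profile`, `class-read`, `object_prefix` or `tag` clauses) to show that the scoped key cannot reach another tenant's pool while the admin key can. The client id, pool names and the exact caps chosen are assumptions made for illustration; OCS itself may provision a different cap set.

```python
"""Scoped Ceph client caps for one OCS/OCP deployment on an external RHCS cluster.

Added example (not Rook/OCS code). Pool names, the client id and the cap set
are illustrative assumptions; real deployments need whatever caps their RBD
and CephFS workloads require.
"""
from __future__ import annotations

import re
import shlex
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class OsdCap:
    perms: str                       # "*", "r", "w", "rw", "rwx", ...
    pool: Optional[str] = None       # None means the clause applies to any pool
    namespace: Optional[str] = None  # None means any namespace


# One clause of the subset handled here: "allow <perms> [pool=<name>] [namespace=<name>]".
_CLAUSE_RE = re.compile(r"allow\s+(\S+)((?:\s+(?:pool|namespace)=\S+)*)")


def parse_osd_caps(caps: str) -> list[OsdCap]:
    """Parse a comma-separated OSD cap string (subset of the real grammar)."""
    parsed = []
    for clause in caps.split(","):
        m = _CLAUSE_RE.fullmatch(clause.strip())
        if m is None:
            raise ValueError(f"unsupported OSD cap clause: {clause!r}")
        perms, restrictions = m.group(1), m.group(2)
        kv = dict(tok.split("=", 1) for tok in restrictions.split())
        parsed.append(OsdCap(perms, kv.get("pool"), kv.get("namespace")))
    return parsed


def permits(caps: list[OsdCap], pool: str, op: str, namespace: str = "") -> bool:
    """True if any clause grants `op` ('r', 'w' or 'x') on pool/namespace."""
    for cap in caps:
        if cap.pool is not None and cap.pool != pool:
            continue
        if cap.namespace is not None and cap.namespace != namespace:
            continue
        if cap.perms == "*" or op in cap.perms:
            return True
    return False


def tenant_caps(pools: list[str]) -> dict[str, str]:
    """Caps for one deployment: read-only on the monitors, read/write only on
    that deployment's own pools (illustrative minimum, not OCS's own set)."""
    return {
        "mon": "allow r",
        "osd": ", ".join(f"allow rw pool={p}" for p in pools),
    }


def auth_command(client_id: str, caps: dict[str, str]) -> list[str]:
    """argv that creates (or fetches) the scoped key on the external cluster."""
    argv = ["ceph", "auth", "get-or-create", f"client.{client_id}"]
    for entity in ("mon", "osd"):
        argv += [entity, caps[entity]]
    return argv


if __name__ == "__main__":
    # Constructed tenant: two pools that belong to one OCS/OCP deployment.
    caps_a = tenant_caps(["ocs-tenant-a-rbd", "ocs-tenant-a-cephfs-data"])
    print(shlex.join(auth_command("ocs-tenant-a", caps_a)))
    scoped = parse_osd_caps(caps_a["osd"])
    admin = parse_osd_caps("allow *")
    for name, caps in (("client.admin", admin), ("client.ocs-tenant-a", scoped)):
        print(f"{name} can write tenant-b pool: {permits(caps, 'ocs-tenant-b-rbd', 'w')}")
```

The central IT team runs the printed `ceph auth get-or-create` once per deployment and hands over only that keyring; the evaluator is the check to keep in mind when reviewing a cap string before handing it out, since any `allow *` (or an unscoped `allow rw`) clause collapses the isolation back to the admin-key case.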

Comment 5 Sébastien Han 2020-03-09 14:15:02 UTC
Moving to 4.4, we won't be able to accomplish this during the 4.3 timeframe.

Comment 6 Sébastien Han 2020-03-09 14:53:14 UTC
As discussed, moving to 4.5.

Comment 7 Sébastien Han 2020-04-20 13:40:58 UTC
Merged with this resync https://github.com/openshift/rook/pull/43.
It will be part of Rook 1.3.2 and OCS 4.5

Comment 15 Sébastien Han 2020-08-05 13:33:22 UTC
Hi Erin, I'd prefer to hide that implementation detail.
Thanks

Comment 18 errata-xmlrpc 2020-09-15 10:16:04 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Red Hat OpenShift Container Storage 4.5.0 bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:3754