Bug 1901857

Summary: [RFE] Implement (OpenStack/Keystone) Secure RBAC within RGW
Product: [Red Hat Storage] Red Hat Ceph Storage Reporter: Giulio Fidente <gfidente>
Component: RGW Assignee: Pete Zaitcev <zaitcev>
Status: CLOSED ERRATA QA Contact: Yogev Rabl <yrabl>
Severity: high Docs Contact: Akash Raj <akraj>
Priority: high    
Version: 4.1 CC: akraj, aoconnor, cbodley, ceph-eng-bugs, gcharot, igarciam, johfulto, kbader, mbenjamin, mkasturi, mwatts, pdiazbou, pgrist, prsrivas, seamurph, tchandra, tserlin, uboppana, yrabl, zaitcev
Target Milestone: --- Keywords: FutureFeature
Target Release: 5.2 Flags: seamurph: needinfo+
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ceph-16.2.8-14.el8cp Doc Type: Enhancement
Doc Text:
.A read-only administrative role is added to the Ceph Block Device
With this release, a read-only administrative role is added to Ceph Block Device for better integration with OpenStack and a safe RBAC initiative. The same roles defined previously in OpenStack Swift in `proxy-server.conf` in the `system_reader_roles` setting might be listed in `ceph.conf` in the `rgw_keystone_accepted_reader_roles` setting to enable Ceph Object Gateway to authorize these roles in a compatible way.
Story Points: ---
Clone Of:
: 2240909 Environment:
Last Closed: 2022-08-09 17:35:53 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1228474    
Bug Blocks: 1820257, 1901691, 2076150, 2122298, 2240909    
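
The Doc Text above says the roles listed in Swift's `system_reader_roles` can be mirrored in `rgw_keystone_accepted_reader_roles`. The following added example (not code from this bug or from Ceph) checks that the two lists agree and flags reader roles that also appear in `rgw_keystone_accepted_roles`; the sample configs, the section names and the `audit_reader_roles` helper are constructed for illustration.

```python
import configparser

# Constructed sample configs (not from the bug report); section names are assumptions.
SWIFT_CONF = """
[filter:keystoneauth]
use = egg:swift#keystoneauth
operator_roles = admin, member
system_reader_roles = reader, auditor
"""

CEPH_CONF = """
[client.rgw.gateway1]
rgw_keystone_accepted_roles = admin, member
rgw keystone accepted reader roles = reader, member
"""

def _roles(value):
    """Split a comma-separated role list into a set of lower-cased names."""
    return {r.strip().lower() for r in value.split(",") if r.strip()}

def _load(text):
    """Parse INI text; normalise keys so 'a b' and 'a_b' compare equal (ceph.conf allows both)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = lambda k: k.strip().lower().replace(" ", "_").replace("-", "_")
    cp.read_string(text)
    return cp

def audit_reader_roles(swift_text, ceph_text, swift_section="filter:keystoneauth"):
    """Compare Swift reader roles with each RGW section's reader roles."""
    swift, ceph = _load(swift_text), _load(ceph_text)
    swift_readers = _roles(swift.get(swift_section, "system_reader_roles", fallback=""))
    findings = {}
    for section in ceph.sections():
        if not section.startswith("client.rgw"):
            continue
        readers = _roles(ceph.get(section, "rgw_keystone_accepted_reader_roles", fallback=""))
        writers = _roles(ceph.get(section, "rgw_keystone_accepted_roles", fallback=""))
        findings[section] = {
            "missing_in_rgw": sorted(swift_readers - readers),  # read-only in Swift, not in RGW
            "extra_in_rgw": sorted(readers - swift_readers),    # read-only in RGW, not in Swift
            "also_write_capable": sorted(readers & writers),    # listed as reader and as regular role
        }
    return findings

if __name__ == "__main__":
    for section, result in audit_reader_roles(SWIFT_CONF, CEPH_CONF).items():
        print(section, result)
```

A role reported under `also_write_capable` is worth reviewing, since a role meant to be read-only is also listed among the regular accepted roles.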

Description Giulio Fidente 2020-11-26 09:29:07 UTC
This bug was initially created as a copy of Bug #1326393, which is the equivalent for OpenStack Swift.

The goal is to implement RBAC in all OpenStack services in Wallaby (expected for release around March/April 2021 upstream). This RFE for RGW aims at having feature parity in Pacific, adding a read-only admin role in RHCS5.

For Swift (and RGW) this means supporting, in addition to the existing policies, at least one more admin read-only role. The original RFE for Swift is as follows:

1. Proposed title of this feature request  
  Need swift policy to be configured to include a read-only admin role.
  
3. What is the nature and description of the request?  
  Customer has requirement of read-only admin role for all core services.

4. Why does the customer need this? (List the business requirements here)  
  A read-only admin user is necessary for customer environment.
  
Additional info:

The following bug is raised for keystone to add role https://bugzilla.redhat.com/show_bug.cgi?id=1228474

This role can be configured in policy file.

https://blueprints.launchpad.net/keystone/+spec/admin-readonly-role

Comment 11 Yaniv Kaul 2021-11-01 13:59:46 UTC
Matt, can you provide an update on this feature status upstream?

Comment 24 Yogev Rabl 2022-06-28 13:29:20 UTC
Yes, we will verify it ASAP

Comment 33 errata-xmlrpc 2022-08-09 17:35:53 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: Red Hat Ceph Storage Security, Bug Fix, and Enhancement Update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:5997

Comment 35 Red Hat Bugzilla 2023-09-15 01:31:23 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 365 days