So far, our testing of S3A has been by simply providing the two configuration options for the management of S3 access credentials:

fs.s3a.access.key
fs.s3a.secret.key

Hortonworks documentation outlines a number of alternative authentication mechanisms that we need to verify with Ceph RADOS gateway.

1. AWS Session Tokens with S3A
2. S3A with Credentials File
   * More secure way of managing keys
3. Per bucket access keys
   * When access is required for plural buckets with distinct access credentials
4. IAM instances for OpenStack?
   * I'm not sure we can do this, but perhaps there is a way to do something similar by extending Keystone or similar?

I would prioritize 1, 2, 3. Doing 4 likely requires collaboration with the OSP folks. The folks relevant to this work are probably engineers working on keystone and sahara.
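An added example, not part of the original report or of any project's code: a small audit that reads a Hadoop configuration file and reports which S3A credentials (global or per bucket) are stored inline as plaintext, and whether a credential file is configured instead. The sample XML, bucket names, endpoints and key values are constructed placeholders; `audit` and `load_properties` are hypothetical helper names.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample core-site.xml; endpoints, bucket names and key values are placeholders.
SAMPLE_CORE_SITE = """<configuration>
  <property><name>fs.s3a.endpoint</name><value>http://rgw.example.com:8080</value></property>
  <property><name>fs.s3a.access.key</name><value>EXAMPLEACCESSKEY</value></property>
  <property><name>fs.s3a.secret.key</name><value>EXAMPLESECRETKEY</value></property>
  <property><name>fs.s3a.bucket.logs.access.key</name><value>EXAMPLELOGSKEY</value></property>
  <property><name>fs.s3a.bucket.logs.secret.key</name><value>EXAMPLELOGSSECRET</value></property>
  <property><name>fs.s3a.bucket.archive.endpoint</name><value>http://rgw2.example.com:8080</value></property>
</configuration>"""

# Matches the global credential options and their per-bucket form
# fs.s3a.bucket.<name>.<option> (assumes bucket names without dots).
SECRET_RE = re.compile(
    r"^fs\.s3a\.(?:bucket\.(?P<bucket>[^.]+)\.)?"
    r"(?P<opt>access\.key|secret\.key|session\.token)$")
PROVIDER_KEY = "hadoop.security.credential.provider.path"

def load_properties(xml_text):
    """Return {name: value} for every <property> in a Hadoop config file."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def audit(xml_text):
    """List inline S3A credentials as (bucket, option); '*' means the global setting."""
    props = load_properties(xml_text)
    inline = []
    for name, value in sorted(props.items()):
        m = SECRET_RE.match(name)
        if m and value:
            inline.append((m.group("bucket") or "*", m.group("opt")))
    return {"inline_credentials": inline,
            "credential_provider": props.get(PROVIDER_KEY)}

if __name__ == "__main__":
    report = audit(SAMPLE_CORE_SITE)
    for bucket, opt in report["inline_credentials"]:
        print(f"plaintext {opt} for bucket {bucket}")
    print("credential provider:", report["credential_provider"] or "not configured")
```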
I think this should be part of the RHCS 3.0 Trello card instead of a BZ so that it can get the right priority and planning.
We should definitely put these BZs and/or the tracking BZ #1473188 to the RHCS 3.0 Trello planning.
https://hortonworks.github.io/hdp-aws/s3-security/index.html
#1 will not be possible without STS.
I have closed this issue because it has been inactive for some time now. If you feel this still deserves attention feel free to reopen it.