
Bug 1473190

Summary: Test various S3 authentication mechanisms added to S3a in Hadoop 2.8.0
Product: [Red Hat Storage] Red Hat Ceph Storage
Reporter: Kyle Bader <kbader>
Component: RGW
Assignee: Matt Benjamin (redhat) <mbenjamin>
Status: CLOSED NOTABUG
QA Contact: ceph-qe-bugs <ceph-qe-bugs>
Severity: medium
Priority: low
Version: 3.0
CC: anharris, cbodley, ceph-eng-bugs, flucifre, kbader, kdreyer, mbenjamin, nlevine, scohen, sweil, tchandra, uboppana, vakulkar
Target Milestone: rc
Target Release: 4.0
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Last Closed: 2019-02-20 14:31:39 UTC
Type: Bug
Bug Blocks: 1473188

Description Kyle Bader 2017-07-20 08:19:11 UTC
So far, our testing of S3A has been by simply providing the two configuration options for the management of S3 access credentials:

fs.s3a.access.key
fs.s3a.secret.key

Hortonworks documentation outlines a number of alternative authentication mechanisms that we need to verify with Ceph RADOS gateway.

1. AWS Session Tokens with S3A
2. S3A with Credentials File
   * More secure way of managing keys
3. Per bucket access keys
   * When access is required for plural buckets with distinct access credentials
4. IAM instances for OpenStack?
   * I'm not sure we can do this, but perhaps there is a way to do something similar by extending Keystone or similar?

I would prioritize 1, 2, 3. Doing 4 likely requires collaboration with the OSP folks. The folks relevant to this work are probably engineers working on Keystone and Sahara.
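
An added example, not part of the bug report and not code from Hadoop or Ceph: a small check that scans a Hadoop configuration for S3A secrets stored in plaintext (globally or per bucket) and reports whether a credential store is configured instead. The option names other than fs.s3a.access.key and fs.s3a.secret.key are Hadoop's S3A and credential-provider option names as I know them; the bucket names, key values and jceks path are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed core-site.xml fragment; bucket names, key values and the jceks path are made up.
SAMPLE = """<configuration>
  <property><name>fs.s3a.access.key</name><value>EXAMPLEACCESSKEY</value></property>
  <property><name>fs.s3a.secret.key</name><value>example-secret</value></property>
  <property><name>fs.s3a.bucket.logs.access.key</name><value>LOGSACCESSKEY</value></property>
  <property><name>fs.s3a.bucket.logs.secret.key</name><value>logs-secret</value></property>
  <property><name>fs.s3a.bucket.tmp.session.token</name><value>example-token</value></property>
  <property><name>hadoop.security.credential.provider.path</name>
            <value>jceks://hdfs@nn.example.com/user/etl/s3a.jceks</value></property>
</configuration>"""

# Secret-bearing options, either global or per bucket (fs.s3a.bucket.<name>.*).
SECRET_RE = re.compile(
    r"^fs\.s3a\.(?:bucket\.(?P<bucket>.+)\.)?(?P<opt>secret\.key|session\.token)$")
PROVIDER_PATHS = ("hadoop.security.credential.provider.path",
                  "fs.s3a.security.credential.provider.path")

def audit(xml_text):
    """Return (findings, has_credential_store) for a Hadoop configuration document.

    findings is a list of (scope, option) pairs for every secret that has a
    non-empty plaintext value; scope is the bucket name or "(global)".
    """
    props = {}
    for p in ET.fromstring(xml_text).iter("property"):
        props[(p.findtext("name") or "").strip()] = (p.findtext("value") or "").strip()
    findings = []
    for name, value in sorted(props.items()):
        m = SECRET_RE.match(name)
        if m and value:
            findings.append((m.group("bucket") or "(global)", m.group("opt")))
    has_store = any(props.get(k) for k in PROVIDER_PATHS)
    return findings, has_store

if __name__ == "__main__":
    findings, has_store = audit(SAMPLE)
    for scope, opt in findings:
        print(f"plaintext {opt} for {scope}")
    print("credential store configured:", has_store)
```

A configuration that defines a credential store but still carries plaintext secrets, as the sample does, is the case worth flagging during a migration from inline keys.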

Comment 2 Vasu Kulkarni 2017-07-20 19:55:29 UTC
I think this should be part of rhcs 3.0 trello card instead of bz so that it can get the right priority and planning.

Comment 4 Kyle Bader 2017-07-26 16:53:33 UTC
We should definitely put these BZs and/or the tracking BZ #1473188 to the RHCS 3.0 Trello planning.

Comment 9 Kyle Bader 2017-11-09 14:18:49 UTC
#1 will not be possible without STS.

Comment 19 Drew Harris 2019-02-20 14:31:39 UTC
I have closed this issue because it has been inactive for some time now. If you feel this still deserves attention feel free to reopen it.