Bug 1811323 - [RFE] OCS independent Mode Multi-tenancy. Add the option to use a non-admin ceph key to connect to a external ceph cluster in rook
Summary: [RFE] OCS independent Mode Multi-tenancy. Add the option to use a non-admin c...
Alias: None
Product: Red Hat OpenShift Container Storage
Classification: Red Hat
Component: rook
Version: 4.3
Hardware: All
OS: All
Target Milestone: ---
: OCS 4.5.0
Assignee: Sébastien Han
QA Contact: Shrivaibavi Raghaventhiran
Depends On:
Reported: 2020-03-07 15:50 UTC by daniel parkes
Modified: 2020-09-15 10:16 UTC (History)
9 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2020-09-15 10:16:04 UTC
Target Upstream Version:


System | ID | Private | Priority | Status | Summary | Last Updated
GitHub rook/rook issue | 4917 | 0 | None | closed | rook-ceph: Ceph External Cluster Multi-tenancy. Removing the need for using the Ceph external cluster admin key. | 2021-01-18 16:39:25 UTC
GitHub rook/rook pull | 5227 | 0 | None | closed | ceph: make admin key optional for external cluster | 2021-01-18 16:39:25 UTC
Red Hat Product Errata | RHBA-2020:3754 | 0 | None | None | None | 2020-09-15 10:16:45 UTC

Description daniel parkes 2020-03-07 15:50:16 UTC
Description of problem:

Currently we need to configure the Ceph external admin key in the Rook deployment to be able to connect to an external Ceph cluster.

If we wanted to run in a multi-tenant fashion where several OCS/OCP clusters wanted to connect to the same external RHCS cluster, each OCS/OCP deployment would have access to the external RHCS admin key and could potentially access or delete the data from pools that belong to other OCS/OCP clusters.

If we could remove the need to use the external RHCS ceph admin key, we could then configure a specific user for each OCS/OCP deployment with a delimited set of caps that would only allow access to their data pools, achieving data isolation per OCS/OCP deployment.

Just an example of a use case:

OSP deployments, and RHCS deployments, typically belong to central IT departments or public cloud operators. Shift on Stack deployments belong to tenants who rent (or who have grants for) infrastructure belonging to the central IT department or cloud operator. Shift admins are regular OSP users without admin credentials. If they deploy OCS in Independent Mode they would require the admin RHCS credentials from the central IT department, which would be a show stopper.
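The isolation the reporter asks for rests on Ceph cap scoping: each OCS/OCP deployment gets its own Ceph user whose OSD grant is pinned to that deployment's pool, so the external admin key never leaves the storage team. The block below is an added example, not code from this bug, from Rook or from Red Hat. It builds the `ceph auth get-or-create` argv for such a user and audits a keyring dump (the format `ceph auth get` prints) for any grant that reaches beyond the tenant pool, the check a storage admin would run before handing a key to a tenant. The cap strings (`profile rbd`, `pool=`), the user and pool name `ocs-tenant-a`, and the keyring contents are assumptions and constructed samples; the exact cap set Rook and Ceph-CSI need for a given release should be taken from that release's documentation.

```python
import re
import shlex

# Assumed cap strings (labelled assumption): `profile rbd` is a built-in Ceph
# cap profile for RBD clients and `pool=` pins an OSD grant to one pool. The
# exact set Rook/Ceph-CSI requires for a release is not stated on the page.
def tenant_caps(pool):
    """Caps for a client that may touch only `pool`; never the admin key."""
    return {
        "mon": "profile rbd",
        "osd": f"profile rbd pool={pool}",
    }


def ceph_auth_command(user, pool):
    """argv for `ceph auth get-or-create` (built, not executed, so this runs offline)."""
    argv = ["ceph", "auth", "get-or-create", f"client.{user}"]
    for service, cap in tenant_caps(pool).items():
        argv += [service, cap]
    return argv


_ENTITY = re.compile(r"^\[(\S+)\]\s*$")
_CAP = re.compile(r'^\s*caps\s+(\w+)\s*=\s*"(.*)"\s*$')
_WILDCARD = re.compile(r"\ballow\s+\*")
_POOL = re.compile(r"\bpool=(\S+)")


def parse_keyring(text):
    """Parse keyring-format text (as printed by `ceph auth get`) into {entity: {service: caps}}."""
    entities, current = {}, None
    for line in text.splitlines():
        m = _ENTITY.match(line)
        if m:
            current = m.group(1)
            entities[current] = {}
            continue
        m = _CAP.match(line)
        if m and current is not None:
            entities[current][m.group(1)] = m.group(2)
    return entities


def audit_caps(caps, allowed_pool):
    """Return findings for any grant that reaches beyond `allowed_pool`."""
    findings = []
    for service, capstr in caps.items():
        # A cap string is a comma-separated list of grants; check each one.
        for grant in (g.strip() for g in capstr.split(",")):
            if not grant:
                continue
            if _WILDCARD.search(grant):
                findings.append(f"{service}: unrestricted grant '{grant}'")
            if service == "osd":
                m = _POOL.search(grant)
                if m is None:
                    findings.append(f"osd: grant '{grant}' is not pinned to a pool")
                elif m.group(1) != allowed_pool:
                    findings.append(
                        f"osd: grant '{grant}' reaches pool '{m.group(1)}', not '{allowed_pool}'"
                    )
    return findings


def audit_keyring(text, allowed_pool):
    """Audit every entity in a keyring dump; an empty list means the key is scoped."""
    return {entity: audit_caps(caps, allowed_pool) for entity, caps in parse_keyring(text).items()}


# Constructed sample keyrings (placeholder keys, not real ones): what
# `ceph auth get` would print for the cluster admin versus a per-tenant user.
ADMIN_KEYRING = """\
[client.admin]
\tkey = PLACEHOLDER-NOT-A-REAL-KEY
\tcaps mds = "allow *"
\tcaps mgr = "allow *"
\tcaps mon = "allow *"
\tcaps osd = "allow *"
"""

TENANT_KEYRING = """\
[client.ocs-tenant-a]
\tkey = PLACEHOLDER-NOT-A-REAL-KEY
\tcaps mon = "profile rbd"
\tcaps osd = "profile rbd pool=ocs-tenant-a"
"""

if __name__ == "__main__":
    print(shlex.join(ceph_auth_command("ocs-tenant-a", "ocs-tenant-a")))
    for keyring in (ADMIN_KEYRING, TENANT_KEYRING):
        for entity, findings in audit_keyring(keyring, "ocs-tenant-a").items():
            print(entity, "scoped OK" if not findings else findings)
```

Running the module prints the creation command for `client.ocs-tenant-a`, reports the admin keyring as unrestricted on every service, and passes the tenant keyring. The audit treats a missing `pool=` on an OSD grant as a finding, since without it the user can reach every tenant's pool even when the verb is only `rw`.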

Comment 5 Sébastien Han 2020-03-09 14:15:02 UTC
Moving to 4.4, we won't be able to accomplish this during the 4.3 timeframe.

Comment 6 Sébastien Han 2020-03-09 14:53:14 UTC
As discussed, moving to 4.5.

Comment 7 Sébastien Han 2020-04-20 13:40:58 UTC
Merged with this resync: https://github.com/openshift/rook/pull/43.
It will be part of Rook 1.3.2 and OCS 4.5.

Comment 15 Sébastien Han 2020-08-05 13:33:22 UTC
Hi Erin, I'd prefer to hide that implementation detail.

Comment 18 errata-xmlrpc 2020-09-15 10:16:04 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Red Hat OpenShift Container Storage 4.5.0 bug fix and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

