Bug 1901857 - [RFE] Implement (OpenStack/Keystone) Secure RBAC within RGW [NEEDINFO]
Summary: [RFE] Implement (OpenStack/Keystone) Secure RBAC within RGW
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Ceph Storage
Classification: Red Hat Storage
Component: RGW
Version: 4.1
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Target Release: 5.2
Assignee: Pete Zaitcev
QA Contact: Yogev Rabl
Docs Contact: Akash Raj
URL:
Whiteboard:
Depends On: 1228474
Blocks: 1820257 1901691 2076150 2122298
Reported: 2020-11-26 09:29 UTC by Giulio Fidente
Modified: 2022-08-29 17:52 UTC

Fixed In Version: ceph-16.2.8-14.el8cp
Doc Type: Enhancement
Doc Text:
.A read-only administrative role is added to the Ceph Block Device
With this release, a read-only administrative role is added to Ceph Block Device for better integration with OpenStack and a safe RBAC initiative. The same roles defined previously in OpenStack Swift in the `system_reader_roles` setting in `proxy-server.conf` might be listed in the `rgw_keystone_accepted_reader_roles` setting in `ceph.conf` to enable Ceph Object Gateway to authorize these roles in a compatible way.
Clone Of:
Environment:
Last Closed: 2022-08-09 17:35:53 UTC
Embargoed:
seamurph: needinfo+
akraj: needinfo? (pdiazbou)
tchandra: needinfo? (yrabl)



Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | ceph ceph pull 45469 | 0 | None | open | RGW: Add a reader feature | 2022-04-11 15:11:03 UTC
Red Hat Product Errata | RHSA-2022:5997 | 0 | None | None | None | 2022-08-09 17:36:30 UTC

Description Giulio Fidente 2020-11-26 09:29:07 UTC
This bug was initially created as a copy of Bug #1326393, which is the equivalent for OpenStack Swift.

The goal is to implement RBAC in all OpenStack services in Wallaby (expected for release around March/April 2021 upstream). This RFE for RGW aims at having feature parity in Pacific, adding a read-only admin role in RHCS5.

For Swift (and RGW) this means supporting, in addition to the existing policies, at least one more admin read-only role. The original RFE for Swift is as follows:

1. Proposed title of this feature request  
  Need swift policy to be configured to include a read-only admin role.
  
3. What is the nature and description of the request?  
  Customer has requirement of read-only admin role for all core services.

4. Why does the customer need this? (List the business requirements here)  
  A read-only admin user is necessary for customer environment.
  
Additional info:

The following bug is raised for keystone to add role https://bugzilla.redhat.com/show_bug.cgi?id=1228474

This role can be configured in policy file.

https://blueprints.launchpad.net/keystone/+spec/admin-readonly-role

Comment 11 Yaniv Kaul 2021-11-01 13:59:46 UTC
Matt, can you provide an update on this feature status upstream?

Comment 24 Yogev Rabl 2022-06-28 13:29:20 UTC
Yes, we will verify it ASAP

Comment 33 errata-xmlrpc 2022-08-09 17:35:53 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: Red Hat Ceph Storage Security, Bug Fix, and Enhancement Update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:5997

