Bug 1901857 - [RFE] Implement (OpenStack/Keystone) Secure RBAC within RGW
Summary: [RFE] Implement (OpenStack/Keystone) Secure RBAC within RGW
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Ceph Storage
Classification: Red Hat Storage
Component: RGW
Version: 4.1
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Target Release: 5.2
Assignee: Pete Zaitcev
QA Contact: Yogev Rabl
Docs Contact: Akash Raj
URL:
Whiteboard:
Depends On: 1228474
Blocks: 1820257 1901691 2076150 2122298 2240909
Reported: 2020-11-26 09:29 UTC by Giulio Fidente
Modified: 2023-09-27 08:16 UTC (History)

Fixed In Version: ceph-16.2.8-14.el8cp
Doc Type: Enhancement
Doc Text:
.A read-only administrative role is added to the Ceph Block Device
With this release, a read-only administrative role is added to Ceph Block Device for better integration with OpenStack and a safe RBAC initiative. The same roles defined previously in OpenStack Swift in `proxy-server.conf` in the `system_reader_roles` setting might be listed in `ceph.conf` in the `rgw_keystone_accepted_reader_roles` setting to enable Ceph Object Gateway to authorize these roles in a compatible way.
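
A drift check for the parity the Doc Text describes, as an added example (not from this bug report or the Ceph project): it compares Swift's `system_reader_roles` with `rgw_keystone_accepted_reader_roles` in each RGW section of `ceph.conf`. The sample files, the role names, the `[client.rgw.gw1]` section name and the comma-separated list format of the RGW option are assumptions.

```python
import configparser

# Constructed sample configs; role names and the RGW section name are assumptions.
SWIFT_PROXY_CONF = """
[filter:keystoneauth]
use = egg:swift#keystoneauth
operator_roles = admin, member
system_reader_roles = observer, auditor
"""

CEPH_CONF = """
[client.rgw.gw1]
rgw_keystone_accepted_roles = admin, member
rgw keystone accepted reader roles = observer
"""

def _roles(value):
    """Split a comma-separated role list into a set, ignoring blanks."""
    return {r.strip() for r in (value or "").split(",") if r.strip()}

def _parse(text):
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp

def swift_reader_roles(text):
    """Collect system_reader_roles from every paste filter section."""
    cp, out = _parse(text), set()
    for section in cp.sections():
        if section.startswith("filter:"):
            out |= _roles(cp[section].get("system_reader_roles"))
    return out

def rgw_reader_roles(text):
    """Map each client.rgw* section to its accepted reader roles."""
    cp, out = _parse(text), {}
    for section in cp.sections():
        if section.startswith("client.rgw"):
            # ceph.conf accepts spaces, dashes or underscores in option names.
            opts = {k.replace(" ", "_").replace("-", "_"): v
                    for k, v in cp[section].items()}
            out[section] = _roles(opts.get("rgw_keystone_accepted_reader_roles"))
    return out

def reader_role_drift(swift_text, ceph_text):
    """Per RGW section: reader roles Swift grants that RGW lacks, and the reverse."""
    want = swift_reader_roles(swift_text)
    return {s: {"missing": sorted(want - have), "extra": sorted(have - want)}
            for s, have in rgw_reader_roles(ceph_text).items()}
```

An `extra` entry is the one to review first: it is a role that gets read-only admin access through RGW without having it in Swift.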
Clone Of:
Clones: 2240909
Environment:
Last Closed: 2022-08-09 17:35:53 UTC
Embargoed:
seamurph: needinfo+



Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | ceph ceph pull 45469 | 0 | None | open | RGW: Add a reader feature | 2022-04-11 15:11:03 UTC
Red Hat Product Errata | RHSA-2022:5997 | 0 | None | None | None | 2022-08-09 17:36:30 UTC

Description Giulio Fidente 2020-11-26 09:29:07 UTC
This bug was initially created as a copy of Bug #1326393, which is the equivalent for OpenStack Swift.

The goal is to implement RBAC in all OpenStack services in Wallaby (expected for release around March/April 2021 upstream). This RFE for RGW aims at having feature parity in Pacific adding a read-only admin role in RHCS5.

For Swift (and RGW) this means supporting, in addition to the existing policies, at least one more admin read-only role. The original RFE for Swift is as follows:

1. Proposed title of this feature request
  Need swift policy to be configured to include a read-only admin role.

3. What is the nature and description of the request?
  Customer has requirement of read-only admin role for all core services.

4. Why does the customer need this? (List the business requirements here)
  A read-only admin user is necessary for customer environment.

Additional info:

The following bug is raised for keystone to add role https://bugzilla.redhat.com/show_bug.cgi?id=1228474

This role can be configured in policy file.

https://blueprints.launchpad.net/keystone/+spec/admin-readonly-role

Comment 11 Yaniv Kaul 2021-11-01 13:59:46 UTC
Matt, can you provide an update on this feature status upstream?

Comment 24 Yogev Rabl 2022-06-28 13:29:20 UTC
Yes, we will verify it ASAP

Comment 33 errata-xmlrpc 2022-08-09 17:35:53 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: Red Hat Ceph Storage Security, Bug Fix, and Enhancement Update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:5997

Comment 35 Red Hat Bugzilla 2023-09-15 01:31:23 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 365 days

