[ceph-users] s3 bucket policies

Simon Leinen simon.leinen at switch.ch
Tue Nov 7 02:17:03 PST 2017

Adam C Emerson writes:
> On 03/11/2017, Simon Leinen wrote:
> [snip]
>> Is this supported by the Luminous version of RadosGW?

> Yes! There's a few bugfixes in master that are making their way into
> Luminous, but Luminous has all the features at present.

Does that mean it should basically work in 10.2.1?

>> (Or even Jewel?)

> No!

I see; this will definitely motivate us to speed up our Luminous upgrade!

>> Does this work with Keystone integration, i.e. can we refer to Keystone
>> users as principals?

> In principle probably. I haven't tried it and I don't really know
> much about Keystone at present. It is hooked into the various
> IdentityApplier classes and if RGW thinks a Keystone user is a
> 'user' and you supply whatever RGW thinks its username is, then it
> should work fine. I haven't tried it, though.

Unless someone beats us to it, we'll try as soon as we have our
cluster (with Keystone integration) in Luminous.

>> Let's say there are many read-only users rather than just one.  Would we
>> simply add a new clause under "Statement" for each such user, or is
>> there a better way? (I understand that RadosGW doesn't support groups,
>> which could solve this elegantly and efficiently.)

> If you want to give a large number of users the same permissions, just
> put them all in the Principal array.

Right, thanks for the tip! That makes it more compact.  For our use
case it won't be hundreds of users, I guess, more like dozens at most.
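
An added example, not part of the original thread and not Ceph's own code: it sketches the advice above by merging per-user statements that share the same Effect, Action and Resource into one statement with a Principal array. The bucket name, the user names and the `arn:aws:iam:::user/<name>` principal form are assumptions made for illustration.

```python
import json

def _as_list(value):
    return value if isinstance(value, list) else [value]

def merge_principals(policy):
    """Collapse statements that differ only in Principal (and Sid) into one."""
    merged, statements = {}, []
    for stmt in policy["Statement"]:
        principal = stmt.get("Principal")
        # Only the {"AWS": ...} form is merged; "*" and other forms pass through.
        if not (isinstance(principal, dict) and set(principal) == {"AWS"}):
            statements.append(stmt)
            continue
        # Group on everything except Principal and Sid (the first Sid is kept).
        rest = {k: v for k, v in stmt.items() if k not in ("Principal", "Sid")}
        for field in ("Action", "Resource"):
            if field in rest:
                rest[field] = sorted(_as_list(rest[field]))
        key = json.dumps(rest, sort_keys=True)
        if key not in merged:
            merged[key] = dict(stmt, Principal={"AWS": []})  # copy, input untouched
            statements.append(merged[key])
        users = merged[key]["Principal"]["AWS"]
        for arn in _as_list(principal["AWS"]):
            if arn not in users:
                users.append(arn)
    return dict(policy, Statement=statements)

# Constructed sample input: one statement per user, as asked about in the thread.
BUCKET = ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]

def _stmt(user, actions):
    return {"Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam:::user/{user}"},  # assumed ARN form
            "Action": actions, "Resource": BUCKET}

PER_USER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [_stmt(u, ["s3:GetObject", "s3:ListBucket"])
                  for u in ("alice", "bob", "carol")]
                 + [_stmt("dave", ["s3:PutObject"])],
}

if __name__ == "__main__":
    print(json.dumps(merge_principals(PER_USER_POLICY), indent=2))
```

The three read-only statements collapse into one, while the statement with a different Action stays separate, so no user gains a permission they did not already have.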
