rgw: Add subuser to RemoteApplier for Keystone #33210
When can a remote user have subusers?
@pritha-srivastava In the case of using a project in Keystone, we can have multiple users in the project, so we can have a user for the project in radosgw, and the users in the project can be subusers for better management of access and stats usage.
Does OpenStack Keystone allow creation of such users? Are you talking about Swift use cases?
@pritha-srivastava We can have both S3 and Swift subusers. And we can have users in a project for Keystone.
In case of Remote users, subusers will be created (according to the code you added) only when the incoming user has subusers, so can an incoming Keystone user have subusers?
@pritha-srivastava No, users in Keystone can't have subusers, but projects in Keystone have subusers.
Ok
@pritha-srivastava Do you agree with these changes?
How about rgw::auth::RemoteApplier::is_identity() method - doesn't it need checks for subusers?
@pritha-srivastava Yes, you are right. Done.
Signed-off-by: Seena Fallah <seenafallah@gmail.com>
What are the permissions of a subuser with respect to the project? Are we going to give FULL_CONTROL to the subusers also?
@pritha-srivastava I have added the AuthInfo perm_mask to the subuser. So we will set the permission that AuthInfo has on the subuser. Sorry for this mistake.
Signed-off-by: Seena Fallah <seenafallah@gmail.com>
jenkins test make check
@pritha-srivastava Are you okay with this now?
Ping @pritha-srivastava :)
Ping @mdw-at-linuxbox
@@ -129,6 +129,7 @@ TokenEngine::get_creds_info(const TokenEngine::token_envelope_t& token, | |||
rgw_user(token.get_project_id()), | |||
/* User's display name (aka real name). */ | |||
token.get_project_name(), | |||
token.get_user_name(), |
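Review bot: the new `token.get_user_name()` argument has no comment, while the argument before it is labelled ("User's display name"); add a comment saying this value becomes the subuser. The account is keyed on `token.get_project_id()` but the subuser is keyed on a name, so it is worth stating why a name rather than a stable identifier is used here, and what the caller should do when the token carries an empty user name.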
How about the perm_mask here? It returns RGW_PERM_FULL_CONTROL here, will the subuser also have RGW_PERM_FULL_CONTROL? @cbodley @mattbenjamin : Radoslaw has left a comment that 'Keystone doesn't support RGW's subuser concept' (see below). Any idea why?
Yes, because in the Keystone response we don't have any field that represents permissions for users, we give RGW_PERM_FULL_CONTROL to all Keystone subusers, and here we set the AuthInfo perm_mask to the RGWSubUser perm_mask.
@cbodley @mattbenjamin Would you mind reviewing this, please?
@clwluvw pritha expressed concern that this PR defines "subuser" for keystone when keystone does not have subusers. Could someone fill in the rationale for this change specifically? What does it fix?
@mattbenjamin Keystone doesn't specifically have subusers, but you can have a project in Keystone, and users in that project can be subusers here. So we can have this structure in radosgw to support subusers.
@mdw-at-linuxbox can you weigh in here?
@mattbenjamin Can anyone else weigh in here? :)
@mattbenjamin Sorry for mentioning you again, but can we weigh in on this? I think this could be a really good feature that supports radosgw subusers with external auth like Keystone. Subuser in radosgw is a really wonderful feature for user management, and it would be amazing to have it through Keystone auth, too.
@mattbenjamin We can also use a domain as a user instead of a project, but I see this sentence in the project description that matches the radosgw subuser concept, I think.
I think if we use a project as a user, we can have user management like Keystone does. Do you have any ideas on this work? :)
Ping @mattbenjamin :)
Ping @mdw-at-linuxbox
@mattbenjamin It's been about 1 month since we requested @mdw-at-linuxbox to review this PR. Can we get help from someone else?
This pull request has been automatically marked as stale because it has not had any activity for 60 days. It will be closed if no further activity occurs for another 30 days.
This pull request has been automatically closed because there has been no activity for 90 days. Please feel free to reopen this pull request (or open a new one) if the proposed change is still appropriate. Thank you for your contribution!
Fixes: https://tracker.ceph.com/issues/44147
Signed-off-by: Seena Fallah <seenafallah@gmail.com>