Hi,
I'm restarting work on this issue and after a deeper look I still
don't see how to prevent a user from using some RGWs (accessing the
associated pools). In particular, the files in the meta pool of each RGW
mentioned in the previous email are used to track who is using what in
the associated pools, not to control access, if I'm right.
When having several RGWs attached to different pools (for potentially
different use cases), it seems desirable to be able to control who can
access which pool. I'm still interested to hear how it can be done, as I
don't find anything that seems related to this.
Best regards,
Michel
On 08/07/2025 at 09:04, Wissem MIMOUNA - Ceph Users wrote:
Hi,
On a zone there is a list of configured pools that contain user
information (users_keys_pool, user_uid_pool, ...), so the user
information is stored in pools attached to a zone.
Regards
On 7/7/25 18:54, Michel Jouvin wrote:
Hi Wissem,
Your first answer is a good approach too. It's true that I was
looking for a way to bind users to a realm, zonegroup or zone, but I
don't see one. I don't think users are bound to a zone in fact, as there
is no related attribute in the user info, if I'm right.
Michel
Sent from my mobile
On 7 July 2025 18:25:31 Wissem MIMOUNA - Ceph Users
<ceph-us...@ik.me> wrote:
I misunderstood your question (first):
As I understand it, a user belongs to a zone (and a zone belongs to a zonegroup
and a zonegroup to a realm), so it's not possible to restrict users to a
realm (because each user belongs to the realm it was created in),
unless you try to migrate all pools (and user metadata and data) to
one realm (I don't know if it's possible!?).
The Ceph doc says this:
"A realm is a globally unique namespace that consists of one or more
zonegroups. Zonegroups contain one or more zones. Zones contain
buckets.
Buckets contain objects."
Regards
On 7/7/25 17:35, Wissem MIMOUNA - Ceph Users wrote:
Hi Michel,
By default each user is isolated in its own namespace (buckets of one
user cannot be accessed by other users, unless you allow that); for
accounts it's different, as an account is an isolated namespace
that can have multiple users (inside the same account - see AWS
IAM).
Each RGW zone has a 'realm_id' attached to it, so if you want
some users to use a specific realm for storage (creating buckets ...),
then modify the user's property 'default_placement' to use the one from
the zone (the zone that has the realm_id you want).
Regards
On 7/7/25 17:19, Michel Jouvin wrote:
Hi,
We have several RGW realms hosted in the same Ceph cluster. Looking
at how to restrict access to one realm to some users (among all
existing ones), I can't find the information. Looking at
user/realm/zonegroup/zone parameters, I don't see anything that would
allow this. I saw in
https://docs.ceph.com/en/latest/radosgw/account/#radosgw-account a
few words about tenant isolation, but it is not clear to me if it is
the same thing and how you achieve it.
Thanks in advance for any hint!
Best regards,
Michel
_______________________________________________
ceph-users mailing list -- ceph-users@ceph.io
To unsubscribe send an email to ceph-users-le...@ceph.io