hi Florian,

On Thu, Feb 12, 2026 at 11:05 AM Florian Haas via ceph-users <[email protected]> wrote:
>
> Hi everyone,
>
> a question about the mgmt-gateway and oauth2-proxy services, because we
> want to incorporate one or both of them into our Ceph training course.
>
> I understand that as of Tentacle, mgmt-gateway exists as an
> administrative simplification for access to the Dashboard and the
> orchestrated monitoring stack,[0] and that it has OpenID Connect (OIDC)
> support via oauth2-proxy. The docs[1] assert that oauth2-proxy serves as
> "an advanced method for managing authentication and access control for
> Ceph applications".
>
> We've also had OIDC support in radosgw since Octopus (I believe),
> however it is tied to an implementation of a subset of STS[2],
> configuration is rather non-trivial[3], and as far as I understand it is
> presently not integrated with oauth2-proxy.
>
> Now my question is: will oauth2-proxy eventually be integrated with
> radosgw to replace and remove the STS dependency, or are the two OIDC
> integrations expected to coexist in parallel?

i don't know that radosgw has any plans for oidc integration outside
of sts and AssumeRoleWithWebIdentity. the benefit of sts for this
integration is that it works with unmodified aws clients

the user account feature in squid added fine-grained api-based control
over oidc providers, roles, and their associated iam policy:
https://docs.ceph.com/en/squid/radosgw/account/

if configuration was your main obstacle, i would hope that the
aws-compatible tooling like
https://docs.aws.amazon.com/cli/latest/reference/iam/create-open-id-connect-provider.html
would make that easier

>
> Thanks!
>
> Cheers,
> Florian
>
> [0] https://docs.ceph.com/en/latest/cephadm/services/mgmt-gateway/
> [1] https://docs.ceph.com/en/latest/cephadm/services/oauth2-proxy/
> [2] https://docs.ceph.com/en/latest/radosgw/oidc/
> [3]
> https://community.ibm.com/community/user/blogs/deepak-thorat/2024/03/20/ceph-isv-integration-using-open-id-connect
> _______________________________________________
> ceph-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
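
The AWS-compatible flow the reply points to, as an added example that is not part of either message or of the Ceph project's own material: register the OIDC provider, create a role whose trust policy pins one issuer and one client, attach a permission policy, then exchange a token with AssumeRoleWithWebIdentity. The endpoint, issuer, client id, account id, role and bucket are constructed placeholders, and the `app_id` condition key is an assumption about how the token's audience is matched.

```shell
# Added example. Every value below is a constructed placeholder.
RGW_ENDPOINT="${RGW_ENDPOINT:-https://rgw.example.internal}"   # assumed RGW URL
ISSUER="${ISSUER:-idp.example.internal/realms/ceph}"           # assumed OIDC issuer, no scheme
CLIENT_ID="${CLIENT_ID:-ceph-s3}"                              # assumed OIDC client id
ACCOUNT_ID="${ACCOUNT_ID:-RGW00000000000000001}"               # placeholder RGW account id
ROLE="${ROLE:-training-reader}"                                # hypothetical role name
BUCKET="${BUCKET:-training-bucket}"                            # hypothetical bucket

# Trust policy: who may call AssumeRoleWithWebIdentity for this role.
# The Condition pins the role to one client of one issuer; the app_id
# key is assumed to be matched against the token's audience.
trust_policy() {
  cat <<EOF
{"Version":"2012-10-17","Statement":[{"Effect":"Allow",
 "Principal":{"Federated":["arn:aws:iam::${ACCOUNT_ID}:oidc-provider/${ISSUER}"]},
 "Action":["sts:AssumeRoleWithWebIdentity"],
 "Condition":{"StringEquals":{"${ISSUER}:app_id":"${CLIENT_ID}"}}}]}
EOF
}

# Permission policy: what the temporary credentials may do (read one bucket).
permission_policy() {
  cat <<EOF
{"Version":"2012-10-17","Statement":[{"Effect":"Allow",
 "Action":["s3:GetObject","s3:ListBucket"],
 "Resource":["arn:aws:s3:::${BUCKET}","arn:aws:s3:::${BUCKET}/*"]}]}
EOF
}

# Run once with the credentials of a user allowed to manage IAM in the account.
provision() {
  : "${IDP_THUMBPRINT:?set to the IdP certificate thumbprint}"
  aws --endpoint-url "$RGW_ENDPOINT" iam create-open-id-connect-provider \
      --url "https://${ISSUER}" --client-id-list "$CLIENT_ID" \
      --thumbprint-list "$IDP_THUMBPRINT"
  aws --endpoint-url "$RGW_ENDPOINT" iam create-role --role-name "$ROLE" \
      --assume-role-policy-document "$(trust_policy)"
  aws --endpoint-url "$RGW_ENDPOINT" iam put-role-policy --role-name "$ROLE" \
      --policy-name read-only --policy-document "$(permission_policy)"
}

# Run by the end user: $1 is a token issued by the IdP for CLIENT_ID.
assume() {
  aws --endpoint-url "$RGW_ENDPOINT" sts assume-role-with-web-identity \
      --role-arn "arn:aws:iam::${ACCOUNT_ID}:role/${ROLE}" \
      --role-session-name training --web-identity-token "$1"
}

case "${1:-}" in provision) provision ;; assume) assume "${2:?token required}" ;; esac
```

A trust policy without the `Condition` block would accept any token the issuer signs, so the condition is the part to review when auditing roles.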
