Hi,
On a Zone there is a list of configured pools that contain user
information (users_keys_pool, user_uid_pool, ...), so the user
information is stored in pools attached to a zone.
Regards
On 7/7/25 18:54, Michel Jouvin wrote:
Hi Wissem,
Your first answer is a good approach too. It's true that I was looking
at a way to bind users to a realm, zonegroup or zone but I don't see
one. I don't think users are bound to a zone in fact, as there is no
related attribute in the user info, if I'm right.
Michel
Sent from my mobile
On 7 July 2025 18:25:31, Wissem MIMOUNA - Ceph Users
<ceph-us...@ik.me> wrote:
I misunderstood your question (at first):
As I understand, a user belongs to a zone (and a zone belongs to a zone group
and a zone group to a realm), so it's not possible to restrict users to
a realm (because each user belongs to the realm where it was created),
unless you try to migrate all pools (and user metadata and data) to
one realm (I don't know if it's possible!?).
The Ceph doc says this:
"A realm is a globally unique namespace that consists of one or more
zonegroups. Zonegroups contain one or more zones. Zones contain buckets.
Buckets contain objects."
Regards
On 7/7/25 17:35, Wissem MIMOUNA - Ceph Users wrote:
Hi Michel,
By default each user is isolated in its namespace (buckets of one
user cannot be accessed by other users, unless you allow that); for
accounts it's different, as an account is an isolated namespace
that can have multiple users (inside the same account - see AWS IAM).
Each RGW zone has a 'realm_id' attached to it, so if you want
some users to use a specific realm for storage (creating buckets ...),
then modify the users' property 'default_placement' to use the one from
the zone (the zone that has the realm_id you want).
Regards
On 7/7/25 17:19, Michel Jouvin wrote:
Hi,
We have several RGW realms hosted in the same Ceph cluster. Looking
at how to restrict access to one realm to some users (among all
existing ones), I don't find the information. Looking at
user/realm/zonegroup/zone parameters, I don't see anything that would
allow this. I saw in
https://docs.ceph.com/en/latest/radosgw/account/#radosgw-account a
few words about tenant isolation but it is not clear to me if it is
the same thing and how you achieve it.
Thanks in advance for any hint!
Best regards,
Michel
_______________________________________________
ceph-users mailing list -- ceph-users@ceph.io
To unsubscribe send an email to ceph-users-le...@ceph.io