I think I have been able to verify that a user associated with a realm (--rgw-realm used at user creation time) can be used to access another realm. So it seems to answer my concerns. Confirmation welcome!

Michel

On 21/07/2025 at 16:20, Michel Jouvin wrote:
Answering myself... It seems that I'm wrong: if you create a user with --rgw-realm, it will be listed only under this realm. If you don't specify --rgw-realm, they seem global and it looks possible to use them in all realms. Am I right? Are users created "attached" to a realm usable only to access pools attached to this realm?

Michel

On 21/07/2025 at 16:00, Michel Jouvin wrote:
Hi,

I'm restarting work on this issue and after a deeper look I still don't see how to prevent a user from using some RGWs (accessing the associated pools). In particular, the files in the meta pool of each RGW mentioned in the previous email are used to track who is using what in the associated pools, not to control access, if I'm right.

When having several RGWs attached to different pools (for potentially different use cases), it seems desirable to be able to control who can access which pool. I'm still interested to hear how it can be done, as I don't find anything that seems related to this.

Best regards,

Michel

On 08/07/2025 at 09:04, Wissem MIMOUNA - Ceph Users wrote:
Hi,


On a zone there is a list of configured pools that contain user information (users_keys_pool, user_uid_pool, ...), so the user information is stored in pools attached to a zone.

Regards

On 7/7/25 18:54, Michel Jouvin wrote:
Hi Wissem,

Your first answer is a good approach too. It's true that I was looking at a way to bind users to a realm, zonegroup or zone but I don't see one. I don't think users are bound to a zone in fact, as there is no related attribute in the user info, if I'm right.

Michel
Sent from my mobile

On 7 July 2025 18:25:31 Wissem MIMOUNA - Ceph Users <ceph-us...@ik.me> wrote:

I misunderstood your question (at first):

As I understand it, a user belongs to a zone (and a zone belongs to a zone group, and a zone group to a realm), so it's not possible to restrict users to a realm (because each user belongs to the realm it was created in), unless you try to migrate all pools (and user metadata and data) to one realm (I don't know if it's possible!?).

The Ceph docs say this:

"A realm is a globally unique namespace that consists of one or more zonegroups. Zonegroups contain one or more zones. Zones contain buckets. Buckets contain objects."


Regards



On 7/7/25 17:35, Wissem MIMOUNA - Ceph Users wrote:
Hi Michel,


By default each user is isolated in its own namespace (buckets of one user cannot be accessed by other users, unless you allow that); for accounts it's different, as an account is an isolated namespace that can have multiple users (inside the same account; see AWS IAM).

Each RGW zone has a 'realm_id' attached to it, so if you want some users to use a specific realm for storage (creating buckets...), then modify the user property 'default_placement' to use the one from the zone (the zone that has the realm_id you want).


Regards

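An added example, not code from the thread and not part of Ceph, to make concrete what the per-user default_placement setting does and does not control. It parses constructed JSON shaped like `radosgw-admin zone get` and `radosgw-admin user info` output (the field names realm_id, user_keys_pool, user_uid_pool, placement_pools, default_placement and placement_tags are the real ones; the ids, zone names and pool names are invented) and reports, for each user, which zones define that user's placement target and which realm each of those zones belongs to. A target such as default-placement that exists in every zone resolves to a different realm's pools depending on which zone's RGW serves the request, so, as Michel concludes later in the thread, it steers where bucket data lands but is not an access control.

```python
import json
from collections import defaultdict

# Constructed sample: trimmed `radosgw-admin zone get` output for two zones
# that belong to two different realms. Field names are the real ones; the
# ids, zone names and pool names are invented for this example.
ZONES_JSON = [
    """{
      "id": "zone-a-id", "name": "zone-a", "realm_id": "realm-A",
      "user_keys_pool": "zone-a.rgw.meta:users.keys",
      "user_uid_pool": "zone-a.rgw.meta:users.uid",
      "placement_pools": [
        {"key": "default-placement",
         "val": {"index_pool": "zone-a.rgw.buckets.index",
                 "storage_classes": {"STANDARD": {"data_pool": "zone-a.rgw.buckets.data"}}}},
        {"key": "archive-placement",
         "val": {"index_pool": "zone-a.rgw.archive.index",
                 "storage_classes": {"STANDARD": {"data_pool": "zone-a.rgw.archive.data"}}}}
      ]
    }""",
    """{
      "id": "zone-b-id", "name": "zone-b", "realm_id": "realm-B",
      "user_keys_pool": "zone-b.rgw.meta:users.keys",
      "user_uid_pool": "zone-b.rgw.meta:users.uid",
      "placement_pools": [
        {"key": "default-placement",
         "val": {"index_pool": "zone-b.rgw.buckets.index",
                 "storage_classes": {"STANDARD": {"data_pool": "zone-b.rgw.buckets.data"}}}}
      ]
    }""",
]

# Constructed sample: trimmed `radosgw-admin user info` output for three users.
USERS_JSON = """[
  {"user_id": "alice", "tenant": "", "default_placement": "default-placement", "placement_tags": []},
  {"user_id": "bob",   "tenant": "", "default_placement": "archive-placement", "placement_tags": []},
  {"user_id": "carol", "tenant": "", "default_placement": "",                  "placement_tags": []}
]"""


def placement_index(zones):
    """Map placement key -> {zone name: (realm_id, sorted data pools)}.

    Built from each zone's placement_pools list, so one key (for example
    default-placement) appears once per zone that defines it.
    """
    index = defaultdict(dict)
    for zone in zones:
        for entry in zone["placement_pools"]:
            pools = sorted(sc["data_pool"] for sc in entry["val"]["storage_classes"].values())
            index[entry["key"]][zone["name"]] = (zone["realm_id"], pools)
    return index


def audit_user(user, index, zone_names):
    """Describe where this user's new buckets would be placed, per zone.

    The placement key is resolved by the RGW serving the request, in that
    RGW's own zone, so the same default_placement maps to different pools
    (and realms) in every zone that defines it.
    """
    key = user["default_placement"]
    report = {"user": user["user_id"], "placement": key or None,
              "realms": set(), "pools": {}, "missing_in": [], "note": ""}
    if not key:
        report["note"] = "no default_placement: the zonegroup default applies in every zone"
        return report
    hits = index.get(key, {})
    for zone_name in zone_names:
        if zone_name in hits:
            realm, pools = hits[zone_name]
            report["realms"].add(realm)
            report["pools"][zone_name] = pools
        else:
            report["missing_in"].append(zone_name)
    if len(report["realms"]) > 1:
        report["note"] = "placement target exists in several realms: not realm-bound"
    elif report["missing_in"]:
        report["note"] = "placement target undefined in some zones: steers data, grants or denies no access"
    return report


def run_audit(zones_json=ZONES_JSON, users_json=USERS_JSON):
    """Parse the sample output and audit every user; returns {user_id: report}."""
    zones = [json.loads(z) for z in zones_json]
    users = json.loads(users_json)
    index = placement_index(zones)
    names = [z["name"] for z in zones]
    return {u["user_id"]: audit_user(u, index, names) for u in users}


if __name__ == "__main__":
    for uid, rep in run_audit().items():
        print(uid, rep["placement"], sorted(rep["realms"]), rep["missing_in"], rep["note"])
```

To run it against a real cluster, replace the two constructed strings with the output of `radosgw-admin zone get --rgw-zone=<name>` for each zone and of `radosgw-admin user info --uid=<user>` for each user; the audit logic is unchanged.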
On 7/7/25 17:19, Michel Jouvin wrote:
Hi,

We have several RGW realms hosted in the same Ceph cluster. Looking at how to restrict access to one realm to some users (among all existing ones), I don't find the information. Looking at user/realm/zonegroup/zone parameters, I don't see anything that would allow this. I saw in https://docs.ceph.com/en/latest/radosgw/account/#radosgw-account a few words about tenant isolation but it is not clear to me if it is the same thing and how you achieve it.

Thanks in advance for any hint!

Best regards,

Michel
_______________________________________________
ceph-users mailing list -- ceph-users@ceph.io
To unsubscribe send an email to ceph-users-le...@ceph.io
