Hi Florian, Both integrations will coexist. As noted, RGW provides a native implementation for authenticating against external OIDC providers that leverages a subset of the AWS IAM/STS API.
Following this model offers significant advantages:
- Granular Control: Enables robust RBAC (Role-Based Access Control) and ABAC (Attribute-Based Access Control).
- Enhanced Security: Inherits the security benefits of the STS (Security Token Service) model, such as temporary credentials.
- Ecosystem Compatibility: By adhering to AWS standards, we ensure seamless integration with the broader ecosystem, including Backup & Restore tools and Iceberg REST API catalogs, without additional configuration.

Agreed, the initial setup for an RGW OIDC provider is a bit complex. We are looking to simplify this by integrating the setup workflow directly into the Ceph Dashboard soon.

Regarding the *mgmt-gateway + oauth2-proxy*: In theory (not something I have tested), oauth2-proxy can act as the OIDC provider for RGW. By using AssumeRoleWithWebIdentity, users can authenticate to RGW using a JWT provided by oauth2-proxy. If your proxy is already linked to an IDP, it effectively bridges that identity to RGW. Not sure if this is a good idea, as you create dependencies, and the users for the dashboard (admins) and RGW (end users) are completely different. Also, how the attributes are minted in the JWT by oauth2-proxy for RGW to use would need to be checked.

Regards.
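As an added illustration of the last point (not code from this thread, from Ceph or from oauth2-proxy), the snippet below decodes the claims of a constructed JWT and evaluates them offline against a role trust policy in the AWS IAM format that RGW accepts, listing which conditions the token would fail before any AssumeRoleWithWebIdentity call is attempted. The provider host, client id, claim values and the mapping of the app_id condition key to the token's aud claim are assumptions made for the example.

```python
import base64
import fnmatch
import json

# Constructed sample trust policy; provider host and client id are placeholders.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": ["arn:aws:iam:::oidc-provider/proxy.example.internal"]},
        "Action": ["sts:AssumeRoleWithWebIdentity"],
        "Condition": {
            "StringEquals": {"proxy.example.internal:app_id": "rgw-client"},
            "StringLike": {"proxy.example.internal:sub": "user-*"},
        },
    }],
}


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT without checking its signature.
    Inspection only: the gateway, not this helper, verifies the signature."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def missing_condition_keys(policy: dict, claims: dict, provider: str) -> list:
    """List every condition in the policy that the claims would not satisfy.
    Condition keys are '<provider>:<claim>'; app_id is compared against the
    token's aud claim (an assumption about how the key maps to the token)."""
    failures = []
    for stmt in policy["Statement"]:
        for op, conds in stmt.get("Condition", {}).items():
            for key, expected in conds.items():
                host, _, claim = key.partition(":")
                if host != provider:
                    continue
                actual = claims.get("aud" if claim == "app_id" else claim)
                values = actual if isinstance(actual, list) else [actual]
                if op == "StringEquals":
                    ok = expected in values
                elif op == "StringLike":
                    ok = any(fnmatch.fnmatchcase(str(v), expected) for v in values)
                else:
                    ok = False  # unsupported operator: report it rather than pass
                if not ok:
                    failures.append(f"{op} {key}={expected!r} (token has {actual!r})")
    return failures


def make_unsigned_jwt(claims: dict) -> str:
    """Build a constructed alg=none token for offline testing only."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."
```

Run the check against a token actually issued by the proxy to see which claims it mints and whether the trust policy's conditions line up with them.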
