feat: allow provisioning subuser for bucket access #36
Conversation
@shaxbee Thanks for the PR and the very good code clean-up. Please update the documentation and examples as well. But I have a few questions regarding this feature: Who should create the "Parent" user? Do we expect the end-user to create it, or ceph-cosi-driver? If the ceph cosi driver creates the user, do we need to store the credentials? Currently, all the buckets are created using the credentials from the secret referred to here. Do you think the Parent user should create the buckets for those BucketClasses for management purposes?
Hello @thotz. Parent is optional and defined in the same secret as used by bucketaccess. We expect the user who provisions the bucket access class to populate Parent if applicable. I'd like to have the ability to have different parents for different classes. Speaking about tests, I was thinking about using https://github.com/dnaeon/go-vcr in replay-only mode with prerecorded, sanitized responses instead of mocking the http client. WDYT? Regards,
I do understand Parent is an optional parameter. What I meant is, for example: if I have two bucketclasses BC1 and BC2 which have owner1 and owner2 as the parent users, and I create bucketclaims p1..p5 in BC1 and q1..q10 in BC2, then owner1 owns five buckets p{1..5} and owner2 owns ten buckets q{1..10}. If there are two bucketaccessclasses, BA1 pointing to p1 and BA2 pointing to p2, then there will be two subusers for owner1, with access granted to p1 and p2 respectively. The drawback here is that even though we create the users owner1 and owner2, the deletion part is currently out of our hands. We may need to check bucketclass creation/deletion. I am a bit worried about policies involving a sub-user whose parent user does not have any permissions on the bucket; that seems logically inappropriate to me. Another question: do you know the limit on the sub-user count for an rgw user? In the latest version, I found out that both bucketclass and bucketaccessclass can be modified post creation, which might not be suitable for this feature.
Sounds good to me.
@thotz I'm not aware of a limit on subusers.
Would the
Allow creation/deletion of a subuser if Parent is specified in objectStoreUserSecret. This enables better management of quota and reduces the capabilities required for the ceph-cosi user.