Keystone authentication and the Ceph Object Gateway
Organizations that use OpenStack Keystone to authenticate users can integrate Keystone with the Ceph Object Gateway. With the integration in place, the gateway accepts a Keystone token, authenticates the user, and creates a corresponding Ceph Object Gateway user. When Keystone validates a token, the gateway considers the user authenticated.

The integration provides the following:

- Assigning admin, member, and reader roles to users with Keystone.
- Automatic user creation in the Ceph Object Gateway.
- Managing users with Keystone.
- Periodic queries from the Ceph Object Gateway to Keystone for a list of revoked tokens.
Roles for Keystone authentication
The roles used for Keystone authentication are admin, member, and reader. These roles are hierarchical: users with the admin role inherit the capabilities of the member role, and users with the member role inherit the capabilities of the reader role. The member role's read permissions apply only to objects of the project that it belongs to.

- admin: The admin role is reserved for the highest level of authorization within a particular scope. This usually includes all the create, read, update, or delete operations on a resource or API.
- member: The member role is not used directly by default. It provides flexibility during deployments and helps reduce responsibility for administrators. For example, you can override a policy for a deployment by using the default member role and a simple policy override to allow system members to update services and endpoints. This provides a layer of authorization between the admin and reader roles.
- reader: The reader role is reserved for read-only operations regardless of the scope. Important: If you use a reader to access sensitive information such as image license keys, administrative image data, administrative volume metadata, application credentials, and secrets, you might unintentionally expose sensitive information. Hence, APIs that expose these resources should carefully consider the impact of the reader role and appropriately defer access to the member and admin roles.
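As an added example that is not part of the original page or of the Ceph project's own documentation, the following ceph.conf fragment shows how a Ceph Object Gateway instance is pointed at Keystone for the token validation described above and which of the three roles it accepts. The instance section name, the Keystone host name, the domain and project names, and the service credential are assumed placeholders; the option names are the standard rgw keystone settings.

```ini
# Added example (not from the original page): ceph.conf fragment enabling
# Keystone authentication on one Ceph Object Gateway instance.
# The section name, host name, domain/project names and credential are
# placeholders chosen for this example.
[client.rgw.gateway-1]
# Keystone v3 endpoint the gateway contacts to validate tokens.
rgw keystone url = https://keystone.example.internal:5000
rgw keystone api version = 3

# Service credential the gateway uses when validating tokens. Use a
# dedicated service account, not a person's account, and keep this file
# readable only by the gateway's service user.
rgw keystone admin user = rgw-service-user
rgw keystone admin password = <PLACEHOLDER-SERVICE-PASSWORD>
rgw keystone admin domain = Default
rgw keystone admin project = service

# Roles a token must carry for the gateway to accept it, and the subset
# of those roles that maps to gateway administrator capabilities.
# Listing only admin here keeps member and reader tokens unprivileged.
rgw keystone accepted roles = admin, member, reader
rgw keystone accepted admin roles = admin

# Cache validated tokens so every request does not round-trip to Keystone.
rgw keystone token cache size = 10000

# Map each Keystone project to its own gateway tenant so that one
# project's buckets and objects are isolated from another's.
rgw keystone implicit tenants = true

# Validate Keystone's TLS certificate. Setting this to false lets an
# on-path attacker forge token validation responses; keep it true.
rgw keystone verify ssl = true
```

After changing these settings, restart the gateway instance and confirm that a Keystone token carrying only the reader role can list but not create objects, while a token with the admin role is accepted for administrative operations.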