git.apps.os.sepia.ceph.com Git - ceph-ci.git/commit

author	Pete Zaitcev <zaitcev@kotori.zaitcev.us>
	Thu, 9 Jun 2022 22:31:16 +0000 (17:31 -0500)
committer	Pete Zaitcev <zaitcev@kotori.zaitcev.us>
	Tue, 28 Feb 2023 22:35:27 +0000 (16:35 -0600)
commit	07f947684cce6742fc49528f3665e6a9d839aee5
tree	a2bc487d52d3911738e7ffb7cd3249425ccfe83e	tree \| snapshot
parent	0aef3d9741dfe22982ad4824965d0fb20d74bcd1	commit \| diff

RGW: Add a reader feature

This feature is prompted by a desire to audit contents of
a cluster safely. Currently, such task is done by a privileged
account, which can damage the data by accident. In this
situation, using an account that can only read is an application
of the least privilege.

Note that the reader is a role in RBAC. So, an account can have
both a reader role and a normal user role. The latter allows it to
write the audit report into the cluster, if the operator wants that.

In OpenStack terms, this reader is known as "system reader persona".

Signed-off-by: Pete Zaitcev <zaitcev@redhat.com>

src/common/options/rgw.yaml.in		diff \| blob \| history
src/rgw/rgw_auth_keystone.cc		diff \| blob \| history
src/rgw/rgw_auth_keystone.h		diff \| blob \| history
src/rgw/rgw_keystone.cc		diff \| blob \| history
src/rgw/rgw_keystone.h		diff \| blob \| history