From 5fb3a06a742118df922f4f79ae72afa2bcd4f432 Mon Sep 17 00:00:00 2001 From: Casey Bodley Date: Thu, 17 Apr 2025 17:52:27 -0400 Subject: [PATCH] doc/rgw: document Admin and System Users Signed-off-by: Casey Bodley (cherry picked from commit dc93b888f16793b00390b32d6814f9243b6808e2) --- doc/radosgw/admin.rst | 36 +++++++++++++++++++++++++++++++++++- 1 file changed, 35 insertions(+), 1 deletion(-) diff --git a/doc/radosgw/admin.rst b/doc/radosgw/admin.rst index e772190d375c6..922b5a9595efb 100644 --- a/doc/radosgw/admin.rst +++ b/doc/radosgw/admin.rst @@ -396,8 +396,41 @@ following form: .. prompt:: bash radosgw-admin caps rm --uid=johndoe --caps={caps} - +Admin and System Users +---------------------- + +Users with the ``--admin`` or ``--system`` flag have global read and write +permissions. These permissions apply to all APIs including S3 and Swift, +unlike Admin Capabilities, and cannot be denied by IAM policy. + +The ``--system`` flag should only be used as documented in `Multisite Configuration`_. + +The ``--admin`` flag can be useful for troubleshooting and recovery. For +example, if a user accidentally removes their permissions to a bucket or +object, the admin user's credentials can be used to issue the S3/Swift API +requests necessary to restore them. + +.. warning:: When not in use, consider deleting the admin user or disabling + its access keys. Do not give admin permissions to untrusted users. + +To create an admin user: + +.. prompt:: bash + + radosgw-admin user create --uid={username} --display-name="{display-name}" --admin + +To add the admin flag to an existing user: + +.. prompt:: bash + + radosgw-admin user modify --uid={username} --admin + +To remove the admin flag from an existing user: + +.. prompt:: bash + + radosgw-admin user modify --uid={username} --admin=0 Quota Management ================ 
@@ -902,3 +935,4 @@ example commands: .. _Ceph Object Gateway Config Reference: ../config-ref/ .. _Accounts: ../account/ .. _Admin Ops API: ../adminops/ +.. _Multisite Configuration: ../multisite/ -- 2.39.5
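Review bot: In the first hunk, the warning in the new "Admin and System Users" section tells operators to delete the admin user or disable its access keys when not in use, but the prompt blocks that follow only cover creating the user and setting or clearing ``--admin``. Suggest adding the commands for those two actions, or a link to the section that documents them, directly after the warning. The warning could also name ``radosgw-admin user modify --uid={username} --admin=0`` as a further option, since the hunk already documents it a few lines later. Two smaller points in the same hunk: the sentence "These permissions apply to all APIs including S3 and Swift, unlike Admin Capabilities, and cannot be denied by IAM policy" would read more clearly split in two, so that the contrast with Admin Capabilities attaches only to the API scope. And because both flags grant permissions that IAM policy cannot deny, a sentence on how to check whether a given user carries ``--admin`` or ``--system`` would let operators audit this access.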