Page MenuHomePhabricator
Create Task
Maniphest T396594

Create OpenStack role that allows object storage access only
Closed, ResolvedPublic
Actions

Description

Currently access to radosgw requires project membership. That's more access than most service accounts for reading and writing to object storage need, so there should be a separate role that allows access to Rados but nothing else.

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
keystone policy: allow object_storage role to create/delete ec2 credsoperations/puppetproduction+5 -0
Add radosgw access for members of the new 'object_storage' role.operations/puppetproduction+1 -1
Customize query in gerrit

Related Objects
Search...

Event Timeline

taavi created this task.Jun 11 2025, 12:02 PM
fnegri triaged this task as Medium priority.Jun 11 2025, 1:56 PM
Andrew added a comment.Jun 11 2025, 9:55 PM

In a perfect world this role would be managed with tofu (T396671) but it's trivial to create by hand, and the good bits are going to be in the ceph config.

Stashbot added a comment.Jun 11 2025, 9:58 PM

Mentioned in SAL (#wikimedia-cloud) [2025-06-11T21:58:25Z] <andrewbogott> created new keystone role in eqiad1 and codfw1dev, 'object_storage' T396594

gerritbot added a comment.Jun 11 2025, 10:01 PM

Change #1155775 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):

[operations/puppet@production] Add radosgw access for members of the new 'object_storage' role.

https://gerrit.wikimedia.org/r/1155775

gerritbot added a project: Patch-For-Review.Jun 11 2025, 10:01 PM
taavi removed a subtask: T396671: Support keystone role management with tofu-infra.Jun 12 2025, 8:20 AM
gerritbot added a comment.Jun 17 2025, 5:12 PM

Change #1155775 merged by Andrew Bogott:

[operations/puppet@production] Add radosgw access for members of the new 'object_storage' role.

https://gerrit.wikimedia.org/r/1155775

Maintenance_bot removed a project: Patch-For-Review.Jun 17 2025, 5:31 PM
taavi closed this task as Resolved.Jun 18 2025, 2:04 PM
taavi assigned this task to Andrew.

I haven't actually tried this out but in theory this is done.

taavi reopened this task as Open.Jun 24 2025, 8:34 AM

Minor problem: this role doesn't have access to create ec2 creds:

taavi@cloudcontrol1007 ~ $  export OS_PASSWORD=...
taavi@cloudcontrol1007 ~ $ openstack --os-auth-url https://keystone.openstack.eqiad1.wikimediacloud.org --os-username toolsbeta-logging --os-domain-id default --os-project-name toolsbeta-logging ec2 credentials create 
You are not authorized to perform the requested action: identity:ec2_create_credential. (HTTP 403) (Request-ID: req-ae61f6c3-affa-4197-a49d-76bbbf2dac38)

The ec2 credential policies are set to rule:admin_or_owner which doesn't include this new role.

gerritbot added a comment.Jun 25 2025, 7:38 PM

Change #1163864 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):

[operations/puppet@production] keystone policy: allow object_storage role to create/delete ec2 creds

https://gerrit.wikimedia.org/r/1163864

gerritbot added a project: Patch-For-Review.Jun 25 2025, 7:38 PM
gerritbot added a comment.Jul 1 2025, 3:20 PM

Change #1163864 merged by Andrew Bogott:

[operations/puppet@production] keystone policy: allow object_storage role to create/delete ec2 creds

https://gerrit.wikimedia.org/r/1163864

Maintenance_bot removed a project: Patch-For-Review.Jul 1 2025, 3:31 PM
Andrew closed this task as Resolved.Jul 2 2025, 1:58 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits