
prepopulating projects in radosgw-backed Swift #73

Open
jtriley opened this issue Nov 28, 2022 · 2 comments
Comments

@jtriley
Contributor

jtriley commented Nov 28, 2022

We're now running a Ceph RadosGW instance with Swift support for object storage within OpenStack. This works fine; however, we've run into an issue when setting quotas from Coldfront on newly created projects:

Account HEAD failed: https://stack.nerc.mghpcc.org:13808/v1/AUTH_$PROJECT_ID_HERE 403 Forbidden 

Looking into this, we discovered that projects are lazily created in the radosgw instance whenever a user from a given project successfully auths for the first time. As a consequence, it's not possible to set quotas before a member of the project has successfully auth'd to the Swift endpoint given that the resource doesn't exist yet. This leads to the 403 error above.

Unfortunately, using the coldfront application credential is not sufficient to trigger swift account setup as far as I can tell. The only solution we've come up with that works is to create a temporary application credential in the newly created project, use the temp credential to do a swift stat call, then clean up the temporary credential and set the desired quota. This works but unfortunately requires an admin user and password; application credentials cannot create other app credentials in a different project scope, it seems.

We have some proof-of-concept code that works but before we make a PR we wanted to discuss in case there's a better way to go about this.

Thoughts?
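A sketch of the temporary-credential workaround described above, added here as an example that is not from the issue or from the Coldfront plugin. It assumes python-keystoneclient and python-swiftclient, a keystone client whose token the admin has already scoped to the new project, and a constructed credential name; the library calls are isolated in one helper so the prime-then-cleanup logic (cleanup runs even when the account HEAD fails) can be exercised with fakes.

```python
"""Prime a lazily created radosgw Swift account, then set its quota.

Steps from the issue: an admin session scoped to the new project creates a
temporary application credential there, a session built from that credential
does an account HEAD ("swift stat") so radosgw creates AUTH_<project>, the
credential is deleted, and only then is the quota posted.
"""
import uuid


def build_swift_connection(auth_url, app_cred_id, app_cred_secret):
    """Real client construction; assumes keystoneauth1 and swiftclient."""
    from keystoneauth1 import session
    from keystoneauth1.identity import v3
    import swiftclient.client

    auth = v3.ApplicationCredential(
        auth_url=auth_url,
        application_credential_id=app_cred_id,
        application_credential_secret=app_cred_secret,
    )
    return swiftclient.client.Connection(session=session.Session(auth=auth))


def prime_account_and_set_quota(keystone, connect_swift, quota_swift, quota_bytes):
    """keystone: keystoneclient v3 Client scoped (as admin) to the new project.
    connect_swift(cred_id, secret): returns a swiftclient Connection that
    authenticates as the temporary credential (e.g. build_swift_connection).
    quota_swift: the normal project-scoped Connection used for the quota POST.
    Returns the account metadata dict from the priming HEAD."""
    name = "swift-prime-" + uuid.uuid4().hex  # constructed, hypothetical name
    cred = keystone.application_credentials.create(name=name)
    try:
        # First successful auth against the Swift endpoint makes radosgw
        # create the account; before this, HEAD/POST return 403.
        account = connect_swift(cred.id, cred.secret).head_account()
    finally:
        # Always remove the temporary credential, even if the HEAD failed,
        # so no stray credential is left behind in the new project.
        keystone.application_credentials.delete(cred.id)
    quota_swift.post_account(
        headers={"X-Account-Meta-Quota-Bytes": str(int(quota_bytes))})
    return account
```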

@knikolla
Collaborator

@jtriley So there are 3 approaches that I can think of, in decreasing order of access permissions.

  1. Authenticate as the Keycloak admin and impersonate the user, authenticating and issuing a swift API call.
  2. Switch to username and password for the admin user instead of an application credential to allow the admin user to rescope to a different project (as they have an inherited role assignment and therefore already have access to all projects, but not through the application credential).
  3. Create a temporary user with username and password, authenticate as them to force the project creation in rgw, set the quotas and then delete them.

I guess the one that requires the least amount of work and change is the third option.

@knikolla knikolla assigned jtriley and unassigned knikolla Dec 20, 2022
@knikolla
Collaborator

As far as I know, this work is being done by @jtriley. Therefore I unassigned myself.
