=============================
Ceph Object Gateway IAM API
=============================

.. versionadded:: Squid

The Ceph Object Gateway supports a subset of the `Amazon IAM API`_ for
the RESTful management of account users, roles, and associated policies.

This REST API is served by the same HTTP endpoint as the
`Ceph Object Gateway S3 API`_.

Authorization
=============
By default, only :ref:`Account Root Users <radosgw-account-root-user>` are
authorized to use the IAM API, and can only see the resources under their own
account. The account root user can use policies to delegate these permissions
to other users or roles in the account.
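
Because delegation is done through policies, the ``iam:`` actions in a policy decide who else can manage users, keys and policies in the account. The following is an added example, not part of the Ceph documentation: it expands the ``iam:`` action patterns of a policy document against the actions listed in the Feature Support tables on this page, so a reviewer can see what its Allow statements hand out. The function names and the sample policy are constructed for illustration; Deny, Resource and Condition are not evaluated.

```python
import json
import re

# Action names copied from the Feature Support tables on this page.
SUPPORTED = """
CreateUser GetUser UpdateUser DeleteUser ListUsers CreateAccessKey
UpdateAccessKey DeleteAccessKey ListAccessKeys PutUserPolicy GetUserPolicy
DeleteUserPolicy ListUserPolicies AttachUserPolicies DetachUserPolicy
ListAttachedUserPolicies CreateGroup GetGroup UpdateGroup DeleteGroup ListGroups
AddUserToGroup RemoveUserFromGroup ListGroupsForUser PutGroupPolicy
GetGroupPolicy DeleteGroupPolicy ListGroupPolicies AttachGroupPolicies
DetachGroupPolicy ListAttachedGroupPolicies CreateRole GetRole UpdateRole
UpdateAssumeRolePolicy DeleteRole ListRoles TagRole UntagRole ListRoleTags
PutRolePolicy GetRolePolicy DeleteRolePolicy ListRolePolicies AttachRolePolicies
DetachRolePolicy ListAttachedRolePolicies CreateOpenIDConnectProvider
GetOpenIDConnectProvider DeleteOpenIDConnectProvider ListOpenIDConnectProviders
""".split()

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(pattern, name):
    # IAM-style wildcards: '*' matches any run of characters, '?' exactly one.
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, name, re.IGNORECASE) is not None

def audit_delegation(policy_json):
    """Return the page-listed IAM actions granted by the policy's Allow statements."""
    granted, unmatched = set(), []
    for stmt in _as_list(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue  # over-approximation: Deny statements are not subtracted
        for pattern in _as_list(stmt.get("Action", [])):
            if pattern != "*" and not pattern.lower().startswith("iam:"):
                continue  # other services (s3:, sts:, ...) are out of scope
            action = pattern.split(":", 1)[-1]
            hits = {a for a in SUPPORTED if _matches(action, a)}
            granted |= hits
            if not hits:
                unmatched.append(pattern)  # not an action listed on this page
    read_only = {a for a in granted if a.startswith(("Get", "List"))}
    return {"read_only": sorted(read_only), "mutating": sorted(granted - read_only),
            "unmatched": unmatched}

# Constructed sample policy, not taken from the Ceph documentation.
SAMPLE = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["iam:List*", "iam:GetUser"], "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:*AccessKey", "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:CreateLoginProfile", "Resource": "*"}]})
print(json.dumps(audit_delegation(SAMPLE), indent=2))
```

Entries under ``mutating`` are the ones to review before attaching the policy, since they let the delegate change credentials or permissions rather than only read them.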

Feature Support
===============

The following tables describe the currently supported IAM actions.

Users
-----

+------------------------------+---------------------------------------------+
| Action                       | Remarks                                     |
+==============================+=============================================+
| **CreateUser**               |                                             |
+------------------------------+---------------------------------------------+
| **GetUser**                  |                                             |
+------------------------------+---------------------------------------------+
| **UpdateUser**               |                                             |
+------------------------------+---------------------------------------------+
| **DeleteUser**               |                                             |
+------------------------------+---------------------------------------------+
| **ListUsers**                |                                             |
+------------------------------+---------------------------------------------+
| **CreateAccessKey**          |                                             |
+------------------------------+---------------------------------------------+
| **UpdateAccessKey**          |                                             |
+------------------------------+---------------------------------------------+
| **DeleteAccessKey**          |                                             |
+------------------------------+---------------------------------------------+
| **ListAccessKeys**           |                                             |
+------------------------------+---------------------------------------------+
| **PutUserPolicy**            |                                             |
+------------------------------+---------------------------------------------+
| **GetUserPolicy**            |                                             |
+------------------------------+---------------------------------------------+
| **DeleteUserPolicy**         |                                             |
+------------------------------+---------------------------------------------+
| **ListUserPolicies**         |                                             |
+------------------------------+---------------------------------------------+
| **AttachUserPolicies**       |                                             |
+------------------------------+---------------------------------------------+
| **DetachUserPolicy**         |                                             |
+------------------------------+---------------------------------------------+
| **ListAttachedUserPolicies** |                                             |
+------------------------------+---------------------------------------------+

Groups
------

+-------------------------------+--------------------------------------------+
| Action                        | Remarks                                    |
+===============================+============================================+
| **CreateGroup**               |                                            |
+-------------------------------+--------------------------------------------+
| **GetGroup**                  |                                            |
+-------------------------------+--------------------------------------------+
| **UpdateGroup**               |                                            |
+-------------------------------+--------------------------------------------+
| **DeleteGroup**               |                                            |
+-------------------------------+--------------------------------------------+
| **ListGroups**                |                                            |
+-------------------------------+--------------------------------------------+
| **AddUserToGroup**            |                                            |
+-------------------------------+--------------------------------------------+
| **RemoveUserFromGroup**       |                                            |
+-------------------------------+--------------------------------------------+
| **ListGroupsForUser**         |                                            |
+-------------------------------+--------------------------------------------+
| **PutGroupPolicy**            |                                            |
+-------------------------------+--------------------------------------------+
| **GetGroupPolicy**            |                                            |
+-------------------------------+--------------------------------------------+
| **DeleteGroupPolicy**         |                                            |
+-------------------------------+--------------------------------------------+
| **ListGroupPolicies**         |                                            |
+-------------------------------+--------------------------------------------+
| **AttachGroupPolicies**       |                                            |
+-------------------------------+--------------------------------------------+
| **DetachGroupPolicy**         |                                            |
+-------------------------------+--------------------------------------------+
| **ListAttachedGroupPolicies** |                                            |
+-------------------------------+--------------------------------------------+

Roles
-----

+------------------------------+---------------------------------------------+
| Action                       | Remarks                                     |
+==============================+=============================================+
| **CreateRole**               |                                             |
+------------------------------+---------------------------------------------+
| **GetRole**                  |                                             |
+------------------------------+---------------------------------------------+
| **UpdateRole**               |                                             |
+------------------------------+---------------------------------------------+
| **UpdateAssumeRolePolicy**   |                                             |
+------------------------------+---------------------------------------------+
| **DeleteRole**               |                                             |
+------------------------------+---------------------------------------------+
| **ListRoles**                |                                             |
+------------------------------+---------------------------------------------+
| **TagRole**                  |                                             |
+------------------------------+---------------------------------------------+
| **UntagRole**                |                                             |
+------------------------------+---------------------------------------------+
| **ListRoleTags**             |                                             |
+------------------------------+---------------------------------------------+
| **PutRolePolicy**            |                                             |
+------------------------------+---------------------------------------------+
| **GetRolePolicy**            |                                             |
+------------------------------+---------------------------------------------+
| **DeleteRolePolicy**         |                                             |
+------------------------------+---------------------------------------------+
| **ListRolePolicies**         |                                             |
+------------------------------+---------------------------------------------+
| **AttachRolePolicies**       |                                             |
+------------------------------+---------------------------------------------+
| **DetachRolePolicy**         |                                             |
+------------------------------+---------------------------------------------+
| **ListAttachedRolePolicies** |                                             |
+------------------------------+---------------------------------------------+

OpenIDConnectProvider
---------------------

+---------------------------------+------------------------------------------+
| Action                          | Remarks                                  |
+=================================+==========================================+
| **CreateOpenIDConnectProvider** |                                          |
+---------------------------------+------------------------------------------+
| **GetOpenIDConnectProvider**    |                                          |
+---------------------------------+------------------------------------------+
| **DeleteOpenIDConnectProvider** |                                          |
+---------------------------------+------------------------------------------+
| **ListOpenIDConnectProviders**  |                                          |
+---------------------------------+------------------------------------------+

.. _Amazon IAM API: https://docs.aws.amazon.com/IAM/latest/APIReference/welcome.html
.. _Ceph Object Gateway S3 API: ../s3/