=========================
 Authentication and ACLs
=========================

Requests to the RADOS Gateway (RGW) can be either authenticated or
unauthenticated. RGW assumes unauthenticated requests are sent by an anonymous
user. RGW supports canned ACLs (the predefined S3 ACLs such as ``private`` and
``public-read``, requested with the ``x-amz-acl`` header).

Authentication
--------------

Authenticating a request requires including an access key and a Hash-based
Message Authentication Code (HMAC) in the request before it is sent to the
RGW server. The HMAC is computed with the secret key that belongs to the access
key, over a canonical string derived from the request; the secret key itself is
never transmitted. RGW uses an S3-compatible authentication approach. The scheme
described here is AWS Signature Version 2 (HMAC-SHA1); newer RGW releases also
accept Signature Version 4 (HMAC-SHA256), which is not covered on this page.

::

   PUT /buckets/bucket/object.mpeg HTTP/1.1
   Host: cname.domain.com
   Date: Mon, 2 Jan 2012 00:01:01 +0000
   Content-Type: video/mpeg
   Content-Length: 9999999

   Authorization: AWS {access-key}:{hash-of-header-and-secret}

In the foregoing example, replace ``{access-key}`` with the value for your access
key ID followed by a colon (``:``). Replace ``{hash-of-header-and-secret}`` with
a hash of the header string and the secret corresponding to the access key ID.

The "header string" is the S3 string to sign. It consists of, in order, the
HTTP verb, the ``Content-MD5`` value, the ``Content-Type`` value and the
``Date`` value, each terminated by a newline, followed by the canonical
``x-amz-`` header block described below (which already ends each field with a
newline) and finally the canonical resource (the bucket and object path, plus
any sub-resource such as ``?acl``). A part that is absent from the request
still contributes its newline, so the parts keep their positions. If the
request carries ``x-amz-date``, the ``Date`` part is left empty because the
date is then covered by the ``x-amz-`` block. Because the date is signed, RGW
rejects requests whose ``Date`` is too far from its own clock; this also bounds
the window in which a captured request can be replayed.

To generate the hash of the header string and secret, you must:

#. Assemble the header string from the request as described above.

#. Normalize the ``x-amz-`` request headers into canonical form.

#. Generate an HMAC using a SHA-1 hashing algorithm, keyed with the secret key.
   See `RFC 2104`_ and `HMAC`_ for details.

#. Encode the ``hmac`` result as base-64.

To normalize the header into canonical form:

#. Get all fields beginning with ``x-amz-``.

#. Ensure that the fields are all lowercase.

#. Sort the fields lexicographically.

#. Combine multiple instances of the same field name into a
   single field and separate the field values with a comma.

#. Replace white space and line breaks in field values with a single space.

#. Remove white space before and after colons.

#. Append a new line after each field.

#. Merge the fields back into the header.

Replace the ``{hash-of-header-and-secret}`` with the base-64 encoded HMAC string.
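The signing procedure above, carried through as an added Python example (this is illustration code written for this page, not RGW's or the Ceph project's own implementation). It builds the canonical ``x-amz-`` block exactly as listed, assembles the complete string to sign (verb, ``Content-MD5``, ``Content-Type``, ``Date``, canonical headers, canonical resource), produces the ``Authorization`` value, and shows the server-side check that recomputes and compares the signature. The access key, secret, sample headers and the ``lookup_secret`` callable are constructed for the example; the canonical resource is passed in explicitly because its form depends on whether the request is path-style or virtual-hosted.

```python
"""Client-side signing and server-side verification of an S3-style
(AWS Signature Version 2) request, following the canonicalization steps
above.  Example code added for this page, not RGW's own implementation."""
import base64
import hashlib
import hmac


def canonicalize_amz_headers(headers):
    """Return the CanonicalizedAmzHeaders block.

    ``headers`` is a list of (name, value) pairs as received.  Only ``x-amz-``
    fields take part; names are lowercased, repeated fields are merged with
    commas, whitespace runs (including folded line breaks) collapse to one
    space, and each field ends with a newline.
    """
    merged = {}
    for name, value in headers:
        lname = name.strip().lower()
        if not lname.startswith("x-amz-"):
            continue
        # str.split() also strips the whitespace around the colon.
        merged.setdefault(lname, []).append(" ".join(value.split()))
    return "".join(f"{name}:{','.join(values)}\n"
                   for name, values in sorted(merged.items()))


def string_to_sign(method, headers, canonical_resource):
    """Build the full StringToSign for Signature Version 2.

    Besides the x-amz- block, the signed string covers the HTTP verb,
    Content-MD5, Content-Type, Date and the canonical resource (bucket and key
    path plus any sub-resource such as ``?acl``).  With ``x-amz-date`` present
    the Date slot stays empty, as the date is then inside the x-amz- block.
    """
    plain = {n.strip().lower(): " ".join(v.split()) for n, v in headers}
    date = "" if "x-amz-date" in plain else plain.get("date", "")
    return "\n".join([
        method.upper(),
        plain.get("content-md5", ""),
        plain.get("content-type", ""),
        date,
        canonicalize_amz_headers(headers) + canonical_resource,
    ])


def sign(secret_key, sts):
    """Base64(HMAC-SHA1(secret, StringToSign)); the secret never leaves the client."""
    mac = hmac.new(secret_key.encode("utf-8"), sts.encode("utf-8"), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode("ascii")


def authorization_header(access_key, secret_key, method, headers, canonical_resource):
    """Value for the ``Authorization`` request header."""
    signature = sign(secret_key, string_to_sign(method, headers, canonical_resource))
    return f"AWS {access_key}:{signature}"


def verify(lookup_secret, method, headers, canonical_resource, authorization):
    """Server side: find the secret for the presented access key, recompute the
    signature from the request as received, and compare in constant time.
    ``lookup_secret`` is a hypothetical callable (access key -> secret or None)
    standing in for the user store RGW consults."""
    if not authorization.startswith("AWS "):
        return False
    access_key, _, presented = authorization[4:].partition(":")
    secret = lookup_secret(access_key)
    if secret is None:
        return False
    expected = sign(secret, string_to_sign(method, headers, canonical_resource))
    return hmac.compare_digest(expected.encode("ascii"), presented.encode("utf-8"))


# Constructed sample request mirroring the PUT above; the keys are dummy values.
ACCESS_KEY = "EXAMPLEACCESSKEY"
SECRET_KEY = "exampleSecretKeyThatIsNotReal"
SAMPLE_HEADERS = [
    ("Host", "cname.domain.com"),
    ("Date", "Mon, 2 Jan 2012 00:01:01 +0000"),
    ("Content-Type", "video/mpeg"),
    ("X-Amz-Meta-Reviewer", "alice"),
    ("x-amz-meta-reviewer", "  bob \n  carol"),  # repeated field, folded whitespace
    ("X-Amz-Acl", "public-read"),
]
SAMPLE_RESOURCE = "/bucket/object.mpeg"


def demo():
    """Sign the sample request, verify it, then show that changing the signed
    resource invalidates the signature.  Returns (header, verified, tampered)."""
    auth = authorization_header(ACCESS_KEY, SECRET_KEY, "PUT", SAMPLE_HEADERS, SAMPLE_RESOURCE)
    lookup = {ACCESS_KEY: SECRET_KEY}.get
    ok = verify(lookup, "PUT", SAMPLE_HEADERS, SAMPLE_RESOURCE, auth)
    tampered = verify(lookup, "PUT", SAMPLE_HEADERS, "/bucket/other.mpeg", auth)
    return auth, ok, tampered


if __name__ == "__main__":
    header, verified, tampered = demo()
    print(header)
    print("verified:", verified, "after tampering:", tampered)
```

The canonical block for the sample comes out as ``x-amz-acl:public-read`` followed by ``x-amz-meta-reviewer:alice,bob carol``, which shows the lowercasing, sorting, merging and whitespace collapsing in one go; the ``Host`` header is deliberately not signed in this scheme, which is why the resource path has to be passed in its canonical form rather than taken from the request line.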

Authentication against OpenStack Keystone
-----------------------------------------

In a radosgw instance that is configured with authentication against
OpenStack Keystone, it is possible to use Keystone as an authoritative
source for S3 API authentication. To do so, you must set:

* the ``rgw keystone`` configuration options explained in :doc:`../keystone`,
* ``rgw s3 auth use keystone = true``.

In addition, a user wishing to use the S3 API must obtain an AWS-style
access key and secret key. They can do so with the ``openstack ec2
credentials create`` command::

   $ openstack --os-interface public ec2 credentials create
   +------------+---------------------------------------------------------------------------------------------------------------------------------------------+
   | Field      | Value                                                                                                                                       |
   +------------+---------------------------------------------------------------------------------------------------------------------------------------------+
   | access     | c921676aaabbccdeadbeef7e8b0eeb2c                                                                                                            |
   | links      | {u'self': u'https://auth.example.com:5000/v3/users/7ecbebaffeabbddeadbeefa23267ccbb24/credentials/OS-EC2/c921676aaabbccdeadbeef7e8b0eeb2c'} |
   | project_id | 5ed51981aab4679851adeadbeef6ebf7                                                                                                            |
   | secret     | ********************************                                                                                                            |
   | trust_id   | None                                                                                                                                        |
   | user_id    | 7ecbebaffeabbddeadbeefa23267cc24                                                                                                            |
   +------------+---------------------------------------------------------------------------------------------------------------------------------------------+

The access and secret key generated this way can then be used for S3 API
access to radosgw. The ``secret`` value, masked in the output above, is the
key used to compute the request HMAC described earlier, so it must be stored
and handled like a password.

.. note:: Most production radosgw deployments authenticating against
          OpenStack Keystone are also set up for :doc:`../multitenancy`,
          for which special considerations apply with respect to S3
          signed URLs and public read ACLs.

Access Control Lists (ACLs)
---------------------------

RGW supports S3-compatible ACL functionality. An ACL is a list of access grants
that specify which operations a user can perform on a bucket or on an object.
A grantee is either a specific user or one of the S3 groups (all users, which
includes anonymous requests, or all authenticated users). Each grant has a
different meaning when applied to a bucket versus applied to an object:

+------------------+--------------------------------------------------------+----------------------------------------------+
| Permission       | Bucket                                                 | Object                                       |
+==================+========================================================+==============================================+
| ``READ``         | Grantee can list the objects in the bucket.            | Grantee can read the object.                 |
+------------------+--------------------------------------------------------+----------------------------------------------+
| ``WRITE``        | Grantee can create, overwrite or delete any object.    | N/A                                          |
+------------------+--------------------------------------------------------+----------------------------------------------+
| ``READ_ACP``     | Grantee can read bucket ACL.                           | Grantee can read the object ACL.             |
+------------------+--------------------------------------------------------+----------------------------------------------+
| ``WRITE_ACP``    | Grantee can write bucket ACL.                          | Grantee can write to the object ACL.         |
+------------------+--------------------------------------------------------+----------------------------------------------+
| ``FULL_CONTROL`` | ``READ``, ``WRITE``, ``READ_ACP`` and ``WRITE_ACP``.   | ``READ``, ``READ_ACP`` and ``WRITE_ACP``.    |
+------------------+--------------------------------------------------------+----------------------------------------------+

Two consequences matter when granting bucket permissions. ``WRITE`` on a
bucket lets the grantee overwrite or delete every object in it, including
objects the grantee cannot read, because the object ACL is not consulted for
those operations. Conversely, ``FULL_CONTROL`` on a bucket does not by itself
grant access to the objects in it: each object carries its own ACL, and reading
an object requires ``READ`` on that object.
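The permission table above as an added Python example (illustration code written for this page, not RGW's own ACL engine). It parses an S3 ``AccessControlPolicy`` document, expands ``FULL_CONTROL`` differently for buckets and objects as the table does, treats an unauthenticated request as the anonymous user, and shows the bucket-versus-object split: the uploader with bucket ``WRITE`` may delete a private object it cannot read. The operation names, the sample ACLs and the user IDs are constructed for the example and are not RGW identifiers; the evaluator checks grants only and models no implicit owner rights.

```python
"""Decide S3-style ACL grants for bucket and object operations.

Example code added for this page (not RGW's own ACL engine): it parses an
S3 ``AccessControlPolicy`` document and applies the permission table above,
including the anonymous-user rule for unauthenticated requests."""
import xml.etree.ElementTree as ET

S3_NS = "http://s3.amazonaws.com/doc/2006-03-01/"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
ANONYMOUS = None  # an unauthenticated request is evaluated as this requester

# Concrete permission each operation needs, per the table above.  Operation
# names are this example's own; they are not RGW identifiers.
BUCKET_OPS = {"list": "READ", "put_object": "WRITE", "delete_object": "WRITE",
              "get_acl": "READ_ACP", "put_acl": "WRITE_ACP"}
OBJECT_OPS = {"get": "READ", "get_acl": "READ_ACP", "put_acl": "WRITE_ACP"}
# FULL_CONTROL expands to the concrete permissions that exist for the resource.
FULL_CONTROL = {"bucket": {"READ", "WRITE", "READ_ACP", "WRITE_ACP"},
                "object": {"READ", "READ_ACP", "WRITE_ACP"}}


def parse_acl(xml_text):
    """Return (owner_id, grants); each grant is ((kind, ident), permission)
    with kind 'user' (canonical user ID) or 'group' (group URI)."""
    # ACL bodies come from clients: cap their size before parsing and prefer
    # defusedxml in production.  The stdlib parser does not fetch external entities.
    root = ET.fromstring(xml_text)
    owner = root.findtext(f"{{{S3_NS}}}Owner/{{{S3_NS}}}ID")
    grants = []
    for grant in root.iterfind(f"{{{S3_NS}}}AccessControlList/{{{S3_NS}}}Grant"):
        grantee = grant.find(f"{{{S3_NS}}}Grantee")
        permission = grant.findtext(f"{{{S3_NS}}}Permission")
        if grantee is None or permission is None:
            raise ValueError("malformed Grant")
        kind = grantee.get(f"{{{XSI_NS}}}type")
        if kind == "CanonicalUser":
            grants.append((("user", grantee.findtext(f"{{{S3_NS}}}ID")), permission))
        elif kind == "Group":
            grants.append((("group", grantee.findtext(f"{{{S3_NS}}}URI")), permission))
        else:
            raise ValueError(f"unsupported grantee type {kind!r}")
    return owner, grants


def effective_permissions(grants, requester, resource_type):
    """Union of permissions ``requester`` (a user ID or ANONYMOUS) holds."""
    held = set()
    for (kind, ident), permission in grants:
        if kind == "group":
            applies = ident == ALL_USERS or (ident == AUTH_USERS and requester is not ANONYMOUS)
        else:
            applies = requester is not ANONYMOUS and ident == requester
        if applies:
            held |= FULL_CONTROL[resource_type] if permission == "FULL_CONTROL" else {permission}
    return held


def is_allowed(acl_xml, resource_type, operation, requester):
    """True if ``requester`` may perform ``operation`` on the resource with ACL ``acl_xml``."""
    _owner, grants = parse_acl(acl_xml)
    needed = (BUCKET_OPS if resource_type == "bucket" else OBJECT_OPS)[operation]
    return needed in effective_permissions(grants, requester, resource_type)


def _grant(kind, ident, permission):
    """Render one <Grant> element (helper for the constructed sample ACLs)."""
    tag, body = ("CanonicalUser", f"<ID>{ident}</ID>") if kind == "user" else ("Group", f"<URI>{ident}</URI>")
    return (f'<Grant><Grantee xmlns:xsi="{XSI_NS}" xsi:type="{tag}">{body}</Grantee>'
            f"<Permission>{permission}</Permission></Grant>")


def _policy(owner, grants):
    """Render a complete AccessControlPolicy document."""
    body = "".join(_grant(*g) for g in grants)
    return (f'<AccessControlPolicy xmlns="{S3_NS}"><Owner><ID>{owner}</ID></Owner>'
            f"<AccessControlList>{body}</AccessControlList></AccessControlPolicy>")


# Constructed sample: a publicly listable bucket with a separate uploader, and a private object.
BUCKET_ACL = _policy("owner-1", [("user", "owner-1", "FULL_CONTROL"),
                                 ("user", "uploader-2", "WRITE"),
                                 ("group", ALL_USERS, "READ")])
OBJECT_ACL = _policy("owner-1", [("user", "owner-1", "FULL_CONTROL")])


def demo():
    """Decisions that show the bucket/object split from the table."""
    return {
        "anonymous lists bucket": is_allowed(BUCKET_ACL, "bucket", "list", ANONYMOUS),
        "anonymous reads object": is_allowed(OBJECT_ACL, "object", "get", ANONYMOUS),
        "uploader deletes object": is_allowed(BUCKET_ACL, "bucket", "delete_object", "uploader-2"),
        "uploader reads object": is_allowed(OBJECT_ACL, "object", "get", "uploader-2"),
        "owner rewrites object ACL": is_allowed(OBJECT_ACL, "object", "put_acl", "owner-1"),
    }


if __name__ == "__main__":
    for decision, allowed in demo().items():
        print(f"{decision}: {'allowed' if allowed else 'denied'}")
```

The deletion decision is made against the bucket ACL alone, which is exactly why a bucket ``WRITE`` grant deserves the same scrutiny as a ``FULL_CONTROL`` grant when reviewing who can destroy data.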

.. _RFC 2104: http://www.ietf.org/rfc/rfc2104.txt
.. _HMAC: https://en.wikipedia.org/wiki/HMAC