ceph/doc/radosgw/iam.rst


=============================
Ceph Object Gateway IAM API
=============================

.. versionadded:: Squid

The Ceph Object Gateway supports a subset of the `Amazon IAM API`_ for
the RESTful management of account users, roles, and associated policies.
This REST API is served by the same HTTP endpoint as the
`Ceph Object Gateway S3 API`_.

Authorization
=============

By default, only :ref:`Account Root Users <radosgw-account-root-user>` are
authorized to use the IAM API, and they can see only the resources under
their own account. The account root user can use policies to delegate these
permissions to other users or roles in the account.

Feature Support
===============

The following tables describe the currently supported IAM actions.

Users
-----

+------------------------------+---------------------------------------------+
| Action                       | Remarks                                     |
+==============================+=============================================+
| **CreateUser**               |                                             |
+------------------------------+---------------------------------------------+
| **GetUser**                  |                                             |
+------------------------------+---------------------------------------------+
| **UpdateUser**               |                                             |
+------------------------------+---------------------------------------------+
| **DeleteUser**               |                                             |
+------------------------------+---------------------------------------------+
| **ListUsers**                |                                             |
+------------------------------+---------------------------------------------+
| **CreateAccessKey**          |                                             |
+------------------------------+---------------------------------------------+
| **UpdateAccessKey**          |                                             |
+------------------------------+---------------------------------------------+
| **DeleteAccessKey**          |                                             |
+------------------------------+---------------------------------------------+
| **ListAccessKeys**           |                                             |
+------------------------------+---------------------------------------------+
| **PutUserPolicy**            |                                             |
+------------------------------+---------------------------------------------+
| **GetUserPolicy**            |                                             |
+------------------------------+---------------------------------------------+
| **DeleteUserPolicy**         |                                             |
+------------------------------+---------------------------------------------+
| **ListUserPolicies**         |                                             |
+------------------------------+---------------------------------------------+
| **AttachUserPolicy**         |                                             |
+------------------------------+---------------------------------------------+
| **DetachUserPolicy**         |                                             |
+------------------------------+---------------------------------------------+
| **ListAttachedUserPolicies** |                                             |
+------------------------------+---------------------------------------------+

Groups
------

+-------------------------------+--------------------------------------------+
| Action                        | Remarks                                    |
+===============================+============================================+
| **CreateGroup**               |                                            |
+-------------------------------+--------------------------------------------+
| **GetGroup**                  |                                            |
+-------------------------------+--------------------------------------------+
| **UpdateGroup**               |                                            |
+-------------------------------+--------------------------------------------+
| **DeleteGroup**               |                                            |
+-------------------------------+--------------------------------------------+
| **ListGroups**                |                                            |
+-------------------------------+--------------------------------------------+
| **AddUserToGroup**            |                                            |
+-------------------------------+--------------------------------------------+
| **RemoveUserFromGroup**       |                                            |
+-------------------------------+--------------------------------------------+
| **ListGroupsForUser**         |                                            |
+-------------------------------+--------------------------------------------+
| **PutGroupPolicy**            |                                            |
+-------------------------------+--------------------------------------------+
| **GetGroupPolicy**            |                                            |
+-------------------------------+--------------------------------------------+
| **DeleteGroupPolicy**         |                                            |
+-------------------------------+--------------------------------------------+
| **ListGroupPolicies**         |                                            |
+-------------------------------+--------------------------------------------+
| **AttachGroupPolicy**         |                                            |
+-------------------------------+--------------------------------------------+
| **DetachGroupPolicy**         |                                            |
+-------------------------------+--------------------------------------------+
| **ListAttachedGroupPolicies** |                                            |
+-------------------------------+--------------------------------------------+

Roles
-----

+------------------------------+---------------------------------------------+
| Action                       | Remarks                                     |
+==============================+=============================================+
| **CreateRole**               |                                             |
+------------------------------+---------------------------------------------+
| **GetRole**                  |                                             |
+------------------------------+---------------------------------------------+
| **UpdateRole**               |                                             |
+------------------------------+---------------------------------------------+
| **UpdateAssumeRolePolicy**   |                                             |
+------------------------------+---------------------------------------------+
| **DeleteRole**               |                                             |
+------------------------------+---------------------------------------------+
| **ListRoles**                |                                             |
+------------------------------+---------------------------------------------+
| **TagRole**                  |                                             |
+------------------------------+---------------------------------------------+
| **UntagRole**                |                                             |
+------------------------------+---------------------------------------------+
| **ListRoleTags**             |                                             |
+------------------------------+---------------------------------------------+
| **PutRolePolicy**            |                                             |
+------------------------------+---------------------------------------------+
| **GetRolePolicy**            |                                             |
+------------------------------+---------------------------------------------+
| **DeleteRolePolicy**         |                                             |
+------------------------------+---------------------------------------------+
| **ListRolePolicies**         |                                             |
+------------------------------+---------------------------------------------+
| **AttachRolePolicy**         |                                             |
+------------------------------+---------------------------------------------+
| **DetachRolePolicy**         |                                             |
+------------------------------+---------------------------------------------+
| **ListAttachedRolePolicies** |                                             |
+------------------------------+---------------------------------------------+

OpenIDConnectProvider
---------------------

+---------------------------------+------------------------------------------+
| Action                          | Remarks                                  |
+=================================+==========================================+
| **CreateOpenIDConnectProvider** |                                          |
+---------------------------------+------------------------------------------+
| **GetOpenIDConnectProvider**    |                                          |
+---------------------------------+------------------------------------------+
| **DeleteOpenIDConnectProvider** |                                          |
+---------------------------------+------------------------------------------+
| **ListOpenIDConnectProviders**  |                                          |
+---------------------------------+------------------------------------------+

Managed Policies
----------------

The following managed policies are available for use with ``AttachGroupPolicy``,
``AttachRolePolicy`` and ``AttachUserPolicy``:

IAMFullAccess
  :Arn: ``arn:aws:iam::aws:policy/IAMFullAccess``
  :Version: v2 (default)

IAMReadOnlyAccess
  :Arn: ``arn:aws:iam::aws:policy/IAMReadOnlyAccess``
  :Version: v4 (default)

AmazonSNSFullAccess
  :Arn: ``arn:aws:iam::aws:policy/AmazonSNSFullAccess``
  :Version: v1 (default)

AmazonSNSReadOnlyAccess
  :Arn: ``arn:aws:iam::aws:policy/AmazonSNSReadOnlyAccess``
  :Version: v1 (default)

AmazonS3FullAccess
  :Arn: ``arn:aws:iam::aws:policy/AmazonS3FullAccess``
  :Version: v2 (default)

AmazonS3ReadOnlyAccess
  :Arn: ``arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess``
  :Version: v3 (default)
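
The delegation described under Authorization and the managed policies listed above, as an added example that is not part of the Ceph documentation: an account root user creates an ordinary account user and grants it IAM read access, either by attaching the ``IAMReadOnlyAccess`` managed policy or with an inline policy restricted to read actions from the Users table on users in its own account. The gateway URL, the account ID ``RGW00000000000000001`` and the user names are placeholders, the resource ARN form ``arn:aws:iam::<account-id>:user/*`` is an assumption, and the ``aws`` CLI is assumed to already hold the root user's credentials.

```shell
#!/bin/sh
# Added example, not from the Ceph docs. Set RUN_DELEGATION=1 to talk to
# the gateway; without it only the pure helper functions are defined.
set -eu

RGW_ENDPOINT="${RGW_ENDPOINT:-http://localhost:8000}"   # assumed gateway URL
ACCOUNT_ID="${ACCOUNT_ID:-RGW00000000000000001}"        # placeholder account id

# Send an IAM action to the gateway's endpoint instead of to AWS.
rgw_iam() { aws --endpoint-url "$RGW_ENDPOINT" iam "$@"; }

# Inline policy allowing only read actions from the Users table, and only on
# users inside the given account (the ARN form is an assumption, not from the page).
iam_readonly_policy() {
  printf '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["iam:GetUser","iam:ListUsers","iam:ListAccessKeys","iam:GetUserPolicy","iam:ListUserPolicies","iam:ListAttachedUserPolicies"],"Resource":"arn:aws:iam::%s:user/*"}]}' "$1"
}

# Guard before delegating: fail if the document names any iam: action other
# than Get*/List*, so an edited policy cannot quietly hand out CreateUser etc.
assert_readonly_actions() {
  for act in $(printf '%s' "$1" | grep -o '"iam:[A-Za-z]*"' | tr -d '"'); do
    case "$act" in
      iam:Get*|iam:List*) ;;
      *) echo "refusing to delegate mutating action: $act" >&2; return 1 ;;
    esac
  done
  return 0
}

# Create the user, grant read access by the chosen mode, then issue its key.
delegate_readonly() {   # usage: delegate_readonly <user-name> managed|inline
  user="$1"; mode="${2:-inline}"
  rgw_iam create-user --user-name "$user"
  if [ "$mode" = managed ]; then
    # The managed policy from this page: every IAM read action in the account.
    rgw_iam attach-user-policy --user-name "$user" \
      --policy-arn arn:aws:iam::aws:policy/IAMReadOnlyAccess
  else
    # The narrower inline policy, checked before it is applied.
    doc="$(iam_readonly_policy "$ACCOUNT_ID")"
    assert_readonly_actions "$doc"
    rgw_iam put-user-policy --user-name "$user" \
      --policy-name IAMReadOnlyUsersInAccount --policy-document "$doc"
  fi
  rgw_iam create-access-key --user-name "$user"
}

if [ "${RUN_DELEGATION:-0}" = 1 ]; then
  delegate_readonly "${1:-auditor}" "${2:-inline}"
fi
```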

.. _Amazon IAM API: https://docs.aws.amazon.com/IAM/latest/APIReference/welcome.html
.. _Ceph Object Gateway S3 API: ../s3/