Chapter 4. Identity and Access Management
Red Hat Ceph Storage provides identity and access management for:
- Ceph Storage Cluster User Access
- Ceph Object Gateway User Access
- Ceph Object Gateway LDAP/AD Authentication
- Ceph Object Gateway OpenStack Keystone Authentication
4.1. Ceph Storage Cluster User Access
To identify users and protect against man-in-the-middle attacks, Ceph provides its
cephx authentication system to authenticate users and daemons. For additional details on
cephx, see User Management.
cephx protocol DOES NOT address data encryption in transport or encryption at rest.
Cephx uses shared secret keys for authentication, meaning both the client and the monitor cluster have a copy of the client’s secret key. The authentication protocol is such that both parties are able to prove to each other they have a copy of the key without actually revealing it. This provides mutual authentication, which means the cluster is sure the user possesses the secret key, and the user is sure that the cluster has a copy of the secret key.
Users are either individuals or system actors such as applications, which use Ceph clients to interact with the Red Hat Ceph Storage cluster daemons.
Ceph runs with authentication and authorization enabled by default. Ceph clients may specify a user name and a keyring containing the secret key of the specified user—usually by using the command line. If the user and keyring are not provided as arguments, Ceph will use the
client.admin administrative user as the default. If a keyring is not specified, Ceph will look for a keyring by using the
keyring setting in the Ceph configuration.
To harden a Ceph cluster, keyrings SHOULD ONLY have read and write permissions for the current user and
root. The keyring containing the
client.admin administrative user key must be restricted to the
4.2. Ceph Object Gateway User Access
The Ceph Object Gateway provides a RESTful API service with its own user management that authenticates and authorizes users to access S3 and Swift APIs containing user data. Authentication consists of:
- S3 User: An access key and secret for a user of the S3 API.
- Swift User: An access key and secret for a user of the Swift API. The Swift user is a subuser of an S3 user. Deleting the S3 'parent' user will delete the Swift user.
- Administrative User: An access key and secret for a user of the administrative API. Administrative users should be created sparingly, as the administrative user will be able to access the Ceph Admin API and execute its functions, such as creating users, and giving them permissions to access buckets or containers and their objects among other things.
The Ceph Object Gateway stores all user authentication information in Ceph Storage cluster pools. Additional information may be stored about users including names, email addresses, quotas and usage.
4.3. Ceph Object Gateway LDAP/AD Authentication
Red Hat Ceph Storage supports Light-weight Directory Access Protocol (LDAP) servers for authenticating Ceph Object Gateway users. When configured to use LDAP or Active Directory, Ceph Object Gateway defers to an LDAP server to authenticate users of the Ceph Object Gateway.
Ceph Object Gateway controls whether to use LDAP. However, once configured, it is the LDAP server that is responsible for authenticating users.
To secure communications between the Ceph Object Gateway and the LDAP server, Red Hat recommends deploying configurations with LDAP Secure or LDAPS.
When using LDAP, ensure that access to the
rgw_ldap_secret = <path-to-secret> secret file is secure.
For additional details, see the Ceph Object Gateway with LDAP/AD Guide.
4.4. Ceph Object Gateway OpenStack Keystone Authentication
Red Hat Ceph Storage supports using OpenStack Keystone to authenticate Ceph Object Gateway Swift API users. The Ceph Object Gateway can accept a Keystone token, authenticate the user and create a corresponding Ceph Object Gateway user. When Keystone validates a token, the Ceph Object Gateway considers the user authenticated.
Ceph Object Gateway controls whether to use OpenStack Keystone for authentication. However, once configured, it is the OpenStack Keystone service that is responsible for authenticating users.
Configuring the Ceph Object Gateway to work with Keystone requires converting the OpenSSL certificates that Keystone uses for creating the requests to the
nss db format.
See Using Keystone to Authenticate Ceph Object Gateway Users for details.