Split rgw user in two

#48

.gitlab-ci.yml

@@ -4,9 +4,11 @@ variables:
   PIP_CACHE_DIR: "$CI_PROJECT_DIR/.cache/pip"
   PYTHONPATH: "$CI_PROJECT_DIR"
   OBJECT_GATEWAY_URI: "http://127.0.0.1:8000"
-  CEPH_ACCESS_KEY: ""
-  CEPH_SECRET_KEY: ""
-  CEPH_USERNAME: ""
+  BUCKET_CEPH_ACCESS_KEY: ""
+  BUCKET_CEPH_SECRET_KEY: ""
+  USER_CEPH_ACCESS_KEY: ""
+  USER_CEPH_SECRET_KEY: ""
+  BUCKET_CEPH_USERNAME: ""
   OIDC_CLIENT_SECRET: ""
   OIDC_CLIENT_ID: ""
   OIDC_BASE_URI: "http://127.0.0.1:8000"

README.md

@@ -21,19 +21,21 @@ user-friendly manner. 👍
 
 ### Mandatory / Recommended Variables
 
-| Variable                               | Default            | Value                           | Description                                         |
-|----------------------------------------|--------------------|---------------------------------|-----------------------------------------------------|
-| `DB_HOST`                              | unset              | <db hostname / IP>              | IP or Hostname Adress of DB                         |
-| `DB_PORT`                              | 3306               | Number                          | Port of the database                                |
-| `DB_USER`                              | unset              | \<db username>                  | Username of the database user                       |
-| `DB_PASSWORD`                          | unset              | \<db password>                  | Password of the database user                       |
-| `DB_DATABASE`                          | unset              | \<db name>                      | Name of the database                                |
-| `OBJECT_GATEWAY_URI`                   | unset              | HTTP URL                        | HTTP URL of the Ceph Object Gateway                 |
-| `CEPH_ACCESS_KEY`                      | unset              | \<access key>                   | Ceph access key with admin privileges               |
-| `CEPH_SECRET_KEY`                      | unset              | \<secret key>                   | Ceph secret key with admin privileges               |
-| `CEPH_USERNAME`                        | unset              | \<ceph username>                | Username in Ceph of the backend user                |
-| `PUBLIC_KEY_VALUE` / `PUBLIC_KEY_FILE` | randomly generated | Public Key / Path to Public Key | Public part of RSA Key in PEM format to verify JWTs |
-| `AUTHZ_ENDPOINT`                       | unset              | HTTP URL                        | HTTP URL to ask the Auth Service for Authorization  |
+| Variable                               | Default            | Value                           | Description                                                                        |
+|----------------------------------------|--------------------|---------------------------------|------------------------------------------------------------------------------------|
+| `DB_HOST`                              | unset              | <db hostname / IP>              | IP or Hostname Adress of DB                                                        |
+| `DB_PORT`                              | 3306               | Number                          | Port of the database                                                               |
+| `DB_USER`                              | unset              | \<db username>                  | Username of the database user                                                      |
+| `DB_PASSWORD`                          | unset              | \<db password>                  | Password of the database user                                                      |
+| `DB_DATABASE`                          | unset              | \<db name>                      | Name of the database                                                               |
+| `OBJECT_GATEWAY_URI`                   | unset              | HTTP URL                        | HTTP URL of the Ceph Object Gateway                                                |
+| `BUCKET_CEPH_ACCESS_KEY`               | unset              | \<access key>                   | Access key for the Ceph Object Gateway user with unlimited buckets.                |
+| `BUCKET_CEPH_SECRET_KEY`               | unset              | \<secret key>                   | Secret key for the Ceph Object Gateway user with unlimited buckets.                |
+| `BUCKET_CEPH_USERNAME`                 | unset              | \<ceph username>                | ID of the user in ceph who owns all the buckets. Owner of `BUCKET_CEPH_ACCESS_KEY` |
+| `USER_CEPH_ACCESS_KEY`                 | unset              | \<access key>                   | Access key for the Ceph Object Gateway user with `user:*` privileges               |
+| `USER_CEPH_SECRET_KEY`                 | unset              | \<secret key>                   | Secret key for the Ceph Object Gateway user with `user:*` privileges.              |
+| `PUBLIC_KEY_VALUE` / `PUBLIC_KEY_FILE` | randomly generated | Public Key / Path to Public Key | Public part of RSA Key in PEM format to verify JWTs                                |
+| `AUTHZ_ENDPOINT`                       | unset              | HTTP URL                        | HTTP URL to ask the Auth Service for Authorization                                 |
 
 ### Optional Variables
 

app/api/endpoints/buckets.py

@@ -142,7 +142,7 @@ async def create_bucket(
                 {
                     "Sid": "ProxyOwnerPerm",
                     "Effect": "Allow",
-                    "Principal": {"AWS": [f"arn:aws:iam:::user/{settings.CEPH_USERNAME}"]},
+                    "Principal": {"AWS": [f"arn:aws:iam:::user/{settings.BUCKET_CEPH_USERNAME}"]},
                     "Action": ["s3:GetObject"],
                     "Resource": [f"arn:aws:s3:::{db_bucket.name}/*"],
                 },

app/ceph/rgw.py

@@ -13,13 +13,13 @@ else:
 s3_resource: ServiceResource = resource(
     service_name="s3",
     endpoint_url=settings.OBJECT_GATEWAY_URI,
-    aws_access_key_id=settings.CEPH_ACCESS_KEY,
-    aws_secret_access_key=settings.CEPH_SECRET_KEY,
-    verify=False,
+    aws_access_key_id=settings.BUCKET_CEPH_ACCESS_KEY,
+    aws_secret_access_key=settings.BUCKET_CEPH_SECRET_KEY,
+    verify=settings.OBJECT_GATEWAY_URI.startswith("https"),
 )
 rgw = RGWAdmin(
-    access_key=settings.CEPH_ACCESS_KEY,
-    secret_key=settings.CEPH_SECRET_KEY,
-    secure=False,
+    access_key=settings.USER_CEPH_ACCESS_KEY,
+    secret_key=settings.USER_CEPH_ACCESS_KEY,
+    secure=settings.OBJECT_GATEWAY_URI.startswith("https"),
     server=settings.OBJECT_GATEWAY_URI.split("://")[-1],
 )

app/core/config.py

@@ -72,9 +72,21 @@ class Settings(BaseSettings):
         return _assemble_db_uri(values, async_flag=False)
 
     OBJECT_GATEWAY_URI: AnyHttpUrl = Field(..., description="URI of the Ceph Object Gateway.")
-    CEPH_ACCESS_KEY: str = Field(..., description="Access key for the Ceph Object Gateway with admin privileges.")
-    CEPH_SECRET_KEY: str = Field(..., description="Secret key for the Ceph Object Gateway with admin privileges.")
-    CEPH_USERNAME: str = Field(..., description="ID of the Proxy user in Ceph.")
+    USER_CEPH_ACCESS_KEY: str = Field(
+        ..., description="Access key for the Ceph Object Gateway with 'user:read,user:write privileges'."
+    )
+    USER_CEPH_SECRET_KEY: str = Field(
+        ..., description="Secret key for the Ceph Object Gateway with 'user:read,user:write privileges'."
+    )
+    BUCKET_CEPH_ACCESS_KEY: str = Field(
+        ..., description="Access key for the Ceph Object Gateway with unlimited buckets."
+    )
+    BUCKET_CEPH_SECRET_KEY: str = Field(
+        ..., description="Secret key for the Ceph Object Gateway with unlimited buckets."
+    )
+    BUCKET_CEPH_USERNAME: str = Field(
+        ..., description="ID of the user in ceph who owns all the buckets. Owner of 'BUCKET_CEPH_ACCESS_KEY'"
+    )
     AUTHZ_ENDPOINT: AnyHttpUrl = Field(..., description="Endpoint of the CloWM Auth service to authorize requests")
 
     class Config: