Skip to content

CephObjectStoreUser CRD

Rook allows creation and customization of object store users through the custom resource definitions (CRDs). The following settings are available for Ceph object store users.

Example

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
apiVersion: ceph.rook.io/v1
kind: CephObjectStoreUser
metadata:
  name: my-user
  namespace: rook-ceph
spec:
  store: my-store
  displayName: my-display-name
  quotas:
    maxBuckets: 100
    maxSize: 10G
    maxObjects: 10000
  capabilities:
    user: "*"
    bucket: "*"
  opMask:
    - read
    - write
    - delete

Object Store User Settings

Metadata

  • name: The name of the object store user to create, which will be reflected in the secret and other resource names.
  • namespace: The namespace of the Rook cluster where the object store user is created.

Spec

  • store: The object store in which the user will be created. This matches the name of the objectstore CRD.
  • displayName: The display name which will be passed to the radosgw-admin user create command.
  • clusterNamespace: The namespace where the parent CephCluster and CephObjectStore are found. If not specified, the user must be in the same namespace as the cluster and object store. To enable this feature, the CephObjectStore allowUsersInNamespaces must include the namespace of this user.
  • quotas: This represents quota limitation can be set on the user. Please refer here for details.
    • maxBuckets: The maximum bucket limit for the user.
    • maxSize: Maximum size limit of all objects across all the user's buckets.
    • maxObjects: Maximum number of objects across all the user's buckets.
  • capabilities: Ceph allows users to be given additional permissions. Due to missing APIs in go-ceph for updating the user capabilities, this setting can currently only be used during the creation of the object store user. If a user's capabilities need modified, the user must be deleted and re-created. See the Ceph docs for more info. Rook supports adding read, write, read, write, or * permissions for the following resources:
    • user
    • buckets
    • usage
    • metadata
    • zone
    • roles
    • info
    • amz-cache
    • bilog
    • mdlog
    • datalog
    • user-policy
    • odic-provider
    • ratelimit
  • opMask: Internally, RGW labels "operations" on persistent state as RGW_OP_TYPE_READ (read), RGW_OP_TYPE_WRITE (write), or RGW_OP_TYPE_DELETE (delete). All RGW users have an "operation mask", which does not function as mask or filter as is typically implied by the word "mask", but as a set of allowed or permissible "operation" types the user is able to perform. The "operation mask" is applied regardless of the bucket or IAM policy. For example, in order for an RGW user to be able to read an object from a bucket, that user must have both the read "op mask" bit and an IAM/bucket policy that allows s3:GetObject. The default operations allowed are read, write, and delete. Setting the value to [] (an empty YAML sequence) causes all "operations" in the mask to be removed, meaning that the user will not be able to perform any operations. These operation masks are supported:
    • read
    • write
    • delete