Create Ceph Object Storage users

Ceph Object Storage users can create Amazon S3 buckets and bucket policies that grant access to other users.

This section describes how to create two Ceph Object Storage users and configure their S3 credentials.

To create and configure Ceph Object Storage users:

  1. Open the KaaSCephCluster CR:

    kubectl --kubeconfig <managementKubeconfig> -n <managedClusterProject> edit kaascephcluster
    

    Substitute <managementKubeconfig> with a management cluster kubeconfig file and <managedClusterProject> with a managed cluster project name.

  2. In the cephClusterSpec section, add new Ceph Object Storage users.

    Caution

    For user name, apply the UUID format with no capital letters.

    For example:

    spec:
      cephClusterSpec:
        objectStorage:
          rgw:
            objectUsers:
            - name: user-b
              displayName: user-a
              capabilities:
                bucket: "*"
                user: read
            - name: user-t
              displayName: user-t
              capabilities:
                bucket: "*"
                user: read
    
  3. Verify that rgwUserSecrets are created for both users:

    kubectl --kubeconfig <managementKubeconfig> -n <managedClusterProject> get kaascephcluster -o yaml
    

    Substitute <managementKubeconfig> with a management cluster kubeconfig file and <managedClusterProject> with a managed cluster project name.

    Example of a positive system response:

    status:
      miraCephSecretsInfo:
        secretInfo:
          rgwUserSecrets:
          - name: user-a
            secretName: <user-aCredSecretName>
            secretNamespace: <user-aCredSecretNamespace>
          - name: user-t
            secretName: <user-tCredSecretName>
            secretNamespace: <user-tCredSecretNamespace>
    
  4. Obtain S3 user credentials from the cluster secrets. Specify an access key and a secret key for both users:

    kubectl --kubeconfig <managedKubeconfig> -n <user-aCredSecretNamespace> get secret <user-aCredSecretName> -o jsonpath='{.data.AccessKey}' | base64 -d
    kubectl --kubeconfig <managedKubeconfig> -n <user-aCredSecretNamespace> get secret <user-aCredSecretName> -o jsonpath='{.data.SecretKey}' | base64 -d
    kubectl --kubeconfig <managedKubeconfig> -n <user-tCredSecretNamespace> get secret <user-tCredSecretName> -o jsonpath='{.data.AccessKey}' | base64 -d
    kubectl --kubeconfig <managedKubeconfig> -n <user-tCredSecretNamespace> get secret <user-tCredSecretName> -o jsonpath='{.data.SecretKey}' | base64 -d
    

    Substitute <managementKubeconfig> with a management cluster kubeconfig and specify the corresponding secretNamespace and secretName for both users.

  5. Obtain Ceph Object Storage public endpoint from the KaaSCephCluster status:

    kubectl --kubeconfig <managementKubeconfig> -n <managedClusterProject> get kaascephcluster -o yaml | grep PublicEndpoint
    

    Substitute <managementKubeconfig> with a management cluster kubeconfig file and <managedClusterProject> with a managed cluster project name.

    Example of a positive system response:

    objectStorePublicEndpoint: https://object-storage.mirantis.example.com
    
  6. Obtain the CA certificate to use an HTTPS endpoint:

    kubectl --kubeconfig <managedKubeconfig> -n rook-ceph get secret $(kubectl -n rook-ceph get ingress -o jsonpath='{.items[0].spec.tls[0].secretName}{"\n"}') -o jsonpath='{.data.ca\.crt}' | base64 -d; echo
    

    Save the output to ca.crt.