Manage Ceph Object Storage users

Available since 2.23.1 (Cluster release 12.7.0)

The KaaSCephCluster resource allows managing custom Ceph Object Storage users. This section describes how to create, access, and remove Ceph Object Storage users.

For all supported parameters of Ceph Object Storage users, refer to RADOS Gateway parameters.

Create a Ceph Object Storage user

  1. Edit the KaaSCephCluster resource by adding a new Ceph Object Storage user to the spec section:

    kubectl -n <managedClusterProject> edit kaascephcluster
    

    Substitute <managedClusterProject> with the corresponding Container Cloud project where the managed cluster was created.

    Example of adding the Ceph Object Storage user user-a:

    Caution

    For user name, apply the UUID format with no capital letters.

    spec:
      cephClusterSpec:
        objectStorage:
          rgw:
            objectUsers:
            - capabilities:
                bucket: '*'
                metadata: read
                user: read
              displayName: user-a
              name: userA
              quotas:
                maxBuckets: 10
                maxSize: 10G
    
  2. Wait for the created user to become ready in the KaaSCephCluster status:

    kubectl -n <managedClusterProject> get kaascephcluster -o yaml
    

    Example output:

    status:
      fullClusterInfo:
        objectStorageStatus:
          objectStoreUsers:
            user-a:
              present: true
              phase: Ready
    

Access data using a Ceph Object Storage user

  1. Using the KaaSCephCluster status, obtain secretInfo with the Ceph user credentials :

    kubectl -n <managedClusterProject> get kaascephcluster -o yaml
    

    Example output:

    status:
      miraCephSecretsInfo:
        secretInfo:
          rgwUserSecrets:
          - name: user-a
            secretName: rook-ceph-object-user-<objstoreName>-<username>
            secretNamespace: rook-ceph
    

    Substitute <objstoreName> with a Ceph Object Storage name and <username> with a Ceph Object Storage user name.

  2. Use secretName and secretNamespace to access the Ceph Object Storage user credentials from a managed cluster. The secret contains Amazon S3 access and secret keys.

    • To obtain the user S3 access key:

      kubectl --kubeconfig <managedClusterKubeconfig> -n <secretNamespace> get secret <secretName> -o jsonpath='{.data.AccessKey}' | base64 -d; echo
      

      Substitute the following parameters in the commands above and below:

      • <managedClusterKubeconfig> with a managed cluster kubeconfig

      • <secretNamespace> with secretNamespace from the previous step

      • <secretName> with secretName from the previous step

      Example output:

      D49G060HQ86U5COBTJ13
      
    • To obtain the user S3 secret key:

      kubectl --kubeconfig <managedClusterKubeconfig> -n <secretNamespace> get secret <secretName> -o jsonpath='{.data.SecretKey}' | base64 -d; echo
      

      Example output:

      bpuYqIieKvzxl6nzN0sd7L06H40kZGXNStD4UNda
      
  3. Configure the S3 client with the access and secret keys of the created user. You can access the S3 client using various tools such as s3cmd or awscli.

Remove a Ceph Object Storage user

  1. Edit the KaaSCephCluster resource by removing the required Ceph Object Storage user from spec.cephClusterSpec.objectStorage.rgw.objectUsers:

    kubectl -n <managedClusterProject> edit kaascephcluster
    
  2. Wait for the removed user to be removed from the KaaSCephCluster status in status.fullClusterInfo.objectStorageStatus.objectStoreUsers:

    kubectl -n <managedClusterProject> get kaascephcluster -o yaml