STS in Ceph Object Storage
- Track: Software Defined Storage devroom
- Room: H.1308 (Rolin)
- Day: Sunday
- Start: 09:00
- End: 09:30
Ceph is an open source, highly scalable, software-defined storage system that provides object, file and block interfaces under a unified system. Ceph Object Storage Gateway (RGW) provides a RESTful object storage interface to the Ceph Storage cluster. It provides an interface that is compatible with a large subset of the AWS S3 APIs.
In this talk we discuss the implementation of a subset of the APIs of AWS Secure Token Service (STS). AWS STS is a web service which enables identity federation and cross-account access by providing temporary security credentials.
Ceph Object Storage Gateway now supports some APIs of AWS STS, particularly those related to web identity federation and cross-account access. The advantages of these temporary credentials are that they automatically expire after a certain duration, provide limited access (via IAM policies) to resources, are issued to the user upon request, and obviate the need for users/applications to store permanent security credentials, thereby removing a potential security loophole.
As an example, consider a web application that has users and needs access to RGW S3 buckets to read/write large files. The application can delegate identity management to a trusted third-party identity provider (IDP). It can obtain temporary credentials from STS after authenticating with the IDP and then access the required RGW S3 buckets.
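The flow described above, as an added example that is not code from the talk or from the Ceph project: the application exchanges the token it received from the IDP for temporary credentials at the RGW STS endpoint (the AssumeRoleWithWebIdentity call that web identity federation uses), then uses the returned access key, secret key and session token together to read from an S3 bucket on the same gateway. The endpoint, role ARN, bucket name and the sample STS response are constructed placeholders; the example assumes RGW serves both the STS and S3 APIs on one endpoint and, following AWS semantics, sends the AssumeRoleWithWebIdentity request unsigned (check this against your RGW release). The helpers that pick the credentials out of the response and decide when to renew them run offline without boto3 installed.

```python
"""Web identity federation against RGW: IDP token -> STS temporary credentials -> S3.

Added example, not code from the talk or the Ceph project. Endpoint, role and
sample response values below are constructed placeholders."""
from datetime import datetime, timedelta, timezone

# Assumptions (constructed placeholders; replace for a real deployment):
RGW_ENDPOINT = "https://rgw.example.com:8000"   # RGW serving both the STS and S3 APIs
ROLE_ARN = "arn:aws:iam:::role/WebAppS3Access"   # role whose trust policy names the IDP
REFRESH_MARGIN = timedelta(minutes=5)            # renew before the credentials lapse

# Constructed sample with the shape of an AssumeRoleWithWebIdentity response.
SAMPLE_STS_RESPONSE = {
    "Credentials": {
        "AccessKeyId": "EXAMPLEACCESSKEY",
        "SecretAccessKey": "EXAMPLESECRET",
        "SessionToken": "EXAMPLESESSIONTOKEN",
        "Expiration": "2024-01-01T12:00:00Z",
    },
    "AssumedRoleUser": {"Arn": ROLE_ARN + "/webapp-session"},
}


def parse_expiration(value):
    """Return the Expiration field as a timezone-aware datetime.

    boto3 already returns a datetime; raw XML/JSON responses carry an ISO 8601 string."""
    if isinstance(value, datetime):
        return value if value.tzinfo else value.replace(tzinfo=timezone.utc)
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def session_kwargs_from_sts(response):
    """Pick the temporary credential triple out of an STS response.

    All three are required: an access key issued by STS is only valid together
    with its session token, so the token must travel with every S3 request."""
    creds = response["Credentials"]
    return {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],
    }


def needs_refresh(expiration, now=None, margin=REFRESH_MARGIN):
    """True when the temporary credentials have expired or will within `margin`.

    Temporary credentials expire on their own; the application is expected to
    go back to STS (with a fresh IDP token) rather than cache them indefinitely."""
    now = now or datetime.now(timezone.utc)
    return parse_expiration(expiration) - now <= margin


def assume_role_with_web_identity(web_identity_token, role_arn=ROLE_ARN,
                                  endpoint=RGW_ENDPOINT, duration_seconds=3600):
    """Exchange the IDP-issued token for temporary credentials at the RGW STS endpoint."""
    import boto3                       # imported here so the helpers above run without boto3
    from botocore import UNSIGNED
    from botocore.config import Config
    # The request is authenticated by the web identity token itself, so it carries
    # no SigV4 signature (AWS semantics; assumption that your RGW release behaves alike).
    sts = boto3.client("sts", endpoint_url=endpoint, region_name="default",
                       config=Config(signature_version=UNSIGNED))
    return sts.assume_role_with_web_identity(
        RoleArn=role_arn,
        RoleSessionName="webapp-session",
        WebIdentityToken=web_identity_token,
        DurationSeconds=duration_seconds,   # lifetime of the credentials, bounded by the role
    )


def read_object_with_temporary_credentials(web_identity_token, bucket, key,
                                           endpoint=RGW_ENDPOINT):
    """Full flow: IDP token -> STS temporary credentials -> S3 GetObject on RGW.

    Returns the object bytes and the credentials' expiration so the caller can
    decide (via needs_refresh) when to repeat the STS exchange."""
    import boto3
    response = assume_role_with_web_identity(web_identity_token, endpoint=endpoint)
    s3 = boto3.client("s3", endpoint_url=endpoint, region_name="default",
                      **session_kwargs_from_sts(response))
    body = s3.get_object(Bucket=bucket, Key=key)["Body"].read()
    return body, parse_expiration(response["Credentials"]["Expiration"])


if __name__ == "__main__":
    # Offline demonstration on the constructed sample response.
    print(sorted(session_kwargs_from_sts(SAMPLE_STS_RESPONSE)))
    expiration = SAMPLE_STS_RESPONSE["Credentials"]["Expiration"]
    print(needs_refresh(expiration, now=parse_expiration("2024-01-01T11:57:00Z")))
```

The permanent credential the application holds is only the IDP login; the S3 key pair it actually uses is short-lived, scoped by the role's IAM policy, and must be renewed through STS once `needs_refresh` reports that it is about to lapse.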
Outline of the talk:
- Introduction to Ceph and Ceph Object Storage Gateway
- Current authentication mechanisms in Ceph Object Storage Gateway
- AWS Secure Token Service
- STS APIs implemented in Ceph Object Storage
- Advantages of using STS
- Example
- Future Work
Speakers
Pritha Srivastava