feat: allow provisioning subuser for bucket access

[shaxbee]

Allow creation/deletion of subuser if Parent is specified in objectStoreUserSecret.
This enables better management of quota and reduces the capabilities required for ceph-cosi user.

[thotz]

@shaxbee Thanks for the PR and very good code clean up.

Please update the documentation and examples as well

But I have few questions regarding this feature :

Whom should create the "Parent" user? Do we expect end-user to create it or ceph-cosi-driver? If ceph cosi driver creates the user, do we need to store the credentials

Currently, all the buckets are created using the credentials from the secret referred to here. Do you think the Parent user to create the buckets for those BucketClass for management purposes?

[shaxbee]

Hello @thotz

Parent is optional and defined in same secret as used by bucketaccess. We expect the user who provisions bucket access class to populate the Parent if applicable. I’d like to have ability to have different parents for different classes.

Speaking about tests - I was thinking about using https://github.com/dnaeon/go-vcr in replay only mode with prerecorded sanitized responses instead of mocking http client. WDYT?

Regards,
Zibi

[thotz]

Hello @thotz

Parent is optional and defined in same secret as used by bucketaccess. We expect the user who provisions bucket access class to populate the Parent if applicable. I’d like to have ability to have different parents for different classes.

I do understand Parent is an optional parameter. What I meant let parent be part of BucketClass, CephCOSI drivers will create that user if does not exist. All the buckets created by that BucketClass, owner will be this Parent user(we don't use the generic admin user for that). Each user-created part of the BucketAccess request will be the sub-user for the Parent user.

For Example, If I have two bucketclass BC1 and BC2 which have owner1 and owner2 as the parent users

Now if create bucketclaims p1..p5 in BC1 and q1..q10 in BC2. The owner1 owns five buckets p{1..5} and owner2 owns ten buckets q{1..10}. If two bucketaccessclass BA1 pointing to p1 and BA2 pointing to p2. Then there will be two subusers for owner1 in access granted to p1 and p2 respectively

Drawback here even though we create the user owner1 and owner2, deletion part currently out of hands. We may be check the bucketclasses creation/deletion.

I am a bit worried about policies involving sub-user with parent user does not have any permissions on the bucket, seems logically sounds inappropriate to me.

Another question do you know the limitation for sub-user count for rgw user?

In the latest version, I found out that both bucketclass and bucketaccessclass can modified post creation which might be not suitable for this feature

Speaking about tests - I was thinking about using https://github.com/dnaeon/go-vcr in replay only mode with prerecorded sanitized responses instead of mocking http client. WDYT?

Sounds good to me.

Regards, Zibi

[shaxbee]

@thotz I'm not aware of limit on subusers.

I do understand Parent is an optional parameter. What I meant let parent be part of BucketClass, CephCOSI drivers will create that user if does not exist. All the buckets created by that BucketClass, owner will be this Parent user(we don't use the generic admin user for that). Each user-created part of the BucketAccess request will be the sub-user for the Parent user.

Would the Parent parameter for BucketClass/BucketAccessClass be required then?