
Managing Users

Hamed Karbasi edited this page Feb 3, 2024 · 4 revisions

Creating, modifying, and deleting users are all done through the S3UserClaim resource.

Creating a new User

Note: The operator checks S3 quotas against the cluster's resource quota. For this to work, the namespace where you deploy the operator objects must carry the team label snappcloud.io/team=<YOUR_TEAM_NAME>, so add this label to the namespace if it is not already present.

To create a user, apply a manifest like the following with your own values. The quota is optional; if it is not defined, it is set to {"maxSize":"1000", "maxObjects":"5368709120", "maxBuckets": 2}.

apiVersion: s3.snappcloud.io/v1alpha1
kind: S3UserClaim
metadata:
  name: s3userclaim-sample
  namespace: s3-operator-test
spec:
  s3UserClass: ceph-default
  readonlySecret: s3-sample-readonly-secret
  adminSecret: s3-sample-admin-secret
  quota:
    maxSize: 5Gi
    maxObjects: 1k
    maxBuckets: 2
  subusers:
    - subuser1
    - subuser2

After creating the resource, the readonlySecret, adminSecret, and quota fields can still be modified. Check the status of the resource to see whether the changes have been applied.

Quota fields

There are 3 fields available in the quota:

  • maxObjects: The maximum number of objects across the user's buckets.
  • maxSize: The maximum storage size for the user.
  • maxBuckets: The maximum number of buckets the user can create.

Caution: Omitting the whole quota field applies the default values, but omitting an individual field inside quota sets that field to 0.

Secrets

When creating a user, you must provide two secret names. The operator creates two secrets with those names in the same namespace as the S3UserClaim. The adminSecret contains the credentials of the requested user with full access. The readonlySecret contains the credentials of a user with read-only access to the same resources (buckets, ...).

Creating Subusers

You can define sub-users and grant each of them customized access to the created buckets. Sub-users are declared as a list, and you can add or remove them at any time, even after the user has been created.

Upon successful creation, a separate secret is generated for each sub-user, named S3UserClaim.Name-SubuserName. In the example above, these would be s3userclaim-sample-subuser1 and s3userclaim-sample-subuser2.

To configure what each subuser may access, read the subusers access section.
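As an added example that is not part of the operator or this wiki, the following Python pre-flight check encodes the rules described above (the team label on the namespace, both secret names, the per-field quota default of 0, and the S3UserClaim.Name-SubuserName secret naming) so a manifest can be linted before it is applied. The sample claim and namespace labels are constructed dicts, and the collision check on generated secret names is my own inference from the naming format.

```python
# Added example, not part of the operator: pre-flight checks for an S3UserClaim
# encoding the rules on this page; inputs are constructed dicts (real use: PyYAML + API).

TEAM_LABEL = "snappcloud.io/team"
QUOTA_FIELDS = ("maxSize", "maxObjects", "maxBuckets")

SAMPLE_CLAIM = {  # mirrors the manifest above
    "apiVersion": "s3.snappcloud.io/v1alpha1",
    "kind": "S3UserClaim",
    "metadata": {"name": "s3userclaim-sample", "namespace": "s3-operator-test"},
    "spec": {
        "s3UserClass": "ceph-default",
        "readonlySecret": "s3-sample-readonly-secret",
        "adminSecret": "s3-sample-admin-secret",
        "quota": {"maxSize": "5Gi", "maxObjects": "1k", "maxBuckets": 2},
        "subusers": ["subuser1", "subuser2"],
    },
}
SAMPLE_NAMESPACE_LABELS = {TEAM_LABEL: "example-team"}  # constructed value


def expected_secrets(claim: dict) -> list:
    """Secrets the operator creates: admin, read-only, then <claim name>-<subuser>."""
    spec, name = claim["spec"], claim["metadata"]["name"]
    subusers = spec.get("subusers") or []
    return [spec.get("adminSecret", ""), spec.get("readonlySecret", "")] + [
        f"{name}-{s}" for s in subusers]


def check_claim(claim: dict, namespace_labels: dict) -> list:
    """Return warnings; an empty list means the claim is safe to apply."""
    problems = []
    spec = claim.get("spec", {})
    # Quota enforcement is tied to the team label on the namespace.
    if TEAM_LABEL not in namespace_labels:
        problems.append(f"namespace lacks the {TEAM_LABEL} label")
    # Both secret names must be given; the operator creates a Secret for each.
    for key in ("adminSecret", "readonlySecret"):
        if not spec.get(key):
            problems.append(f"spec.{key} is not set")
    # Omitting the whole quota applies defaults; omitting a single field sets it to 0.
    quota = spec.get("quota")
    if quota is not None:
        for field in QUOTA_FIELDS:
            if field not in quota:
                problems.append(f"spec.quota.{field} is missing and would be set to 0")
    # Every generated Secret name must be distinct, or they would clash in the namespace.
    names = [n for n in expected_secrets(claim) if n]
    if len(set(names)) != len(names):
        problems.append("generated Secret names collide: " + ", ".join(names))
    return problems
```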

Removing a user

To remove a user, first remove all of its s3Bucket objects in the namespace. Then request deletion of the s3UserClaim object with the oc delete command:

oc delete s3userclaim s3userclaim-sample

Caution: Buckets with deletionPolicy=retain are kept on the S3 object storage when their s3Bucket objects are removed, but they are still removed once the s3UserClaim is deleted. Check the existing buckets with aws-cli before deleting the s3UserClaim.

Note: After removing a user, its subusers are deleted automatically.
