Commit 716d158

Merge pull request ceph#62871 from cbodley/wip-doc-rgw-user-admin-system
doc/rgw: document Admin and System Users

Reviewed-by: Seena Fallah <[email protected]>
Reviewed-by: Anthony D'Atri <[email protected]>
2 parents 5ac1904 + dc93b88 commit 716d158

1 file changed

+37
-2
lines changed

doc/radosgw/admin.rst

Lines changed: 37 additions & 2 deletions
@@ -364,7 +364,7 @@ To remove a Swift secret key, run a command of the following form:
364364
Add or Remove Admin Capabilities
365365
--------------------------------
366366

367-
The Ceph Storage Cluster provides an administrative API that enables users to
367+
The Ceph Storage Cluster provides an `Admin Ops API`_ that enables users to
368368
execute administrative functions via the REST API. By default, users do NOT
369369
have access to this API. To enable a user to exercise administrative
370370
functionality, provide the user with administrative capabilities.
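Review bot: At new line 367 the sentence still attributes the API to "The Ceph Storage Cluster", while the added link target resolves to ../adminops/ under the radosgw docs; consider naming the Ceph Object Gateway as the provider so the sentence matches where the link lands. It would also help to say here that admin capabilities govern access to this API only, since the section added further down contrasts them with the ``--admin`` flag.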
@@ -397,8 +397,41 @@ following form:
397397
.. prompt:: bash
398398

399399
radosgw-admin caps rm --uid=johndoe --caps={caps}
400-
401400

401+
Admin and System Users
402+
----------------------
403+
404+
Users with the ``--admin`` or ``--system`` flag have global read and write
405+
permissions. These permissions apply to all APIs including S3 and Swift,
406+
unlike Admin Capabilities, and cannot be denied by IAM policy.
407+
408+
The ``--system`` flag should only be used as documented in `Multisite Configuration`_.
409+
410+
The ``--admin`` flag can be useful for troubleshooting and recovery. For
411+
example, if a user accidentally removes their permissions to a bucket or
412+
object, the admin user's credentials can be used to issue the S3/Swift API
413+
requests necessary to restore them.
414+
415+
.. warning:: When not in use, consider deleting the admin user or disabling
416+
its access keys. Do not give admin permissions to untrusted users.
417+
418+
To create an admin user:
419+
420+
.. prompt:: bash
421+
422+
radosgw-admin user create --uid={username} --display-name="{display-name}" --admin
423+
424+
To add the admin flag to an existing user:
425+
426+
.. prompt:: bash
427+
428+
radosgw-admin user modify --uid={username} --admin
429+
430+
To remove the admin flag from an existing user:
431+
432+
.. prompt:: bash
433+
434+
radosgw-admin user modify --uid={username} --admin=0
402435

403436
Quota Management
404437
================
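Review bot: The warning at new lines 415-416 recommends deleting the admin user or disabling its access keys, but the section shows neither operation and does not link to where they are documented; add a cross-reference, and list removing the flag with ``--admin=0`` (already shown at line 434) as a further option. Because lines 404-406 say these permissions "cannot be denied by IAM policy", consider repeating that inside the warning so a reader who skims to the admonition sees that policy cannot contain a leaked admin key. The ``--admin`` versus ``--admin=0`` forms would also benefit from one sentence explaining the value syntax.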
@@ -902,3 +935,5 @@ example commands:
902935
.. _Pool Configuration: ../../rados/configuration/pool-pg-config-ref/
903936
.. _Ceph Object Gateway Config Reference: ../config-ref/
904937
.. _Accounts: ../account/
938+
.. _Admin Ops API: ../adminops/
939+
.. _Multisite Configuration: ../multisite/
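Review bot: The targets added at 938-939 are relative URL paths, like the existing entries above them, so Sphinx will not report them if a page is renamed or moved. That follows the file's convention, but confirm that both ../adminops/ and ../multisite/ resolve in the rendered output, or use a ``:ref:`` label for the two new links so a broken target is reported at build time.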
