s3gw
Identity and Access Management (IAM) (Epic)
Description
Identity and Access Management (IAM) is the part of Amazon Web Services for "securely managing identities and access to AWS services and resources" (AWS docs).
With IAM it is possible to define which entities have access to which services and resources within AWS, with these fine-grained permissions being centrally managed for all AWS services.
In the context of s3gw, we will not rely on AWS's IAM service, but we intend to support setting IAM policies the same way S3 does.
To achieve this we will have to support creating and managing Roles, which can be associated with resources. In RGW this is achieved through the radosgw-admin tool (upstream docs); in our case, feature-specific endpoints will have to be created.
This effort also covers the generation of temporary credentials for specific resources via the Security Token Service (STS), tracked in a separate issue.
Some of this may already be supported natively by RGW, in which case we may not have to add specific support to SFS. We will still have to add support in the UI, all the bits in RGW that enable the UI, and the corresponding testing and documentation efforts.
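To make the "limiting access to specific resources depending on IAM policies" requirement concrete, here is an added example (illustration for this issue, not s3gw or RGW code) of the decision logic a gateway has to apply when checking an S3 request against an IAM-style policy document: implicit deny by default, a matching Allow grants, and any matching explicit Deny wins regardless of order. The policy document, the bucket and key names, and the `evaluate`/`authorize_s3` helpers are all constructed for the example; only Effect, Action and Resource with `*`/`?` wildcards are handled, and Condition blocks, NotAction/NotResource and Principal are deliberately out of scope.

```python
"""Minimal evaluator for S3-style IAM policy documents (added example).

Not s3gw or RGW code: it illustrates the evaluation order a gateway must
implement when deciding an S3 request against an IAM policy:
default deny, a matching Allow permits, any matching explicit Deny wins.
Only Effect/Action/Resource with '*' and '?' wildcards are handled.
"""
import fnmatch
import json

# Constructed sample policy: read-only access to one bucket ("reports"),
# with an explicit deny on a "secret/" prefix inside it.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadOnlyOnReports",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [
                "arn:aws:s3:::reports",
                "arn:aws:s3:::reports/*",
            ],
        },
        {
            "Sid": "NeverTouchSecrets",
            "Effect": "Deny",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::reports/secret/*",
        },
    ],
})


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def _wild(pattern: str, value: str, fold_case: bool) -> bool:
    """IAM wildcard match: '*' matches any run (including '/'), '?' one char.
    Action names are case-insensitive; S3 resource ARNs are case-sensitive."""
    if fold_case:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def evaluate(policy_json: str, action: str, resource: str) -> str:
    """Return 'Allow' or 'Deny' for one (action, resource) request.

    Start from implicit deny; an applicable Allow flips the decision to
    allow; an applicable explicit Deny short-circuits to deny.
    """
    policy = json.loads(policy_json)
    decision = "Deny"  # implicit deny until an Allow statement applies
    for stmt in policy.get("Statement", []):
        action_hit = any(_wild(p, action, True) for p in _as_list(stmt["Action"]))
        resource_hit = any(_wild(p, resource, False) for p in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # explicit deny always wins, stop here
        decision = "Allow"
    return decision


# Hypothetical mapping of HTTP verbs to S3 actions, enough for the demo.
_OBJECT_ACTIONS = {"GET": "s3:GetObject", "PUT": "s3:PutObject", "DELETE": "s3:DeleteObject"}
_BUCKET_ACTIONS = {"GET": "s3:ListBucket", "PUT": "s3:CreateBucket", "DELETE": "s3:DeleteBucket"}


def authorize_s3(policy_json: str, method: str, bucket: str, key: str = "") -> str:
    """Translate an S3 request into its IAM action and ARN, then evaluate it."""
    if key:
        return evaluate(policy_json, _OBJECT_ACTIONS[method], f"arn:aws:s3:::{bucket}/{key}")
    return evaluate(policy_json, _BUCKET_ACTIONS[method], f"arn:aws:s3:::{bucket}")


if __name__ == "__main__":
    # Constructed requests covering allow, implicit deny, explicit deny and
    # a bucket the policy never mentions.
    for method, bucket, key in [
        ("GET", "reports", "2023/q1.csv"),
        ("GET", "reports", ""),
        ("PUT", "reports", "2023/q1.csv"),
        ("GET", "reports", "secret/keys.txt"),
        ("GET", "other", "x.txt"),
    ]:
        print(f"{method} {bucket}/{key or ''} -> {authorize_s3(SAMPLE_POLICY, method, bucket, key)}")
```

The short-circuit on an explicit Deny is the property worth testing first in any s3gw implementation: statement order in the document must never matter, and a bucket or prefix that is not named in any Allow must stay denied.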
Success criteria
- Creating Roles and Policies, and limiting access to specific resources depending on IAM policies.
- UI support for IAM Policies, Roles, etc.
- The effort is accompanied with necessary tests.
- The resulting features have been properly documented.
More information
Tasks
- [ ] #270
- [ ] #229
- [ ] #260