Research support for bucket anonymous access modes #83

Open
BlaineEXE opened this issue Jul 25, 2024 · 1 comment
Labels
lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale.

Comments

@BlaineEXE

Enhancement

Is your feature request related to a problem?/Why is this needed

gRPC spec currently has/had this code (below), which is not captured in the KEP. It is a remnant of KEP discussions that were removed from v1alpha1.

enum AnonymousBucketAccessMode {
    UnknownBucketAccessMode = 0;
    // Default, disallow uncredentialed access to the backend storage.
    Private = 1;
    // Read only, uncredentialed users can call ListBucket and GetObject.
    ReadOnly = 2;
    // Write only, uncredentialed users can only call PutObject.
    WriteOnly = 3;
    // Read/Write, uncredentialed users can read objects as well as PutObject.
    ReadWrite = 4;
}

Describe the solution you'd like in detail

COSI will remove this unused proto spec, but we should also consider whether/when to start designing this feature again in the future.

@BlaineEXE remembers 1 Rook user who has mentioned a desire for anonymous access for ObjectBucketClaims.

Describe alternatives you've considered

Alternative that is still possible: if COSI believes this feature is not widely supported and not a good target for the portable API, COSI could recommend that drivers implement this via storage classes, or COSI could suggest instead that all accessors need a BucketAccess, even users external to the k8s cluster.
 
Additional context

Likely, all users of buckets within Kubernetes can use a BucketAccess to access any bucket (provided cross-namespace access is set up).

This feature might therefore be more important when considering bucket users outside of the Kubernetes cluster where BucketAccess self-service isn't available.

@BlaineEXE BlaineEXE changed the title Investigate support for bucket anonymous access modes Research support for bucket anonymous access modes Jul 25, 2024
shanduur pushed a commit to shanduur/container-object-storage-interface-api that referenced this issue Aug 2, 2024
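
An added illustration, not part of the issue or of COSI's code: how a hypothetical driver could translate the modes in the enum quoted above into S3-style bucket policy statements for uncredentialed callers. The Go type and function names, the S3 policy format, and the reading of ReadWrite as including ListBucket are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Mode mirrors the AnonymousBucketAccessMode values quoted in the issue.
type Mode int

const (
	UnknownBucketAccessMode Mode = iota
	Private
	ReadOnly
	WriteOnly
	ReadWrite
)

type statement struct {
	Effect, Principal string
	Action, Resource  []string
}

// AnonymousStatements returns the S3-style policy statements a hypothetical
// driver would attach for mode. Private yields none; unknown modes fail closed.
func AnonymousStatements(mode Mode, bucket string) ([]statement, error) {
	bucketARN := "arn:aws:s3:::" + bucket // ListBucket targets the bucket itself
	objectARN := bucketARN + "/*"         // Get/PutObject target the objects in it
	list := statement{"Allow", "*", []string{"s3:ListBucket"}, []string{bucketARN}}
	get := statement{"Allow", "*", []string{"s3:GetObject"}, []string{objectARN}}
	put := statement{"Allow", "*", []string{"s3:PutObject"}, []string{objectARN}}
	switch mode {
	case Private:
		return nil, nil
	case ReadOnly:
		return []statement{list, get}, nil
	case WriteOnly:
		return []statement{put}, nil
	case ReadWrite:
		// Assumption: "read objects" includes ListBucket, as in ReadOnly.
		return []statement{list, get, put}, nil
	}
	return nil, fmt.Errorf("refusing unknown anonymous access mode %d", mode)
}

func main() {
	s, _ := AnonymousStatements(ReadOnly, "example-bucket") // constructed bucket name
	out, _ := json.MarshalIndent(map[string]any{"Version": "2012-10-17", "Statement": s}, "", "  ")
	fmt.Println(string(out))
}
```

Treating the zero value and any unrecognized value as an error keeps a driver from widening access when a newer client sends a mode it does not understand.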
@k8s-triage-robot

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle stale
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Oct 23, 2024