In this scenario, you will learn how to enforce custom policies with OPA over the S3 API to the Ceph Storage Cluster which applications use to put and get data.
Ceph
Ceph is a highly scalable distributed storage solution that uniquely delivers object, block, and file storage in one unified system. You can enforce fine-grained authorization over Ceph's Object Storage using OPA. Ceph's Object Storage essentially consists of a Ceph Storage Cluster and a Ceph Object Gateway.
The Ceph Object Gateway is an object storage interface built on top of librados to provide applications with a RESTful gateway to Ceph Storage Clusters.
OPA is integrated with the Ceph Object Gateway daemon (RGW), which is an HTTP server that interacts with a Ceph Storage Cluster and provides interfaces compatible with OpenStack Swift and Amazon S3.
When the Ceph Object Gateway gets a request, it checks with OPA whether the request should be allowed or not. OPA makes a decision (allow or deny) based on the policies and data it has access to and sends the decision back to the Ceph Object Gateway for enforcement.
This tutorial uses Rook to run Ceph inside a Kubernetes cluster.
OPA
OPA is a lightweight general-purpose policy engine that can be co-located with your service. You can integrate OPA as a sidecar, host-level daemon, or library.
Services offload policy decisions to OPA by executing queries. OPA evaluates policies and data to produce query results (which are sent back to the client). Policies are written in a high-level declarative language and can be loaded into OPA via the filesystem or well-defined APIs.
More details can be found at https://www.openpolicyagent.org/.
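The Rego policy below is an added example of the kind of decision RGW offloads to OPA on every S3 request; it is not the policy used in this scenario (whose text is not shown on this page) and not code from the OPA or Ceph projects. It assumes the request document RGW posts to OPA carries the HTTP method under input.method, the request path under input.relative_uri, the authenticated user under input.user_info.user_id and the target bucket under input.bucket_info.bucket.name; the user and bucket names in it are constructed for illustration.

```rego
package ceph.authz

import rego.v1

# RGW queries the rule at /v1/data/ceph/authz/allow once per request and
# permits the request only when OPA answers {"result": true}; anything else
# is a denial, so start closed.
default allow := false

# Constructed example data (assumption, not from the page): which users may
# read a shared bucket. In production, ship this as data, not inside the policy.
readers_of := {
	"finance-reports": {"bob", "carol"},
	"build-artifacts": {"ci"},
}

read_methods := {"GET", "HEAD"}

# Listing the caller's own buckets is a GET on the service root with no bucket
# in the request (assumes RGW reports the path in input.relative_uri).
allow if {
	input.method == "GET"
	input.relative_uri == "/"
}

# Ownership by naming convention: user "alice" has full control over every
# bucket named "alice-...", whatever the S3 method (PUT, DELETE, GET, ...).
# This also covers bucket creation, where no bucket metadata exists yet.
allow if {
	prefix := concat("", [input.user_info.user_id, "-"])
	startswith(input.bucket_info.bucket.name, prefix)
}

# Shared buckets: listed readers may use read-only methods, nothing else.
# A bucket absent from readers_of makes the lookup undefined, so the rule
# simply does not fire and the default denial stands.
allow if {
	input.method in read_methods
	input.user_info.user_id in readers_of[input.bucket_info.bucket.name]
}

# Example input as RGW would post it (constructed; only the fields the policy
# reads are shown):
#   {"input": {"method": "PUT",
#              "relative_uri": "/finance-reports/q3.csv",
#              "user_info": {"user_id": "bob"},
#              "bucket_info": {"bucket": {"name": "finance-reports"}}}}
# Result: allow is false. bob may read finance-reports but not write to it.
```

Evaluate it offline before wiring it into the gateway with opa eval -i input.json -d policy.rego "data.ceph.authz.allow", then point RGW at OPA by setting rgw use opa authz = true and rgw opa url = <opa-host>:<port>/v1/data/ceph/authz/allow (plus rgw opa token if OPA requires a bearer token) in the gateway's ceph.conf section; with Rook this is normally done through the rook-config-override ConfigMap (an assumption about the deployment, not something shown on this page). Because the URL names the allow rule and the default is false, a request that no rule covers, a policy that fails to evaluate, or an OPA that cannot be reached all end in denial rather than in silent access. The import rego.v1 line requires OPA 0.59 or later; older releases need the rules written without the if keyword.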
This scenario showed how OPA can be used to enforce custom policies over the S3 API to the Ceph Storage Cluster. You can modify OPA's policies to get greater control over the actions performed on the Ceph Object Storage without making any changes to Ceph.
This tutorial also showed how OPA can seamlessly work with Rook without any modifications to Rook's components.
For more OPA tutorials see https://www.openpolicyagent.org/docs/get-started.html.

Steps
Ceph Authorization with OPA (Open Policy Agent)
Step 1 - Deploy the Rook Operator
Deploy the Rook system components, which include the Rook agent and Rook operator pods.
kubectl create -f operator.yaml
Verify that the rook-ceph-operator, rook-ceph-agent, and rook-discover pods are Running.
watch kubectl -n rook-ceph-system get pod
When all pods show status Running, press Ctrl-C to stop watching and run clear to clear the screen.