This repository has been archived by the owner on Aug 27, 2024. It is now read-only.

obs objectstore logic is insecure #63

Open
poblin-orange opened this issue Nov 21, 2018 · 3 comments

poblin-orange commented Nov 21, 2018

Testing the broker for OBS bucket creation. The security model seems broken. After creating the service instance and binding, the end user receives the bucket URL and SHARED access key/secret keys. This means one can access ANY bucket provisioned by the service broker, not just the one they provision.

The broker should generate per-bucket access key/secrets for secure use.

cc / @gberche-orange
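A check for the behaviour reported above, added here as an example (it is not code from the broker or from this thread): it scans collected binding responses and reports any key pair issued to more than one service instance. The `credentials` wrapper is the Open Service Broker API binding response shape; the field names inside it and all sample values are assumptions.

```python
import hashlib
from collections import defaultdict

# Constructed sample: binding responses in the Open Service Broker API shape
# ({"credentials": {...}}), tagged with the instance they were issued for.
# The field names inside "credentials" are assumed, not the broker's schema.
SAMPLE_BINDINGS = [
    {"instance_id": "inst-a", "binding_id": "bind-1", "credentials": {
        "bucket_url": "https://bucket-a.obs.example.invalid",
        "access_key": "AKSHAREDEXAMPLE", "secret_key": "shared-secret"}},
    {"instance_id": "inst-a", "binding_id": "bind-2", "credentials": {
        "bucket_url": "https://bucket-a.obs.example.invalid",
        "access_key": "AKSHAREDEXAMPLE", "secret_key": "shared-secret"}},
    {"instance_id": "inst-b", "binding_id": "bind-3", "credentials": {
        "bucket_url": "https://bucket-b.obs.example.invalid",
        "access_key": "AKSHAREDEXAMPLE", "secret_key": "shared-secret"}},
    {"instance_id": "inst-c", "binding_id": "bind-4", "credentials": {
        "bucket_url": "https://bucket-c.obs.example.invalid",
        "access_key": "AKBUCKETCONLY", "secret_key": "bucket-c-secret"}},
]


def key_fingerprint(credentials):
    """Short hash of the key pair, so reports never contain the secret."""
    access, secret = credentials.get("access_key"), credentials.get("secret_key")
    if not access or not secret:
        return None  # binding carries no key pair; nothing to compare
    return hashlib.sha256(f"{access}\x00{secret}".encode()).hexdigest()[:16]


def find_shared_keys(bindings):
    """Map key fingerprint -> sorted instance ids, for keys issued to 2+ instances.

    Several bindings of the same instance reusing a key is not flagged; the
    isolation failure is one key pair handed out for different instances.
    """
    instances_by_key = defaultdict(set)
    for binding in bindings:
        fp = key_fingerprint(binding.get("credentials") or {})
        if fp is not None:
            instances_by_key[fp].add(binding["instance_id"])
    return {fp: sorted(ids) for fp, ids in instances_by_key.items() if len(ids) > 1}


if __name__ == "__main__":
    for fp, instances in find_shared_keys(SAMPLE_BINDINGS).items():
        print(f"key pair {fp} was issued to instances {instances}")
```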

@poblin-orange (Author)

@edisonxiang any feedback on this issue?


regismarg commented Apr 29, 2019

Hello huaweicloud,
This security problem is blocking more than 40 projects on our PaaS.
Not good for the OBS and Huawei business.
We cannot onboard projects because we are not able to provide them secured S3 buckets.
Please, we need an update about this limitation.
We are waiting for a solution to this problem to go on with Huawei Cloud consumption.

edisonxiang (Collaborator) commented Apr 29, 2019

Hey @poblin-orange @regismarg @WayneFromHuawei
Sorry for the late reply.
Currently, 3rd-party PaaS platforms like OpenShift and Cloud Foundry have their own tenants or namespaces or accounts,
but these tenants or namespaces or accounts are not managed by huaweicloud.
Since huaweicloud does not have more information about them,
it is a problem to provide resources by the tenants or namespaces or accounts of the 3rd-party PaaS.

Any suggestions are welcome. Thanks very much.
