https://github.com/infn-datacloud/webapp-rgw
Web application for uploading and downloading files to RADOS Gateway/Ceph Object Storage
- Host: GitHub
- URL: https://github.com/infn-datacloud/webapp-rgw
- Owner: infn-datacloud
- Created: 2025-03-20T08:10:34.000Z (over 1 year ago)
- Default Branch: main
- Last Pushed: 2026-03-09T09:29:30.000Z (4 months ago)
- Last Synced: 2026-03-09T12:49:14.196Z (4 months ago)
- Topics: ceph-radosgw, infn, infn-cloud, object-storage, oidc, outh2, s3, sts
- Language: TypeScript
- Homepage: https://s3webui.cloud.infn.it
- Size: 2.45 MB
- Stars: 0
- Watchers: 3
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSES/EUPL-1.2.txt
README
# RADOS Gateway Web Application
This project is a web application for easily accessing file objects stored
in Ceph Object Storage/RADOS Gateway. It uses the AWS S3 protocol for object
handling, and OAuth2/OpenID Connect for authorization and authentication via
the Secure Token Service (STS).
The webapp is implemented using React, Next.js, TypeScript and TailwindCSS
as core frameworks.
OAuth2 support is provided by the [Better Auth.js](https://better-auth.com)
framework.
All S3 operations are implemented using the official
[AWS SDK for JavaScript](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/).
## OpenID/OAuth2 Client Configuration
The webapp acts as an OpenID Connect/OAuth2 client, so the client must be
registered with the identity provider.
The following sections describe how to configure the OpenID Connect/OAuth2
client.
### Redirect URIs
Redirect URIs must be in the form of
`/api/auth/oauth2/callback/indigo-iam`
(without the trailing `/`), where `` is the
hostname of the machine hosting the application.
It is possible to configure more than one redirect URI.
For development:
```shell
http://localhost:3000/api/auth/oauth2/callback/indigo-iam
```
For a production deployment, the redirect URI will be, for example:
```shell
https://s3webui.cloud.infn.it/api/auth/oauth2/callback/indigo-iam
```
### Scopes
Enable the following scopes:
- `email`
- `openid`
- `profile`
### Grant Types and Crypto
The `authorization_code` grant type is required.
Enable the PKCE crypto feature with SHA-256 as algorithm.
## Configuration
Before starting the application, an environment file is needed. An example can be
found at [envs/example.env](envs/example.env).
- `WEBAPP_RGW_BASE_URL`: hostname of your deployment, for example
https://s3webui.cloud.infn.it or http://localhost:3000
- `WEBAPP_RGW_AUTH_SECRET`: secret to encrypt session cookies (see below)
- `WEBAPP_RGW_OIDC_ISSUER`: OpenID Connect Issuer
- `WEBAPP_RGW_OIDC_CLIENT_ID`: OpenID Connect Client ID
- `WEBAPP_RGW_OIDC_CLIENT_SECRET`: OpenID Connect Client Secret
- `WEBAPP_RGW_OIDC_AUDIENCE`: OpenID Connect Audience
- `WEBAPP_RGW_S3_ENDPOINT`: Rados Gateway/S3 API Endpoint
- `WEBAPP_RGW_S3_REGION`: Rados Gateway/S3 Region Name
- `WEBAPP_RGW_S3_ROLE_ARN`: Rados Gateway Role/S3 ARN
- `WEBAPP_RGW_S3_ROLE_DURATION_SECONDS`: Rados Gateway/S3 Role duration in seconds
### Auth Secret
The application needs a secret to encrypt/decrypt session cookies.
> **N.B.**: This is a _real_ secret and must be kept secure.
You can generate a `WEBAPP_RGW_AUTH_SECRET` with the following command:
```shell
openssl rand -base64 32
```
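A pre-flight check for the environment file described above, as an added example that is not part of the webapp-rgw code base: it reports missing variables and returns the redirect URI to register with the OpenID Connect provider. `checkEnv`, the https-unless-localhost rule and the 32-byte base64 rule for the secret are assumptions made here, and the sample values are constructed.

```javascript
// Added example: checkEnv() and its rules are hypothetical, not part of webapp-rgw.
const REQUIRED = ["BASE_URL", "AUTH_SECRET", "OIDC_ISSUER", "OIDC_CLIENT_ID",
  "OIDC_CLIENT_SECRET", "OIDC_AUDIENCE", "S3_ENDPOINT", "S3_REGION", "S3_ROLE_ARN",
  "S3_ROLE_DURATION_SECONDS"].map((n) => "WEBAPP_RGW_" + n);
const CALLBACK_PATH = "/api/auth/oauth2/callback/indigo-iam"; // path from the README
// Parse KEY=VALUE lines; blank lines and lines starting with # are skipped.
function parseEnv(text) {
  const env = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    const eq = line.indexOf("=");
    if (line === "" || line.startsWith("#") || eq < 1) continue;
    env[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return env;
}
// Assumed policy: plain http is tolerated only for a local development host.
function urlProblem(name, value) {
  let u;
  try { u = new URL(value); } catch { return `${name}: not a valid URL`; }
  const local = u.hostname === "localhost" || u.hostname === "127.0.0.1";
  if (u.protocol !== "https:" && !(u.protocol === "http:" && local))
    return `${name}: must use https unless it points at localhost`;
  return null;
}
// Returns the problems found and the redirect URI to register with the OIDC provider.
function checkEnv(text) {
  const env = parseEnv(text);
  const errors = REQUIRED.filter((k) => !env[k]).map((k) => `${k}: missing or empty`);
  for (const k of ["WEBAPP_RGW_BASE_URL", "WEBAPP_RGW_OIDC_ISSUER", "WEBAPP_RGW_S3_ENDPOINT"]) {
    const p = env[k] ? urlProblem(k, env[k]) : null;
    if (p) errors.push(p);
  }
  const base = env.WEBAPP_RGW_BASE_URL || "";
  if (base.endsWith("/")) errors.push("WEBAPP_RGW_BASE_URL: drop the trailing /");
  // Assumed rule: the secret came from `openssl rand -base64 32` (at least 32 bytes).
  const secret = env.WEBAPP_RGW_AUTH_SECRET || "";
  if (secret && !(/^[A-Za-z0-9+\/]+={0,2}$/.test(secret) && Buffer.from(secret, "base64").length >= 32))
    errors.push("WEBAPP_RGW_AUTH_SECRET: expected base64 of at least 32 random bytes");
  const dur = env.WEBAPP_RGW_S3_ROLE_DURATION_SECONDS;
  if (dur && !/^[1-9][0-9]*$/.test(dur))
    errors.push("WEBAPP_RGW_S3_ROLE_DURATION_SECONDS: must be a positive integer");
  return { errors, redirectUri: base.replace(/\/+$/, "") + CALLBACK_PATH };
}
// Constructed sample: http base URL on a public host and a too-short secret.
const SAMPLE_ENV = "WEBAPP_RGW_BASE_URL=http://s3webui.example.org\nWEBAPP_RGW_AUTH_SECRET=changeme\n";
console.log(checkEnv(SAMPLE_ENV));
```

Run it with the contents of your `.env` file before `docker run`, and register the returned `redirectUri` exactly as printed.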
## Deployment
This project is configured with a CI/CD pipeline which builds Docker images
for development and production releases. The images are stored
[here](https://hub.docker.com/r/indigopaas/webapp-rgw).
To start the application, run:
```shell
docker run --rm --name s3webui -p 8080:80 --env-file .env indigopaas/webapp-rgw
```
If you have trouble reaching the Rados Gateway endpoint from within the
container, you can specify the private IP address using the `--add-host` flag
of the `docker run` command, for example:
```shell
docker run \
--rm \
--name s3webui \
-d \
--add-host rgw.cloud.infn.it=10.200.0.18 \
--add-host s3webui.cloud.infn.it=10.200.0.18 \
-p 127.0.0.1:8080:80 \
--env-file .env \
indigopaas/webapp-rgw
```
## Telemetry
The application supports OpenTelemetry instrumentation and the INFN-CNAF Otello
service. Telemetry is enabled by default and sends traces to
https://otello.cloud.cnaf.infn.it/collector/v1/traces.
To change the OpenTelemetry OTLP collector endpoint, set the environment variable:
```bash
WEBAPP_RGW_OTEL_EXPORTER_OTLP_ENDPOINT=https://otello.cloud.cnaf.infn.it/collector/v1/traces
```
To completely disable telemetry, set the following environment variable:
```bash
WEBAPP_RGW_OTEL_DISABLE_TELEMETRY=1
```