Re: How to use STS Lite correctly?

Pritha Srivastava <prsrivas@xxxxxxxxxx> · Tue, 5 Mar 2019 21:57:50 +0530

Are you using this key your conf file:

rgw sts key = "1234567890"

STS uses AES encryption internally so it has to be 16 bytes in length, for example 'abcdefghijklmnop'.

Can you change that and see if it works? If not, can you post all the commands to create a role and attach a permission policy to it? Have you created a role called - cgtw-STS. 

STS works at the root path (and not at /rgw)

Thanks,Pritha

On Tue, Mar 5, 2019 at 8:27 AM myxingkong <admin@xxxxxxxxxxx> wrote:
Hello.

I successfully created the role and attached the permission policy, but it still didn't work as expected.

When I request the root path, it returns an HTTP 400 error:

Request:

POST / HTTP/1.1
Host: 192.168.199.81:8080
Accept-Encoding: identity
Content-Length: 159
Content-Type: application/x-www-form-urlencoded; charset=utf-8
X-Amz-Date: 20190305T024604Z
Authorization: AWS4-HMAC-SHA256 Credential=O966WM2NEUB232Z53VYG/20190305//sts/aws4_request, SignedHeaders=content-type;host;x-amz-date, Signature=dfb51d46ca561fa7bf763ceaededf58afd17b3fe6293c4cc6dc4fccba24c95d1
User-Agent: Boto3/1.9.106 Python/2.7.15 Windows/7 Botocore/1.12.106

Action="">

Response:

<Error>
    <Code>InvalidArgument</Code>
    <RequestId>tx00000000000000000000f-005c7de2ea-1217e-default</RequestId>
    <HostId>1217e-default-default</HostId>
</Error>

When I requested the /rgw path, it returned an HTTP 403 error:

Request:

POST /rgw HTTP/1.1
Host: 192.168.199.81:8080
Accept-Encoding: identity
Content-Length: 159
Content-Type: application/x-www-form-urlencoded; charset=utf-8
X-Amz-Date: 20190305T024904Z
Authorization: AWS4-HMAC-SHA256 Credential=O966WM2NEUB232Z53VYG/20190305//sts/aws4_request, SignedHeaders=content-type;host;x-amz-date, Signature=d68e6f79ded8d06bef19fa0d9248d5c72bdfd08abbd61b54de887fba17474f6d
User-Agent: Boto3/1.9.106 Python/2.7.15 Windows/7 Botocore/1.12.106

Action="">

Response:

<Error>
    <Code>AccessDenied</Code>
    <RequestId>tx000000000000000000010-005c7de39f-1217e-default</RequestId>
    <HostId>1217e-default-default</HostId>
</Error>

Can you tell me if my request path is incorrect?

				发件人： Pritha Srivastava

				发送时间： 2019-03-04 22:57:27

				收件人： 

				myxingkong

				抄送： 

				ceph-users

				主题： Re:  How to use STS Lite correctly?

There are two steps that have to be performed before calling AssumeRole:

1. A role named S3Access needs to be created to which it is mandatory to attach an assume role policy document. For example,

radosgw-admin role create --role-name=S3Access --path=/application_abc/component_xyz/ --assume-role-policy-doc=\{\"Version\":\"2012-10-17\",\"Statement\":\[\{\"Effect\":\"Allow\",\"Principal\":\{\"AWS\":\[\"arn:aws:iam:::user/TESTER\"\]\},\"Action\":\[\"sts:AssumeRole\"\]\}\]\}

2. A permission policy needs to be attached to the role, to allow all s3 operations using the temporary creds returned by the Assume role call. For example,

radosgw-admin role-policy put --role-name=S3Access --policy-name=Policy1 --policy-doc=\{\"Version\":\"2012-10-17\",\"Statement\":\[\{\"Effect\":\"Allow\",\"Action\":\[\"s3:*\"\],\"Resource\":\"arn:aws:s3:::example_bucket\"\}\]\}

The documentation for above is at: http://docs.ceph.com/docs/master/radosgw/role/

Thanks,

Pritha

On Mon, Mar 4, 2019 at 4:48 PM myxingkong <admin@xxxxxxxxxxx> wrote:

I want to use the STS service to generate temporary credentials for use by third-party clients.

I configured STS lite based on the documentation.

http://docs.ceph.com/docs/master/radosgw/STSLite/

This is my configuration file:

[global]
fsid = 42a7cae1-84d1-423e-93f4-04b0736c14aa
mon_initial_members = admin, node1, node2, node3
mon_host = 192.168.199.81,192.168.199.82,192.168.199.83,192.168.199.84
auth_cluster_required = cephx
auth_service_required = cephx
auth_client_required = cephx

osd pool default size = 2

[client.rgw.admin]
rgw sts key = "1234567890"
rgw s3 auth use sts = true

When I execute the getSessionToken method, return a 403 error:

<Error>

<Code>AccessDenied</Code>

<RequestId>tx00000000000000000000d-005c7d07ed-3a3c-default</RequestId>

<HostId>3a3c-default-default</HostId>
</Error>

try:
    host = 'http://192.168.199.81:7480'
    access_key = '2324YFZ7QDEOSRL18QHR'
    secret_key = 'rL9FabxCOw5LDbrHtmykiGSCjzpKLmEs9WPiNjVJ'

    client = boto3.client('sts',
                          aws_access_key_id = access_key,
                          aws_secret_access_key = secret_key,
                          endpoint_url = host)

    response = client.assume_role(

        RoleArn='arn:aws:iam:::role/application_abc/component_xyz/S3Access',
        RoleSessionName='Bob',
        DurationSeconds=3600
    )
    print response
except:
    print traceback.format_exc()

Who can tell me if my configuration or code is wrong?
My version of ceph is: ceph version 14.1.0 (adfd524c32325562f61c055a81dba4cb1b117e84) nautilus (dev)

_______________________________________________

ceph-users mailing list

ceph-users@xxxxxxxxxxxxxx

http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com

_______________________________________________
ceph-users mailing list
ceph-users@xxxxxxxxxxxxxx
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com