Hello,

If it is possible for the uid that has been used for LDAP users to be the same for OIDC users (which is based off the 'sub' field of the OpenID Connect token), then there are no extra migration steps needed.

Which version of Ceph are you using? In Octopus, offline token validation has been introduced, where an incoming web token is validated using the certificate of the IDP. Until Octopus, there were no shadow users for OIDC users, but we have introduced shadow user creation in the 'master' branch, and that is done automatically when an AssumeRoleWithWebIdentity call is made.

So the metadata to look at right now would be <tenant>$<uid>$buckets, which stores the user stats, and make sure that the same uid is being used across both LDAP and OIDC (if that is possible); else there is a radosgw-admin user rename command that will rename the user and update all other metadata.

Also, please note that currently AssumeRoleWithWebIdentity has been tested only with Keycloak.

The documentation for STS in Octopus is here: https://docs.ceph.com/en/octopus/radosgw/STS/

Thanks,
Pritha

On Mon, Oct 5, 2020 at 9:56 PM <technical@xxxxxxxxxxxxxxxxx> wrote:
> Hello, we have integrated Ceph's RGW with LDAP and have authenticated
> users using the mail attribute successfully. We would like to shift to SSO
> and are evaluating the new OIDC feature in Ceph together with dexIdP with
> an LDAP connector as an upstream IdP.
>
> We are trying to understand the flow of the user authentication and how it
> will affect my current LDAP users' buckets which are already created in Ceph
> as LDAP users.
>
> Will the Ceph RGW be able to pass the token to be verified to the IdP and
> what type of user will then be created in Ceph? Is this the intended way of
> OIDC integration?
>
> Thanks for any assistance
> _______________________________________________
> ceph-users mailing list -- ceph-users@xxxxxxx
> To unsubscribe send an email to ceph-users-leave@xxxxxxx
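As an added example (not code from this thread or from Ceph), a small Python inventory script for the migration check Pritha describes: it reads the 'sub' and 'email' claims of constructed sample OIDC tokens, compares them with the uids of existing LDAP-backed RGW users, and returns the `radosgw-admin user rename` command for the ones whose uid would change. It assumes that the LDAP uid equals the mail attribute carried in the token's `email` claim, that the OIDC uid is the `sub` claim verbatim, and that tenant-scoped uids are written `<tenant>$<uid>`; it never verifies the token signature, which RGW does against the IdP certificate.

```python
# Migration inventory helper (added example, not Ceph code). Assumed, beyond what
# the thread states: LDAP-backed RGW uids equal the token's 'email' claim, the OIDC
# uid is the 'sub' claim verbatim, tenant-scoped uids are written <tenant>$<uid>.
# radosgw-admin is never executed here; commands are returned for review.
import base64
import json
import shlex

def jwt_claims(token: str) -> dict:
    """Read the payload claims of a compact JWT WITHOUT verifying the signature.
    RGW validates the token against the IdP certificate; this is only for
    planning and must never be used to make an authorization decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def qualify(tenant: str, uid: str) -> str:
    """Tenant-qualified uid in the <tenant>$<uid> form used by RGW metadata."""
    return f"{tenant}${uid}" if tenant else uid

def plan_renames(ldap_uids, tokens, tenant=""):
    """Return (old_uid, new_uid, command) for every token whose 'email' names an
    existing LDAP uid but whose 'sub' differs; identical uids need no step."""
    known, plan = set(ldap_uids), []
    for tok in tokens:
        claims = jwt_claims(tok)
        old, new = claims.get("email"), claims.get("sub")
        if old not in known or not new or old == new:
            continue
        cmd = "radosgw-admin user rename --uid=%s --new-uid=%s" % (
            shlex.quote(qualify(tenant, old)), shlex.quote(qualify(tenant, new)))
        plan.append((old, new, cmd))
    return plan

def make_token(claims: dict) -> str:
    """Build an unsigned sample token; constructed test data only."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."

# Constructed sample data: two existing LDAP users and three incoming tokens.
SAMPLE_LDAP_UIDS = ["alice@example.com", "bob@example.com"]
SAMPLE_TOKENS = [
    make_token({"sub": "alice@example.com", "email": "alice@example.com"}),  # same uid
    make_token({"sub": "a1b2c3d4", "email": "bob@example.com"}),  # needs rename
    make_token({"sub": "zz99", "email": "carol@example.com"}),  # unknown to RGW
]
```

Run `plan_renames(SAMPLE_LDAP_UIDS, SAMPLE_TOKENS, tenant="acme")` to list the users that would need the rename step before the OIDC path creates a second identity for them.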