Re: Ceph OIDC Integration

Hi Pritha and thanks for your reply. We are using Ceph Octopus and we have switched to Keycloak from dexIdP.

Having said that, we have followed the guide from https://docs.ceph.com/en/octopus/radosgw/STS/ but we are constantly having an issue with the AssumeRoleWithWebIdentity example.

We are using 2 different accounts for role creation and policy creation, and those 2 parts of the example script are working fine, but when we move over to the assume_role_with_web_identity part we get a forbidden error from Ceph.

We have used cephadm to install Ceph which is at:
# ceph --version
ceph version 15.2.5 (2c93eff00150f0cc5f106a559557a58d3d7b6f1f) octopus (stable)

We used the following command to add the role capabilities for both users:
radosgw-admin caps add --uid="TESTER" --caps="roles=*"
radosgw-admin caps add --uid="TESTER1" --caps="roles=*"

We have set the capabilities for the 2 users mentioned above as shown here:
buckets (*)
metadata (*)
roles (*)
usage (*)
user-policy (*)
users (*)
zone (*) 

---

Can you please confirm whether the key names actually have spaces in them, or are they missing underscores?
[client.radosgw.gateway]
rgw sts key = {sts key for encrypting the session token}
rgw s3 auth use sts = true

---

We are also getting a "NameError: name 'client' is not defined" error from the AssumeRoleWithWebIdentity example, in the part shown below. Shouldn't it be "sts_client.assume_role_with_web_identity" instead of "client.assume_role_with_web_identity", since it is defined as sts_client in the code above it?

sts_client = boto3.client('sts',
aws_access_key_id=<access_key of TESTER1>,
aws_secret_access_key=<secret_key of TESTER1>,
endpoint_url=<STS URL>,
region_name='',
)

response = client.assume_role_with_web_identity(
RoleArn=role_response['Role']['Arn'],
RoleSessionName='Bob',
DurationSeconds=3600,
WebIdentityToken=<Web Token>
)

Can you or anyone give us some pointers on this issue, please?
_______________________________________________
ceph-users mailing list -- ceph-users@xxxxxxx
To unsubscribe send an email to ceph-users-leave@xxxxxxx
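As an added example (not part of the original post or of the Ceph documentation), the snippet below shows the AssumeRoleWithWebIdentity call made through the `sts_client` the docs actually define, and a pre-flight check a practitioner can run before calling STS: it decodes the web identity token's claims (without verifying the signature; RGW does that itself) and compares them with the role's trust policy, since a token whose `iss` or `aud` does not satisfy the trust policy is a common reason for the forbidden response the post describes. The issuer URL, client id, role ARN and trust-policy layout (a `Principal.Federated` of the form `arn:aws:iam:::oidc-provider/<issuer without scheme>` and a `StringEquals` condition on `<issuer without scheme>:app_id`) are constructed sample values modelled on the shape used in the Ceph STS guide's Keycloak example; they are assumptions for this illustration, not values taken from the thread.

```python
import base64
import json
from typing import Any, Dict, List, Optional

# Constructed sample values (assumptions, not taken from the original post).
SAMPLE_ISSUER = "http://localhost:8080/auth/realms/quickstart"
SAMPLE_APP_ID = "app-profile-jsp"

SAMPLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": [
            "arn:aws:iam:::oidc-provider/localhost:8080/auth/realms/quickstart"]},
        "Action": ["sts:AssumeRoleWithWebIdentity"],
        "Condition": {"StringEquals": {
            "localhost:8080/auth/realms/quickstart:app_id": SAMPLE_APP_ID}},
    }],
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_sample_token(claims: Dict[str, Any]) -> str:
    """Build header.payload.signature with a placeholder signature. Only for
    constructing offline test input; a real token comes from the IdP."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.placeholder-signature"


SAMPLE_TOKEN = make_unsigned_sample_token(
    {"iss": SAMPLE_ISSUER, "aud": SAMPLE_APP_ID, "sub": "constructed-user-id"})


def _as_list(value: Any) -> List[Any]:
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def decode_jwt_claims(token: str) -> Dict[str, Any]:
    """Return the JWT payload as a dict. No signature verification here: RGW
    verifies the token against the provider's keys; this only exposes the
    claims so they can be compared with the trust policy before calling STS."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("web identity token is not a three-part JWT")
    return json.loads(_b64url_decode(parts[1]))


def trust_policy_mismatch(trust_policy: Dict[str, Any],
                          claims: Dict[str, Any]) -> Optional[str]:
    """Check the claims against an Allow statement for
    sts:AssumeRoleWithWebIdentity. Returns None when they agree, otherwise a
    description of the first mismatch (a likely cause of a 403 from RGW)."""
    issuer_host = claims.get("iss", "").split("://", 1)[-1]
    audiences = set(_as_list(claims.get("aud")))
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or \
           "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action")):
            continue
        federated = _as_list(stmt.get("Principal", {}).get("Federated"))
        if not any(p.endswith("oidc-provider/" + issuer_host) for p in federated):
            return f"token iss {issuer_host!r} does not match Principal.Federated {federated}"
        for key, expected in stmt.get("Condition", {}).get("StringEquals", {}).items():
            if key.endswith(":app_id") and expected not in audiences:
                return f"token aud {sorted(audiences)} lacks required app_id {expected!r}"
        return None
    return "trust policy has no Allow statement for sts:AssumeRoleWithWebIdentity"


def assume_role_kwargs(role_arn: str, web_token: str, session_name: str = "Bob",
                       duration_seconds: int = 3600) -> Dict[str, Any]:
    """Arguments for sts_client.assume_role_with_web_identity(), the call the
    docs' example makes through the undefined name `client`."""
    return {"RoleArn": role_arn, "RoleSessionName": session_name,
            "DurationSeconds": duration_seconds, "WebIdentityToken": web_token}


def assume_role_checked(sts_client: Any, role_arn: str, web_token: str,
                        trust_policy: Dict[str, Any]) -> Dict[str, Any]:
    """Run the pre-flight check, then call STS. In practice sts_client is a
    boto3.client('sts', endpoint_url=<STS URL>, ...) built as in the docs;
    any object exposing assume_role_with_web_identity works for a dry run."""
    problem = trust_policy_mismatch(trust_policy, decode_jwt_claims(web_token))
    if problem:
        raise ValueError("token would not satisfy the role trust policy: " + problem)
    return sts_client.assume_role_with_web_identity(**assume_role_kwargs(role_arn, web_token))
```

The check only covers the trust-policy side of the failure; the `rgw sts key` and `rgw s3 auth use sts` settings from the question, and the `roles=*` caps on the users, are still needed on the RGW side for the call to succeed.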


