Re: Ceph OIDC Integration

Hello,

rgw sts key should be a key of length 16 since we use AES 128 for
encryption (e.g. rgw sts key = abcdefghijklmnop)

Yes, it should be 'sts_client' and not 'client'. The errors in the documentation
have been noted and will be corrected.

Also please note that the backport to Octopus of the new changes is
underway (https://github.com/ceph/ceph/pull/37640), and this should be
available in the next Octopus release.

Thanks,
Pritha



On Tue, Oct 13, 2020 at 9:22 PM <technical@xxxxxxxxxxxxxxxxx> wrote:

> Hi Pritha and thanks for your reply. We are using Ceph Octopus and we have
> switched to Keycloak from dexIdP.
>
> Having said that we have followed the guide from
> https://docs.ceph.com/en/octopus/radosgw/STS/ but we are constantly
> having an issue with the AssumeRoleWithWebIdentity example.
>
> We are using 2 different accounts for role creation and policy creation,
> and those 2 parts of the example script are working fine, but when we move
> over to the assume_role_with_web_identity part we get a forbidden error from
> Ceph.
>
> We have used cephadm to install Ceph which is at:
> # ceph --version
> ceph version 15.2.5 (2c93eff00150f0cc5f106a559557a58d3d7b6f1f) octopus
> (stable)
>
> We used the following command to add the role capabilities for both users:
> radosgw-admin caps add --uid="TESTER" --caps="roles=*"
> radosgw-admin caps add --uid="TESTER1" --caps="roles=*"
>
> We have set the capabilities for the 2 users mentioned above as shown here:
> buckets (*)
> metadata (*)
> roles (*)
> usage (*)
> user-policy (*)
> users (*)
> zone (*)
>
> ---
>
> Can you please confirm that the key values actually have spaces in them, or
> are they missing an underscore?
> [client.radosgw.gateway]
> rgw sts key = {sts key for encrypting the session token}
> rgw s3 auth use sts = true
>
> ---
>
> We are also getting "NameError: name 'client' is not defined" error from
> AssumeRoleWithWebIdentity example in this part shown below. Shouldn't it be
> "sts_client.assume_role_with_web_identity" from
> "client.assume_role_with_web_identity" as it is being defined as sts_client
> in the code above it?
>
> sts_client = boto3.client('sts',
> aws_access_key_id=<access_key of TESTER1>,
> aws_secret_access_key=<secret_key of TESTER1>,
> endpoint_url=<STS URL>,
> region_name='',
> )
>
> response = client.assume_role_with_web_identity(
> RoleArn=role_response['Role']['Arn'],
> RoleSessionName='Bob',
> DurationSeconds=3600,
> WebIdentityToken=<Web Token>
> )
>
> Can you or anyone give us some pointers to this issue please?
> _______________________________________________
> ceph-users mailing list -- ceph-users@xxxxxxx
> To unsubscribe send an email to ceph-users-leave@xxxxxxx
>
>