Re: Ceph OIDC Integration

Hello again,

The issues that you are seeing are because, as I mentioned in my previous
email, I missed backporting some commits to Octopus (apologies for the
same), and I have opened a backport PR
(https://github.com/ceph/ceph/pull/37640) and this should be available in
the next Octopus release.

Thanks,
Pritha

On Wed, Oct 14, 2020 at 11:48 PM <technical@xxxxxxxxxxxxxxxxx> wrote:

> Hi Pritha and thanks again for your reply. Unfortunately we are still
> stuck at the AssumeRoleWithWebIdentity API call as shown below:
>
> 2020-10-14T08:24:26.314+0000 7ff6600ff700  1 ====== starting new request
> req=0x7ff6b69496b0 =====
> 2020-10-14T08:24:26.314+0000 7ff6600ff700  2 req 7 0s initializing for
> trans_id = tx000000000000000000007-005f86b5ba-1e4f8-ZylaS3
> 2020-10-14T08:24:26.314+0000 7ff6600ff700 10 rgw api priority: s3=8
> s3website=7
> 2020-10-14T08:24:26.314+0000 7ff6600ff700 10 host=192.168.35.28
> 2020-10-14T08:24:26.314+0000 7ff6600ff700 20 subdomain= domain=
> in_hosted_domain=0 in_hosted_domain_s3website=0
> 2020-10-14T08:24:26.314+0000 7ff6600ff700 20 final domain/bucket
> subdomain= domain= in_hosted_domain=0 in_hosted_domain_s3website=0
> s->info.domain= s->info.request_uri=/
> 2020-10-14T08:24:26.314+0000 7ff6600ff700 20 req 7 0s get_handler
> handler=26RGWHandler_REST_Service_S3
> 2020-10-14T08:24:26.314+0000 7ff6600ff700 10
> handler=26RGWHandler_REST_Service_S3
> 2020-10-14T08:24:26.314+0000 7ff6600ff700  2 req 7 0s getting op 4
> 2020-10-14T08:24:26.314+0000 7ff6600ff700 10 Content of POST:
> Action=AssumeRoleWithWebIdentity&Version=2011-06-15&RoleArn=arn%3Aaws%3Aiam%3A%3A%3Arole%2FS3Access&RoleSessionName=KC-Client&DurationSeconds=3600&WebIdentityToken=<token_here>
> 2020-10-14T08:24:26.315+0000 7ff6600ff700 10 req 7 0.001000005s
> sts:assume_role_web_identity scheduling with dmclock client=0 cost=1
> 2020-10-14T08:24:26.315+0000 7ff6600ff700 10
> op=31RGWSTSAssumeRoleWithWebIdentity
> 2020-10-14T08:24:26.315+0000 7ff6600ff700  2 req 7 0.001000005s
> sts:assume_role_web_identity verifying requester
> 2020-10-14T08:24:26.315+0000 7ff6600ff700 20 req 7 0.001000005s
> sts:assume_role_web_identity rgw::auth::sts::DefaultStrategy: trying
> rgw::auth::sts::WebTokenEngine
> 2020-10-14T08:24:26.315+0000 7ff6600ff700 20 req 7 0.001000005s
> sts:assume_role_web_identity rgw::auth::sts::WebTokenEngine denied with
> reason=-13
> 2020-10-14T08:24:26.315+0000 7ff6600ff700  5 req 7 0.001000005s
> sts:assume_role_web_identity Failed the auth strategy, reason=-13
> 2020-10-14T08:24:26.315+0000 7ff6600ff700 10 failed to authorize request
> 2020-10-14T08:24:26.315+0000 7ff6600ff700  1 op->ERRORHANDLER: err_no=-13
> new_err_no=-13
> 2020-10-14T08:24:26.315+0000 7ff6600ff700  2 req 7 0.001000005s
> sts:assume_role_web_identity op status=0
> 2020-10-14T08:24:26.315+0000 7ff6600ff700  2 req 7 0.001000005s
> sts:assume_role_web_identity http status=403
> 2020-10-14T08:24:26.315+0000 7ff6600ff700  1 ====== req done
> req=0x7ff6b69496b0 op status=0 http_status=403 latency=0.001000005s ======
> 2020-10-14T08:24:26.315+0000 7ff6600ff700  1 beast: 0x7ff6b69496b0:
> 192.168.35.116 - - [2020-10-14T08:24:26.315479+0000] "POST / HTTP/1.1" 403
> 185 - "Boto3/1.15.16 Python/3.8.5 Linux/5.4.0-48-generic Botocore/1.18.16" -
> 2020-10-14T08:24:26.383+0000 7ff66690c700 20 failed to read header: end of
> stream
>
> To get the web token we are using the below script and pasting the output
> in the AssumeRoleWithWebIdentity API call:
>
> #!/bin/bash
> set -euo pipefail
>
> KC_REALM=myrealm
> KC_CLIENT=rgw-app
> KC_CLIENT_SECRET=<string from credentials tab in KC of the client>
> KC_SERVER=<IP>:<port>
> KC_CONTEXT=auth
>
> # Request tokens for credentials (client_credentials grant against Keycloak).
> # -k disables TLS certificate verification; only acceptable for testing.
> KC_RESPONSE=$( \
> curl -k --no-progress-meter -X POST \
> -H "Content-Type: application/x-www-form-urlencoded" \
> -d "scope=openid" \
> -d "grant_type=client_credentials" \
> -d "client_id=$KC_CLIENT" \
> -d "client_secret=$KC_CLIENT_SECRET" \
> "https://$KC_SERVER/$KC_CONTEXT/realms/$KC_REALM/protocol/openid-connect/token" \
> | jq .
> )
>
> # Extract the access token from the JSON response
> KC_ACCESS_TOKEN=$(echo "$KC_RESPONSE" | jq -r .access_token)
> echo "$KC_ACCESS_TOKEN"
>
> For the above token request to work we had to turn "ON" the option
> "Service Accounts Enabled" in the settings tab of the client.
>
> I suspect that the issue is more in relation to the capabilities of the
> user when calling the STS engine for the AssumeRoleWithWebIdentity API call.
>
> If anyone can help... You are more than welcome :-)
> _______________________________________________
> ceph-users mailing list -- ceph-users@xxxxxxx
> To unsubscribe send an email to ceph-users-leave@xxxxxxx
>
>
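As an added example (not from this thread, from Ceph or from Keycloak), a small Python helper that decodes the claims of the Keycloak token before it is pasted into the AssumeRoleWithWebIdentity call, and that rebuilds the POST body RGW logs under "Content of POST". The claim checks (iss against the OIDC provider URL registered in RGW, the client id in aud or azp, exp) are my assumptions about what RGW's WebTokenEngine verifies before returning -13, and the sample token is constructed and unsigned.

```python
import base64
import json
import time
from urllib.parse import urlencode

EACCES = 13  # "denied with reason=-13" in the RGW log is -EACCES

def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature (inspection only;
    RGW performs the real verification against the OIDC provider)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS token")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_claims(claims, expected_iss, expected_aud, now=None):
    """List the mismatches that would explain a 403 from the STS WebTokenEngine.
    Assumption: RGW matches iss to the registered provider URL and looks for
    the client id in aud (or azp, which Keycloak client_credentials tokens set)."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != expected_iss:
        problems.append(f"iss={claims.get('iss')!r} != {expected_iss!r}")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)
    if expected_aud not in aud and claims.get("azp") != expected_aud:
        problems.append(f"client id {expected_aud!r} not in aud={aud!r} or azp")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    return problems

def sts_post_body(role_arn, session_name, token, duration=3600):
    """Form body for AssumeRoleWithWebIdentity, encoded as in the RGW log."""
    return urlencode({"Action": "AssumeRoleWithWebIdentity", "Version": "2011-06-15",
                      "RoleArn": role_arn, "RoleSessionName": session_name,
                      "DurationSeconds": duration, "WebIdentityToken": token})

def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")

# Constructed, unsigned sample resembling a Keycloak client_credentials token
# (hypothetical issuer URL; exp is 2100-01-01 so the sample does not expire).
SAMPLE_TOKEN = ".".join([_b64url({"alg": "none"}),
                         _b64url({"iss": "https://kc.example/auth/realms/myrealm",
                                  "aud": "account", "azp": "rgw-app",
                                  "exp": 4102444800}), ""])
```

Running `check_claims(jwt_claims(token), "<provider URL registered in RGW>", "rgw-app")` on the real token returns an empty list when the claims line up, which rules the token itself out as the cause of the 403.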