Re: Using ID of a federated user in a bucket policy in RGW

Hi Pritha

This is probably the only combination I haven't tried.
I was convinced it would have to be $oidc$.
It worked brilliantly with the ARN you suggested, thank you for that.

So does it mean that for a non-empty tenant we would have the tenant name twice,
like
arn:aws:iam::mytenant:user/mytenant$oidc$7f71c7c5-c24f-418e-87ac-aa8fe271289b

or would it be a single tenant name?
arn:aws:iam::mytenant:user/oidc$7f71c7c5-c24f-418e-87ac-aa8fe271289b

If it's the second one, it relies on the fact that IDs are unique, which in
turn depends on the sub field in the token.

Regards
Daniel

On Wed, 12 May 2021 at 13:31, Pritha Srivastava <prsrivas@xxxxxxxxxx> wrote:

> Hi,
>
> Can you try with the following ARN:
>
> arn:aws:iam:::user/oidc$7f71c7c5-c24f-418e-87ac-aa8fe271289b
>
> The format of the user id is <tenant>$<user-namespace>$<sub>, and in
> $oidc$7f71c7c5-c24f-418e-87ac-aa8fe271289b the '$' before oidc is the
> separator for a tenant, which is empty here. The ARN for a user is of the
> format arn:aws:iam::<tenant>:user/<user-id>, and hence the ARN here will
> be arn:aws:iam:::user/oidc$7f71c7c5-c24f-418e-87ac-aa8fe271289b.
> Thanks,
> Pritha
>
> On Wed, May 12, 2021 at 4:02 PM Daniel Iwan <iwan.daniel@xxxxxxxxx> wrote:
>
>> Hi all
>>
>> I'm working on the following scenario:
>> a user is authenticated with OIDC and tries to access a bucket which it does
>> not own.
>> How do I specify the user ID etc. to give access to such a user?
>>
>> By trial and error I found out that the principal can be specified as
>> "Principal": {"Federated":["arn:aws:sts:::assumed-role/MySession"]},
>>
>> but I want to use shadow user ID or something similar as the principal
>>
>> Docs
>> https://docs.ceph.com/en/latest/radosgw/STS/
>> states:
>> 'A shadow user is created corresponding to every federated user. The user
>> id is derived from the ‘sub’ field of the incoming web token. The user is
>> created in a separate namespace - ‘oidc’ such that the user id doesn’t
>> clash with any other user ids in rgw. The format of the user id is -
>> <tenant>$<user-namespace>$<sub> where user-namespace is ‘oidc’ for users
>> that authenticate with oidc providers.'
>>
>> I see a shadow user in the Web UI as e.g. 7f71c7c5-c24f-418e-87ac-aa8fe271289b
>> but I cannot work out the syntax of a user id. I was expecting something
>> like
>>
>> "arn:aws:iam:::user/$oidc$7f71c7c5-c24f-418e-87ac-aa8fe271289b"
>>
>> but when trying to list the content of a bucket I get AccessDenied.
>> If the bucket policy has Principal "*" then my authenticated user can access
>> the bucket.
>>
>> Is this possible?
>> Regards
>> Daniel
>> _______________________________________________
>> ceph-users mailing list -- ceph-users@xxxxxxx
>> To unsubscribe send an email to ceph-users-leave@xxxxxxx
>>
>
_______________________________________________
ceph-users mailing list -- ceph-users@xxxxxxx
To unsubscribe send an email to ceph-users-leave@xxxxxxx
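As an added worked example (not code from the thread or from the Ceph project): the helper below builds the principal ARN in the form Pritha confirmed for an empty tenant, wraps it in a minimal bucket policy, and checks a candidate ARN for the leading-`$` form that produced AccessDenied above. The `"AWS"` principal key is the one Ceph's bucket-policy documentation uses for user ARNs; the function and variable names, the bucket name and the chosen S3 actions are this example's own assumptions. The checker deliberately does not decide how a non-empty tenant should appear in the user id, since the thread leaves that open; it only requires the id to end in `oidc$<sub>`.

```python
import json
import re

# Shadow-user id format from the Ceph STS docs quoted in the thread:
#   <tenant>$<user-namespace>$<sub>
# Per Pritha's reply, the ARN is arn:aws:iam::<tenant>:user/<user-id>; with an
# empty tenant the leading "$" (the tenant separator) does not appear in the
# ARN, giving arn:aws:iam:::user/oidc$<sub>.
OIDC_NAMESPACE = "oidc"


def federated_user_arn(sub: str) -> str:
    """Return the empty-tenant ARN for an OIDC shadow user (form confirmed in the thread)."""
    if not sub or "$" in sub or ":" in sub:
        raise ValueError("sub must be a non-empty string without '$' or ':'")
    return f"arn:aws:iam:::user/{OIDC_NAMESPACE}${sub}"


def bucket_policy(bucket: str, sub: str,
                  actions=("s3:ListBucket", "s3:GetObject")) -> dict:
    """Minimal bucket policy granting read access on `bucket` to one federated user.

    Resource lists both the bucket ARN (needed for s3:ListBucket) and the object
    ARN pattern (needed for s3:GetObject); granting only one of them is a common
    cause of AccessDenied even when the principal is right.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowFederatedUserRead",          # assumed statement id
            "Effect": "Allow",
            "Principal": {"AWS": [federated_user_arn(sub)]},
            "Action": list(actions),
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        }],
    }


_IAM_USER_ARN = re.compile(r"^arn:aws:iam::(?P<tenant>[^:]*):user/(?P<userid>.+)$")


def check_principal(arn: str) -> tuple:
    """Pre-deployment lint for an OIDC user principal; returns (ok, reason)."""
    m = _IAM_USER_ARN.match(arn)
    if not m:
        return False, "not an arn:aws:iam::<tenant>:user/<user-id> ARN"
    user_id = m.group("userid")
    if user_id.startswith("$"):
        # This is the "$oidc$<sub>" form that got AccessDenied in the thread:
        # the empty tenant is already expressed by the empty account field.
        return False, "user id must not start with '$'"
    parts = user_id.split("$")
    if len(parts) < 2 or parts[-2] != OIDC_NAMESPACE or not parts[-1]:
        return False, f"user id must end in {OIDC_NAMESPACE}$<sub>"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: the sub from the thread and an assumed bucket name.
    sub = "7f71c7c5-c24f-418e-87ac-aa8fe271289b"
    policy = bucket_policy("mybucket", sub)
    print(json.dumps(policy, indent=2))
    for candidate in (federated_user_arn(sub),
                      f"arn:aws:iam:::user/$oidc${sub}",
                      "arn:aws:sts:::assumed-role/MySession"):
        print(candidate, "->", check_principal(candidate))
```

Run it to print a policy document ready to pass to `s3api put-bucket-policy`; `check_principal` is the step worth keeping in a deployment script, because a malformed principal fails closed as AccessDenied with nothing in the RGW log pointing at the ARN.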