Re: Creating a role in another tenant seems to be possible

Hi Pritha

My answers inline.
Forgot to add I'm on Ceph 1.2.1


> How did you check whether the role was created in tenant1 or tenant2?
> It shouldn't be created in tenant2, if it is, then it's a bug, please open
> a tracker issue for it.
>

I checked that with
radosgw-admin role list --tenant tenant1

Example commands with output
The user creating the roles has in this case the roles:* capability.

When creating without a tenant prefix, the role is created in the tenant the
user belongs to.

aws --profile=user-from-tenant1 --endpoint=$HOST_S3_API --region="" iam
create-role --role-name=TemporaryRole --assume-role-policy-document
file://json/trust-policy-assume-role.json

{
    "Role": {
        "Path": "/",
        "RoleName": "TemporaryRole",
        "RoleId": "507f990e-46cd-418c-ad4e-cc59276500dc",
        "Arn": "arn:aws:iam::tenant1:role/TemporaryRole",
        "CreateDate": "2021-06-10T11:17:15.638000+00:00",
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Effect": "Allow",
                    "Principal": {
                        "Federated": [
                            "arn:aws:iam:::oidc-provider/localhost.ceph-om-vm-node3.com:8443/auth/realms/tenant1"
                        ]
                    },
                    "Action": [
                        "sts:AssumeRoleWithWebIdentity"
                    ],
                    "Condition": {
                        "StringEquals": {
                            "localhost.ceph-om-vm-node3.com:8443/auth/realms/tenant1:app_id": "account"
                        }
                    }
                }
            ]
        },
        "MaxSessionDuration": 3600
    }
}

root@:~# radosgw-admin role list --tenant tenant1
[
    {
        "RoleId": "507f990e-46cd-418c-ad4e-cc59276500dc",
        "RoleName": "TemporaryRole",
        "Path": "/",
        "Arn": "arn:aws:iam::tenant1:role/TemporaryRole",
        "CreateDate": "2021-06-10T11:17:15.638Z",
        "MaxSessionDuration": 3600,
        "AssumeRolePolicyDocument":
"{\n\t\"Version\":\"2012-10-17\",\n\t\"Statement\":[\n\t\t{\n\t\t\t\"Effect\":\"Allow\",\n\t\t\t\"Principal\":{\n\t\t\t\t\"Federated\":[\n\t\t\t\t\t\"arn:aws:iam:::oidc-provider/localhost.ceph-om-vm-node3.com:8443/auth/realms/tenant1\"\n\t\t\t\t]\n\t\t\t},\n\t\t\t\"Action\":[\n\t\t\t\t\"sts:AssumeRoleWithWebIdentity\"\n\t\t\t],\n\t\t\t\"Condition\":{\n\t\t\t\t\"StringEquals\":{\n\t\t\t\t\t\"localhost.ceph-om-vm-node3.com:8443/auth/realms/tenant1:app_id\":\"account\"\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t]\n}"
    }
]

then created with another tenant name

aws --profile=user-from-tenant1 --endpoint=$HOST_S3_API --region="" iam
create-role --role-name="tenant2\$TemporaryRole"
--assume-role-policy-document file://json/trust-policy-assume-role.json
{
    "Role": {
        "Path": "/",
        "RoleName": "TemporaryRole",
        "RoleId": "9086dc3c-3654-465c-9524-dd60cee6ec09",
        "Arn": "arn:aws:iam::tenant2:role/TemporaryRole",
        "CreateDate": "2021-06-10T11:17:52.110000+00:00",
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Effect": "Allow",
                    "Principal": {
                        "Federated": [
                            "arn:aws:iam:::oidc-provider/localhost.ceph-om-vm-node3.com:8443/auth/realms/tenant1"
                        ]
                    },
                    "Action": [
                        "sts:AssumeRoleWithWebIdentity"
                    ],
                    "Condition": {
                        "StringEquals": {
                            "localhost.ceph-om-vm-node3.com:8443/auth/realms/tenant1:app_id": "account"
                        }
                    }
                }
            ]
        },
        "MaxSessionDuration": 3600
    }
}

root@:~# radosgw-admin role list --tenant tenant2
[
    {
        "RoleId": "9086dc3c-3654-465c-9524-dd60cee6ec09",
        "RoleName": "TemporaryRole",
        "Path": "/",
        "Arn": "arn:aws:iam::tenant2:role/TemporaryRole",
        "CreateDate": "2021-06-10T11:17:52.110Z",
        "MaxSessionDuration": 3600,
        "AssumeRolePolicyDocument":
"{\n\t\"Version\":\"2012-10-17\",\n\t\"Statement\":[\n\t\t{\n\t\t\t\"Effect\":\"Allow\",\n\t\t\t\"Principal\":{\n\t\t\t\t\"Federated\":[\n\t\t\t\t\t\"arn:aws:iam:::oidc-provider/localhost.ceph-om-vm-node3.com:8443/auth/realms/tenant1\"\n\t\t\t\t]\n\t\t\t},\n\t\t\t\"Action\":[\n\t\t\t\t\"sts:AssumeRoleWithWebIdentity\"\n\t\t\t],\n\t\t\t\"Condition\":{\n\t\t\t\t\"StringEquals\":{\n\t\t\t\t\t\"localhost.ceph-om-vm-node3.com:8443/auth/realms/tenant1:app_id\":\"account\"\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t]\n}"
    }
]

>> Similarly, a federated user who assumes a role with iam:CreateRole
>> permission
>> can create an arbitrary role like below.
>>
>> aws --endpoint=$HOST_S3_API --region="" iam create-role
>> --role-name="tenant2\$TemporaryRole" --assume-role-policy-document
>> file://json/trust-policy-assume-role.json
>>
>> Example permission policy
>> {
>> "Statement":[
>> {"Effect":"Allow","Action":["iam:GetRole"]},
>> {"Effect":"Allow","Action":["iam:CreateRole"]}
>> ]
>> }
>>
> What entity is this permission policy attached to? The user making the
> CreateRole call?
>

This is a permission policy of a role that the user assumes before creating
another role.
It was created solely for the purpose of the test.

Cheers
Daniel
_______________________________________________
ceph-users mailing list -- ceph-users@xxxxxxx
To unsubscribe send an email to ceph-users-leave@xxxxxxx
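An added audit helper (example code, not from the thread or from Ceph) that re-decodes the `radosgw-admin role list` output shown in the message and flags a role whose tenant, taken from its ARN, differs from the Keycloak realm its trust policy federates with, plus a decoder for the tenant$name RoleName form used in the CreateRole calls above. It assumes the convention visible in the thread that the realm name equals the tenant name; the sample listing is constructed to mirror the tenant2 output above.

```python
import json
import re

# Constructed sample of `radosgw-admin role list --tenant tenant2`, mirroring the
# listing in the message: the trust policy is embedded as an escaped JSON string.
ROLE_LIST_TENANT2 = (
    r'[{"RoleId": "9086dc3c-3654-465c-9524-dd60cee6ec09", "RoleName": "TemporaryRole",'
    r' "Path": "/", "Arn": "arn:aws:iam::tenant2:role/TemporaryRole",'
    r' "CreateDate": "2021-06-10T11:17:52.110Z", "MaxSessionDuration": 3600,'
    r' "AssumeRolePolicyDocument": "{\n\t\"Version\":\"2012-10-17\",\n\t\"Statement\":[{'
    r'\"Effect\":\"Allow\",\"Principal\":{\"Federated\":[\"arn:aws:iam:::oidc-provider/'
    r'localhost.ceph-om-vm-node3.com:8443/auth/realms/tenant1\"]},'
    r'\"Action\":[\"sts:AssumeRoleWithWebIdentity\"],\"Condition\":{\"StringEquals\":{'
    r'\"localhost.ceph-om-vm-node3.com:8443/auth/realms/tenant1:app_id\":\"account\"}}}]}"}]'
)

def arn_tenant(arn):
    """Tenant field of a role ARN (arn:aws:iam::<tenant>:role/<name>)."""
    return arn.split(":")[4]

def realm_of_provider(provider_arn):
    """Keycloak realm named at the end of an OIDC provider ARN, or None."""
    m = re.search(r"/realms/([^/:]+)$", provider_arn)
    return m.group(1) if m else None

def split_role_name(role_name, caller_tenant):
    """Decode the tenant$name RoleName form; flag when it targets another tenant."""
    tenant, sep, name = role_name.rpartition("$")
    if not sep:
        return caller_tenant, role_name, False
    return tenant, name, tenant != caller_tenant

def audit_roles(role_list_json, listed_tenant):
    """Flag roles whose ARN tenant or trusted OIDC realm disagrees with the tenant
    the list was taken from. Assumes realm name == tenant name, as in the thread."""
    findings = []
    for role in json.loads(role_list_json):
        tenant = arn_tenant(role["Arn"])
        if tenant != listed_tenant:
            findings.append((role["RoleName"], f"ARN tenant {tenant} != {listed_tenant}"))
        policy = json.loads(role["AssumeRolePolicyDocument"])  # second decode
        for stmt in policy.get("Statement", []):
            fed = stmt.get("Principal", {}).get("Federated", [])
            for provider in [fed] if isinstance(fed, str) else fed:
                realm = realm_of_provider(provider)
                if realm and realm != tenant:
                    findings.append((role["RoleName"],
                                     f"in tenant {tenant} but trusts realm {realm}"))
    return findings
```

Running audit_roles over each tenant's role list after a CreateRole call is one way to spot the cross-tenant role the message demonstrates without waiting for it to be assumed.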


