My tracker account has been approved now.
Issue created as https://tracker.ceph.com/issues/51206

Thanks
Daniel

On Thu, 10 Jun 2021 at 13:29, Pritha Srivastava <prsrivas@xxxxxxxxxx> wrote:

> Hi Daniel,
>
> Yes, it looks like a bug in the way the role name is being parsed in the
> code. Please open a tracker issue for the same, and I'll fix it when I can.
>
> Thanks,
> Pritha
>
> On Thu, Jun 10, 2021 at 5:09 PM Daniel Iwan <iwan.daniel@xxxxxxxxx> wrote:
>
>> Hi Pritha
>>
>> My answers inline.
>> Forgot to add I'm on Ceph 1.2.1
>>
>>> How did you check whether the role was created in tenant1 or tenant2?
>>> It shouldn't be created in tenant2, if it is, then it's a bug, please
>>> open a tracker issue for it.
>>
>> I checked that with
>> radosgw-admin role list --tenant tenant1
>>
>> Example commands with output
>> User creating roles has in this case roles:* capability.
>>
>> When creating without a tenant prefix, the role is created in the tenant the
>> user belongs to
>>
>> aws --profile=user-from-tenant1 --endpoint=$HOST_S3_API --region="" iam create-role --role-name=TemporaryRole --assume-role-policy-document file://json/trust-policy-assume-role.json
>>
>> {
>>     "Role": {
>>         "Path": "/",
>>         "RoleName": "TemporaryRole",
>>         "RoleId": "507f990e-46cd-418c-ad4e-cc59276500dc",
>>         "Arn": "arn:aws:iam::tenant1:role/TemporaryRole",
>>         "CreateDate": "2021-06-10T11:17:15.638000+00:00",
>>         "AssumeRolePolicyDocument": {
>>             "Version": "2012-10-17",
>>             "Statement": [
>>                 {
>>                     "Effect": "Allow",
>>                     "Principal": {
>>                         "Federated": [
>>                             "arn:aws:iam:::oidc-provider/localhost.ceph-om-vm-node3.com:8443/auth/realms/tenant1"
>>                         ]
>>                     },
>>                     "Action": [
>>                         "sts:AssumeRoleWithWebIdentity"
>>                     ],
>>                     "Condition": {
>>                         "StringEquals": {
>>                             "localhost.ceph-om-vm-node3.com:8443/auth/realms/tenant1:app_id": "account"
>>                         }
>>                     }
>>                 }
>>             ]
>>         },
>>         "MaxSessionDuration": 3600
>>     }
>> }
>>
>> root@:~# radosgw-admin role list --tenant tenant1
>> [
>>     {
>>         "RoleId": "507f990e-46cd-418c-ad4e-cc59276500dc",
>>         "RoleName": "TemporaryRole",
>>         "Path": "/",
>>         "Arn": "arn:aws:iam::tenant1:role/TemporaryRole",
>>         "CreateDate": "2021-06-10T11:17:15.638Z",
>>         "MaxSessionDuration": 3600,
>>         "AssumeRolePolicyDocument": "{\n\t\"Version\":\"2012-10-17\",\n\t\"Statement\":[\n\t\t{\n\t\t\t\"Effect\":\"Allow\",\n\t\t\t\"Principal\":{\n\t\t\t\t\"Federated\":[\n\t\t\t\t\t\"arn:aws:iam:::oidc-provider/localhost.ceph-om-vm-node3.com:8443/auth/realms/tenant1\"\n\t\t\t\t]\n\t\t\t},\n\t\t\t\"Action\":[\n\t\t\t\t\"sts:AssumeRoleWithWebIdentity\"\n\t\t\t],\n\t\t\t\"Condition\":{\n\t\t\t\t\"StringEquals\":{\n\t\t\t\t\t\"localhost.ceph-om-vm-node3.com:8443/auth/realms/tenant1:app_id\":\"account\"\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t]\n}"
>>     }
>> ]
>>
>> then created with another tenant name
>>
>> aws --profile=user-from-tenant1 --endpoint=$HOST_S3_API --region="" iam create-role --role-name="tenant2\$TemporaryRole" --assume-role-policy-document file://json/trust-policy-assume-role.json
>>
>> {
>>     "Role": {
>>         "Path": "/",
>>         "RoleName": "TemporaryRole",
>>         "RoleId": "9086dc3c-3654-465c-9524-dd60cee6ec09",
>>         "Arn": "arn:aws:iam::tenant2:role/TemporaryRole",
>>         "CreateDate": "2021-06-10T11:17:52.110000+00:00",
>>         "AssumeRolePolicyDocument": {
>>             "Version": "2012-10-17",
>>             "Statement": [
>>                 {
>>                     "Effect": "Allow",
>>                     "Principal": {
>>                         "Federated": [
>>                             "arn:aws:iam:::oidc-provider/localhost.ceph-om-vm-node3.com:8443/auth/realms/tenant1"
>>                         ]
>>                     },
>>                     "Action": [
>>                         "sts:AssumeRoleWithWebIdentity"
>>                     ],
>>                     "Condition": {
>>                         "StringEquals": {
>>                             "localhost.ceph-om-vm-node3.com:8443/auth/realms/tenant1:app_id": "account"
>>                         }
>>                     }
>>                 }
>>             ]
>>         },
>>         "MaxSessionDuration": 3600
>>     }
>> }
>>
>> root@:~# radosgw-admin role list --tenant tenant2
>> [
>>     {
>>         "RoleId": "9086dc3c-3654-465c-9524-dd60cee6ec09",
>>         "RoleName": "TemporaryRole",
>>         "Path": "/",
>>         "Arn": "arn:aws:iam::tenant2:role/TemporaryRole",
>>         "CreateDate": "2021-06-10T11:17:52.110Z",
>>         "MaxSessionDuration": 3600,
>>         "AssumeRolePolicyDocument": "{\n\t\"Version\":\"2012-10-17\",\n\t\"Statement\":[\n\t\t{\n\t\t\t\"Effect\":\"Allow\",\n\t\t\t\"Principal\":{\n\t\t\t\t\"Federated\":[\n\t\t\t\t\t\"arn:aws:iam:::oidc-provider/localhost.ceph-om-vm-node3.com:8443/auth/realms/tenant1\"\n\t\t\t\t]\n\t\t\t},\n\t\t\t\"Action\":[\n\t\t\t\t\"sts:AssumeRoleWithWebIdentity\"\n\t\t\t],\n\t\t\t\"Condition\":{\n\t\t\t\t\"StringEquals\":{\n\t\t\t\t\t\"localhost.ceph-om-vm-node3.com:8443/auth/realms/tenant1:app_id\":\"account\"\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t]\n}"
>>     }
>> ]
>>
>>>> Similarly, a federated user who assumes a role with iam:CreateRole
>>>> permission can create an arbitrary role like below.
>>>>
>>>> aws --endpoint=$HOST_S3_API --region="" iam create-role --role-name="tenant2\$TemporaryRole" --assume-role-policy-document file://json/trust-policy-assume-role.json
>>>>
>>>> Example permission policy
>>>> {
>>>>     "Statement":[
>>>>         {"Effect":"Allow","Action":["iam:GetRole"]},
>>>>         {"Effect":"Allow","Action":["iam:CreateRole"]}
>>>>     ]
>>>> }
>>>>
>>> What entity is this permission policy attached to? The user making the
>>> CreateRole call?
>>
>> This is a permission policy of a role that the user assumes before
>> creating another role.
>> It was created solely for the purpose of the test.
>>
>> Cheers
>> Daniel
>>

_______________________________________________
ceph-users mailing list -- ceph-users@xxxxxxx
To unsubscribe send an email to ceph-users-leave@xxxxxxx
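As an added example that is not part of this thread or of Ceph's own code: a Python sketch of the tenant check the bug above is missing (a tenant prefix in the role name must match the IAM caller's own tenant, which is an assumption about the intended policy), plus an audit over `radosgw-admin role list --tenant` output that flags roles whose trust policy admits another tenant's OIDC realm. It assumes realm names equal tenant names, as in the thread's setup, and the sample role list is constructed from the tenant2 output shown above.

```python
import json

# Constructed sample shaped like the `radosgw-admin role list --tenant tenant2`
# output in the thread: a role that landed in tenant2 but trusts tenant1's realm.
ROLE_LIST_TENANT2 = json.dumps([{
    "RoleName": "TemporaryRole",
    "Arn": "arn:aws:iam::tenant2:role/TemporaryRole",
    "AssumeRolePolicyDocument": json.dumps({"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": [
            "arn:aws:iam:::oidc-provider/localhost.ceph-om-vm-node3.com:8443/auth/realms/tenant1"]},
        "Action": ["sts:AssumeRoleWithWebIdentity"]}]}),
}])


def parse_role_name(role_name):
    """Split an RGW-style 'tenant$role' name into (tenant, role); tenant is None if absent."""
    tenant, sep, name = role_name.partition("$")
    return (tenant, name) if sep else (None, role_name)


def resolve_create_role_tenant(caller_tenant, role_name):
    """Tenant an IAM CreateRole caller may create the role in (hypothetical check).
    The thread's bug: a 'tenant2$' prefix moves the role into tenant2. The check
    assumed here confines API callers to their own tenant and rejects other prefixes."""
    tenant, _ = parse_role_name(role_name)
    if tenant is not None and tenant != caller_tenant:
        raise PermissionError(f"{caller_tenant} may not create roles in tenant {tenant}")
    return caller_tenant


def realm_tenant(provider_arn):
    """Tenant named by a '.../auth/realms/<name>' OIDC provider (assumes realm name == tenant)."""
    marker = "/auth/realms/"
    idx = provider_arn.find(marker)
    return provider_arn[idx + len(marker):].split("/")[0] if idx >= 0 else None


def audit_cross_tenant_trust(tenant, role_list_json):
    """Flag roles listed for `tenant` whose trust policy admits another tenant's realm."""
    findings = []
    for role in json.loads(role_list_json):
        policy = json.loads(role["AssumeRolePolicyDocument"])  # stored as a JSON string
        for stmt in policy.get("Statement", []):
            federated = stmt.get("Principal", {}).get("Federated", [])
            for provider in ([federated] if isinstance(federated, str) else federated):
                if realm_tenant(provider) not in (None, tenant):
                    findings.append(f"{role['Arn']} trusts {provider}")
    return findings
```

Run the audit once per tenant over the real `radosgw-admin role list --tenant <name>` output to find roles that reached a tenant they were not meant for.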