Hi all,

I'm trying to set up Keycloak as an OpenID Connect provider for the Rados Gateway, without success (I'm using Ceph version Pacific). Following the documentation, I took these steps:

1) Added to /etc/ceph/ceph.conf the following options:

    [client]
    rgw sts key = 1234abcd5678efgh
    rgw s3 auth use sts = true

2) Created a user on radosgw with caps:

    radosgw-admin --uid MYUSER --display-name "MyUser" --access_key MYUSER --secret test123 user create
    radosgw-admin caps add --uid="MYUSER" --caps="oidc-provider=*"

3) Added an OpenID Connect provider with the AWS S3 libs:

    aws --profile=ceph-lab --endpoint=http://X.X.X.X:423 iam create-open-id-connect-provider --url https://mykeycloak.org.com/auth/realms/myrealm --thumbprint-list XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

4) Added this trust policy named "S3Access":

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {"Federated": "arn:aws:iam:::oidc-provider/mykeycloak.org.com/auth/realms/myrealm"},
          "Action": "sts:AssumeRoleWithWebIdentity",
          "Condition": {
            "StringEquals": {"mykeycloak.org.com/auth/realms/myrealm:clientId": "radosgw"}
          }
        }
      ]
    }

5) Attached this role policy to the previous one:

    {
      "Version": "2012-10-17",
      "Statement": {
        "Effect": "Allow",
        "Action": "s3:*",
        "Resource": "*"
      }
    }

6) I retrieve a web token from Keycloak and pass it in this request to radosgw:

    GET /?Action=AssumeRoleWithWebIdentity
        &DurationSeconds=3600
        &RoleArn=arn:aws:iam:::role/S3Access
        &WebIdentityToken=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

7) I got this reply, but I expected to get a new set of temporary credentials:

    <?xml version="1.0" encoding="UTF-8"?>
    <ListAllMyBucketsResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
      <Owner>
        <ID>$oidc$ccbfcd2c-2f00-49fc-8524-df3a8d81e03d</ID>
        <DisplayName></DisplayName>
      </Owner>
      <Buckets></Buckets>
    </ListAllMyBucketsResult>

Surely I'm missing something, but after reading the Ceph docs, the AWS docs and a lot of articles I did not find any solution. Could someone help me find the issue?
Kind regards,
Simone

_______________________________________________
ceph-users mailing list -- ceph-users@xxxxxxx
To unsubscribe send an email to ceph-users-leave@xxxxxxx
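The token exchange from step 6 of the post above, as an added example (not part of the original post and not Ceph's own code) written against the plain HTTP STS API with Python's standard library: it sends AssumeRoleWithWebIdentity as a form-encoded POST to the gateway root, which is where the RGW service handler dispatches STS actions from, and tells a real STS reply apart from the bucket listing the S3 handler returns. The endpoint, role ARN, session name and the two sample XML replies are constructed placeholders.

```python
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample replies for offline checks: SAMPLE_S3 is the bucket-listing shape a
# GET /?Action=... comes back with; SAMPLE_STS is a successful STS reply with made-up values.
SAMPLE_S3 = (b'<ListAllMyBucketsResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">'
             b'<Owner><ID>$oidc$ccbf</ID></Owner><Buckets></Buckets></ListAllMyBucketsResult>')
SAMPLE_STS = (b'<AssumeRoleWithWebIdentityResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">'
              b'<AssumeRoleWithWebIdentityResult><Credentials><AccessKeyId>AKIASAMPLE</AccessKeyId>'
              b'<SecretAccessKey>sampleSecret</SecretAccessKey><SessionToken>sampleToken</SessionToken>'
              b'<Expiration>2021-01-01T00:00:00Z</Expiration></Credentials></AssumeRoleWithWebIdentityResult>'
              b'</AssumeRoleWithWebIdentityResponse>')

def build_assume_role_request(endpoint, role_arn, token, duration=3600, session="kc-session"):
    """Form-encoded POST to the service root: RGW dispatches STS actions from the POST body,
    so the same parameters sent as a GET query string are served by S3 (ListBuckets)."""
    params = {"Action": "AssumeRoleWithWebIdentity", "Version": "2011-06-15",
              "RoleArn": role_arn, "RoleSessionName": session,  # RGW rejects an empty session name
              "DurationSeconds": str(duration), "WebIdentityToken": token}
    body = urllib.parse.urlencode(params).encode()
    return endpoint.rstrip("/") + "/", body, {"Content-Type": "application/x-www-form-urlencoded"}

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the XML namespace

def classify_reply(xml_bytes):
    """'sts' for an STS reply, 's3' when the S3 handler answered, 'error' for an ErrorResponse."""
    kinds = {"AssumeRoleWithWebIdentityResponse": "sts", "ListAllMyBucketsResult": "s3",
             "ErrorResponse": "error"}
    return kinds.get(_local(ET.fromstring(xml_bytes).tag), "unknown")

def parse_sts_response(xml_bytes):
    """Return the temporary credentials, or raise with a reason that points at the failure."""
    kind = classify_reply(xml_bytes)
    if kind != "sts":
        raise ValueError("expected an STS reply, got %s: %r" % (kind, xml_bytes[:80]))
    wanted = {"AccessKeyId", "SecretAccessKey", "SessionToken", "Expiration"}
    creds = {_local(e.tag): e.text for e in ET.fromstring(xml_bytes).iter() if _local(e.tag) in wanted}
    if not {"AccessKeyId", "SecretAccessKey", "SessionToken"} <= set(creds):
        raise ValueError("incomplete credentials in STS reply: %s" % sorted(creds))
    return creds

def assume_role(endpoint, role_arn, token):
    """Run the exchange against a live gateway and return the credentials (network required)."""
    url, body, headers = build_assume_role_request(endpoint, role_arn, token)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_sts_response(resp.read())
```

Call assume_role("http://<rgw-host>:<port>", "arn:aws:iam:::role/S3Access", token) with a token obtained from Keycloak; the returned AccessKeyId, SecretAccessKey and SessionToken are then used as ordinary S3 credentials for the lifetime given by Expiration.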