Re: Keycloack with Radosgw

The value of the 'aud' field in the token must be set in the Condition
element, checking it against 'app_id'. There is no need to add a custom
field 'app_id'.

The Ceph STS APIs have been tested using standard AWS tools (boto3 and
aws), so I'd suggest you use them.

Thanks,
Pritha

On Wed, Mar 16, 2022 at 8:45 PM <simone.beccato@xxxxxxxxxxxxxx> wrote:

> Hi Pritha,
>
> Do I need to add a custom field named "app_id" to the access token?
>
> Looking at the RGW log files I see the curl request coming correctly; the
> point is that I receive a "listBucket" response instead of a set of temporary
> credentials.
>
> Best
>
> Simone
>
> *From:* Pritha Srivastava <prsrivas@xxxxxxxxxx>
> *Sent:* Wednesday, March 16, 2022 13:15
> *To:* simone.beccato@xxxxxxxxxxxxxx
> *Cc:* ceph-users <ceph-users@xxxxxxx>
> *Subject:* Re: Keycloack with Radosgw
>
> Please correct the trust policy with the condition element that I pointed
> out before. Also, can you please try using AWS tools (boto3 or the AWS STS
> APIs) to make the AssumeRoleWithWebIdentity call. You can check the RGW log
> files to see whether the call reaches RGW with the curl command.
>
> Thanks,
> Pritha
>
> On Wednesday, March 16, 2022, <simone.beccato@xxxxxxxxxxxxxx> wrote:
>
> Hi Pritha,
>
> in step 4) I created a role with the Trust Policy:
>
> radosgw-admin role create --role-name=S3Access2 --assume-role-policy-doc=\{\"Version\":\"2012-10-17\",\"Statement\":\[\{\"Effect\":\"Allow\",\"Principal\":\{\"Federated\":\"arn:aws:iam:::oidc-provider/mykeycloak.org.com/auth/realms/myrealm\"\},\"Action\":\"sts:AssumeRoleWithWebIdentity\",\"Condition\":\{\"StringEquals\":\{\"mykeycloak.org.com/auth/realms/myrealm:clientId\":\"radosgw\"\}\}\}\]\}
>
> Is this not correct?
>
> To call the AssumeRoleWithWebIdentity I used curl:
>
> curl -k -v -X GET "http://X.X.X.X:423/?Action=AssumeRoleWithWebIdentity&DurationSeconds=3600&RoleArn=arn:aws:iam:::role/S3Access&WebIdentityToken=XXXXXXXXXXX"
>
> Best
> Simone
>
> -----Original Message-----
> From: Pritha Srivastava <prsrivas@xxxxxxxxxx>
> Sent: Wednesday, March 16, 2022 11:11
> To: simone.beccato@xxxxxxxxxxxxxx
> Cc: ceph-users <ceph-users@xxxxxxx>
> Subject: Re: Keycloack with Radosgw
>
> Hi Simone,
>
> There is a step that I see missing here - have you created a role? For
> creating a role, you need to attach 'roles' caps to the user that you
> created.
> Also, what tool have you used to make the AssumeRoleWithWebIdentity call?
> An example using boto3 is outlined in the documentation here:
> https://docs.ceph.com/en/pacific/radosgw/STS/#sts-configuration. Also in
> Pacific the trust policy supports only app_id in the Condition element:
>
> From the documentation:
>
> 'The app_id in the condition above must match the ‘aud’ claim of the
> incoming token.'
>
> Thanks,
> Pritha
>
> On Wed, Mar 16, 2022 at 3:05 PM <simone.beccato@xxxxxxxxxxxxxx> wrote:
>
> > Hi all,
> >
> > I'm trying to set up Keycloak as OpenID Connect Provider for Rados
> > Gateway without success (I'm using Ceph version Pacific).
> >
> > Following the documentation I made these steps:
> >
> > 1) Added to /etc/ceph/ceph.conf the following options:
> >
> > [client]
> > rgw sts key = 1234abcd5678efgh
> > rgw s3 auth use sts = true
> >
> > 2) Created a user on radosgw with caps:
> >
> > radosgw-admin --uid MYUSER --display-name "MyUser" --access_key MYUSER --secret test123 user create
> > radosgw-admin caps add --uid="MYUSER" --caps="oidc-provider=*"
> >
> > 3) Added an OpenID Connect Provider from aws s3 libs:
> >
> > aws --profile=ceph-lab --endpoint=http://X.X.X.X:423 iam create-open-id-connect-provider --url https://mykeycloak.org.com/auth/realms/myrealm --thumbprint-list XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> >
> > 4) Added this trust policy named "S3Access"
> >
> > {
> >   "Version": "2012-10-17",
> >   "Statement": [
> >     {
> >       "Effect": "Allow",
> >       "Principal": {"Federated": "arn:aws:iam:::oidc-provider/mykeycloak.org.com/auth/realms/myrealm"},
> >       "Action": "sts:AssumeRoleWithWebIdentity",
> >       "Condition": {
> >         "StringEquals": {"mykeycloak.org.com/auth/realms/myrealm:clientId":"radosgw"}
> >       }
> >     }
> >   ]
> > }
> >
> > 5) attached this role policy to the previous one:
> >
> > {
> >   "Version": "2012-10-17",
> >   "Statement": {
> >     "Effect": "Allow",
> >     "Action": "s3:*",
> >     "Resource": "*"
> >   }
> > }
> >
> > 6) I retrieve a web token from Keycloak and pass it in this request to
> > Radosgw:
> >
> > GET /?Action=AssumeRoleWithWebIdentity
> > &DurationSeconds=3600
> > &RoleArn=arn:aws:iam:::role/S3Access
> > &WebIdentityToken=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> >
> > 7) I got this reply, but I expected to have a new set of temporary
> > credentials:
> >
> > <?xml version="1.0" encoding="UTF-8"?>
> > <ListAllMyBucketsResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
> >   <Owner>
> >     <ID>$oidc$ccbfcd2c-2f00-49fc-8524-df3a8d81e03d</ID>
> >     <DisplayName></DisplayName>
> >   </Owner>
> >   <Buckets></Buckets>
> > </ListAllMyBucketsResult>
> >
> > Surely I'm missing something, but reading Ceph docs, AWS docs and a lot
> > of articles I did not find any solution; could someone help me
> > find the issue?
> >
> > Kind regards
> >
> > Simone
> >
> > _______________________________________________
> > ceph-users mailing list -- ceph-users@xxxxxxx To unsubscribe send an
> > email to ceph-users-leave@xxxxxxx
> >
> >
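As an added example (not code from the thread, from Ceph, or from either poster), the corrected trust policy Pritha describes, built in Python together with a local pre-flight check that decodes a token's claims and evaluates the StringEquals condition the way the thread says Pacific does (the `<issuer>:app_id` key against the `aud` claim), so that a policy keyed on `:clientId` as in Simone's step 4 is shown to fail before any request is sent. The issuer and app_id values are the placeholders quoted in the thread, and the evaluation logic is an approximation written for this check, not RGW's own code.

```python
import base64
import json

ISSUER = "https://mykeycloak.org.com/auth/realms/myrealm"  # placeholder from the thread

def issuer_key(issuer):
    """RGW names the provider and the condition-key prefix by host/path, no scheme."""
    return issuer.split("://", 1)[-1].rstrip("/")

def trust_policy(issuer, app_id):
    """Trust policy as Pritha describes it: <issuer>:app_id is checked against 'aud'."""
    ik = issuer_key(issuer)
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam:::oidc-provider/{ik}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {f"{ik}:app_id": app_id}},
        }],
    }

def jwt_claims(token):
    """Decode the JWT payload without verifying the signature: pre-flight only,
    RGW itself validates the token against the registered provider thumbprint."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

# Assumption taken from the thread: Pacific supports only app_id, matched against
# 'aud', so any other condition key (e.g. ':clientId') can never be satisfied.
CONDITION_CLAIMS = {"app_id": "aud"}

def condition_satisfied(policy, claims):
    """Approximate RGW's StringEquals check: the key prefix must be the token's
    issuer, the key name a supported claim, and the value must match 'aud'
    (string or list form)."""
    for stmt in policy["Statement"]:
        for key, want in stmt.get("Condition", {}).get("StringEquals", {}).items():
            prefix, _, name = key.rpartition(":")
            claim = CONDITION_CLAIMS.get(name)
            if claim is None or prefix != issuer_key(claims.get("iss", "")):
                return False
            have = claims.get(claim)
            if want not in (have if isinstance(have, list) else [have]):
                return False
    return True

def make_unsigned_token(claims):
    """Constructed, unsigned JWT (header.payload.) for local testing only."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}."
```

Run `json.dumps(trust_policy(ISSUER, "radosgw"))` to get the document to pass to `radosgw-admin role create --assume-role-policy-doc`, and `condition_satisfied(policy, jwt_claims(token))` on a real Keycloak token to confirm its `aud` matches before calling AssumeRoleWithWebIdentity with boto3.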