Extending RadosGW HTTP Request Body With Additional Claim Values Present in OIDC token.

Hi,

We are using RadosGW STS functionality to allow OIDC AuthN/Z of Ceph users. In addition, we have enabled Open Policy Agent (OPA) to manage AuthZ policies in a continuous integration environment. After performing Assume Role with Web Identity with RadosGW, the HTTP request body that is sent to OPA contains only the OIDC token "sub" claim value. Is it possible to include additional custom claims that may exist in the token (e.g. groups)?

We are including an example of the request body sent to OPA and the token claims that we are trying to integrate in the AuthZ process:

HTTP PUT request:

{
"client_addr": "xxx.xxx.xxx.xxx:xxxxx",
"level": "info",
"msg": "Received request.",
"req_body": "{
\"input\": {
\"method\": \"PUT\",
\"relative_uri\": \"/my-bucket-3\",
\"decoded_uri\": \"/my-bucket-3\",
\"params\": \"\",
\"request_uri_aws4\": \"/my-bucket-3\",
\"subuser\": \"\",
\"user_info\": {
\"user_id\": \"$oidc$xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",
\"display_name\": \"\",
\"email\": \"\",
\"suspended\": 0,
\"max_buckets\": 1000,
\"subusers\": [

],
\"keys\": [

],
\"swift_keys\": [

],
\"caps\": [

],
\"op_mask\": \"read, write, delete\",
\"default_placement\": \"\",
\"default_storage_class\": \"\",
\"placement_tags\": [

],
\"bucket_quota\": {
\"enabled\": false,
\"check_on_raw\": false,
\"max_size\": -1,
\"max_size_kb\": 0,
\"max_objects\": -1
},
\"user_quota\": {
\"enabled\": false,
\"check_on_raw\": false,
\"max_size\": -1,
\"max_size_kb\": 0,
\"max_objects\": -1
},
\"temp_url_keys\": [

],
\"type\": \"none\",
\"mfa_ids\": [

]
}
}
}",
"req_id": xxxxxxx,
"req_method": "POST",
"req_params": {

},
"req_path": "/v1/data/ceph/authz/allow",
"time": "2022-12-07T08:23:30Z"
}

OIDC token claim values:

{
  "client_id": "xxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxxx",
  "exp": xxxxxxx,
  "groups": [
    "xxxxxxx"
  ],
  "iat": xxxxxxxx,
  "iss": "https://xxxxxx.xxxxxx.xxxxx.xxxxxx/",
  "jti": "xxxxxxxxx-xxxxxxxx-xxxxxxxx-xxxxxx",
  "name": "xxxxx xxxxxx",
  "nbf": xxxxxxxx,
  "organisation_name": "xxxxx",
  "preferred_username": "xxxxxx",
  "scope": "xxxxxx",
  "sub": "xxxxxxx-xxxxx-xxxxx-xxxxxx-xxxxxxx"
}

Thank you.

Best regards.

_______________________________________________
ceph-users mailing list -- ceph-users@xxxxxxx
To unsubscribe send an email to ceph-users-leave@xxxxxxx
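Added example (not part of the post above, and not Ceph or OPA code): it parses a record shaped like the OPA request log quoted in the question, recovers the token "sub" from the "$oidc$<sub>" user_id that RGW puts into the OPA input, and shows that group membership has to come from a side table pushed into the policy engine as external data, because the input itself carries no "groups" claim. The log values, the sub-to-groups table and the bucket ownership table are all constructed for illustration.

```python
import json

# Constructed sample in the shape of the OPA request log from the post
# (the original was redacted; every value here is invented).
INNER = {
    "input": {
        "method": "PUT",
        "relative_uri": "/my-bucket-3",
        "user_info": {"user_id": "$oidc$11111111-2222-3333-4444-555555555555"},
    }
}
LOG_RECORD = json.dumps({
    "msg": "Received request.",
    "req_body": json.dumps(INNER),  # req_body arrives as a JSON *string*, not an object
    "req_path": "/v1/data/ceph/authz/allow",
})

# Hypothetical external data: OIDC "sub" -> groups. Since the RGW input
# carries no "groups" claim, an operator would have to load such a table
# into OPA (bundle or data API) for a policy to reason about groups.
SUB_TO_GROUPS = {"11111111-2222-3333-4444-555555555555": ["storage-admins"]}
BUCKET_OWNER_GROUP = {"/my-bucket-3": "storage-admins"}  # constructed
OIDC_PREFIX = "$oidc$"


def oidc_sub_from_user_id(user_id):
    """Recover the token 'sub' from RGW's '$oidc$<sub>' user id; None for local users."""
    if not user_id.startswith(OIDC_PREFIX):
        return None
    return user_id[len(OIDC_PREFIX):]


def opa_input_from_log(record_text):
    """Parse the outer log line, then the JSON string nested in req_body."""
    body = json.loads(json.loads(record_text)["req_body"])
    return body["input"]


def decide(opa_input):
    """Constructed allow rule: the caller must be in the group that owns the bucket."""
    sub = oidc_sub_from_user_id(opa_input["user_info"]["user_id"])
    if sub is None:
        return False  # only federated (STS/OIDC) identities are handled here
    groups = SUB_TO_GROUPS.get(sub, [])
    bucket = "/" + opa_input["relative_uri"].lstrip("/").split("/")[0]
    return BUCKET_OWNER_GROUP.get(bucket) in groups
```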
