Re: RGW STS Support in Nautilus ?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



app_id must match with the 'aud' field in the token introspection result (In the example the value of 'aud' is 'customer-portal')

Thanks,
Pritha

On Tue, May 12, 2020 at 8:16 PM Wyllys Ingersoll <wyllys.ingersoll@xxxxxxxxxxxxxx> wrote:

Running Nautilus 14.2.9 and trying to follow the STS example given here: https://docs.ceph.com/docs/master/radosgw/STS/ to setup a policy for AssumeRoleWithWebIdentity using KeyCloak (8.0.1) as the OIDC provider. I am able to see in the rgw debug logs that the token being passed from the client is passing the introspection check, but it always ends up failing the final authorization to access the requested bucket resource and is rejected with a 403 status "AccessDenied".

I configured my policy as described in the 2nd example on the STS page above. I suspect the problem is with the "StringEquals" condition statement in the AssumeRolePolicy document (I could be wrong though).

The example shows using the keycloak URI followed by ":app_id" matching with the name of the keycloak client application ("customer-portal" in the example).  My keycloak setup does not have any such field in the introspection result and I can't seem to figure out how to make this all work.

I cranked up the logging to 20/20 and still did not see any hints as to what part of the policy is causing the access to be denied.

Any suggestions?

-Wyllys Ingersoll

_______________________________________________
Dev mailing list -- dev@xxxxxxx
To unsubscribe send an email to dev-leave@xxxxxxx
_______________________________________________
Dev mailing list -- dev@xxxxxxx
To unsubscribe send an email to dev-leave@xxxxxxx

[Index of Archives]     [CEPH Users]     [Ceph Devel]     [Ceph Large]     [Information on CEPH]     [Linux BTRFS]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux