Thanks Pritha for the inputs; please find the responses inline below.
1. IAM Policy grant across tenant doesn't work. - As far as I understand, user policies are not meant to provide cross account (in our case cross tenant) access. We have bucket policies for that and also STS AssumeRole to provide cross tenant access.
Yes, you are right, AssumeRole needs to be used for cross-tenant access.
2. IAM Policy access control for IAM actions like PutUserPolicy not working - Can you elaborate on this?
When we apply a policy to a user that denies IAM actions like PutUserPolicy/GetUserPolicy, it was not working; probably the caps user-policy permission is overriding this.
Regards,
Basavaraj Kirunge
On Wed, Mar 23, 2022 at 5:26 PM Pritha Srivastava <prsrivas@xxxxxxxxxx> wrote:
Hi Basavaraj,

I would like to add some more points to what Casey has already listed above.

When you say IAM policy, do you mean identity-based policies only? The document you shared implies that you plan to cover IAM policies attached to a user only. In that case, src/test/rgw/test_rgw_iam_policy.cc has unit tests related to Bucket Policies and Role Policies only. If you want to look at the usage of User Policies, that is covered in https://github.com/ceph/s3-tests/blob/master/s3tests_boto3/functional/test_sts.py#L157

RGW currently supports the implementation of REST APIs for PutUserPolicy, ListUserPolicies, GetUserPolicy and DeleteUserPolicies, which can be accessed via the s3 endpoint in rgw. There is support only for inline IAM policies (and not for managed or customer managed policies).

I have some questions on the document that you have shared: https://seagate-systems.atlassian.net/wiki/spaces/PUB/pages/942571634/IAM+Policy+Blueprint

1. IAM Policy grant across tenant doesn't work. - As far as I understand, user policies are not meant to provide cross account (in our case cross tenant) access. We have bucket policies for that and also STS AssumeRole to provide cross tenant access.

2. IAM Policy access control for IAM actions like PutUserPolicy not working - Can you elaborate on this?

Thank You,
Pritha

On Wed, Mar 23, 2022 at 6:37 AM Basavaraj Kirunge <kirunge@xxxxxxxxx> wrote:

Thanks Casey, this PR https://github.com/ceph/ceph/pull/45528 was created by Mayank from our team to get early feedback.

On Tue, Mar 22, 2022, 11:15 PM Casey Bodley <cbodley@xxxxxxxxxx> wrote:

thanks, it's good to see more interest here! there was some recent
discussion on https://github.com/ceph/ceph/pull/45528 about how these
IAM APIs are currently exposed. with respect to test coverage, you can
find unit tests for the policy parsing and evaluation in
src/test/rgw/test_rgw_iam_policy.cc. there are also several tests for
these IAM APIs in s3-tests, under
s3tests_boto3/functional/test_sts.py, which we run under the rgw/sts
teuthology suite.
On Tue, Mar 22, 2022 at 1:24 PM Basavaraj Kirunge <kirunge@xxxxxxxxx> wrote:
>
> Hi All,
>
> We are exploring IAM Policy feature support in RGW and created this blueprint draft https://seagate-systems.atlassian.net/wiki/spaces/PUB/pages/942571634/IAM+Policy+Blueprint
> We are still updating this with more details, but would like to hear any feedback/comments; we have also added this as an agenda item for the 23rd March RGW refactoring call for initial review and discussion.
> --
> Thanks and Regards,
>
> B a s a v a r a j K i r u n g e
>
> _______________________________________________
> Dev mailing list -- dev@xxxxxxx
> To unsubscribe send an email to dev-leave@xxxxxxx