Hi Pritha,
My answers are inline.
Forgot to add: I'm on Ceph 1.2.1.
How did you check whether the role was created in
tenant1 or tenant2?
It shouldn't be created in tenant2, if it is, then it's a bug, please open
a tracker issue for it.
I checked that by listing the roles of each tenant with
radosgw-admin role list --tenant tenant1
(and the same with --tenant tenant2; the full output for both is shown below).
Example commands with output:
The user creating the roles has, in this case, the roles:* capability.
When the role name carries no tenant prefix, the role is created in the tenant
the user belongs to (expected behaviour):
aws --profile=user-from-tenant1 --endpoint=$HOST_S3_API --region="" iam
create-role --role-name=TemporaryRole --assume-role-policy-document
file://json/trust-policy-assume-role.json
{
"Role": {
"Path": "/",
"RoleName": "TemporaryRole",
"RoleId": "507f990e-46cd-418c-ad4e-cc59276500dc",
"Arn": "arn:aws:iam::tenant1:role/TemporaryRole",
"CreateDate": "2021-06-10T11:17:15.638000+00:00",
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": [
"arn:aws:iam:::oidc-provider/
localhost.ceph-om-vm-node3.com:8443/auth/realms/tenant1"
]
},
"Action": [
"sts:AssumeRoleWithWebIdentity"
],
"Condition": {
"StringEquals": {
"
localhost.ceph-om-vm-node3.com:8443/auth/realms/tenant1:app_id": "account"
}
}
}
]
},
"MaxSessionDuration": 3600
}
}
root@:~# radosgw-admin role list --tenant tenant1
[
{
"RoleId": "507f990e-46cd-418c-ad4e-cc59276500dc",
"RoleName": "TemporaryRole",
"Path": "/",
"Arn": "arn:aws:iam::tenant1:role/TemporaryRole",
"CreateDate": "2021-06-10T11:17:15.638Z",
"MaxSessionDuration": 3600,
"AssumeRolePolicyDocument":
"{\n\t\"Version\":\"2012-10-17\",\n\t\"Statement\":[\n\t\t{\n\t\t\t\"Effect\":\"Allow\",\n\t\t\t\"Principal\":{\n\t\t\t\t\"Federated\":[\n\t\t\t\t\t\"arn:aws:iam:::oidc-provider/
localhost.ceph-om-vm-node3.com:8443/auth/realms/tenant1\
"\n\t\t\t\t]\n\t\t\t},\n\t\t\t\"Action\":[\n\t\t\t\t\"sts:AssumeRoleWithWebIdentity\"\n\t\t\t],\n\t\t\t\"Condition\":{\n\t\t\t\t\"StringEquals\":{\n\t\t\t\t\t\"
localhost.ceph-om-vm-node3.com:8443/auth/realms/tenant1:app_id\
":\"account\"\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t]\n}"
}
]
Then I created a role from the same tenant1 user, but with a different tenant
name as the role-name prefix (tenant2$TemporaryRole). The role lands in tenant2
even though the caller belongs to tenant1, i.e. the tenant boundary is not
enforced on the prefix. Note that the resulting tenant2 role still trusts
tenant1's OIDC provider (see the Federated principal in its trust policy below),
so a tenant1 identity would presumably be able to assume a role that lives in
another tenant:
aws --profile=user-from-tenant1 --endpoint=$HOST_S3_API --region="" iam
create-role --role-name="tenant2\$TemporaryRole"
--assume-role-policy-document file://json/trust-policy-assume-role.json
{
"Role": {
"Path": "/",
"RoleName": "TemporaryRole",
"RoleId": "9086dc3c-3654-465c-9524-dd60cee6ec09",
"Arn": "arn:aws:iam::tenant2:role/TemporaryRole",
"CreateDate": "2021-06-10T11:17:52.110000+00:00",
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": [
"arn:aws:iam:::oidc-provider/
localhost.ceph-om-vm-node3.com:8443/auth/realms/tenant1"
]
},
"Action": [
"sts:AssumeRoleWithWebIdentity"
],
"Condition": {
"StringEquals": {
"
localhost.ceph-om-vm-node3.com:8443/auth/realms/tenant1:app_id": "account"
}
}
}
]
},
"MaxSessionDuration": 3600
}
}
root@:~# radosgw-admin role list --tenant tenant2
[
{
"RoleId": "9086dc3c-3654-465c-9524-dd60cee6ec09",
"RoleName": "TemporaryRole",
"Path": "/",
"Arn": "arn:aws:iam::tenant2:role/TemporaryRole",
"CreateDate": "2021-06-10T11:17:52.110Z",
"MaxSessionDuration": 3600,
"AssumeRolePolicyDocument":
"{\n\t\"Version\":\"2012-10-17\",\n\t\"Statement\":[\n\t\t{\n\t\t\t\"Effect\":\"Allow\",\n\t\t\t\"Principal\":{\n\t\t\t\t\"Federated\":[\n\t\t\t\t\t\"arn:aws:iam:::oidc-provider/
localhost.ceph-om-vm-node3.com:8443/auth/realms/tenant1\
"\n\t\t\t\t]\n\t\t\t},\n\t\t\t\"Action\":[\n\t\t\t\t\"sts:AssumeRoleWithWebIdentity\"\n\t\t\t],\n\t\t\t\"Condition\":{\n\t\t\t\t\"StringEquals\":{\n\t\t\t\t\t\"
localhost.ceph-om-vm-node3.com:8443/auth/realms/tenant1:app_id\
":\"account\"\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t]\n}"
}
]
Similarly, a federated user who assumes a role whose permission policy grants
iam:CreateRole can create a role in an arbitrary tenant the same way. As far as
I can tell, only the assumed role's permission policy is involved in this path,
not the roles:* capability of an RGW user:
aws --endpoint=$HOST_S3_API --region="" iam create-role
--role-name="tenant2\$TemporaryRole" --assume-role-policy-document
file://json/trust-policy-assume-role.json
Example permission policy (attached to the role that is assumed first):
{
"Statement":[
{"Effect":"Allow","Action":["iam:GetRole"]},
{"Effect":"Allow","Action":["iam:CreateRole"]}
]
}
What entity is this permission policy attached to? The user making the
CreateRole call?
This is the permission policy of the role that the federated user assumes
(via sts:AssumeRoleWithWebIdentity, as in the trust policy above) before
creating another role. It was created solely for the purpose of this test.
Cheers
Daniel