Hi Daniel,
Yes, it looks like a bug in the way the role name is being parsed in the
code. Please open a tracker issue for the same, and I'll fix it when I can.
Thanks,
Pritha
On Thu, Jun 10, 2021 at 5:09 PM Daniel Iwan <iwan.daniel(a)gmail.com> wrote:
Hi Pritha
My answers inline.
Forgot to add I'm on Ceph 1.2.1
How did you check whether the role was created in
tenant1 or tenant2?
It shouldn't be created in tenant2, if it is, then it's a bug, please
open a tracker issue for it.
I checked that with
radosgw-admin role list --tenant tenant1
Example commands with output
The user creating roles has, in this case, the roles:* capability.
When creating without a tenant prefix, the role is created in the tenant the
user belongs to.
aws --profile=user-from-tenant1 --endpoint=$HOST_S3_API --region="" iam
create-role --role-name=TemporaryRole --assume-role-policy-document
file://json/trust-policy-assume-role.json
{
  "Role": {
    "Path": "/",
    "RoleName": "TemporaryRole",
    "RoleId": "507f990e-46cd-418c-ad4e-cc59276500dc",
    "Arn": "arn:aws:iam::tenant1:role/TemporaryRole",
    "CreateDate": "2021-06-10T11:17:15.638000+00:00",
    "AssumeRolePolicyDocument": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Federated": [
              "arn:aws:iam:::oidc-provider/localhost.ceph-om-vm-node3.com:8443/auth/realms/tenant1"
            ]
          },
          "Action": [
            "sts:AssumeRoleWithWebIdentity"
          ],
          "Condition": {
            "StringEquals": {
              "localhost.ceph-om-vm-node3.com:8443/auth/realms/tenant1:app_id": "account"
            }
          }
        }
      ]
    },
    "MaxSessionDuration": 3600
  }
}
root@:~# radosgw-admin role list --tenant tenant1
[
  {
    "RoleId": "507f990e-46cd-418c-ad4e-cc59276500dc",
    "RoleName": "TemporaryRole",
    "Path": "/",
    "Arn": "arn:aws:iam::tenant1:role/TemporaryRole",
    "CreateDate": "2021-06-10T11:17:15.638Z",
    "MaxSessionDuration": 3600,
    "AssumeRolePolicyDocument": "{\n\t\"Version\":\"2012-10-17\",\n\t\"Statement\":[\n\t\t{\n\t\t\t\"Effect\":\"Allow\",\n\t\t\t\"Principal\":{\n\t\t\t\t\"Federated\":[\n\t\t\t\t\t\"arn:aws:iam:::oidc-provider/localhost.ceph-om-vm-node3.com:8443/auth/realms/tenant1\"\n\t\t\t\t]\n\t\t\t},\n\t\t\t\"Action\":[\n\t\t\t\t\"sts:AssumeRoleWithWebIdentity\"\n\t\t\t],\n\t\t\t\"Condition\":{\n\t\t\t\t\"StringEquals\":{\n\t\t\t\t\t\"localhost.ceph-om-vm-node3.com:8443/auth/realms/tenant1:app_id\":\"account\"\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t]\n}"
  }
]
Then created with another tenant name:
aws --profile=user-from-tenant1 --endpoint=$HOST_S3_API --region="" iam
create-role --role-name="tenant2\$TemporaryRole"
--assume-role-policy-document file://json/trust-policy-assume-role.json
{
  "Role": {
    "Path": "/",
    "RoleName": "TemporaryRole",
    "RoleId": "9086dc3c-3654-465c-9524-dd60cee6ec09",
    "Arn": "arn:aws:iam::tenant2:role/TemporaryRole",
    "CreateDate": "2021-06-10T11:17:52.110000+00:00",
    "AssumeRolePolicyDocument": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Federated": [
              "arn:aws:iam:::oidc-provider/localhost.ceph-om-vm-node3.com:8443/auth/realms/tenant1"
            ]
          },
          "Action": [
            "sts:AssumeRoleWithWebIdentity"
          ],
          "Condition": {
            "StringEquals": {
              "localhost.ceph-om-vm-node3.com:8443/auth/realms/tenant1:app_id": "account"
            }
          }
        }
      ]
    },
    "MaxSessionDuration": 3600
  }
}
root@:~# radosgw-admin role list --tenant tenant2
[
  {
    "RoleId": "9086dc3c-3654-465c-9524-dd60cee6ec09",
    "RoleName": "TemporaryRole",
    "Path": "/",
    "Arn": "arn:aws:iam::tenant2:role/TemporaryRole",
    "CreateDate": "2021-06-10T11:17:52.110Z",
    "MaxSessionDuration": 3600,
    "AssumeRolePolicyDocument": "{\n\t\"Version\":\"2012-10-17\",\n\t\"Statement\":[\n\t\t{\n\t\t\t\"Effect\":\"Allow\",\n\t\t\t\"Principal\":{\n\t\t\t\t\"Federated\":[\n\t\t\t\t\t\"arn:aws:iam:::oidc-provider/localhost.ceph-om-vm-node3.com:8443/auth/realms/tenant1\"\n\t\t\t\t]\n\t\t\t},\n\t\t\t\"Action\":[\n\t\t\t\t\"sts:AssumeRoleWithWebIdentity\"\n\t\t\t],\n\t\t\t\"Condition\":{\n\t\t\t\t\"StringEquals\":{\n\t\t\t\t\t\"localhost.ceph-om-vm-node3.com:8443/auth/realms/tenant1:app_id\":\"account\"\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t]\n}"
  }
]
Similarly, a federated user who assumes a role with iam:CreateRole permission
can create an arbitrary role like below.
aws --endpoint=$HOST_S3_API --region="" iam create-role
--role-name="tenant2\$TemporaryRole" --assume-role-policy-document
file://json/trust-policy-assume-role.json
Example permission policy:
{
  "Statement": [
    {"Effect": "Allow", "Action": ["iam:GetRole"]},
    {"Effect": "Allow", "Action": ["iam:CreateRole"]}
  ]
}
What entity is this permission policy attached to? The user making the
CreateRole call?
This is a permission policy of a role that the user assumes before
creating another role.
It was created solely for the purpose of the test.
Cheers
Daniel
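The behaviour Daniel reports, modelled as an added example (this is not Ceph RGW source code and not part of the thread): a lenient splitter that honours any "tenant$name" prefix in a CreateRole request, beside a strict one that only lets an administrative caller place a role outside its own tenant. The function names, the `caller_is_admin` flag and the use of the AWS IAM RoleName pattern `[\w+=,.@-]+` as the bare-name rule are this example's own assumptions; `$` as the RGW tenant separator is taken from the thread's command line.

```python
"""Model of tenant-scoped IAM role-name handling (added example, not RGW code)."""
import re

# AWS IAM restricts RoleName to [\w+=,.@-]+ (no '$'); RGW uses '$' as the
# separator in 'tenant$name' identifiers, as in the thread's create-role call.
IAM_ROLE_NAME_RE = re.compile(r"^[\w+=,.@-]+$")
TENANT_SEP = "$"


def split_tenant_role_lenient(caller_tenant, role_name):
    """Behaviour observed in the thread: an explicit 'tenant$' prefix is
    honoured no matter which tenant the caller belongs to."""
    if TENANT_SEP in role_name:
        tenant, _, name = role_name.partition(TENANT_SEP)
        return tenant, name
    return caller_tenant, role_name


def split_tenant_role_strict(caller_tenant, role_name, caller_is_admin=False):
    """Hardened version (hypothetical check): a prefix naming a different
    tenant is only accepted from an administrative caller such as
    radosgw-admin, and the bare role name must satisfy the IAM naming rule."""
    if TENANT_SEP in role_name:
        tenant, _, name = role_name.partition(TENANT_SEP)
        if tenant != caller_tenant and not caller_is_admin:
            raise PermissionError(
                f"caller in tenant {caller_tenant!r} may not create roles in {tenant!r}"
            )
    else:
        tenant, name = caller_tenant, role_name
    if not IAM_ROLE_NAME_RE.fullmatch(name):
        raise ValueError(f"invalid role name {name!r}")
    return tenant, name


def role_arn(tenant, name):
    """ARN in the form shown by the thread's create-role output."""
    return f"arn:aws:iam::{tenant}:role/{name}"


if __name__ == "__main__":
    # Lenient: tenant1 caller ends up owning a role in tenant2.
    print(role_arn(*split_tenant_role_lenient("tenant1", "tenant2$TemporaryRole")))
    # Strict: the same request is refused for a non-admin caller.
    try:
        split_tenant_role_strict("tenant1", "tenant2$TemporaryRole")
    except PermissionError as exc:
        print("refused:", exc)
```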