My tracker account has been approved now.
Issue created as
https://tracker.ceph.com/issues/51206
Thanks
Daniel
On Thu, 10 Jun 2021 at 13:29, Pritha Srivastava <prsrivas(a)redhat.com> wrote:
Hi Daniel,
Yes, it looks like a bug in the way the role name is being parsed in the
code. Please open a tracker issue for the same, and I'll fix it when I can.
Thanks,
Pritha
On Thu, Jun 10, 2021 at 5:09 PM Daniel Iwan <iwan.daniel(a)gmail.com> wrote:
> Hi Pritha
>
> y answers inline.
> Forgot to add I'm on Ceph 1.2.1
>
>
>> How did you check whether the role was created in tenant1 or tenant2?
>> It shouldn't be created in tenant2, if it is, then it's a bug, please
>> open a tracker issue for it.
>>
>
> I checked that with
> radosgw-admin role list --tenant tenant1
>
> Example commands with output
> User creating roles has in this case roles:* capability.
>
> When creating without tenant prefix role is created in the tenant user
> belongs to
>
> aws --profile=user-from-tenant1 --endpoint=$HOST_S3_API --region="" iam
> create-role --role-name=TemporaryRole --assume-role-policy-document
> file://json/trust-policy-assume-role.json
>
> {
> "Role": {
> "Path": "/",
> "RoleName": "TemporaryRole",
> "RoleId": "507f990e-46cd-418c-ad4e-cc59276500dc",
> "Arn": "arn:aws:iam::tenant1:role/TemporaryRole",
> "CreateDate": "2021-06-10T11:17:15.638000+00:00",
> "AssumeRolePolicyDocument": {
> "Version": "2012-10-17",
> "Statement": [
> {
> "Effect": "Allow",
> "Principal": {
> "Federated": [
> "arn:aws:iam:::oidc-provider/
> localhost.ceph-om-vm-node3.com:8443/auth/realms/tenant1"
> ]
> },
> "Action": [
> "sts:AssumeRoleWithWebIdentity"
> ],
> "Condition": {
> "StringEquals": {
> "
> localhost.ceph-om-vm-node3.com:8443/auth/realms/tenant1:app_id":
> "account"
> }
> }
> }
> ]
> },
> "MaxSessionDuration": 3600
> }
> }
>
> root@:~# radosgw-admin role list --tenant tenant1
> [
> {
> "RoleId": "507f990e-46cd-418c-ad4e-cc59276500dc",
> "RoleName": "TemporaryRole",
> "Path": "/",
> "Arn": "arn:aws:iam::tenant1:role/TemporaryRole",
> "CreateDate": "2021-06-10T11:17:15.638Z",
> "MaxSessionDuration": 3600,
> "AssumeRolePolicyDocument":
>
"{\n\t\"Version\":\"2012-10-17\",\n\t\"Statement\":[\n\t\t{\n\t\t\t\"Effect\":\"Allow\",\n\t\t\t\"Principal\":{\n\t\t\t\t\"Federated\":[\n\t\t\t\t\t\"arn:aws:iam:::oidc-provider/
> localhost.ceph-om-vm-node3.com:8443/auth/realms/tenant1\
> <http://localhost.ceph-om-vm-node3.com:8443/auth/realms/tenant1%5C>
>
"\n\t\t\t\t]\n\t\t\t},\n\t\t\t\"Action\":[\n\t\t\t\t\"sts:AssumeRoleWithWebIdentity\"\n\t\t\t],\n\t\t\t\"Condition\":{\n\t\t\t\t\"StringEquals\":{\n\t\t\t\t\t\"
> localhost.ceph-om-vm-node3.com:8443/auth/realms/tenant1:app_id\
> <http://localhost.ceph-om-vm-node3.com:8443/auth/realms/tenant1:app_id%5C>
> ":\"account\"\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t]\n}"
> }
> ]
>
> then created with another tenant name
>
> aws --profile=user-from-tenant1 --endpoint=$HOST_S3_API --region="" iam
> create-role --role-name="tenant2\$TemporaryRole"
> --assume-role-policy-document file://json/trust-policy-assume-role.json
> {
> "Role": {
> "Path": "/",
> "RoleName": "TemporaryRole",
> "RoleId": "9086dc3c-3654-465c-9524-dd60cee6ec09",
> "Arn": "arn:aws:iam::tenant2:role/TemporaryRole",
> "CreateDate": "2021-06-10T11:17:52.110000+00:00",
> "AssumeRolePolicyDocument": {
> "Version": "2012-10-17",
> "Statement": [
> {
> "Effect": "Allow",
> "Principal": {
> "Federated": [
> "arn:aws:iam:::oidc-provider/
> localhost.ceph-om-vm-node3.com:8443/auth/realms/tenant1"
> ]
> },
> "Action": [
> "sts:AssumeRoleWithWebIdentity"
> ],
> "Condition": {
> "StringEquals": {
> "
> localhost.ceph-om-vm-node3.com:8443/auth/realms/tenant1:app_id":
> "account"
> }
> }
> }
> ]
> },
> "MaxSessionDuration": 3600
> }
> }
>
> root@:~# radosgw-admin role list --tenant tenant2
> [
> {
> "RoleId": "9086dc3c-3654-465c-9524-dd60cee6ec09",
> "RoleName": "TemporaryRole",
> "Path": "/",
> "Arn": "arn:aws:iam::tenant2:role/TemporaryRole",
> "CreateDate": "2021-06-10T11:17:52.110Z",
> "MaxSessionDuration": 3600,
> "AssumeRolePolicyDocument":
>
"{\n\t\"Version\":\"2012-10-17\",\n\t\"Statement\":[\n\t\t{\n\t\t\t\"Effect\":\"Allow\",\n\t\t\t\"Principal\":{\n\t\t\t\t\"Federated\":[\n\t\t\t\t\t\"arn:aws:iam:::oidc-provider/
> localhost.ceph-om-vm-node3.com:8443/auth/realms/tenant1\
> <http://localhost.ceph-om-vm-node3.com:8443/auth/realms/tenant1%5C>
>
"\n\t\t\t\t]\n\t\t\t},\n\t\t\t\"Action\":[\n\t\t\t\t\"sts:AssumeRoleWithWebIdentity\"\n\t\t\t],\n\t\t\t\"Condition\":{\n\t\t\t\t\"StringEquals\":{\n\t\t\t\t\t\"
> localhost.ceph-om-vm-node3.com:8443/auth/realms/tenant1:app_id\
> <http://localhost.ceph-om-vm-node3.com:8443/auth/realms/tenant1:app_id%5C>
> ":\"account\"\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t]\n}"
> }
> ]
>
> Similarly, a federated user who assumes a role with iam:CreateRole
>>> permission
>>> can create an arbitrary role like below.
>>>
>>> aws --endpoint=$HOST_S3_API --region="" iam create-role
>>> --role-name="tenant2\$TemporaryRole" --assume-role-policy-document
>>> file://json/trust-policy-assume-role.json
>>>
>>> Example permission policy
>>> {
>>> "Statement":[
>>>
{"Effect":"Allow","Action":["iam:GetRole"]},
>>>
{"Effect":"Allow","Action":["iam:CreateRole"]}
>>> ]
>>> }
>>>
>>> What entity is this permission policy attached to? The user making the
>> CreateRole call?
>>
>
> This is a permission policy of a role that the user assumes before
> creating another role.
> It was created solely for the purpose of the test.
>
> Cheers
> Daniel
>
>