[ceph-users] How to use STS Lite correctly?

Pritha Srivastava prsrivas at redhat.com
Tue Mar 5 08:27:50 PST 2019


Are you using this key in your conf file:

rgw sts key = "1234567890"

STS uses AES encryption internally so it has to be 16 bytes in length, for
example 'abcdefghijklmnop'.

Can you change that and see if it works? If not, can you post all the
commands to create a role and attach a permission policy to it? Have you
created a role called cgtw-STS?

STS works at the root path (and not at /rgw)

Thanks,
Pritha

On Tue, Mar 5, 2019 at 8:27 AM myxingkong <admin at xingkong.io> wrote:

> Hello.
>
> I successfully created the role and attached the permission policy, but it
> still didn't work as expected.
>
> When I request the root path, it returns an HTTP 400 error:
>
> Request:
>
> POST / HTTP/1.1
> Host: 192.168.199.81:8080
> Accept-Encoding: identity
> Content-Length: 159
> Content-Type: application/x-www-form-urlencoded; charset=utf-8
> X-Amz-Date: 20190305T024604Z
> Authorization: AWS4-HMAC-SHA256 Credential=O966WM2NEUB232Z53VYG/20190305
> //sts/aws4_request, SignedHeaders=content-type;host;x-amz-date,
> Signature=dfb51d46ca561fa7bf763ceaededf58afd17b3fe6293c4cc6dc4fccba24c95d1
> User-Agent: Boto3/1.9.106 Python/2.7.15 Windows/7 Botocore/1.12.106
>
>
> Action=AssumeRole&DurationSeconds=3600&RoleArn=arn%3Aaws%3Aiam%3A%3A%3Arole%2Fapplication_abc%2Fcomponent_xyz%2Fcgtw-STS&Version=2011-06-15&RoleSessionName=Bob
>
>
> Response:
>
> <Error>
>     <Code>InvalidArgument</Code>
>     <RequestId>tx00000000000000000000f-005c7de2ea-1217e-default</RequestId>
>     <HostId>1217e-default-default</HostId>
> </Error>
>
>
> When I requested the /rgw path, it returned an HTTP 403 error:
>
> Request:
>
> POST /rgw HTTP/1.1
> Host: 192.168.199.81:8080
> Accept-Encoding: identity
> Content-Length: 159
> Content-Type: application/x-www-form-urlencoded; charset=utf-8
> X-Amz-Date: 20190305T024904Z
> Authorization: AWS4-HMAC-SHA256 Credential=O966WM2NEUB232Z53VYG/20190305
> //sts/aws4_request, SignedHeaders=content-type;host;x-amz-date,
> Signature=d68e6f79ded8d06bef19fa0d9248d5c72bdfd08abbd61b54de887fba17474f6d
> User-Agent: Boto3/1.9.106 Python/2.7.15 Windows/7 Botocore/1.12.106
>
>
> Action=AssumeRole&DurationSeconds=3600&RoleArn=arn%3Aaws%3Aiam%3A%3A%3Arole%2Fapplication_abc%2Fcomponent_xyz%2Fcgtw-STS&Version=2011-06-15&RoleSessionName=Bob
>
>
> Response:
>
> <Error>
>     <Code>AccessDenied</Code>
>     <RequestId>tx000000000000000000010-005c7de39f-1217e-default</RequestId>
>     <HostId>1217e-default-default</HostId>
> </Error>
>
> Can you tell me if my request path is incorrect?
>
> *From:* Pritha Srivastava <prsrivas at redhat.com>
> *Sent:* 2019-03-04 22:57:27
> *To:*  myxingkong <admin at xingkong.io>
> *Cc:*  ceph-users <ceph-users at lists.ceph.com>
> *Subject:* Re: [ceph-users] How to use STS Lite correctly?
>
> There are two steps that have to be performed before calling AssumeRole:
>
> 1. A role named S3Access needs to be created to which it is mandatory to
> attach an assume role policy document. For example,
>
> radosgw-admin role create --role-name=S3Access --path=/application_abc/component_xyz/ --assume-role-policy-doc=\{\"Version\":\"2012-10-17\",\"Statement\":\[\{\"Effect\":\"Allow\",\"Principal\":\{\"AWS\":\[\"arn:aws:iam:::user/TESTER\"\]\},\"Action\":\[\"sts:AssumeRole\"\]\}\]\}
>
>
> 2. A permission policy needs to be attached to the role, to allow all s3
> operations using the temporary creds returned by the Assume role call. For
> example,
>
> radosgw-admin role-policy put --role-name=S3Access --policy-name=Policy1 --policy-doc=\{\"Version\":\"2012-10-17\",\"Statement\":\[\{\"Effect\":\"Allow\",\"Action\":\[\"s3:*\"\],\"Resource\":\"arn:aws:s3:::example_bucket\"\}\]\}
>
>
> The documentation for above is at:
> http://docs.ceph.com/docs/master/radosgw/role/
>
> Thanks,
> Pritha
>
> On Mon, Mar 4, 2019 at 4:48 PM myxingkong <admin at xingkong.io> wrote:
>
>>
>> I want to use the STS service to generate temporary credentials for use
>> by third-party clients.
>>
>> I configured STS lite based on the documentation.
>> http://docs.ceph.com/docs/master/radosgw/STSLite/
>>
>> This is my configuration file:
>>
>> [global]
>> fsid = 42a7cae1-84d1-423e-93f4-04b0736c14aa
>> mon_initial_members = admin, node1, node2, node3
>> mon_host = 192.168.199.81,192.168.199.82,192.168.199.83,192.168.199.84
>> auth_cluster_required = cephx
>> auth_service_required = cephx
>> auth_client_required = cephx
>>
>> osd pool default size = 2
>>
>> [client.rgw.admin]
>> rgw sts key = "1234567890"
>> rgw s3 auth use sts = true
>>
>> When I execute the getSessionToken method, it returns a 403 error:
>>
>> <Error>
>> <Code>AccessDenied</Code>
>> <RequestId>tx00000000000000000000d-005c7d07ed-3a3c-default</RequestId>
>> <HostId>3a3c-default-default</HostId>
>> </Error>
>>
>> import boto3
>> import traceback
>>
>> try:
>>     host = 'http://192.168.199.81:7480'
>>     access_key = '2324YFZ7QDEOSRL18QHR'
>>     secret_key = 'rL9FabxCOw5LDbrHtmykiGSCjzpKLmEs9WPiNjVJ'
>>
>>     # STS client pointed at the RGW endpoint
>>     client = boto3.client('sts',
>>                           aws_access_key_id=access_key,
>>                           aws_secret_access_key=secret_key,
>>                           endpoint_url=host)
>>     # Request temporary credentials for the role created with radosgw-admin
>>     response = client.assume_role(
>>         RoleArn='arn:aws:iam:::role/application_abc/component_xyz/S3Access',
>>         RoleSessionName='Bob',
>>         DurationSeconds=3600
>>     )
>>     print(response)
>> except Exception:
>>     print(traceback.format_exc())
>>
>> Who can tell me if my configuration or code is wrong?
>>
>> My version of ceph is: ceph version 14.1.0
>> (adfd524c32325562f61c055a81dba4cb1b117e84) nautilus (dev)
>>
>
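Pulling together the two radosgw-admin steps from Pritha's earlier reply and the 16-byte key requirement from her latest one, here is an added example that is not code from the thread or from Ceph: it builds the policy documents with json.dumps (so none of the backslash escaping shown above is needed), derives the RoleArn to pass to AssumeRole, and checks the configured rgw sts key length. The function names are my own.

```python
import json
import shlex

# Added example, not code from the thread or from Ceph: builds the two
# radosgw-admin commands from Pritha's reply as argument lists (so the JSON
# policy documents need no backslash escaping) and checks the STS key length.

STS_KEY_BYTES = 16  # rgw sts key is used as an AES key, so 16 bytes exactly

def sts_key_ok(key):
    """True when the configured rgw sts key has the length STS expects."""
    return len(key.encode("utf-8")) == STS_KEY_BYTES

def assume_role_policy(principal_arns):
    """Trust policy: which users may call sts:AssumeRole on the role."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Principal": {"AWS": list(principal_arns)},
                           "Action": ["sts:AssumeRole"]}]}

def permission_policy(bucket, actions=("s3:*",)):
    """Permission policy granted to the temporary credentials."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Action": list(actions),
                           "Resource": "arn:aws:s3:::" + bucket}]}

def role_create_cmd(role_name, path, principal_arns):
    """Step 1 from the thread: create the role with its trust policy."""
    doc = json.dumps(assume_role_policy(principal_arns), separators=(",", ":"))
    return ["radosgw-admin", "role", "create",
            "--role-name=" + role_name, "--path=" + path,
            "--assume-role-policy-doc=" + doc]

def role_policy_put_cmd(role_name, policy_name, bucket):
    """Step 2 from the thread: attach the permission policy to the role."""
    doc = json.dumps(permission_policy(bucket), separators=(",", ":"))
    return ["radosgw-admin", "role-policy", "put",
            "--role-name=" + role_name, "--policy-name=" + policy_name,
            "--policy-doc=" + doc]

def role_arn(path, role_name):
    """The RoleArn to pass to AssumeRole; RGW uses an empty account id."""
    return "arn:aws:iam:::role" + path + role_name

def shell_line(cmd):
    """Render an argument list as a copy-pasteable, correctly quoted line."""
    return " ".join(shlex.quote(a) for a in cmd)
```

Pass the argument lists straight to subprocess.run, or print shell_line(...) to paste into a terminal; the ARN from role_arn is what goes into the RoleArn parameter of the boto3 assume_role call.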