=========
STS Lite
=========

Ceph Object Gateway provides support for a subset of Amazon Secure Token Service
(STS) APIs. STS Lite is an extension of STS and builds upon one of its APIs,
GetSessionToken, to decrease the load on external IDPs like Keystone and LDAP.

A set of temporary security credentials is returned after a set of AWS
credentials has been authenticated with the external IDP. These temporary
credentials can be used to make subsequent S3 calls, which are authenticated by
the STS engine in Ceph itself, so the Keystone/LDAP server sees less load.

Temporary, limited-privilege credentials can also be obtained for a local RGW
user using the STS Lite API.

STS Lite REST APIs
==================

The following STS Lite REST API is part of STS Lite in Ceph Object Gateway:

1. GetSessionToken: Returns a set of temporary credentials for a set of AWS
   credentials. After initial authentication with Keystone/LDAP, the temporary
   credentials returned can be used to make subsequent S3 calls. The temporary
   credentials have the same permissions as the AWS credentials they were
   obtained with.

Parameters:

**DurationSeconds** (Integer/Optional): The duration in seconds for which the
credentials should remain valid. The default value is 3600. The maximum value
is 43200 by default and can be configured using rgw sts max session duration.

**SerialNumber** (String/Optional): The ID number of the MFA device associated
with the user making the GetSessionToken call.

**TokenCode** (String/Optional): The value provided by the MFA device, if MFA is
required.

A policy needs to be attached to the user that allows GetSessionToken to be
invoked with the permanent credentials and that allows subsequent S3 operations
only with the temporary credentials returned by GetSessionToken. The policy
below does this with two statements: an explicit Deny of s3:* whenever the
request was not authenticated by the STS engine (sts:authentication is false
or, because the condition uses BoolIfExists, absent altogether, as it is for a
plain S3 request signed with the permanent keys), and an Allow of
sts:GetSessionToken for the same case. The following is an example of attaching
the policy to a user 'TESTER1'::

    s3curl.pl --debug --id admin -- -s -v -X POST "http://localhost:8000/?Action=PutUserPolicy&PolicyName=Policy1&UserName=TESTER1&PolicyDocument=\{\"Version\":\"2012-10-17\",\"Statement\":\[\{\"Effect\":\"Deny\",\"Action\":\"s3:*\",\"Resource\":\[\"*\"\],\"Condition\":\{\"BoolIfExists\":\{\"sts:authentication\":\"false\"\}\}\},\{\"Effect\":\"Allow\",\"Action\":\"sts:GetSessionToken\",\"Resource\":\"*\",\"Condition\":\{\"BoolIfExists\":\{\"sts:authentication\":\"false\"\}\}\}\]\}&Version=2010-05-08"

The user attaching the policy needs to have the user-policy admin capability.
For example::

    radosgw-admin caps add --uid="TESTER" --caps="user-policy=*"

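The policy above, as an added example that is not Ceph project code: the same
policy document built in Python, plus a small model of how a policy engine
evaluates its two statements, so the effect of BoolIfExists on the request
shapes that matter is visible without a running gateway. The evaluator models
only what this policy needs (an explicit Deny wins over an Allow, a missing
context key matches BoolIfExists, Resource is not checked because both
statements use "*"); the request-context dictionaries standing in for
"permanent credentials" and "request carrying a session token" are constructed,
and nothing here contacts the gateway. put_user_policy_params returns the
arguments that boto3's IAM client put_user_policy takes, which is the same
PutUserPolicy call the s3curl.pl command above makes.

```python
"""Build the STS Lite user policy shown above and evaluate it offline.

Added example, not Ceph project code.  Request-context dictionaries are
constructed stand-ins; no gateway is contacted.
"""
import fnmatch
import json

POLICY_NAME = "Policy1"   # as in the s3curl.pl command
USER_NAME = "TESTER1"


def sts_lite_policy() -> dict:
    """The same policy document the PutUserPolicy call above attaches."""
    not_sts_authenticated = {"BoolIfExists": {"sts:authentication": "false"}}
    return {
        "Version": "2012-10-17",
        "Statement": [
            # Deny every S3 action unless the request was authenticated by the
            # STS engine.  BoolIfExists is what makes this bite for plain S3
            # requests signed with the permanent keys: they carry no
            # sts:authentication key at all, and a missing key matches.
            {"Effect": "Deny", "Action": "s3:*", "Resource": ["*"],
             "Condition": not_sts_authenticated},
            # The permanent keys may do exactly one thing: mint a session token.
            {"Effect": "Allow", "Action": "sts:GetSessionToken", "Resource": "*",
             "Condition": not_sts_authenticated},
        ],
    }


def put_user_policy_params() -> dict:
    """Arguments for boto3 ``iam.put_user_policy(**...)`` against the gateway."""
    return {
        "UserName": USER_NAME,
        "PolicyName": POLICY_NAME,
        "PolicyDocument": json.dumps(sts_lite_policy(), separators=(",", ":")),
    }


def _matches(condition: dict, context: dict) -> bool:
    """Evaluate Bool / BoolIfExists, the only operators this policy uses."""
    for operator, clauses in condition.items():
        if operator not in ("Bool", "BoolIfExists"):
            raise NotImplementedError(operator)
        for key, expected in clauses.items():
            if key not in context:
                if operator == "BoolIfExists":
                    continue          # absent key counts as a match
                return False
            if str(context[key]).lower() != str(expected).lower():
                return False
    return True


def evaluate(policy: dict, action: str, context: dict) -> str:
    """Return 'Deny', 'Allow' or 'NoMatch'.

    NoMatch means neither statement applies and the user's ordinary RGW
    permissions decide, which is the case for S3 calls made with the
    temporary credentials.  Resource matching is omitted (both are "*").
    """
    decision = "NoMatch"
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(fnmatch.fnmatchcase(action, pattern) for pattern in actions):
            continue
        if not _matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"             # an explicit Deny always wins
        decision = "Allow"
    return decision


def walkthrough() -> dict:
    """The request shapes from the text, evaluated against the policy."""
    policy = sts_lite_policy()
    permanent = {}                               # plain request: no sts:authentication key
    temporary = {"sts:authentication": "true"}   # request carrying a session token
    return {
        "permanent/s3:ListBucket": evaluate(policy, "s3:ListBucket", permanent),
        "permanent/sts:GetSessionToken": evaluate(policy, "sts:GetSessionToken", permanent),
        "temporary/s3:ListBucket": evaluate(policy, "s3:ListBucket", temporary),
    }


if __name__ == "__main__":
    print(put_user_policy_params()["PolicyDocument"])
    for request, decision in walkthrough().items():
        print(f"{request:32} -> {decision}")
```

The third case is the one worth noticing: an S3 call made with the temporary
credentials matches neither statement, so this policy grants nothing by itself;
the caller falls back to whatever the user could already do, which is why the
text says the temporary credentials carry the same permissions as the permanent
ones.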
STS Lite Configuration
======================

The following configurable options are available for STS Lite integration::

    [client.radosgw.gateway]
    rgw sts key = {sts key for encrypting the session token}
    rgw s3 auth use sts = true

The sts key is what the gateway uses to encrypt the session tokens it issues
and to decrypt the ones it receives, so it must be kept as secret as any other
gateway credential, and it must be the same on every gateway that is expected
to accept tokens issued by another.

The above STS configurables can be used with the Keystone configurables if one
needs to use STS Lite in conjunction with Keystone. The complete set of
configurable options will be::

    [client.radosgw.gateway]
    rgw sts key = {sts key for encrypting/ decrypting the session token}
    rgw s3 auth use sts = true

    rgw keystone url = {keystone server url:keystone server admin port}
    rgw keystone admin project = {keystone admin project name}
    rgw keystone admin tenant = {keystone service tenant name}
    rgw keystone admin domain = {keystone admin domain name}
    rgw keystone api version = {keystone api version}
    rgw keystone implicit tenants = {true for private tenant for each new user}
    rgw keystone admin user = {keystone service tenant user name}
    rgw keystone admin password = {keystone service tenant user password}
    rgw keystone accepted roles = {accepted user roles}
    rgw keystone token cache size = {number of tokens to cache}
    rgw s3 auth use keystone = true

The details of integrating Keystone with Ceph Object Gateway can be found here:
:doc:`keystone`

The complete set of configurables to use STS Lite with LDAP are::

    [client.radosgw.gateway]
    rgw sts key = {sts key for encrypting/ decrypting the session token}
    rgw s3 auth use sts = true

    rgw_s3_auth_use_ldap = true
    rgw_ldap_uri = {LDAP server to use}
    rgw_ldap_binddn = {Distinguished Name (DN) of the service account}
    rgw_ldap_secret = {password for the service account}
    rgw_ldap_searchdn = {base in the directory information tree for searching users}
    rgw_ldap_dnattr = {attribute being used in the constructed search filter to match a username}
    rgw_ldap_searchfilter = {search filter}

The details of integrating LDAP with Ceph Object Gateway can be found here:
:doc:`ldap-auth`

Note: By default, STS and S3 APIs co-exist in the same namespace, and both S3
and STS APIs can be accessed via the same endpoint in Ceph Object Gateway.

Example showing how to Use STS Lite with Keystone
=================================================

The following are the steps needed to use STS Lite with Keystone. Boto 3.x has
been used to write the example code that shows the integration of STS Lite with
Keystone.

1. Generate EC2 credentials:

.. code-block:: console

    $ openstack ec2 credentials create
    +------------+--------------------------------------------------------+
    | Field      | Value                                                  |
    +------------+--------------------------------------------------------+
    | access     | b924dfc87d454d15896691182fdeb0ef                       |
    | links      | {u'self': u'http://192.168.0.15/identity/v3/users/     |
    |            | 40a7140e424f493d8165abc652dc731c/credentials/          |
    |            | OS-EC2/b924dfc87d454d15896691182fdeb0ef'}              |
    | project_id | c703801dccaf4a0aaa39bec8c481e25a                       |
    | secret     | 6a2142613c504c42a94ba2b82147dc28                       |
    | trust_id   | None                                                   |
    | user_id    | 40a7140e424f493d8165abc652dc731c                       |
    +------------+--------------------------------------------------------+

2. Use the credentials created in step 1 to get back a set of temporary
credentials using the GetSessionToken API.

.. code-block:: python

    import boto3

    # EC2 access and secret key from step 1 (placeholders)
    access_key = '<ec2 access key>'
    secret_key = '<ec2 secret key>'

    client = boto3.client('sts',
                          aws_access_key_id=access_key,
                          aws_secret_access_key=secret_key,
                          endpoint_url='<STS URL>',
                          region_name='',
                          )

    # 43200 is the default maximum (rgw sts max session duration)
    response = client.get_session_token(
        DurationSeconds=43200
    )

3. The temporary credentials obtained in step 2 can be used for making S3 calls:

.. code-block:: python

    s3client = boto3.client('s3',
                            aws_access_key_id=response['Credentials']['AccessKeyId'],
                            aws_secret_access_key=response['Credentials']['SecretAccessKey'],
                            aws_session_token=response['Credentials']['SessionToken'],
                            endpoint_url='<S3 URL>',
                            region_name='')

    s3client.create_bucket(Bucket='my-new-shiny-bucket')
    response = s3client.list_buckets()
    for bucket in response['Buckets']:
        print("{name}\t{created}".format(
            name=bucket['Name'],
            created=bucket['CreationDate'],
        ))

The same steps apply when GetSessionToken is used with LDAP.

Limitations and Workarounds
===========================

1. Keystone currently supports only S3 requests, hence in order to successfully
   authenticate an STS request, the following workaround needs to be added to
   boto, in the file botocore/auth.py.

The ``if service_name == 'sts':`` branch at the end of the constructor (four
lines) is the workaround; the rest of the code block is botocore's own SigV4Auth
constructor. It makes botocore sign STS requests with the service name 's3' in
the credential scope, so that the request is verified as an S3 request, the only
kind Keystone currently supports:

.. code-block:: python

    class SigV4Auth(BaseSigner):
        """
        Sign a request with Signature V4.
        """
        REQUIRES_REGION = True

        def __init__(self, credentials, service_name, region_name):
            self.credentials = credentials
            # We initialize these value here so the unit tests can have
            # valid values. But these will get overridden in ``add_auth``
            # later for real requests.
            self._region_name = region_name
            # Workaround: sign STS requests as if they were S3 requests so
            # that Keystone-backed authentication accepts them.
            if service_name == 'sts':
                self._service_name = 's3'
            else:
                self._service_name = service_name

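The workaround above changes exactly one input to the signature: the service
name that goes into the credential scope and into the signing-key derivation.
The following added example (not botocore or Ceph code) is a minimal Signature
Version 4 signer written with hashlib/hmac only; it signs the same
GetSessionToken request once as 'sts' (unpatched botocore) and once as 's3'
(with the workaround), so the difference the patch makes is visible without a
gateway or Keystone. The access key, secret, host and date are constructed
values, the region is a fixed 'us-east-1' rather than the empty region_name used
in the boto3 example, and the set of signed headers is an assumption about what
a client sends, not a statement about what the gateway requires.

```python
"""Sign a GetSessionToken request both ways: stock ('sts') and with the
botocore workaround ('s3').

Added example, not botocore or Ceph code.  A minimal AWS Signature Version 4
signer built from hashlib/hmac only, so the one thing the patch changes (the
service name in the credential scope and the signing key) is visible.
All credential, host, date and region values are constructed.
"""
import hashlib
import hmac
from urllib.parse import quote

SAMPLE = {                      # constructed values, not real credentials
    "access_key": "AKIDEXAMPLE",
    "secret_key": "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY",
    "host": "localhost:8000",
    "amz_date": "20200101T000000Z",
    "region": "us-east-1",      # boto3 example uses region_name=''; fixed here
}


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def form_encode(params: dict) -> str:
    """Sorted, RFC 3986 percent-encoded key=value pairs (SigV4 canonical form)."""
    return "&".join(f"{quote(k, safe='-_.~')}={quote(str(v), safe='-_.~')}"
                    for k, v in sorted(params.items()))


def sign_get_session_token(access_key, secret_key, host, amz_date, region, service,
                           duration_seconds=43200):
    """Return (Authorization header, credential scope) for POST / GetSessionToken.

    ``service`` is 'sts' for an unpatched botocore and 's3' with the workaround.
    """
    body = form_encode({"Action": "GetSessionToken", "Version": "2011-06-15",
                        "DurationSeconds": duration_seconds}).encode()
    headers = {"content-type": "application/x-www-form-urlencoded; charset=utf-8",
               "host": host, "x-amz-date": amz_date}
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k]}\n" for k in sorted(headers))
    # Query-protocol POST: path '/', empty query string, parameters in the body.
    canonical_request = "\n".join(["POST", "/", "", canonical_headers,
                                   signed_headers, _sha256_hex(body)])
    date = amz_date[:8]
    scope = f"{date}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                _sha256_hex(canonical_request.encode())])
    # Signing-key derivation: the service name enters here as well as in the scope.
    key = _hmac(("AWS4" + secret_key).encode(), date)
    for part in (region, service, "aws4_request"):
        key = _hmac(key, part)
    signature = hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()
    authorization = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                     f"SignedHeaders={signed_headers}, Signature={signature}")
    return authorization, scope


def compare_service_names() -> dict:
    """Same request signed as 'sts' (stock) and as 's3' (workaround)."""
    return {service: dict(zip(("authorization", "scope"),
                              sign_get_session_token(service=service, **SAMPLE)))
            for service in ("sts", "s3")}


if __name__ == "__main__":
    for service, result in compare_service_names().items():
        print(f"{service:>3}: {result['authorization']}")
```

Because the service name is mixed into the derived signing key and not just
written into the scope, a verifier that derives its key with 's3' can never
validate a signature produced with 'sts', whatever the rest of the request
looks like; that is why the workaround has to change the signer rather than
just rewrite the Credential string.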