Bug 1274084

Summary: [RFE] Support for AWS Secure Token Service (STS) with RGW
Product: [Red Hat Storage] Red Hat Ceph Storage
Reporter: Neil Levine <nlevine>
Component: RGW
Assignee: Pritha Srivastava <prsrivas>
Status: CLOSED ERRATA
QA Contact: Tejas <tchandra>
Severity: medium
Docs Contact: Karen Norteman <knortema>
Priority: medium
Version: 1.3.0
CC: anharris, cbodley, ceph-eng-bugs, flucifre, hnallurv, jbrier, kbader, kdreyer, knortema, mbenjamin, mwatts, prsrivas, rmandyam, sweil, tserlin, uboppana, yweinste
Target Milestone: rc
Keywords: FutureFeature
Target Release: 4.1
Flags: uboppana: needinfo+
Hardware: Unspecified
OS: Unspecified
Fixed In Version: ceph-14.2.8-41.el8cp, ceph-14.2.8-33.el7cp
Doc Type: Enhancement
Doc Text:
.Support for Amazon S3 resources in Ceph Object Gateway
AWS provides the Security Token Service (STS) to allow secure federation with existing OpenID Connect/OAuth 2.0 compliant identity services such as Keycloak. STS is a standalone REST service that issues temporary credentials allowing an application or user to access a Simple Storage Service (S3) endpoint after the user has authenticated against an identity provider (IDP). Previously, users without permanent Amazon Web Services (AWS) credentials could not access S3 resources through Ceph Object Gateway. With this update, Ceph Object Gateway supports the STS AssumeRoleWithWebIdentity call. This allows web application users who have been authenticated by an OpenID Connect/OAuth 2.0 compliant IDP to access S3 resources through Ceph Object Gateway. For more information, see link:{developer-guide}#secure-token-service_dev[Secure Token Service] in the link:{developer-guide}[Developer Guide].
Last Closed: 2020-05-19 17:30:39 UTC
Type: Bug
Clones: 1812537
Bug Blocks: 1812537, 1816167

Description Neil Levine 2015-10-21 21:04:32 UTC
AWS provides the Secure Token Service to allow secure federation with existing identity services like Active Directory. STS is a standalone REST service which provides temporary tokens for an application or user to access an S3 endpoint after the user authenticates against an IDP.

We will deliver a standalone service that provides the STS service for use with RGW.

In addition, to the extent that RGW also provides IAM-like functions, there are changes needed in the RGW service itself to interact with an IDP.
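The exchange sketched in the description and in the Doc Text above, as an added worked example that is not code from this bug, from Ceph, or from Red Hat: an OIDC ID token is checked against the assumed role's trust policy the way a gateway would check issuer and audience, the AssumeRoleWithWebIdentity query is form-encoded for the STS endpoint, and the XML reply is turned into temporary S3 credentials. The realm, role ARN, trust policy, claims and STS response are all constructed for the example; signature verification of the token against the IdP's published keys (which a real gateway must do) is deliberately left out.

```python
"""AssumeRoleWithWebIdentity walk-through (illustration only, not Ceph code)."""
import base64
import json
import time
import urllib.parse
import xml.etree.ElementTree as ET

# Hypothetical Keycloak realm (no scheme) and role created on the gateway.
IDP = "idp.example.com/realms/demo"
ROLE_ARN = "arn:aws:iam:::role/S3Access"
# Constructed trust policy. "Federated" names the OIDC provider registered
# with the gateway; the condition pins the token audience (client id) so an ID
# token minted for another application cannot assume this role.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": [f"arn:aws:iam:::oidc-provider/{IDP}"]},
        "Action": ["sts:AssumeRoleWithWebIdentity"],
        "Condition": {"StringEquals": {f"{IDP}:app_id": "s3-portal"}},
    }],
}
STS_NS = "https://sts.amazonaws.com/doc/2011-06-15/"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def make_token(claims: dict) -> str:
    """Build a JWT-shaped ID token for the example. It is unsigned: checking the
    IdP's signature is outside this illustration and is not done anywhere here."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}."


def token_claims(token: str) -> dict:
    """Decode the claims segment of a JWT (no signature check, see make_token)."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def trust_policy_allows(policy: dict, claims: dict, now: float) -> bool:
    """Token must be unexpired, issued by the federated provider, and carry the
    audience pinned in the statement's condition (if one is set)."""
    if claims.get("exp", 0) <= now:
        return False
    iss = urllib.parse.urlparse(claims["iss"])
    iss_host = iss.netloc + iss.path          # e.g. idp.example.com/realms/demo
    audiences = claims.get("aud", [])
    if isinstance(audiences, str):
        audiences = [audiences]
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or "sts:AssumeRoleWithWebIdentity" not in stmt["Action"]:
            continue
        if f"arn:aws:iam:::oidc-provider/{iss_host}" not in stmt["Principal"].get("Federated", []):
            continue
        wanted = stmt.get("Condition", {}).get("StringEquals", {}).get(f"{iss_host}:app_id")
        if wanted is None or wanted in audiences:
            return True
    return False


def build_assume_role_request(token: str, role_arn: str, session_name: str,
                              duration: int = 3600) -> str:
    """Form-encode the STS query the client POSTs to the gateway's STS endpoint."""
    return urllib.parse.urlencode({
        "Action": "AssumeRoleWithWebIdentity", "Version": "2011-06-15",
        "RoleArn": role_arn, "RoleSessionName": session_name,
        "WebIdentityToken": token, "DurationSeconds": str(duration),
    })


def parse_credentials(xml_body: str) -> dict:
    """Extract the temporary credentials from an AssumeRoleWithWebIdentity reply."""
    creds = ET.fromstring(xml_body).find(f".//{{{STS_NS}}}Credentials")
    if creds is None:
        raise ValueError("no Credentials element in STS response")
    return {tag: creds.findtext(f"{{{STS_NS}}}{tag}")
            for tag in ("AccessKeyId", "SecretAccessKey", "SessionToken", "Expiration")}


# Constructed sample of a successful reply; every value is a placeholder.
SAMPLE_RESPONSE = f"""<AssumeRoleWithWebIdentityResponse xmlns="{STS_NS}">
  <AssumeRoleWithWebIdentityResult><Credentials>
    <AccessKeyId>EXAMPLETEMPKEY000001</AccessKeyId>
    <SecretAccessKey>example-temporary-secret</SecretAccessKey>
    <SessionToken>example-session-token</SessionToken>
    <Expiration>2020-05-19T18:30:39Z</Expiration>
  </Credentials></AssumeRoleWithWebIdentityResult>
</AssumeRoleWithWebIdentityResponse>"""


def assume_role(claims: dict, now: float = None) -> dict:
    """Run the exchange end to end, with the constructed reply standing in for
    the gateway. A real client would POST `body` and parse the actual response."""
    now = time.time() if now is None else now
    token = make_token(claims)
    if not trust_policy_allows(TRUST_POLICY, token_claims(token), now):
        raise PermissionError("ID token rejected by the role trust policy")
    body = build_assume_role_request(token, ROLE_ARN, claims["sub"] + "-session")
    assert "Action=AssumeRoleWithWebIdentity" in body
    return parse_credentials(SAMPLE_RESPONSE)   # keys are then used like any S3 credentials


if __name__ == "__main__":
    print(assume_role({"iss": f"https://{IDP}", "aud": "s3-portal", "sub": "alice",
                       "exp": time.time() + 300}))
```

The returned SessionToken must accompany every S3 request made with the temporary key pair (it is sent as x-amz-security-token), and the policy attached to the role, not the trust policy, decides which buckets and operations those credentials may use.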

Comment 4 Ken Dreyer (Red Hat) 2016-03-15 01:24:49 UTC
STS is not in master. From Marcus' comment in bug 1261912, STS support may land in Kraken, with the possibility of a backport to Jewel. Re-targeting to RHCS 2.1.

Comment 15 Pritha Srivastava 2019-05-29 16:02:42 UTC
Hi Matt,

Commits related to IAM API support are not present in Nautilus 14.2.1, they are there in master though.

Thanks,
Pritha

Comment 16 Giridhar Ramaraju 2019-08-05 13:06:11 UTC
Updating the QA Contact to Hemant. Hemant will be rerouting them to the appropriate QE Associate.

Regards,
Giri

Comment 35 errata-xmlrpc 2020-05-19 17:30:39 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:2231