Bug 2268379
| Summary: | [RFE] IAM ROLES. Improved debug logging of the Policy evaluation engine | ||
|---|---|---|---|
| Product: | [Red Hat Storage] Red Hat Ceph Storage | Reporter: | daniel parkes <dparkes> |
| Component: | RGW | Assignee: | Adam C. Emerson <aemerson> |
| Status: | ASSIGNED --- | QA Contact: | Madhavi Kasturi <mkasturi> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 8.0 | CC: | ceph-eng-bugs, cephqe-warriors, dparkes, mbenjamin |
| Target Milestone: | --- | Keywords: | FutureFeature |
| Target Release: | 9.1 | Flags: | mkasturi:
needinfo?
(mbenjamin) |
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | Bug | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Please specify the severity of this bug. Severity is defined here: https://bugzilla.redhat.com/page.cgi?id=fields.html#bug_severity. |
Hi, When working with IAM Roles, when writing the doc policy that will allow a user to assume a role by matching the condition in the policy, the rules, and expressions on the condition can get pretty complicated, and currently, there is no easy way to check in our RGW debug 20 logs why the policy evaluation engine is allowing or denying and specific incoming assume role request. Currently, the debug 20 logs when we get an error show: "logging of the Policy evaluation engine" Without giving any other further detail, it would improve the debugging experience and work with roles if we could get something like: "Evaluating policy X failed, not matching. Doc Policy on Role: arn:aws:iam:::oidc-provider/localhost:8080/auth/realms/quickstart , incoming condition: "Principal":{"Federated":["arn:aws:iam:::oidc-provider/keycloak-sso.apps.ocp.local/auth/realms/ceph"]} don't match" This will help us pinpoint the issue immediately; it has been the case with customers that a small typo in the policy will take a very long time to debug because of this.