Bug 1274084 - [RFE] Support for AWS Secure Token Service (STS) with RGW
Summary: [RFE] Support for AWS Secure Token Service (STS) with RGW
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Ceph Storage
Classification: Red Hat Storage
Component: RGW
Version: 1.3.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: 4.1
Assignee: Pritha Srivastava
QA Contact: Tejas
Docs Contact: Karen Norteman
URL:
Whiteboard:
Depends On:
Blocks: 1812537 1816167
Reported: 2015-10-21 21:04 UTC by Neil Levine
Modified: 2020-07-17 20:35 UTC (History)
CC List: 17 users

Fixed In Version: ceph-14.2.8-41.el8cp, ceph-14.2.8-33.el7cp
Doc Type: Enhancement
Doc Text:
.Support for Amazon S3 resources in Ceph Object Gateway

AWS provides the Secure Token Service (STS) to allow secure federation with existing OpenID Connect/OAuth 2.0 compliant identity services such as Keycloak. STS is a standalone REST service that provides temporary credentials (an access key, a secret key and a session token) for an application or user to access a Simple Storage Service (S3) endpoint after the user authenticates against an identity provider (IDP). Previously, users without permanent Amazon Web Services (AWS) credentials could not access S3 resources through Ceph Object Gateway. With this update, Ceph Object Gateway supports STS AssumeRoleWithWebIdentity. This operation allows web application users who have been authenticated with an OpenID Connect/OAuth 2.0 compliant IDP to access S3 resources through Ceph Object Gateway. For more information, see link:{developer-guide}#secure-token-service_dev[Secure Token Service] in the link:{developer-guide}[Developer Guide].
Clone Of:
Clones: 1812537
Environment:
Last Closed: 2020-05-19 17:30:39 UTC
Embargoed:
Flags: uboppana: needinfo+




Links
System: Red Hat Product Errata, ID: RHSA-2020:2231, Private: 0, Priority: None, Status: None, Summary: None, Last Updated: 2020-05-19 17:30:58 UTC

Description Neil Levine 2015-10-21 21:04:32 UTC
AWS provides the Secure Token Service to allow secure federation with existing identity services like Active Directory. STS is a standalone REST service which provides temporary tokens for an application or user to access an S3 endpoint after the user authenticates against an IDP.

We will deliver a standalone service that provides the STS service for use with RGW.

In addition, to the extent that RGW also provides IAM-like functions, there are changes needed to the RGW service itself to interact with an IDP.
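
The exchange described in the Doc Text field and in the description above, as an added worked example that is not part of this bug report, of the Ceph code base, or of any commenter's words: a web client exchanges an IdP-issued OIDC token for temporary S3 credentials through AssumeRoleWithWebIdentity, and the gateway side decides whether the token's issuer and audience satisfy the role's trust policy before minting them. Everything is constructed so it runs offline. The JWT is unsigned (a real RGW verifies the IdP's signature); the trust-policy shape follows the Ceph STS documentation, but the "issuer must be a Federated principal and `<issuer>:app_id` must equal `aud`" check is a simplified model of the gateway's evaluation, not its actual code; the response XML is a hand-written sample in the AWS STS schema; the realm, role and client names, the `DEMO_NOW` clock, and the 900 to 43200 second `DurationSeconds` bounds (AWS's documented limits; the role's own maximum session duration also applies on RGW) are all assumptions.

```python
import base64
import json
import urllib.parse
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

STS_NS = "{https://sts.amazonaws.com/doc/2011-06-15/}"  # namespace of STS responses

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_demo_jwt(claims: dict) -> str:
    """Constructed, UNSIGNED stand-in for the token an OIDC IdP (e.g. Keycloak) issues.
    A real gateway verifies the signature against the IdP's published keys."""
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}.{b64url(b'demo-signature')}"

def jwt_claims(token: str) -> dict:
    """Decode the payload segment only; signature verification is out of scope here."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def build_assume_role_request(role_arn: str, session_name: str, web_identity_token: str,
                              duration_seconds: int = 3600) -> str:
    """Form body POSTed to the gateway's STS endpoint. Unlike S3 calls this request is not
    SigV4-signed: the web identity token is the credential being exchanged."""
    if not 900 <= duration_seconds <= 43200:  # AWS-documented bounds (assumed for RGW)
        raise ValueError("DurationSeconds must be between 900 and 43200")
    return urllib.parse.urlencode({
        "Action": "AssumeRoleWithWebIdentity",
        "Version": "2011-06-15",
        "RoleArn": role_arn,
        "RoleSessionName": session_name,
        "WebIdentityToken": web_identity_token,
        "DurationSeconds": str(duration_seconds),
    })

def is_assume_allowed(trust_policy: dict, claims: dict) -> bool:
    """Simplified model (assumption, not RGW code) of the gateway-side decision: the token
    issuer must be a Federated oidc-provider principal of the role, and the policy's
    <issuer>:app_id condition, when present, must equal the token's audience."""
    issuer = claims["iss"].split("://", 1)[-1]  # principal ARNs carry host/path only
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRoleWithWebIdentity" not in stmt.get("Action", []):
            continue
        if f"arn:aws:iam:::oidc-provider/{issuer}" not in stmt.get("Principal", {}).get("Federated", []):
            continue
        wanted_app = stmt.get("Condition", {}).get("StringEquals", {}).get(f"{issuer}:app_id")
        if wanted_app is not None and wanted_app != claims.get("aud"):
            continue
        return True
    return False

def parse_credentials(xml_text: str) -> dict:
    """Extract the temporary credential triple and its expiry from the STS response."""
    root = ET.fromstring(xml_text)
    creds = root.find(f"{STS_NS}AssumeRoleWithWebIdentityResult/{STS_NS}Credentials")
    if creds is None:
        raise ValueError("response carries no Credentials element")
    out = {tag: creds.findtext(f"{STS_NS}{tag}")
           for tag in ("AccessKeyId", "SecretAccessKey", "SessionToken", "Expiration")}
    if any(v is None for v in out.values()):
        raise ValueError("incomplete Credentials element")
    out["Expiration"] = datetime.fromisoformat(out["Expiration"].replace("Z", "+00:00"))
    return out

def credentials_usable(creds: dict, now: datetime, skew_seconds: int = 60) -> bool:
    """Retire credentials a little before Expiration. All three values travel together:
    the SessionToken goes in x-amz-security-token on every S3 request signed with them."""
    return (creds["Expiration"] - now).total_seconds() > skew_seconds

# Constructed sample data: shapes follow the Ceph STS docs and AWS schema, values are made up.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": ["arn:aws:iam:::oidc-provider/localhost:8080/auth/realms/quickstart"]},
        "Action": ["sts:AssumeRoleWithWebIdentity"],
        "Condition": {"StringEquals": {"localhost:8080/auth/realms/quickstart:app_id": "customer-portal"}},
    }],
}
GOOD_CLAIMS = {"iss": "http://localhost:8080/auth/realms/quickstart", "aud": "customer-portal", "sub": "alice"}
WRONG_APP_CLAIMS = {**GOOD_CLAIMS, "aud": "some-other-client"}
SAMPLE_RESPONSE = """<AssumeRoleWithWebIdentityResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
<AssumeRoleWithWebIdentityResult><Credentials>
<AccessKeyId>ASIAEXAMPLE0000000000</AccessKeyId><SecretAccessKey>EXAMPLEsecret</SecretAccessKey>
<SessionToken>EXAMPLEsession</SessionToken><Expiration>2020-05-19T18:30:39Z</Expiration>
</Credentials><SubjectFromWebIdentityToken>alice</SubjectFromWebIdentityToken>
</AssumeRoleWithWebIdentityResult></AssumeRoleWithWebIdentityResponse>"""
DEMO_NOW = datetime(2020, 5, 19, 17, 35, tzinfo=timezone.utc)  # fixed clock for the demo

if __name__ == "__main__":
    token = make_demo_jwt(GOOD_CLAIMS)
    print(build_assume_role_request("arn:aws:iam:::role/S3Access", "alice-web", token)[:72], "...")
    print("gateway allows good token:", is_assume_allowed(TRUST_POLICY, jwt_claims(token)))
    creds = parse_credentials(SAMPLE_RESPONSE)
    print("credentials usable at", DEMO_NOW.isoformat(), "->", credentials_usable(creds, DEMO_NOW))
```

The two checks worth taking away are the ones the gateway and the client each own: the gateway refuses a perfectly valid token from the wrong issuer or minted for a different client (`aud`), so an IdP realm or OAuth client that is not named in the trust policy cannot assume the role; the client must treat the triple as a unit with a deadline, sending the session token alongside the temporary keys and refreshing through the IdP before `Expiration` rather than on a failed request.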

Comment 4 Ken Dreyer (Red Hat) 2016-03-15 01:24:49 UTC
STS is not in master. From Marcus' comment in bug 1261912, STS support may land in Kraken, with the possibility of a backport to Jewel. Re-targeting to RHCS 2.1.

Comment 15 Pritha Srivastava 2019-05-29 16:02:42 UTC
Hi Matt,

Commits related to IAM API support are not present in Nautilus 14.2.1, they are there in master though.

Thanks,
Pritha

Comment 16 Giridhar Ramaraju 2019-08-05 13:06:11 UTC
Updating the QA Contact to Hemant. Hemant will be rerouting them to the appropriate QE Associate.

Regards,
Giri

Comment 35 errata-xmlrpc 2020-05-19 17:30:39 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:2231

