Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
This project is now read‑only. Starting Monday, February 2, please use https://ibm-ceph.atlassian.net/ for all bug tracking management.

Bug 1855944

Summary: [Ceph][Doc] STS documentation enhancements
Product: [Red Hat Storage] Red Hat Ceph Storage Reporter: Mustafa Aydın <maydin>
Component: DocumentationAssignee: Aron Gunn <agunn>
Status: CLOSED CURRENTRELEASE QA Contact: Vidushi Mishra <vimishra>
Severity: medium Docs Contact: Amrita <asakthiv>
Priority: unspecified    
Version: 4.1CC: agunn, asakthiv, kdreyer, mbenjamin, prsrivas, tbulut, vfarias
Target Milestone: z2   
Target Release: 4.1   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-10-15 17:14:48 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1859104    

Description Mustafa Aydın 2020-07-11 07:08:55 UTC 
Description of problem:

- We need to mention that the sts key (rgw_sts_key) should be at least 16 characters;
https://access.redhat.com/documentation/en-us/red_hat_ceph_storage/4/html/developer_guide/ceph-object-gateway-and-the-s3-api#secure-token-service_dev

- At the "AssumeRole" example , the correct policy_document statement should be as below. The current one at the example gives syntax error. 

policy_document = "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":[\"arn:aws:iam:::user/TESTER1\"]},\"Action\":[\"sts:AssumeRole\"]}}"

- creating role and role policy outside of script and reading them instead of creating inside of script would be a better example, otherwise script gives an error after 2nd run because role and rolepolicy was already defined.

https://access.redhat.com/documentation/en-us/red_hat_ceph_storage/4/html-single/developer_guide/index#examples-using-the-secure-token-service-apis_dev

- instead of just giving the usernames such as  "TESTER" and "TESTER1", it might be also better to give the user names which defines the purpose of these users (maybe a suffix can be added to the end of TESTER username).

https://access.redhat.com/documentation/en-us/red_hat_ceph_storage/4/html-single/developer_guide/index#examples-using-the-secure-token-service-apis_dev
 
- An example script of sending a policy from the client and some examples which explains how role policy and policy sent by the client interacts to provide the final permissions would be very helpful for system administrators who are not expert on S3 policies.  Example script excerpt where the client sends policy:

policyfromclient="{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":\"s3:*\",\"Resource\":\"arn:aws:s3:::*\"}}"

response = sts_client.assume_role_with_web_identity(
RoleArn='arn:aws:iam:::role/identityrole',
RoleSessionName='Bob',
DurationSeconds=3600,
Policy=policyfromclient,
WebIdentityToken="eyJhbGciOiJSUzI1NiIsInR...7dfQmg_S0iF588MBlg"

)


- We need to add "How to obtain thumbprint of an OpenID Connect Provider IDP" and https://docs.ceph.com/docs/master/radosgw/oidc/ sections to the downstream documents.

- We need to mention to add proper CAPS to the related user at the downstream documents, ex:
radosgw-admin caps add --uid="TESTER1" --caps="roles=*"


- For AssumeRolewithWebIdentity, we need to mention that CA certificate of IDP should be trusted by the RGWs or "rgw verify ssl" needs to set to "false"

- At the condition statement while creating the role we should mention that the string should match with the "aud" attribute at the JWT token

- We can note that the x5c is the  mandatory field in the GET request for validation

Version-Release number of selected component (if applicable):
4.1