Description of problem:

- We need to mention that the STS key (rgw_sts_key) should be at least 16 characters;
  https://access.redhat.com/documentation/en-us/red_hat_ceph_storage/4/html/developer_guide/ceph-object-gateway-and-the-s3-api#secure-token-service_dev

- In the "AssumeRole" example, the correct policy_document statement should be as below. The current one in the example gives a syntax error.

      policy_document = "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":[\"arn:aws:iam:::user/TESTER1\"]},\"Action\":[\"sts:AssumeRole\"]}}"

- Creating the role and role policy outside of the script and reading them, instead of creating them inside the script, would be a better example; otherwise the script gives an error after the 2nd run because the role and role policy were already defined.
  https://access.redhat.com/documentation/en-us/red_hat_ceph_storage/4/html-single/developer_guide/index#examples-using-the-secure-token-service-apis_dev

- Instead of just giving user names such as "TESTER" and "TESTER1", it might also be better to give user names which define the purpose of these users (maybe a suffix can be added to the end of the TESTER user name).
  https://access.redhat.com/documentation/en-us/red_hat_ceph_storage/4/html-single/developer_guide/index#examples-using-the-secure-token-service-apis_dev

- An example script of sending a policy from the client, and some examples which explain how the role policy and the policy sent by the client interact to provide the final permissions, would be very helpful for system administrators who are not experts in S3 policies.

Example script excerpt where the client sends a policy:

    policyfromclient="{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":\"s3:*\",\"Resource\":\"arn:aws:s3:::*\"}}"
    response = sts_client.assume_role_with_web_identity(
        RoleArn='arn:aws:iam:::role/identityrole',
        RoleSessionName='Bob',
        DurationSeconds=3600,
        Policy=policyfromclient,
        WebIdentityToken="eyJhbGciOiJSUzI1NiIsInR...7dfQmg_S0iF588MBlg"
    )

- We need to add the "How to obtain thumbprint of an OpenID Connect Provider IDP" and https://docs.ceph.com/docs/master/radosgw/oidc/ sections to the downstream documents.

- We need to mention adding the proper caps to the related user in the downstream documents, e.g.:

      radosgw-admin caps add --uid="TESTER1" --caps="roles=*"

- For AssumeRoleWithWebIdentity, we need to mention that the CA certificate of the IDP should be trusted by the RGWs, or "rgw verify ssl" needs to be set to "false".

- In the condition statement while creating the role, we should mention that the string should match the "aud" attribute in the JWT token.

- We can note that x5c is a mandatory field in the GET request for validation.

Version-Release number of selected component (if applicable): 4.1
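The following is an added illustration, not code from the Ceph documentation or from this report, of the two points raised above: building the trust policy with json.dumps instead of a hand-escaped string (which is where the quoting mistakes that cause syntax errors come from), and how the role's permission policy and the session policy sent by the client combine. It assumes the AWS-style evaluation rule, which the STS session-policy parameter follows: the client's policy can only narrow what the role already grants, so a request is permitted only when both documents allow it and neither denies it. The matching is a simplified model (Action/Resource wildcards only, no Condition keys or NotAction), and the bucket names and policies are constructed sample data.

```python
import fnmatch
import json


def trust_policy_for_user(user_arn):
    """Build the AssumeRole trust policy as a compact JSON string.

    Serialising a dict with json.dumps avoids the hand-escaped \" sequences
    that make the documented policy_document literal easy to get wrong.
    """
    document = {
        "Version": "2012-10-17",
        "Statement": {
            "Effect": "Allow",
            "Principal": {"AWS": [user_arn]},
            "Action": ["sts:AssumeRole"],
        },
    }
    return json.dumps(document, separators=(",", ":"))


def _as_list(value):
    # IAM allows a single string or a list in Action/Resource/Statement.
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, fold_case=False):
    # Simplified IAM wildcard matching: '*' matches any run of characters.
    # Actions compare case-insensitively, resource ARNs case-sensitively.
    if fold_case:
        return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def policy_decision(policy, action, resource):
    """Evaluate one policy document: 'Allow', 'Deny' or 'ImplicitDeny'."""
    decision = "ImplicitDeny"
    for stmt in _as_list(policy["Statement"]):
        if not _matches(stmt.get("Action", []), action, fold_case=True):
            continue
        if not _matches(stmt.get("Resource", []), resource):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny always wins
        decision = "Allow"
    return decision


def effective_decision(role_policy, session_policy, action, resource):
    """Combine the role's permission policy with the client-supplied session policy.

    The session policy never widens the role's permissions: the request is
    allowed only if both documents allow it and neither denies it.
    """
    decisions = (policy_decision(role_policy, action, resource),
                 policy_decision(session_policy, action, resource))
    if "Deny" in decisions:
        return "Deny"
    if decisions == ("Allow", "Allow"):
        return "Allow"
    return "ImplicitDeny"


# Constructed sample documents: the policy attached to the role grants
# read-only access to one bucket; the client may pass either session policy.
ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::reports", "arn:aws:s3:::reports/*"],
    }],
}
# Same shape as the policyfromclient excerpt above: broad, so it narrows nothing.
BROAD_SESSION_POLICY = {
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::*"},
}
# A narrower session policy: only objects under the public/ prefix.
NARROW_SESSION_POLICY = {
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": "s3:GetObject",
                  "Resource": "arn:aws:s3:::reports/public/*"},
}

if __name__ == "__main__":
    print(trust_policy_for_user("arn:aws:iam:::user/TESTER1"))
    for session in (BROAD_SESSION_POLICY, NARROW_SESSION_POLICY):
        for action, res in (("s3:GetObject", "arn:aws:s3:::reports/q1.csv"),
                            ("s3:GetObject", "arn:aws:s3:::reports/public/a.csv"),
                            ("s3:PutObject", "arn:aws:s3:::reports/q1.csv")):
            print(action, res, "->", effective_decision(ROLE_POLICY, session, action, res))
```

Running it shows that the broad session policy leaves the role's read-only grant unchanged (PutObject stays implicitly denied because the role never allowed it), while the narrow session policy cuts GetObject down to the public/ prefix even though the role allows the whole bucket.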