Currently, the vault server authenticates RGW via a token which is saved in a file. In the Kubernetes or OCS world, a service account can be used for authentication between the two. For that, the following needs to be done:

At the vault side: create a role and attach the role to the service account and a policy.

At the RGW side: there will be a JWT token present in /var/run/secrets/kubernetes.io/serviceaccount/token; using the specified role, send a request to the vault server as follows:

    # KUBE_TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
    # VAULT_SA_LOGIN=http://vault.default:8200/v1/auth/kubernetes/login
    # curl --request POST --data '{"jwt": "'"$KUBE_TOKEN"'", "role": "rook-ceph-rgw"}' $VAULT_SA_LOGIN | jq
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
    100  1652  100   687  100   965  38166  53611 --:--:-- --:--:-- --:--:-- 91777
    {
      "request_id": "d3b3a7ba-6f9f-ed1e-2f7f-a5e3a3c0e119",
      "lease_id": "",
      "renewable": false,
      "lease_duration": 0,
      "data": null,
      "wrap_info": null,
      "warnings": null,
      "auth": {
        "client_token": "s.J31TfjkCEYske7VXOzZ0hOjZ",
        "accessor": "UKBLKjFpjv9lctzohTDizyQf",
        "policies": [
          "default",
          "rgw-kv-policy"
        ],
        "token_policies": [
          "default",
          "rgw-kv-policy"
        ],
        "metadata": {
          "role": "rook-ceph-rgw",
          "service_account_name": "rook-ceph-rgw",
          "service_account_namespace": "rook-ceph",
          "service_account_secret_name": "rook-ceph-rgw-token-g2q44",
          "service_account_uid": "01393961-3ceb-4df3-a384-8b78aba7b8f6"
        },
        "lease_duration": 86400,
        "renewable": true,
        "entity_id": "3fc23dc9-f850-9f41-0ae2-fbb0322979de",
        "token_type": "service",
        "orphan": true
      }
    }

Fetch "auth.client_token" from it and follow the existing code flows in rgw_kms.cc.
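The login flow above (read the projected service-account JWT, POST it with the role to /v1/auth/kubernetes/login, take auth.client_token from the reply), written out as an added example; this is not code from Ceph, Rook or this report. The URL path and the JSON field names are Vault's real Kubernetes auth API; the vault address, the role name and the embedded sample reply are constructed here. Unlike the shell one-liner, it also handles the failure case where Vault answers with an "errors" array instead of an "auth" block, so a caller never continues with an empty token.

```python
"""Vault Kubernetes-auth login, as an RGW-style client would do it."""
import json
import urllib.error
import urllib.request

# Path of the JWT that Kubernetes projects into every pod (from the report).
SA_TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token"

# Constructed sample reply, trimmed to the fields this code reads; the token
# value is a placeholder, not a real Vault token.
SAMPLE_LOGIN_RESPONSE = """{
  "request_id": "00000000-0000-0000-0000-000000000000",
  "auth": {
    "client_token": "s.EXAMPLE-CLIENT-TOKEN",
    "policies": ["default", "rgw-kv-policy"],
    "metadata": {"role": "rook-ceph-rgw", "service_account_namespace": "rook-ceph"},
    "lease_duration": 86400,
    "renewable": true,
    "token_type": "service"
  }
}"""


def read_sa_token(path=SA_TOKEN_PATH):
    """Return the service-account JWT, refusing an empty file."""
    with open(path, "r", encoding="utf-8") as fh:
        token = fh.read().strip()
    if not token:
        raise ValueError("service account token file %s is empty" % path)
    return token


def build_login_payload(jwt, role):
    """JSON body for the login call. json.dumps does the quoting that the
    shell one-liner in the report builds by hand."""
    return json.dumps({"jwt": jwt, "role": role}).encode("utf-8")


def parse_login_response(body):
    """Return (client_token, lease_duration, renewable) from a login reply.

    Raises RuntimeError when Vault reports errors (bad role, rejected JWT)
    or when the auth block is missing, instead of yielding an empty token.
    """
    if isinstance(body, (bytes, bytearray)):
        body = body.decode("utf-8")
    doc = json.loads(body)
    if doc.get("errors"):
        raise RuntimeError("vault login failed: " + "; ".join(doc["errors"]))
    auth = doc.get("auth") or {}
    token = auth.get("client_token")
    if not token:
        raise RuntimeError("vault login reply carries no auth.client_token")
    return token, int(auth.get("lease_duration", 0)), bool(auth.get("renewable"))


def vault_kubernetes_login(vault_addr, role, jwt, mount="kubernetes", timeout=10):
    """POST the JWT and role to Vault and return the parsed auth result.

    vault_addr is assumed, e.g. "http://vault.default:8200" as in the report;
    "mount" is the auth-method mount path, which defaults to "kubernetes".
    """
    url = "%s/v1/auth/%s/login" % (vault_addr.rstrip("/"), mount)
    req = urllib.request.Request(
        url,
        data=build_login_payload(jwt, role),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return parse_login_response(resp.read())
    except urllib.error.HTTPError as err:
        # Vault answers 400/403 with a JSON {"errors": [...]} body; surface it.
        return parse_login_response(err.read())


if __name__ == "__main__":
    # Offline demonstration on the constructed reply; a real run would call
    # vault_kubernetes_login("http://vault.default:8200", "rook-ceph-rgw", read_sa_token())
    client_token, lease, renewable = parse_login_response(SAMPLE_LOGIN_RESPONSE)
    print("got a token valid for %d s (renewable=%s)" % (lease, renewable))
```

The returned lease_duration is worth keeping alongside the token: the sample reply grants 86400 seconds and marks the token renewable, so a long-running RGW process must renew or re-login before that expires rather than caching the token indefinitely as it does with a token read from a file.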