RGW/STS: honor configured limits when updating max session duration #53842
Conversation
|
@BBoozmen : Please refer to my comment in the tracker. |
src/rgw/rgw_admin.cc
Outdated
| @@ -6910,7 +6910,7 @@ int main(int argc, const char **argv) | |||
| if (ret < 0) { | |||
| return -ret; | |||
| } | |||
| if (!role->validate_max_session_duration(dpp())) { | |||
| if (!role->validate_max_session_duration(dpp(), std::stoull(max_session_duration))) { | |||
There was a problem hiding this comment.
The correct way to validate the value of max session duration here is to reverse the order of calls, like the following:
role->update_max_session_duration(max_session_duration);
if (!role->validate_max_session_duration(dpp())) {
ret = -EINVAL;
return ret;
}
There was a problem hiding this comment.
Thank you @pritha-srivastava for the clarification. We had the wrong impression that the knob can be used to increase higher session-durations than 43200.
I've added the new evidence. It now addresses 2 things:
- don't allow "role update" to go over the limit.
- let "role create" honor the max-session-duration option.
Also, revised the long_desc of the knob to provide some more clarification.
Please have a look.
BBoozmen
force-pushed
the
oozmen_sts_max_duration
branch
from
d4758b4
to
c60c1d6
Compare
BBoozmen
force-pushed
the
oozmen_sts_max_duration
branch
from
c60c1d6
to
48b72a1
Compare
src/rgw/rgw_admin.cc
Outdated
| @@ -6701,6 +6701,7 @@ int main(int argc, const char **argv) | |||
| return -EINVAL; | |||
| } | |||
| std::unique_ptr<rgw::sal::RGWRole> role = driver->get_role(role_name, tenant, path, assume_role_doc); | |||
| role->update_max_session_duration(max_session_duration); | |||
There was a problem hiding this comment.
This will work, but please pass the max_session_duration param in the get_role() call above, something like the following:
std::unique_ptr<rgw::sal::RGWRole> role = driver->get_role(role_name, tenant, path, assume_role_doc, max_session_duration, {});
update_max_session_duration() was meant to update the existing max_session_duration.
There was a problem hiding this comment.
That's a good point @pritha-srivastava. Added a new evidence.
src/common/options/rgw.yaml.in
Outdated
| @@ -3295,8 +3295,13 @@ options: | |||
| type: uint | |||
| level: advanced | |||
| desc: Session token max duration | |||
| long_desc: Max duration in seconds for which the session token is valid. | |||
| long_desc: Max duration in seconds for which the session token is valid. This | |||
There was a problem hiding this comment.
This option can be used to configure the upper limit of the durationSeconds of temporary credentials returned by 'GetSessionToken'.
There was a problem hiding this comment.
Can you please correct the description for rgw_sts_min_session_duration also - This option can be used to configure the lower limit of durationSeconds of temporary credentials returned by 'AssumeRole*' calls.
BBoozmen
force-pushed
the
oozmen_sts_max_duration
branch
from
48b72a1
to
2a3f6b4
Compare
There was a problem hiding this comment.
looks good to me, thanks @BBoozmen , just add the tracker issue fixed to the commit messages.
BBoozmen
force-pushed
the
oozmen_sts_max_duration
branch
from
2a3f6b4
to
62b08de
Compare
…ing it If we validate before updating the role's max-session-duration, the validator function wrongly uses the on-disk (existing/old) value for validation. Note that the "role" object being updated is in-memory and only after validation passes, it's persisted on-disk. So, calling role object's update_max_session_duration API function is OK before the role->validate_max_session_duration call. validate_max_session_duration is used by both "role creation" and "role update". The latter wrongly uses existing role's max_session_duration value for validation instead of the new/target duration: $ radosgw-admin ... role create --role-name=myrole ... $ radosgw-admin ... role get --role-name=myrole | jq '.MaxSessionDuration' 3600 where 3600 seconds is the default value. $ radosgw-admin ... role update --role-name=myrole --max_session_duration=100000 Max session duration updated successfully for role: myrole Although above update call should have failed since 100K is higher than 43200 (the default max), it succeeded. $ radosgw-admin ... role get --role-name=myrole | jq '.MaxSessionDuration' 100000 Fixes: https://tracker.ceph.com/issues/63109 Signed-off-by: Oguzhan Ozmen <oozmen@bloomberg.net>
Currently, this option is not honored and the default (3600s) is used regardless of whether this option is provided when creating a role: $ radosgw-admin role create --role-name=myrole --max-session-duration=43200 ... $ radosgw-admin role get --role-name=myrole | jq '.MaxSessionDuration' 3600 With this commit, the value given by the --max-session-duration is considered when creating the role. This would reduce the need for updating the role's max-session-duration using a separate "role update" radosgw-admin command call after the role is created: $ radosgw-admin role create --role-name=myrole --max-session-duration=43200 ... $ radosgw-admin role get --role-name=myrole | jq '.MaxSessionDuration' 43200 Signed-off-by: Oguzhan Ozmen <oozmen@bloomberg.net>
…on_duration Fixes: https://tracker.ceph.com/issues/63109 Signed-off-by: Oguzhan Ozmen <oozmen@bloomberg.net>
BBoozmen
force-pushed
the
oozmen_sts_max_duration
branch
from
62b08de
to
e5abfff
Compare
|
passed qa after rerun in https://pulpito.ceph.com/cbodley-2023-11-03_18:34:54-rgw-wip-cbodley-testing-distro-default-smithi/ |
Fixes https://tracker.ceph.com/issues/63109
BEFORE
Creating a role uses the default 3600 sec as the session duration.
$ ./bin/radosgw-admin -c ./ceph.conf role create --role-name=myrole --assume-role-policy-doc="{\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":[\"arn:aws:iam:::user/myuser\"]},\"Action\":[\"sts:AssumeRole\"]}]}" { "RoleId": "454b3f8d-3230-457f-9cc2-bb8811382a9c", "RoleName": "myrole", "Path": "/", "Arn": "arn:aws:iam:::role/myrole", "CreateDate": "2023-10-04T02:23:57.110Z", "MaxSessionDuration": 3600, "AssumeRolePolicyDocument": "{\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":[\"arn:aws:iam:::user/myuser\"]},\"Action\":[\"sts:AssumeRole\"]}]}" }User can set a higher than allowed limit
Although hard-coded (and configured) limit is set to 43200, a user can set the limit higher than that:
Subsequent updates over that limit fails, though but user already breached the limit. The problem is role-creation and role-update uses the same validation codepath and role-update wrongly uses current session duration value (3600 in this case) rather than the new value (100K) for validation.
Role creation doesn't honor --max_session_duration option
"role creation" doesn't honor the option --max_session_duration when it's valid:
$ ./bin/radosgw-admin -c ./ceph.conf role create --role-name=myrole --max-session-duration=43200 --path=/ --assume-role-policy-doc="{\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":[\"arn:aws:iam:::user/myuser1\"]},\"Action\":[\"sts:AssumeRole\"]}]}" { "RoleId": "015ef813-5c6b-47c4-98c7-5926bef7e356", "RoleName": "myrole", "Path": "/", "Arn": "arn:aws:iam:::role/myrole", "CreateDate": "2023-10-07T01:39:41.379Z", "MaxSessionDuration": 3600, "AssumeRolePolicyDocument": "{\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":[\"arn:aws:iam:::user/myuser1\"]},\"Action\":[\"sts:AssumeRole\"]}]}" }Although "43200" is given, role still uses the default "3600".
AFTER
With the fix:
$ ./bin/radosgw-admin -c ./ceph.conf role create --role-name=myrole --assume-role-policy-doc="{\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":[\"arn:aws:iam:::user/myuser\"]},\"Action\":[\"sts:AssumeRole\"]}]}" { "RoleId": "bc660f5b-1d39-4c90-ace2-e576536f1a3d", "RoleName": "myrole", "Path": "/", "Arn": "arn:aws:iam:::role/myrole", "CreateDate": "2023-10-04T03:25:31.797Z", "MaxSessionDuration": 3600, "AssumeRolePolicyDocument": "{\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":[\"arn:aws:iam:::user/myuser\"]},\"Action\":[\"sts:AssumeRole\"]}]}" }We now don't allow going over the limit.
Moreover, we can also now honor the max_session_duration option when creating the role:
]$ ./bin/radosgw-admin -c ./ceph.conf role create --role-name=myrole --max-session-duration=100000 --path=/ --assume-role-policy-doc="{\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":[\"arn:aws:iam:::user/myuser1\"]},\"Action\":[\"sts:AssumeRole\"]}]}" 2023-10-06T21:38:44.012-0400 7f1a77cb7780 0 ERROR: Invalid session duration, should be between 3600 and 43200 seconds $ ./bin/radosgw-admin -c ./ceph.conf role create --role-name=myrole --max-session-duration=43200 --path=/ --assume-role-policy-doc="{\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":[\"arn:aws:iam:::user/myuser1\"]},\"Action\":[\"sts:AssumeRole\"]}]}" { "RoleId": "015ef813-5c6b-47c4-98c7-5926bef7e356", "RoleName": "myrole", "Path": "/", "Arn": "arn:aws:iam:::role/myrole", "CreateDate": "2023-10-07T01:39:41.379Z", "MaxSessionDuration": 43200, "AssumeRolePolicyDocument": "{\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":[\"arn:aws:iam:::user/myuser1\"]},\"Action\":[\"sts:AssumeRole\"]}]}"Contribution Guidelines
To sign and title your commits, please refer to Submitting Patches to Ceph.
If you are submitting a fix for a stable branch (e.g. "pacific"), please refer to Submitting Patches to Ceph - Backports for the proper workflow.
Checklist
Show available Jenkins commands
jenkins retest this pleasejenkins test classic perfjenkins test crimson perfjenkins test signedjenkins test make checkjenkins test make check arm64jenkins test submodulesjenkins test dashboardjenkins test dashboard cephadmjenkins test apijenkins test docsjenkins render docsjenkins test ceph-volume alljenkins test ceph-volume toxjenkins test windows