New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
RGW/STS: honor configured limits when updating max session duration #53842
Conversation
@BBoozmen : Please refer to my comment in the tracker. |
src/rgw/rgw_admin.cc
Outdated
@@ -6910,7 +6910,7 @@ int main(int argc, const char **argv) | |||
if (ret < 0) { | |||
return -ret; | |||
} | |||
if (!role->validate_max_session_duration(dpp())) { | |||
if (!role->validate_max_session_duration(dpp(), std::stoull(max_session_duration))) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The correct way to validate the value of max session duration here is to reverse the order of calls, like the following:
role->update_max_session_duration(max_session_duration);
if (!role->validate_max_session_duration(dpp())) {
ret = -EINVAL;
return ret;
}
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you @pritha-srivastava for the clarification. We had the wrong impression that the knob can be used to increase higher session-durations than 43200.
I've added the new evidence. It now addresses 2 things:
- don't allow "role update" to go over the limit.
- let "role create" honor the max-session-duration option.
Also, revised the long_desc
of the knob to provide some more clarification.
Please have a look.
d4758b4
to
c60c1d6
Compare
c60c1d6
to
48b72a1
Compare
src/rgw/rgw_admin.cc
Outdated
@@ -6701,6 +6701,7 @@ int main(int argc, const char **argv) | |||
return -EINVAL; | |||
} | |||
std::unique_ptr<rgw::sal::RGWRole> role = driver->get_role(role_name, tenant, path, assume_role_doc); | |||
role->update_max_session_duration(max_session_duration); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This will work, but please pass the max_session_duration param in the get_role() call above, something like the following:
std::unique_ptr<rgw::sal::RGWRole> role = driver->get_role(role_name, tenant, path, assume_role_doc, max_session_duration, {});
update_max_session_duration()
was meant to update the existing max_session_duration.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That's a good point @pritha-srivastava. Added a new evidence.
src/common/options/rgw.yaml.in
Outdated
@@ -3295,8 +3295,13 @@ options: | |||
type: uint | |||
level: advanced | |||
desc: Session token max duration | |||
long_desc: Max duration in seconds for which the session token is valid. | |||
long_desc: Max duration in seconds for which the session token is valid. This |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This option can be used to configure the upper limit of the durationSeconds of temporary credentials returned by 'GetSessionToken'.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you please correct the description for rgw_sts_min_session_duration
also - This option can be used to configure the lower limit of durationSeconds of temporary credentials returned by 'AssumeRole*' calls.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done.
48b72a1
to
2a3f6b4
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
looks good to me, thanks @BBoozmen , just add the tracker issue fixed to the commit messages.
2a3f6b4
to
62b08de
Compare
…ing it If we validate before updating the role's max-session-duration, the validator function wrongly uses the on-disk (existing/old) value for validation. Note that the "role" object being updated is in-memory and only after validation passes, it's persisted on-disk. So, calling role object's update_max_session_duration API function is OK before the role->validate_max_session_duration call. validate_max_session_duration is used by both "role creation" and "role update". The latter wrongly uses existing role's max_session_duration value for validation instead of the new/target duration: $ radosgw-admin ... role create --role-name=myrole ... $ radosgw-admin ... role get --role-name=myrole | jq '.MaxSessionDuration' 3600 where 3600 seconds is the default value. $ radosgw-admin ... role update --role-name=myrole --max_session_duration=100000 Max session duration updated successfully for role: myrole Although above update call should have failed since 100K is higher than 43200 (the default max), it succeeded. $ radosgw-admin ... role get --role-name=myrole | jq '.MaxSessionDuration' 100000 Fixes: https://tracker.ceph.com/issues/63109 Signed-off-by: Oguzhan Ozmen <oozmen@bloomberg.net>
Currently, this option is not honored and the default (3600s) is used regardless of whether this option is provided when creating a role: $ radosgw-admin role create --role-name=myrole --max-session-duration=43200 ... $ radosgw-admin role get --role-name=myrole | jq '.MaxSessionDuration' 3600 With this commit, the value given by the --max-session-duration is considered when creating the role. This would reduce the need for updating the role's max-session-duration using a separate "role update" radosgw-admin command call after the role is created: $ radosgw-admin role create --role-name=myrole --max-session-duration=43200 ... $ radosgw-admin role get --role-name=myrole | jq '.MaxSessionDuration' 43200 Signed-off-by: Oguzhan Ozmen <oozmen@bloomberg.net>
…on_duration Fixes: https://tracker.ceph.com/issues/63109 Signed-off-by: Oguzhan Ozmen <oozmen@bloomberg.net>
62b08de
to
e5abfff
Compare
passed qa after rerun in https://pulpito.ceph.com/cbodley-2023-11-03_18:34:54-rgw-wip-cbodley-testing-distro-default-smithi/ |
Fixes https://tracker.ceph.com/issues/63109
BEFORE
Creating a role uses the default 3600 sec as the session duration.
User can set a higher than allowed limit
Although hard-coded (and configured) limit is set to 43200, a user can set the limit higher than that:
Subsequent updates over that limit fails, though but user already breached the limit. The problem is role-creation and role-update uses the same validation codepath and role-update wrongly uses current session duration value (3600 in this case) rather than the new value (100K) for validation.
Role creation doesn't honor --max_session_duration option
"role creation" doesn't honor the option --max_session_duration when it's valid:
Although "43200" is given, role still uses the default "3600".
AFTER
With the fix:
We now don't allow going over the limit.
Moreover, we can also now honor the max_session_duration option when creating the role:
Contribution Guidelines
To sign and title your commits, please refer to Submitting Patches to Ceph.
If you are submitting a fix for a stable branch (e.g. "pacific"), please refer to Submitting Patches to Ceph - Backports for the proper workflow.
Checklist
Show available Jenkins commands
jenkins retest this please
jenkins test classic perf
jenkins test crimson perf
jenkins test signed
jenkins test make check
jenkins test make check arm64
jenkins test submodules
jenkins test dashboard
jenkins test dashboard cephadm
jenkins test api
jenkins test docs
jenkins render docs
jenkins test ceph-volume all
jenkins test ceph-volume tox
jenkins test windows