Bug #63109
closed[rgw][sts] the ceph config item to set the max session duration is not honored
0%
Description
There’s 2 issues wrt how the config item rgw_sts_max_session_duration is updated and used.
1. Since hard-coded limits SESSION_DURATION_MIN/MAX (https://github.com/ceph/ceph/blob/db8fb4d0474c8381cce027f7e54bc6275133e02b/src/rgw/rgw_role.h#L84) are used, even when the user updates the ceph conf item rgw_sts_max_session_duration (https://github.com/ceph/ceph/blob/db8fb4d0474c8381cce027f7e54bc6275133e02b/src/common/options/rgw.yaml.in#L3294), user cannot set a max limit higher than 43200s (the hardcoded max). That's, the config item rgw_sts_max_session_duration is honored.
2. A user can update a role’s max session duration limit larger than the allowed limit
$ ./bin/radosgw-admin -c ./ceph.conf role create --role-name=myrole --assume-role-policy-doc="{\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":[\"arn:aws:iam:::user/myuser\"]},\"Action\":[\"sts:AssumeRole\"]}]}"
{
"RoleId": "454b3f8d-3230-457f-9cc2-bb8811382a9c",
"RoleName": "myrole",
"Path": "/",
"Arn": "arn:aws:iam:::role/myrole",
"CreateDate": "2023-10-04T02:23:57.110Z",
"MaxSessionDuration": 3600,
"AssumeRolePolicyDocument": "{\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":[\"arn:aws:iam:::user/myuser\"]},\"Action\":[\"sts:AssumeRole\"]}]}"
}
!
! In this test both hard-coded and rgw conf max session duration limit is 43200 seconds.
! However, a client can set the role’s max duration higher than that.
!
$ ./bin/radosgw-admin -c ./ceph.conf role update --role-name=myrole --max_session_duration=100000
Max session duration updated successfully for role: myrole
$ radosgw-admin ... role get --role-name=myrole | jq '.MaxSessionDuration'
100000
!
! The subsequent update attempts fail. The first update request should have failed with the same error, too.
!
$ ./bin/radosgw-admin -c ./ceph.conf role update --role-name=myrole --max_session_duration=99000
2023-10-03T22:27:23.462-0400 7fb27678c780 0 ERROR: Invalid session duration, should be between 900 and 43200 seconds
Updated by Oguzhan Ozmen 7 months ago
Added https://github.com/ceph/ceph/pull/53842 to fix.
Updated by Pritha Srivastava 7 months ago
I agree that there is a bug in the radosgw-admin command to update max-session-duration with the passed in value. The value of 100000 must not be allowed.
But the usage of rgw_sts_min_session_duration and rgw_sts_max_session_duration, is incorrect in the PR. These values were not intended to make the limits of max session duration of a role configurable.
rgw_sts_max_session_duration was introduced to make the upper limit of durationSeconds of session token returned by 'GetSessionToken' configurable. rgw_sts_min_session_duration was introduced to make the lower limit of durationSeconds (time for which the credentials are valid) in AssumeRole* APIs configurable, which allows the user to set a value of durationSeconds of a role lower than 15 minutes (15 mins is the limit set in AWS documents). The max-session-duration parameter of a role only controls the upper limit of the durationSeconds parameter of AssumeRole* APIs, which ranges from 1-12 hours according to AWS docs.
durationSeconds parameter of AssumeRole* APIs according to rgw code can range from rgw_sts_min_session_duration to max-session-duration (which ranges from 1 hr to 12 hrs). rgw_sts_max_session_duration was NOT introduced to make the upper limit of durationSeconds in AssumeRole* calls configurable.
Even if we want to make the durationSeconds' upper limit configurable by allowing max session duration to be configurable, we must not be using rgw_sts_max_session_duration as the limits for GetSessionToken are different from that of AssumeRole* APIs. We need a different tracker, and PR to make durationSeconds upper limit configurable. This PR should only fix the bug that has been pointed out in the tracker, i.e. max-session-duration of a role was set to a value higher than 43200.
And the description of these in rgw.yaml.in should be made clearer.
Updated by Oguzhan Ozmen 7 months ago
Thank you for the clarification on the use of the knob rgw_sts_max_session_duration. I've updated the PR accordingly.
We need a different tracker, and PR to make durationSeconds upper limit configurable.
will do.
Updated by Casey Bodley 6 months ago
- Status changed from New to Fix Under Review
- Tags changed from rgw to sts
Updated by Casey Bodley 6 months ago
- Status changed from Fix Under Review to Resolved
if this needs backports, please add backport tags and move status to pending backport
Updated by Oguzhan Ozmen 5 months ago
Thank you! I believe backport is not needed.