Bug #63109

closed

[rgw][sts] the ceph config item to set the max session duration is not honored

Added by Oguzhan Ozmen 7 months ago. Updated 6 months ago.

Status: Resolved
Priority: Normal
Assignee: -
Target version: -
% Done: 0%
Source: Community (user)
Tags: sts
Backport:
Regression: No
Severity: 3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:
Crash signature (v1):
Crash signature (v2):

Description

There are two issues with how the config item rgw_sts_max_session_duration is updated and used.

1. Because the hard-coded limits SESSION_DURATION_MIN/MAX (https://github.com/ceph/ceph/blob/db8fb4d0474c8381cce027f7e54bc6275133e02b/src/rgw/rgw_role.h#L84) are used for validation, the user cannot set a max limit higher than 43200s (the hard-coded max) even after raising the ceph conf item rgw_sts_max_session_duration (https://github.com/ceph/ceph/blob/db8fb4d0474c8381cce027f7e54bc6275133e02b/src/common/options/rgw.yaml.in#L3294). That is, the config item rgw_sts_max_session_duration is not honored.

2. A user can update a role’s max session duration to a value larger than the allowed limit:

$ ./bin/radosgw-admin -c ./ceph.conf role create --role-name=myrole --assume-role-policy-doc="{\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":[\"arn:aws:iam:::user/myuser\"]},\"Action\":[\"sts:AssumeRole\"]}]}"
{
    "RoleId": "454b3f8d-3230-457f-9cc2-bb8811382a9c",
    "RoleName": "myrole",
    "Path": "/",
    "Arn": "arn:aws:iam:::role/myrole",
    "CreateDate": "2023-10-04T02:23:57.110Z",
    "MaxSessionDuration": 3600,
    "AssumeRolePolicyDocument": "{\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":[\"arn:aws:iam:::user/myuser\"]},\"Action\":[\"sts:AssumeRole\"]}]}"
}

!
! In this test both the hard-coded and the rgw conf max session duration limits are 43200 seconds.
! However, a client can set the role’s max duration higher than that.
!
$ ./bin/radosgw-admin -c ./ceph.conf role update --role-name=myrole --max_session_duration=100000
Max session duration updated successfully for role: myrole

$ radosgw-admin ... role get --role-name=myrole | jq '.MaxSessionDuration'
100000

!
! Subsequent update attempts fail. The first update request should have failed with the same error, too.
!
$ ./bin/radosgw-admin -c ./ceph.conf role update --role-name=myrole --max_session_duration=99000
2023-10-03T22:27:23.462-0400 7fb27678c780 0 ERROR: Invalid session duration, should be between 900 and 43200 seconds
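An added audit script (not Ceph code, not part of this report) that flags roles whose MaxSessionDuration lies outside the range the validation actually enforces, which is bounded above by the hard-coded SESSION_DURATION_MAX regardless of rgw_sts_max_session_duration. It reads the JSON shape printed by `radosgw-admin role get` / `role list`; the sample roles embedded below are constructed from the report's output.

```python
"""Audit RGW STS roles for MaxSessionDuration values outside the enforced range.

Added example for this bug report (not Ceph code). Input is the JSON that
`radosgw-admin role get` (one object) or `role list` (an array) prints.
"""
import json

# Hard-coded bounds from src/rgw/rgw_role.h (SESSION_DURATION_MIN/MAX), in seconds.
SESSION_DURATION_MIN = 900
SESSION_DURATION_MAX = 43200


def effective_max(rgw_sts_max_session_duration: int) -> int:
    """The cap actually enforced: the config item cannot raise it above the hard-coded max."""
    return min(rgw_sts_max_session_duration, SESSION_DURATION_MAX)


def is_valid_duration(seconds: int, rgw_sts_max_session_duration: int = SESSION_DURATION_MAX) -> bool:
    """Range check a role update should apply before persisting a new value."""
    return SESSION_DURATION_MIN <= seconds <= effective_max(rgw_sts_max_session_duration)


def audit_roles(roles_json: str, rgw_sts_max_session_duration: int = SESSION_DURATION_MAX) -> list[dict]:
    """Return [{'RoleName', 'MaxSessionDuration'}] for every role outside the enforced range."""
    roles = json.loads(roles_json)
    if isinstance(roles, dict):  # `role get` prints one object, `role list` prints an array
        roles = [roles]
    return [
        {"RoleName": r["RoleName"], "MaxSessionDuration": int(r["MaxSessionDuration"])}
        for r in roles
        if not is_valid_duration(int(r["MaxSessionDuration"]), rgw_sts_max_session_duration)
    ]


# Constructed sample: the role from the report after its first (wrongly accepted) update,
# plus a compliant role with a placeholder RoleId.
SAMPLE_ROLES = json.dumps([
    {"RoleId": "454b3f8d-3230-457f-9cc2-bb8811382a9c", "RoleName": "myrole", "Path": "/",
     "Arn": "arn:aws:iam:::role/myrole", "MaxSessionDuration": 100000},
    {"RoleId": "00000000-0000-0000-0000-000000000000", "RoleName": "okrole", "Path": "/",
     "Arn": "arn:aws:iam:::role/okrole", "MaxSessionDuration": 3600},
])

if __name__ == "__main__":
    import sys
    # Pipe `radosgw-admin role list` into this script; with no stdin the sample is used.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_ROLES
    for hit in audit_roles(data):
        print(f"{hit['RoleName']}: MaxSessionDuration={hit['MaxSessionDuration']} "
              f"outside [{SESSION_DURATION_MIN}, {SESSION_DURATION_MAX}]")
```

Run it against the live cluster with `radosgw-admin role list | python3 audit_roles.py`; any hit is a role that was persisted without the range check the second update in the transcript hits.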
