Bug #48761
closed
rgw: fix user.rgw.user-policy attr remove by assume_role or modify user info
Description
When putting a user policy on user yly with the following boto3 script:

```python
import boto3
import botocore

# Enable botocore debug logging so the request/response is visible
botocore.session.Session().set_debug_logger()

access_key = 'admin'
secret_key = 'admin'
config_dict = {'signature_version': 's3', 'connect_timeout': 30000, 'read_timeout': 30000}
configuration = boto3.session.Config(**config_dict)

client = boto3.client('iam',
    aws_access_key_id=access_key,
    aws_secret_access_key=secret_key,
    endpoint_url='http://127.0.0.1:8000',
    region_name='',
    use_ssl=False,
    config=configuration,
)

# User policy that allows sts:GetSessionToken
policy = '''{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "sts:GetSessionToken",
        "Resource": "*"
    }]
}'''

response = client.put_user_policy(
    UserName='yly',
    PolicyName='yly-sts',
    PolicyDocument=policy
)
```

```
./bin/rados -p default.rgw.meta listxattr yly --namespace users.uid -c ceph.conf
ceph.objclass.version
user.rgw.user-policy <= we have new attr here
```

But when we modify the user info with

```
./bin/radosgw-admin user modify --uid=yly --max-buckets=200 -c ceph.conf
```

the user.rgw.user-policy attr will be removed.

And if we assume_role, the user.rgw.user-policy attr will be removed too:

```
./bin/radosgw-admin role create --role-name role1 --path / --assume-role-policy-doc \{\"Version\":\"2012-10-17\",\"Statement\":\[\{\"Effect\":\"Allow\",\"Principal\":\{\"AWS\":\[\"arn:aws:iam:::user/yly\"\]\},\"Action\":\[\"sts:AssumeRole\"\]\}\]\}
./bin/radosgw-admin role-policy put --role-name=role1 --policy-name=Policy1 --policy-doc=\{\"Version\":\"2012-10-17\",\"Statement\":\[\{\"Effect\":\"Allow\",\"Action\":\[\"s3:*\"\],\"Resource\":\"arn:aws:s3:::test1\"\}\]\}
```

```python
import boto3
import botocore

botocore.session.Session().set_debug_logger()

access_key = 'yly'
secret_key = 'yly'
config_dict = {'signature_version': 's3', 'connect_timeout': 30000, 'read_timeout': 30000}
configuration = boto3.session.Config(**config_dict)

client = boto3.client('sts',
    aws_access_key_id=access_key,
    aws_secret_access_key=secret_key,
    endpoint_url='http://127.0.0.1',
    region_name='',
    use_ssl=False,
    config=configuration,
)

response = client.assume_role(
    RoleArn='arn:aws:iam:::role/role1',
    RoleSessionName='my-session-1',
    DurationSeconds=3600,
)
```

After calling assume_role, the user.rgw.user-policy will be removed and the user cannot call get_session_token, which we defined in put_user_policy.

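
A regression check for the behaviour reported above, as an added example that is not part of the original report or of the Ceph code base: it lists the user object's xattrs with the report's `rados listxattr` command before and after a trigger and returns any that vanished. The function names, the `trigger` callable (so the same check can wrap an `assume_role` call) and the `FakeCluster` stand-in are assumptions made for this example.

```python
import subprocess

POLICY_ATTR = "user.rgw.user-policy"  # xattr name from the report

def shell_runner(argv):
    """Run a command on a real cluster and return its stdout."""
    return subprocess.run(argv, check=True, capture_output=True, text=True).stdout

def list_xattrs(run, uid, conf="ceph.conf"):
    """xattr names on the user's metadata object, via the report's rados command."""
    out = run(["./bin/rados", "-p", "default.rgw.meta", "listxattr", uid,
               "--namespace", "users.uid", "-c", conf])
    return {line.split()[0] for line in out.splitlines() if line.strip()}

def modify_user(run, uid, conf="ceph.conf"):
    """Trigger from the report: change max-buckets on the user."""
    run(["./bin/radosgw-admin", "user", "modify", f"--uid={uid}",
         "--max-buckets=200", "-c", conf])

def attrs_lost_after(run, uid, trigger):
    """Return the xattrs that disappeared while trigger() ran (empty set = OK)."""
    before = list_xattrs(run, uid)
    if POLICY_ATTR not in before:
        raise RuntimeError(f"{uid} has no {POLICY_ATTR}; put a user policy first")
    trigger()
    return before - list_xattrs(run, uid)

class FakeCluster:
    """Constructed stand-in for the cluster so the check can run offline."""
    def __init__(self, buggy):
        self.buggy = buggy
        self.attrs = ["ceph.objclass.version", POLICY_ATTR]

    def __call__(self, argv):
        if "listxattr" in argv:
            return "\n".join(self.attrs) + "\n"
        if "modify" in argv and self.buggy:  # affected build drops the policy
            self.attrs.remove(POLICY_ATTR)
        return ""

if __name__ == "__main__":
    for buggy in (True, False):
        run = FakeCluster(buggy)  # swap in shell_runner on a real cluster
        lost = attrs_lost_after(run, "yly", lambda: modify_user(run, "yly"))
        print("buggy" if buggy else "fixed", "->", sorted(lost) or "nothing lost")
```

On a real cluster, pass `shell_runner` as `run`; a non-empty result containing `user.rgw.user-policy` means the build still shows the reported behaviour.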
Updated by Casey Bodley almost 1 year ago
- Status changed from New to Fix Under Review
- Backport set to pacific quincy reef
Updated by Casey Bodley 7 months ago
- Is duplicate of Bug #63134: rgw: fix user.rgw.user-policy attr remove by modify user info added
Updated by Casey Bodley 7 months ago
- Status changed from Fix Under Review to Duplicate