Feature #58311

open

Extending RadosGW HTTP Request Body With Additional Claim Values Present in OIDC token.

Added by ahmad alkhansa over 1 year ago.

Status: New
Priority: Normal
Assignee: -
Category: -
Target version: -
% Done: 0%
Source:
Tags:
Backport:
Reviewed:
Affected Versions:
Pull request ID:

Description

Hi,

We are using RadosGW STS functionality to allow OIDC AuthN/Z of Ceph users. In addition, we have enabled Open Policy Agent (OPA) to manage AuthZ policies in a continuous integration environment. After performing Assume Role with Web Identity with RadosGW, the HTTP request body that is sent to OPA contains only the OIDC token "sub" claim value. Is it possible to include additional custom claims that may exist in the token (e.g. groups)?

We are including an example of the request body sent to OPA and the token claims that we are trying to integrate in the AuthZ process:

HTTP PUT request:

{
  "client_addr": "xxx.xxx.xxx.xxx:xxxxx",
  "level": "info",
  "msg": "Received request.",
  "req_body": "{
    \"input\": {
      \"method\": \"PUT\",
      \"relative_uri\": \"/my-bucket-3\",
      \"decoded_uri\": \"/my-bucket-3\",
      \"params\": \"\",
      \"request_uri_aws4\": \"/my-bucket-3\",
      \"subuser\": \"\",
      \"user_info\": {
        \"user_id\": \"$oidc$xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",
        \"display_name\": \"\",
        \"email\": \"\",
        \"suspended\": 0,
        \"max_buckets\": 1000,
        \"subusers\": [],
        \"keys\": [],
        \"swift_keys\": [],
        \"caps\": [],
        \"op_mask\": \"read, write, delete\",
        \"default_placement\": \"\",
        \"default_storage_class\": \"\",
        \"placement_tags\": [],
        \"bucket_quota\": {
          \"enabled\": false,
          \"check_on_raw\": false,
          \"max_size\": -1,
          \"max_size_kb\": 0,
          \"max_objects\": -1
        },
        \"user_quota\": {
          \"enabled\": false,
          \"check_on_raw\": false,
          \"max_size\": -1,
          \"max_size_kb\": 0,
          \"max_objects\": -1
        },
        \"temp_url_keys\": [],
        \"type\": \"none\",
        \"mfa_ids\": []
      }
    }
  }",
  "req_id": xxxxxxx,
  "req_method": "POST",
  "req_params": {},
  "req_path": "/v1/data/ceph/authz/allow",
  "time": "2022-12-07T08:23:30Z"
}

OIDC token claim values

{
  "client_id": "xxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxxx",
  "exp": xxxxxxx,
  "groups": [
    "xxxxxxx" 
  ],
  "iat": xxxxxxxx,
  "iss": "https://xxxxxx.xxxxxx.xxxxx.xxxxxx/",
  "jti": "xxxxxxxxx-xxxxxxxx-xxxxxxxx-xxxxxx",
  "name": "xxxxx xxxxxx",
  "nbf": xxxxxxxx,
  "organisation_name": "xxxxx",
  "preferred_username": "xxxxxx",
  "scope": "xxxxxx",
  "sub": "xxxxxxx-xxxxx-xxxxx-xxxxxx-xxxxxxx" 
}

Thank you.
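Added example, not part of the tracker entry or the reporter's setup: a Rego policy for the decision path shown in the log above (RGW POSTs to /v1/data/ceph/authz/allow, so package ceph.authz with rule allow answers it), written against the input fields RGW actually sends. The subject value and the subject-to-bucket mapping are constructed placeholders, and the policy makes explicit why a groups-based rule cannot be written against this input today.

```rego
package ceph.authz

import future.keywords.if
import future.keywords.in

# RGW POSTs its input to /v1/data/ceph/authz/allow, so this rule is the decision.
default allow := false

# RGW prefixes the token's "sub" claim with "$oidc$" in input.user_info.user_id.
oidc_prefix := "$oidc$"

# Hypothetical mapping of OIDC subjects to the buckets they may use.
# The subject is a constructed placeholder, not a real identity.
subject_buckets := {
	"11111111-2222-3333-4444-555555555555": {"my-bucket-3"},
}

# Recover the subject only when the user_id really came from the OIDC path;
# a non-OIDC user_id leaves this undefined and the request stays denied.
subject := s if {
	startswith(input.user_info.user_id, oidc_prefix)
	s := trim_prefix(input.user_info.user_id, oidc_prefix)
}

# Bucket is the first path segment of the decoded URI ("/my-bucket-3" -> "my-bucket-3").
bucket := parts[1] if {
	parts := split(input.decoded_uri, "/")
	count(parts) > 1
}

# Allow read/write on a bucket assigned to the subject; anything else stays denied.
allow if {
	input.method in {"GET", "HEAD", "PUT"}
	bucket in subject_buckets[subject]
}

# A rule keyed on the token's "groups" claim cannot be expressed here: the input
# carries only the subject, which is exactly what this feature request asks to change.
```

To try it locally, save the object under the log's "input" key as input.json and run `opa eval -d policy.rego -i input.json data.ceph.authz.allow`; with the placeholder subject substituted into user_id the PUT on /my-bucket-3 evaluates to true, and any other subject or bucket to false.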
