Hi,

We are using the RadosGW STS functionality to allow OIDC AuthN/Z of Ceph users. In addition, we have enabled Open Policy Agent (OPA) to manage AuthZ policies in a continuous integration environment. After performing AssumeRoleWithWebIdentity with RadosGW, the HTTP request body that is sent to OPA contains only the OIDC token "sub" claim value. Is it possible to include additional custom claims that may exist in the token (e.g., groups)?

We are including an example of the request body sent to OPA and the token claims that we are trying to integrate in the AuthZ process:

HTTP PUT request:

{
  "client_addr": "xxx.xxx.xxx.xxx:xxxxx",
  "level": "info",
  "msg": "Received request.",
  "req_body": "{
    \"input\": {
      \"method\": \"PUT\",
      \"relative_uri\": \"/my-bucket-3\",
      \"decoded_uri\": \"/my-bucket-3\",
      \"params\": \"\",
      \"request_uri_aws4\": \"/my-bucket-3\",
      \"subuser\": \"\",
      \"user_info\": {
        \"user_id\": \"$oidc$xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",
        \"display_name\": \"\",
        \"email\": \"\",
        \"suspended\": 0,
        \"max_buckets\": 1000,
        \"subusers\": [],
        \"keys\": [],
        \"swift_keys\": [],
        \"caps\": [],
        \"op_mask\": \"read, write, delete\",
        \"default_placement\": \"\",
        \"default_storage_class\": \"\",
        \"placement_tags\": [],
        \"bucket_quota\": {
          \"enabled\": false,
          \"check_on_raw\": false,
          \"max_size\": -1,
          \"max_size_kb\": 0,
          \"max_objects\": -1
        },
        \"user_quota\": {
          \"enabled\": false,
          \"check_on_raw\": false,
          \"max_size\": -1,
          \"max_size_kb\": 0,
          \"max_objects\": -1
        },
        \"temp_url_keys\": [],
        \"type\": \"none\",
        \"mfa_ids\": []
      }
    }
  }",
  "req_id": xxxxxxx,
  "req_method": "POST",
  "req_params": {},
  "req_path": "/v1/data/ceph/authz/allow",
  "time": "2022-12-07T08:23:30Z"
}

OIDC token claim values:

{
  "client_id": "xxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxxx",
  "exp": xxxxxxx,
  "groups": [
    "xxxxxxx"
  ],
  "iat": xxxxxxxx,
  "iss": "https://xxxxxx.xxxxxx.xxxxx.xxxxxx/",
  "jti": "xxxxxxxxx-xxxxxxxx-xxxxxxxx-xxxxxx",
  "name": "xxxxx xxxxxx",
  "nbf": xxxxxxxx,
  "organisation_name": "xxxxx",
  "preferred_username": "xxxxxx",
  "scope": "xxxxxx",
  "sub": "xxxxxxx-xxxxx-xxxxx-xxxxxx-xxxxxxx"
}

Thank you.

Best regards.

_______________________________________________
ceph-users mailing list -- ceph-users@ceph.io
To unsubscribe send an email to ceph-users-le...@ceph.io
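The following is an added example for this thread, not code from the original post, from Ceph or from OPA. It puts the two artefacts above side by side: it decodes the claims of an OIDC token (without verifying the signature, so it is a debugging aid only), pulls the `input` document out of an OPA log entry shaped like the one in the post, and lists which token claims have no trace in what OPA received. It assumes that RadosGW forms the STS user id as `$oidc$` followed by the token's `sub` claim; that prefix handling, the sample token and the sample log line are all constructed for the example and are not taken from the post.

```python
"""Compare the claims in an OIDC token with what RadosGW forwards to OPA.

Added example for this thread; not code from the original post, Ceph or OPA.
Assumptions: the OPA input shape is the one shown in the post, and RadosGW
forms the STS user id as "$oidc$" + <sub claim> (assumed, not stated in the
post). The JWT decoding below does NOT check the signature; it is a debugging
aid only, never an authorization check.
"""
import base64
import json
from typing import List, Optional

OIDC_PREFIX = "$oidc$"  # assumed prefix RadosGW uses for web-identity users


def b64url_decode(segment: str) -> bytes:
    """Decode one base64url JWT segment, restoring the stripped padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    """Inverse of b64url_decode; used only to build the constructed sample."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwt_claims(token: str) -> dict:
    """Return the payload of a compact JWT without verifying it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))


def opa_input_from_log(log_line: str) -> dict:
    """Pull the `input` document out of an OPA log entry whose req_body is
    a JSON string, which is how it appears in the post."""
    entry = json.loads(log_line)
    return json.loads(entry["req_body"])["input"]


def subject_from_opa_input(opa_input: dict) -> Optional[str]:
    """Recover the token's sub from user_info.user_id if it carries the
    assumed $oidc$ prefix; None for local (non-OIDC) users."""
    uid = opa_input["user_info"]["user_id"]
    return uid[len(OIDC_PREFIX):] if uid.startswith(OIDC_PREFIX) else None


def claims_absent_from_input(token: str, opa_input: dict) -> List[str]:
    """Names of token claims whose value appears nowhere in the OPA input.
    A crude substring search over the serialized input, but enough to show
    that e.g. `groups` never reaches the policy while `sub` does."""
    serialized = json.dumps(opa_input)
    absent = []
    for name, value in jwt_claims(token).items():
        values = value if isinstance(value, list) else [value]
        if not all(str(v) in serialized for v in values):
            absent.append(name)
    return sorted(absent)


# --- constructed sample data (not from a real deployment) -------------------
SAMPLE_SUB = "11111111-2222-3333-4444-555555555555"
_header = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
_payload = b64url_encode(json.dumps({
    "iss": "https://idp.example.test/",
    "sub": SAMPLE_SUB,
    "groups": ["storage-admins"],
    "preferred_username": "alice",
    "exp": 1670400000, "iat": 1670396400, "nbf": 1670396400,
}).encode())
SAMPLE_TOKEN = f"{_header}.{_payload}.not-a-real-signature"

SAMPLE_OPA_LOG = json.dumps({
    "msg": "Received request.",
    "req_path": "/v1/data/ceph/authz/allow",
    "req_body": json.dumps({"input": {
        "method": "PUT",
        "relative_uri": "/my-bucket-3",
        "user_info": {"user_id": OIDC_PREFIX + SAMPLE_SUB, "display_name": ""},
    }}),
})
SAMPLE_OPA_INPUT = opa_input_from_log(SAMPLE_OPA_LOG)

if __name__ == "__main__":
    print("sub seen by OPA        :", subject_from_opa_input(SAMPLE_OPA_INPUT))
    print("claims not in OPA input:",
          claims_absent_from_input(SAMPLE_TOKEN, SAMPLE_OPA_INPUT))
```

Run against a real OPA decision log line and the corresponding token, the `claims_absent_from_input` output is the list of claims a Rego policy at `ceph/authz/allow` cannot see from `input` alone; `sub` should be the only identity claim that survives, via `input.user_info.user_id`.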
