A separate 'iam' namespace is still not supported in RGW, hence the REST
APIs for Roles using boto will not work. The REST APIs have been tested
using another client (s3curl) for the time being.

On Thu, Mar 7, 2019 at 12:00 PM myxingkong <ad...@xingkong.io> wrote:

>
> I created a role and attached a permission policy to it.
>
> radosgw-admin role create --role-name=S3Access
> --path=/application_abc/component_xyz/
> --assume-role-policy-doc=\{\"Version\":\"2012-10-17\",\"Statement\":\[\{\"Effect\":\"Allow\",\"Principal\":\{\"AWS\":\[\"arn:aws:iam:::user/TESTER\"\]\},\"Action\":\[\"sts:*\"\]\}\]\}
>
>
> radosgw-admin role-policy put --role-name=S3Access --policy-name=Policy1
> --policy-doc=\{\"Version\":\"2012-10-17\",\"Statement\":\[\{\"Effect\":\"Allow\",\"Action\":\[\"s3:*\"\],\"Principal\":\{\"AWS\":\[\"arn:aws:iam:::user/TESTER\"\]\}\}\]\}
>
>
> I then created a user with administrator privileges.
>
> radosgw-admin user create --uid=admin --display-name="admin" --admin
>
> radosgw-admin caps add --uid=admin --caps="roles=*"
>
>
> When I use the REST admin APIs to get the Role, it returns an HTTP 405
> error.
>
> Request:
>
> POST / HTTP/1.1
> Host: 192.168.199.81:7480
> Accept-Encoding: identity
> Content-Length: 51
> Content-Type: application/x-www-form-urlencoded; charset=utf-8
> X-Amz-Date: 20190307T062057Z
> Authorization: AWS4-HMAC-SHA256
> Credential=PW6NM2ITY1U7AZDD23LR/20190307//iam/aws4_request,
> SignedHeaders=content-type;host;x-amz-date,
> Signature=af5f820f898a856f3a624a47b37d7577bd0bf1b23b4100070a03d910b64717db
> User-Agent: Boto3/1.9.107 Python/2.7.15 Windows/7 Botocore/1.12.107
>
> Action=GetRole&RoleName=S3Access&Version=2010-05-08
>
>
> Response:
>
> HTTP/1.1 405 Method Not Allowed
> Content-Length: 191
> x-amz-request-id: tx000000000000000000004-005c80b848-1b028-default
> Accept-Ranges: bytes
> Content-Type: application/xml
> Date: Thu, 07 Mar 2019 06:20:56 GMT
> Connection: keep-alive
>
> <?xml version="1.0"
> encoding="UTF-8"?><Error><Code>MethodNotAllowed</Code><RequestId>tx000000000000000000004-005c80b848-1b028-default</RequestId><HostId>1b028-default-default</HostId></Error>
>
>
> This is my test code:
>
> import os
> import sys
> import boto3
> import traceback
>
> try:
>     host = 'http://192.168.199.81:7480'
>     access_key = 'PW6NM2ITY1U7AZDD23LR'
>     secret_key = 'o0Td78FhgxUMJ6qZuv5OcmntLEYpyavVUuZE5TGM'
>
>     client = boto3.client('iam',
>                           aws_access_key_id = access_key,
>                           aws_secret_access_key = secret_key,
>                           endpoint_url = host,
>                           region_name="")
>
>     response = client.get_role(
>         RoleName='S3Access'
>     )
>     print response
> except:
>     print traceback.format_exc()
>
>
>
> This is my ceph.conf:
>
> [global]
> fsid = adf809ab-6534-469d-afe6-a7677d8a490c
> mon_initial_members = admin, node1, node2, node3
> mon_host = 192.168.199.81,192.168.199.82,192.168.199.83,192.168.199.84
> auth_cluster_required = cephx
> auth_service_required = cephx
> auth_client_required = cephx
> osd pool default size = 2
>
> [client.rgw.admin]
> rgw sts key = "abcdefghijklmnopq"
> rgw s3 auth use sts = true
>
> Can someone tell me if my configuration is incorrect?
> Or does the version I tested not provide a rest admin API?
>
> My version of ceph is: ceph version 14.1.0
> (adfd524c32325562f61c055a81dba4cb1b117e84) nautilus (dev)
>
>
> Thanks,
> myxingkong
> _______________________________________________
> ceph-users mailing list
> ceph-users@lists.ceph.com
> http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
>
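The quoted request shows where the boto3 `iam` client leaves its mark: the credential scope `PW6NM2ITY1U7AZDD23LR/20190307//iam/aws4_request` carries the service name `iam` and, because the client was built with `region_name=""`, an empty region between the two slashes. The script below is an added example written for this thread, not code from the thread or from Ceph; it reimplements the AWS SigV4 signing steps with only the Python standard library so that the service name's place in both the scope string and the derived signing key is visible. It reuses the endpoint, access key, secret, timestamp and body from the quoted request, signs the same `GetRole` POST once with `iam` and once with `s3` in the scope, and parses the Authorization header from the quoted request. It only builds headers locally; it does not contact an RGW and does not tell you which scope a given RGW build will route or accept (the reply above answers that for the `iam` case).

```python
import hashlib
import hmac
import re
from urllib.parse import quote

# Constructed sample: values copied from the request quoted in the thread.
# The secret is used only to derive a local signing key.
ACCESS_KEY = "PW6NM2ITY1U7AZDD23LR"
SECRET_KEY = "o0Td78FhgxUMJ6qZuv5OcmntLEYpyavVUuZE5TGM"
HOST = "192.168.199.81:7480"
AMZ_DATE = "20190307T062057Z"
BODY = "Action=GetRole&RoleName=S3Access&Version=2010-05-08"
CONTENT_TYPE = "application/x-www-form-urlencoded; charset=utf-8"

# The Authorization header as it appears in the quoted request (joined onto one line).
PAGE_AUTHORIZATION = (
    "AWS4-HMAC-SHA256 "
    "Credential=PW6NM2ITY1U7AZDD23LR/20190307//iam/aws4_request, "
    "SignedHeaders=content-type;host;x-amz-date, "
    "Signature=af5f820f898a856f3a624a47b37d7577bd0bf1b23b4100070a03d910b64717db"
)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def parse_authorization(authorization: str) -> dict:
    """Split a SigV4 Authorization header into its scope parts, signed headers and signature.

    Scope layout is <access key>/<YYYYMMDD>/<region>/<service>/aws4_request;
    an empty region shows up as the doubled slash seen in the quoted request.
    """
    cred = re.search(r"Credential=([^,\s]+)", authorization)
    signed = re.search(r"SignedHeaders=([^,\s]+)", authorization)
    sig = re.search(r"Signature=([0-9a-f]{64})", authorization)
    if not (cred and signed and sig):
        raise ValueError("not a complete SigV4 Authorization header")
    access_key, date, region, service, terminator = cred.group(1).split("/")
    if terminator != "aws4_request":
        raise ValueError("unexpected scope terminator: " + terminator)
    return {"access_key": access_key, "date": date, "region": region,
            "service": service, "signed_headers": signed.group(1),
            "signature": sig.group(1)}


def signing_key(secret: str, date: str, region: str, service: str) -> bytes:
    """SigV4 key derivation: region and service are baked into the signing key,
    so a header signed for service 'iam' cannot verify under service 's3'."""
    k_date = hmac_sha256(("AWS4" + secret).encode("utf-8"), date)
    k_region = hmac_sha256(k_date, region)
    k_service = hmac_sha256(k_region, service)
    return hmac_sha256(k_service, "aws4_request")


def canonical_request(method: str, path: str, query: str, headers: dict, body: bytes):
    """Build the SigV4 canonical request; returns (canonical_request, signed_headers)."""
    canon = sorted((k.lower(), " ".join(v.split())) for k, v in headers.items())
    signed = ";".join(k for k, _ in canon)
    lines = [method, quote(path, safe="/"), query]
    lines += [f"{k}:{v}" for k, v in canon]
    lines += ["", signed, sha256_hex(body)]  # blank line ends the header block
    return "\n".join(lines), signed


def build_authorization(service: str, region: str = "", method: str = "POST",
                        path: str = "/", query: str = "", body: str = BODY,
                        amz_date: str = AMZ_DATE) -> str:
    """Sign the quoted GetRole POST for an arbitrary service/region scope."""
    headers = {"content-type": CONTENT_TYPE, "host": HOST, "x-amz-date": amz_date}
    creq, signed = canonical_request(method, path, query, headers, body.encode("utf-8"))
    date = amz_date[:8]
    scope = f"{date}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                sha256_hex(creq.encode("utf-8"))])
    key = signing_key(SECRET_KEY, date, region, service)
    signature = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    return (f"AWS4-HMAC-SHA256 Credential={ACCESS_KEY}/{scope}, "
            f"SignedHeaders={signed}, Signature={signature}")


if __name__ == "__main__":
    print("scope of quoted request:", parse_authorization(PAGE_AUTHORIZATION))
    for svc in ("iam", "s3"):
        print(f"{svc}: {build_authorization(svc)}")
```

Running it prints the parsed scope of the quoted header (service `iam`, region empty) followed by two freshly signed headers that differ only in the service name and, consequently, in the signature. On the server side this is the first thing a SigV4 verifier reconstructs from the scope, which is why a client that signs as `iam` cannot be made to work by changing the URL alone.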