Hi Ryan,
This appears to be a known issue and is tracked here:
https://tracker.ceph.com/issues/54562. There is a workaround mentioned in
the tracker that has worked and you can try that. Otherwise, I will be
working on this 'invalid padding' problem very soon.
Thanks,
Pritha
On Tue, Jul 9, 2024
There are REST APIs: 1. UpdateRole to modify a role, 2.
UpdateAssumeRolePolicy to modify the trust policy of a role.
What exactly are you trying to modify for a role?
Thanks,
Pritha
On Tue, Apr 23, 2024 at 11:00 AM farhad kh
wrote:
> hi, I used the ceph API to create rgw/role but there is no API
:14 PM Austin Axworthy
wrote:
> Hi Pritha,
>
> I have added the bucket to the resource, but I am still running into the
> same Forbidden response.
>
> Thanks,
> Austin
>
>
> -Original Message-
> From: Pritha Srivastava
> Sent: June 14, 2023 4:59 AM
>
Hi Austin,
Can you try by adding the bucket arn to the Resource section of the policy,
like the following:
"Resource": [
"arn:aws:s3:::bucket1",
"arn:aws:s3:::bucket1/*",
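Worked example, added here and not code from the thread or from Ceph: a small IAM-style policy evaluator in Python that shows why a Resource list holding only the object-level ARN still yields Forbidden for s3:ListBucket, and why adding the bucket ARN fixes it. The bucket name `bucket1` comes from the reply above; the action list and the evaluator's simplified semantics (explicit Deny wins, otherwise any matching Allow grants, otherwise deny) are assumptions.

```python
import copy
import fnmatch

# Constructed role permission policy reproducing the "still Forbidden" case:
# only the object-level ARN is listed. The Action list is an assumption.
POLICY_OBJECTS_ONLY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject"],
            "Resource": ["arn:aws:s3:::bucket1/*"],
        }
    ],
}

# The same policy with the bucket ARN added, as suggested in the reply above.
POLICY_FIXED = copy.deepcopy(POLICY_OBJECTS_ONLY)
POLICY_FIXED["Statement"][0]["Resource"].insert(0, "arn:aws:s3:::bucket1")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def s3_arn(bucket, key=None):
    """Bucket-level ARN (what s3:ListBucket is checked against) or
    object-level ARN (what s3:GetObject / s3:PutObject are checked against)."""
    return f"arn:aws:s3:::{bucket}" + (f"/{key}" if key is not None else "")


def is_allowed(policy, action, resource):
    """Simplified IAM evaluation: an explicit Deny wins, otherwise any
    matching Allow grants, otherwise the default is deny (the 403 the
    client sees). Action and Resource patterns use the usual '*' wildcard,
    which, as in IAM, also matches '/' inside object keys."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(fnmatch.fnmatchcase(action, pat) for pat in _as_list(stmt["Action"]))
        resource_hit = any(fnmatch.fnmatchcase(resource, pat) for pat in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def explain(policy, bucket, key):
    """Decision per action, so the two policies can be compared side by side.
    Note that 'bucket1/*' never matches the bare bucket ARN, which is exactly
    why listing fails while object reads succeed."""
    return {
        "s3:ListBucket": is_allowed(policy, "s3:ListBucket", s3_arn(bucket)),
        "s3:GetObject": is_allowed(policy, "s3:GetObject", s3_arn(bucket, key)),
    }
```

Running `explain(POLICY_OBJECTS_ONLY, "bucket1", "a.txt")` gives ListBucket denied and GetObject allowed; with `POLICY_FIXED` both are allowed, and a different bucket is still denied.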
Hi Christian,
Replies are inline.
On Wed, Mar 15, 2023 at 9:27 PM Christian Rohmann <
christian.rohm...@inovex.de> wrote:
> Hello ceph-users,
>
> unhappy with the capabilities in regards to bucket access policies when
> using the Keystone authentication module
> I posted to this ML a while back
I will look into the bug that you submitted.
Thanks,
Pritha
On Thu, Mar 2, 2023 at 3:46 AM wrote:
> Hello,
>
> I just submitted: https://tracker.ceph.com/issues/58890
>
> Here are more details about the configuration. Note that I've tried a URL
> with and without a trailing `/` slash like what
Hi,
What version of ceph are you using? Can you share the trust policy that is
attached to the role being assumed?
Thanks,
Pritha
On Wed, Mar 1, 2023 at 9:07 PM wrote:
> I've setup RadosGW with STS ontop of my ceph cluster. It works great and
> fine but I'm also trying to setup authentication
Hi,
Have you added oidc-provider caps to the user that is trying to create the
openid connect provider/ list openid connect providers, in your case the
user which has the access key as 'L70QT3LN71SQXWHS97Y4'. (
https://docs.ceph.com/en/quincy/radosgw/oidc/)
Thanks,
Pritha
On Fri, Feb 17, 2023
Hi,
When you list the roles, the Condition element of the trust policy in the
role doesn't seem quite right:
"Condition": {
>"StringEquals": {
>"localhost:8080/auth/realms/demo:myclient
use this Condition?
>
>
> "StringEquals": {"mykeycloak.org.com/auth/realms/myrealm:app_id":"aud"}
>
>
>
>
>
> Could you please share a concrete example?
>
>
>
> Best
>
> Simone
>
> *Da:* Pritha Srivastava
set of temporary
> credentials.
>
>
>
> Best
>
> Simone
>
> *Da:* Pritha Srivastava
> *Inviato:* mercoledì 16 marzo 2022 13:15
> *A:* simone.becc...@staff.aruba.it
> *Cc:* ceph-users
> *Oggetto:* Re: [ceph-users] Keycloack with Radosgw
>
>
>
> Please corr
can
be found here: https://docs.ceph.com/en/latest/radosgw/session-tags/
Thanks,
Pritha
On Wed, Mar 9, 2022 at 9:54 AM Pritha Srivastava
wrote:
> Hi Mark,
>
> On Wed, Mar 9, 2022 at 6:57 AM Mark Selby wrote:
>
>> I am not sure that what I would like to do is even poss
Hi Mark,
On Wed, Mar 9, 2022 at 6:57 AM Mark Selby wrote:
> I am not sure that what I would like to do is even possible. I was hoping
> there is someone out there who could chime in on this.
>
>
>
> We use Ceph RBD and Ceph FS somewhat extensively and are starting on our
> RGW journey.
>
>
>
>
th {} marking
> something that needs to be replaced, perhaps the doc could be changed to
> also add a "{name}" in the section header? Putting it under [global] also
> worked.
>
> Best regards,
> Michael
>
>
> On Wed, 24 Nov 2021 at 10:55, Pritha Srivastava
>
upgrading from nautilus to
octopus? (Seems like you didn't.) And also how many days after
upgrading did you start seeing this problem?
I will take a look at it asap.
Thanks,
Pritha
On Wed, Nov 24, 2021 at 4:54 PM Jaka Močnik wrote:
> hi, pritha,
>
> On Wed, 2021-11-24 at 16:41 +053
Hi Jaka,
On Wed, Nov 24, 2021 at 4:11 PM Jaka Močnik wrote:
> hi,
>
> running an octopus cluster (upgraded from nautilus a few months ago) of
> some 0.5PB capacity. it is used exclusively as an object storage via
> rgw (clients use the swift API), 6 rgw instances are used to cater to
> this.
have to ensure that your rgw section
name is correct, else for testing you can add it to the global section - it
should work. The one given in the documentation:
https://docs.ceph.com/en/latest/radosgw/STS/ works.
Thanks,
Pritha
> Best regards,
> Michael
>
>
> On Wed, 24 Nov 2021 at 03:
> "view-profile"
> ]
> }
> },
> "scope": "openid profile email",
> "email_verified": true,
> "name": "testuser",
> "preferred_username": "testuser",
> "given_name"
Hi Nio,
Can you provide more details around what you are trying to do?
RGW supports attaching IAM policies to users that aid in managing their
permissions.
Thanks,
Pritha
On Tue, Nov 23, 2021 at 11:43 AM nio wrote:
> hi, all:
> In the process of using RGW, I still cannot authenticate
me exists.
>
> With the example python from the page
> https://docs.ceph.com/en/latest/radosgw/STS/ it worked (it has an extra
> "]" that needs to be removed in the policy_document variable).
>
> Thanks again, Marcelo.
>
>
> De: "Pritha Srivastava"
> Para:
Hi Marcelo,
Your trust policy has an error:
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"*Main*":{
"AWS":[
"arn:aws:iam:::user/someuser"
]
},
"Action":[
"sts:AssumeRole"
]
}
]
}
In place of 'Main', use 'Principal' as you have done for the radosgw-admin
role create command.
Hi Daniel,
Yes, it looks like a bug in the way the role name is being parsed in the
code. Please open a tracker issue for the same, and I'll fix it when I can.
Thanks,
Pritha
On Thu, Jun 10, 2021 at 5:09 PM Daniel Iwan wrote:
> Hi Pritha
>
> y answers inline.
> Forgot to add I'm on Ceph 1.2.1
On Fri, Jun 4, 2021 at 5:06 PM Daniel Iwan wrote:
> Hi
>
> It seems that with command like this
>
> aws --profile=my-user-tenant1 --endpoint=$HOST_S3_API --region="" iam
> create-role --role-name="tenant2\$TemporaryRole"
> --assume-role-policy-document file://json/trust-policy-assume-role.json
>
Yes, that is correct.
Thanks,
Pritha
On Thu, May 13, 2021 at 4:07 PM Daniel Iwan wrote:
> Thanks, that explains it.
> This is in combination with permissions given via bucket policies of
> course?
>
> Daniel
> ___
> ceph-users mailing list --
e?
> arn:aws:iam::mytenant:user/oidc$7f71c7c5-c24f-418e-87ac-aa8fe271289b
>
> If it's the second one, it relies on the fact that IDs are unique, which in
> turns depends on the sub field in the token.
>
> Regards
> Daniel
>
> On Wed, 12 May 2021 at 13:31, Pritha Srivastava
The federated user will be allowed to perform only those s3 actions that
are explicitly allowed by the role's permission policy. The permission
policy is there for someone to exercise finer grained control over what s3
action is allowed and what is not, hence it differs from what regular users
are
Hi,
Can you try with the following ARN:
arn:aws:iam:::user/oidc$7f71c7c5-c24f-418e-87ac-aa8fe271289b
The format of the user id is: $$ , and in
$oidc$7f71c7c5-c24f-418e-87ac-aa8fe271289b, the '$' before oidc is a
separator for a tenant which is empty here, and ARN for a user is of the
format:
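Added example, not code from the thread or from Ceph, serving both the 'Main' vs 'Principal' mistake in the trust policy further up and the user ARN format discussed here. It builds the ARN of an RGW user (tenant in the account slot, `oidc$<sub>` as the uid of a federated user), generates a trust policy for that user, and runs a structural check that flags the misnamed key. The OIDC provider ARN layout in `trust_policy_for_oidc` and the list of accepted statement keys are assumptions.

```python
STS_ACTIONS = {"sts:AssumeRole", "sts:AssumeRoleWithWebIdentity"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def rgw_user_arn(uid, tenant=""):
    """ARN of an RGW user: the tenant sits in the account slot, so a user
    without a tenant has an empty field there (arn:aws:iam:::user/<uid>)."""
    return f"arn:aws:iam::{tenant}:user/{uid}"


def oidc_uid(sub):
    """uid RGW derives for a federated OIDC user: 'oidc$' followed by the
    token's sub claim."""
    return f"oidc${sub}"


def trust_policy_for_user(user_arn):
    """Trust policy letting one RGW user call sts:AssumeRole."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Principal": {"AWS": [user_arn]},
                           "Action": ["sts:AssumeRole"]}]}


def trust_policy_for_oidc(provider_arn, condition=None):
    """Trust policy for AssumeRoleWithWebIdentity against a registered OIDC
    provider (provider_arn assumed as arn:aws:iam:::oidc-provider/<host/path>)."""
    stmt = {"Effect": "Allow",
            "Principal": {"Federated": [provider_arn]},
            "Action": ["sts:AssumeRoleWithWebIdentity"]}
    if condition:
        stmt["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [stmt]}


def validate_trust_policy(policy):
    """Return a list of problems; an empty list means the policy looks sane."""
    problems = []
    if policy.get("Version") != "2012-10-17":
        problems.append("Version should be 2012-10-17")
    stmts = policy.get("Statement")
    if not isinstance(stmts, list) or not stmts:
        return problems + ["Statement must be a non-empty list"]
    known = {"Sid", "Effect", "Principal", "Action", "Condition"}   # assumed key set
    for i, stmt in enumerate(stmts):
        where = f"Statement[{i}]"
        if stmt.get("Effect") not in ("Allow", "Deny"):
            problems.append(f"{where}: Effect must be Allow or Deny")
        principal = stmt.get("Principal")
        if principal is None:
            # Report unknown keys so a typo such as 'Main' is visible at once.
            extra = sorted(set(stmt) - known)
            hint = f" (unexpected key(s): {', '.join(extra)})" if extra else ""
            problems.append(f"{where}: missing Principal{hint}")
        elif not isinstance(principal, dict) or not ({"AWS", "Federated"} & set(principal)):
            problems.append(f"{where}: Principal must contain AWS or Federated")
        actions = set(_as_list(stmt.get("Action", [])))
        if not actions & STS_ACTIONS:
            problems.append(f"{where}: Action must include sts:AssumeRole or sts:AssumeRoleWithWebIdentity")
        if isinstance(principal, dict) and "Federated" in principal \
                and "sts:AssumeRoleWithWebIdentity" not in actions:
            problems.append(f"{where}: a Federated principal needs sts:AssumeRoleWithWebIdentity")
    return problems


# Constructed copy of the broken policy from the thread ('Main' instead of 'Principal').
BROKEN_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Main": {"AWS": ["arn:aws:iam:::user/someuser"]},
                   "Action": ["sts:AssumeRole"]}],
}
```

`validate_trust_policy(BROKEN_TRUST_POLICY)` reports the missing Principal and names `Main` as the unexpected key, while the policy built by `trust_policy_for_user(rgw_user_arn("someuser"))` passes.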
Hello,
The next Octopus release should be there in 3-4 weeks.
In Octopus, shadow users aren't created (for federated oidc users). But we
later realised that shadow users are needed to maintain user stats, hence
the code for the same is under the process of being added as of now and
should be
Hello again,
The issues that you are seeing are because as I mentioned in my previous
email, I missed backporting some commits to Octopus (apologies for the
same), and I have opened a backport PR (
https://github.com/ceph/ceph/pull/37640) and this should be available in
the next Octopus release.
Hello,
rgw sts key should be a key of length 16 since we use AES 128 for
encryption (e.g. rgw sts key = abcdefghijklmnop)
Yes it should be 'sts_client' and not 'client'. The errors in documentation
have been noted and will be corrected.
Also please note that the backport to octopus of the new
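Added example (Python, not part of the thread or of Ceph) that checks a ceph.conf fragment for the two points raised around STS configuration: the `rgw sts key` must be exactly 16 bytes because it is used as an AES-128 key, and the settings must live in the correct `[client.rgw.<name>]` section or, failing that, in `[global]`. The sample configuration is constructed; the precedence rule (instance section over `[global]`) and the treatment of `rgw_sts_key` and `rgw sts key` as the same option are assumptions based on the thread.

```python
import configparser

AES128_KEY_LEN = 16  # rgw sts key is used as an AES-128 key, so exactly 16 bytes

# Constructed ceph.conf fragment: a global default, one instance overriding it
# with a valid key, and one instance whose key is too short.
SAMPLE_CONF = """
[global]
fsid = 00000000-0000-0000-0000-000000000000
rgw s3 auth use sts = true
rgw sts key = 0123456789abcdef

[client.rgw.gateway1]
rgw_s3_auth_use_sts = true
rgw_sts_key = abcdefghijklmnop

[client.rgw.gateway2]
rgw sts key = tooshort
"""


def parse_ceph_conf(text):
    cp = configparser.ConfigParser(interpolation=None)
    # Assumption: 'rgw sts key' and 'rgw_sts_key' name the same option.
    cp.optionxform = lambda name: name.strip().lower().replace("_", " ")
    cp.read_string(text)
    return cp


def lookup(cp, rgw_instance, option, fallback=None):
    """Instance section wins over [global] (assumed precedence).
    Returns (value, section) or (fallback, None)."""
    for section in (f"client.rgw.{rgw_instance}", "global"):
        if cp.has_option(section, option):
            return cp.get(section, option), section
    return fallback, None


def check_sts_config(cp, rgw_instance):
    """Return a list of problems for one rgw instance; empty means OK."""
    problems = []
    key, section = lookup(cp, rgw_instance, "rgw sts key")
    if section is None:
        return [f"no 'rgw sts key' in [client.rgw.{rgw_instance}] or [global]"]
    use_sts, _ = lookup(cp, rgw_instance, "rgw s3 auth use sts", fallback="false")
    if configparser.ConfigParser.BOOLEAN_STATES.get(use_sts.strip().lower()) is not True:
        problems.append(f"[client.rgw.{rgw_instance}]: 'rgw s3 auth use sts' is not enabled")
    n = len(key.encode("utf-8"))
    if n != AES128_KEY_LEN:
        problems.append(f"[{section}]: 'rgw sts key' must be exactly {AES128_KEY_LEN} bytes (AES-128), got {n}")
    return problems
```

`check_sts_config(parse_ceph_conf(SAMPLE_CONF), "gateway2")` reports the 8-byte key; `gateway1` passes, and an instance with no section of its own (`gateway3`) inherits the valid key from `[global]`.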
Hello,
If it is possible for the uid that has been used for LDAP users to be the
same for OIDC users (which is based off the 'sub' field of the OpenID
connect token), then there are no extra migration steps needed.
Which version of Ceph are you using? In octopus, offline token validation
has
rce": "s3://tenant2/jerry-bucket"
>> }
>> ]
>> }
>>CORS: none
>>ACL: Jerry: FULL_CONTROL
>>
>>
>> When I try to list using Tom access keys, I get below error:
>> [root@vishwas-test cluster]# s3cmd --acc
Hi Vishwas,
Bucket policy should let you access buckets in another tenant.
What exact command are you using?
Thanks,
Pritha
On Thursday, May 14, 2020, Vishwas Bm wrote:
> > Hi,
> >
> > I have two users both belong to different tenant.
> >
> > Can I give permission for the user in another
it works fine.
>> >
>> > thanks!!
>> >
>> >
>> > On Tue, May 12, 2020 at 11:11 AM Wyllys Ingersoll <
>> wyllys.ingers...@keepertech.com> wrote:
>> >>
>> >> The "aud" field in the introspection result is a list,
app_id must match with the 'aud' field in the token introspection result
(In the example the value of 'aud' is 'customer-portal')
Thanks,
Pritha
On Tue, May 12, 2020 at 8:16 PM Wyllys Ingersoll <
wyllys.ingers...@keepertech.com> wrote:
>
> Running Nautilus 14.2.9 and trying to follow the STS
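Added example (Python, not from the thread or from Ceph) for the Condition questions raised in this thread and in the Keycloak thread above: it evaluates a trust-policy `StringEquals` condition of the form `"<iss>:app_id": "<client id>"` against an introspection result whose `aud` may be a string or a list, and it rejects the two mistakes seen above (the literal string "aud" as the value, and the client id written into the key instead of `app_id`). The introspection result is constructed, and the derivation of the condition key from `iss` (scheme stripped, `:app_id` appended) follows the form used in the Ceph STS documentation.

```python
def _as_list(value):
    return value if isinstance(value, list) else [value]


def issuer_key(iss):
    """Condition key derived from the token's iss: scheme removed, ':app_id'
    appended (https://localhost:8080/auth/realms/demo becomes
    localhost:8080/auth/realms/demo:app_id)."""
    _, sep, rest = iss.partition("://")
    return f"{rest if sep else iss}:app_id"


def condition_matches(condition, claims):
    """Evaluate {"StringEquals": {"<iss>:app_id": "<client id>"}} against token
    claims. The value compared is the token's aud, which Keycloak may return
    as a string or a list; the policy value must equal one of its entries."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise ValueError(f"unsupported condition operator: {operator}")
        for key, expected in pairs.items():
            if key != issuer_key(claims.get("iss", "")):
                return False  # wrong key, e.g. client id written in place of app_id
            if expected not in _as_list(claims.get("aud", [])):
                return False  # app_id value does not match any aud entry
    return True


def introspection_allows(introspection, condition):
    """Combine the introspection result with the role's Condition: an
    inactive token never matches, whatever the Condition says."""
    if not introspection.get("active", False):
        return False
    return condition_matches(condition, introspection)


# Constructed introspection result (not real Keycloak output) with aud as a list.
INTROSPECTION = {
    "active": True,
    "iss": "https://localhost:8080/auth/realms/demo",
    "aud": ["customer-portal", "account"],
    "sub": "7f71c7c5-c24f-418e-87ac-aa8fe271289b",
}

# Correct form: the client id is the value of <iss>:app_id.
GOOD_CONDITION = {"StringEquals": {"localhost:8080/auth/realms/demo:app_id": "customer-portal"}}
# Mistake 1: the literal string "aud" used as the value.
LITERAL_AUD = {"StringEquals": {"localhost:8080/auth/realms/demo:app_id": "aud"}}
# Mistake 2: the client id placed in the key instead of app_id.
CLIENT_IN_KEY = {"StringEquals": {"localhost:8080/auth/realms/demo:myclient": "customer-portal"}}
```

Only `GOOD_CONDITION` matches the constructed result; both mistaken forms are rejected, as is any token whose introspection reports `active: false`.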
head [sync_read 4096~1024]
> 2020-05-06T08:06:33.925+0200 7f73b554a700 10 osd.15 pg_epoch: 5395 pg[5.9(
> v 5395'481462 (5387'478000,5395'481462] local-lis/les=5394/5395 n=48
> ec=67/67 lis/c=5394/5394 les/c/f=5395/5395/0 sis=5394 pruub=12.023579210s)
> [15,21,26] r=0 lpr=5394 crt=5395'481460 l
Hi James,
Does radosgw-admin gc list --include-all, give the same error? If yes, can
you please open a tracker issue and share rgw and osd logs?
Thanks,
Pritha
On Wed, May 6, 2020 at 12:22 AM James, GleSYS
wrote:
> Hi,
>
> We’ve recently installed a new Ceph cluster running Octopus 15.2.1,
.
>
> One question - the above list only has list of shadow and multi-part
> objects. So, objects that are less than 4MB - will they be not queued -
> since they are part of the HEAD and the HEAD gets deleted when we issue
> s3cmd del command?
>
> Thanks,
> Priya
>
>
Hi Priya,
Did you try to list the objects using radosgw-admin gc list immediately
after deleting them?
Try using the command: radosgw-admin gc list --include-all, this lists all
the expired and non expired entries.
radosgw-admin gc list, only lists entries that have expired. Objects that
have
Hi,
Is the ACCESSKEY_STRING and SECRETKEY_STRING of user trying to assume role
'S3Access' same as that of user 'sr'? (that is the user specified in the
assume_role_policy_document)
Thanks,
Pritha
On Sun, Mar 8, 2020 at 7:54 PM 曹 海旺 wrote:
> Hi, I want to use the sts to get a temporary
Hi,
Did you add admin caps to the user trying to attach User Policy to User1?
like
radosgw-admin caps add --uid="TESTER" --caps="user-policy=*".
TESTER is the user trying to attach user policy to TESTER1.
Thanks,
Pritha
On Wed, Dec 25, 2019 at 2:00 PM 黄明友 wrote:
> hi, all
>
>
> I follow
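Added example (Python, not from the thread or from Ceph) covering the admin-caps point made here and in the oidc-provider reply further up: it parses a `radosgw-admin caps add --caps="..."` string and checks whether the caller holds the cap an IAM-style call needs. The caps string format (`cap=perm` entries separated by `;`, with perm `*`, `read`, `write` or `read, write`) follows the radosgw-admin usage quoted in the thread; the mapping from operation to required cap and permission is an assumption drawn from the linked documentation.

```python
def parse_caps(caps):
    """Parse 'user-policy=*; oidc-provider=read' into {cap: {perms}};
    '*' expands to both read and write."""
    out = {}
    for item in caps.split(";"):
        item = item.strip()
        if not item:
            continue
        name, _, perm = item.partition("=")
        perms = {p.strip() for p in perm.split(",") if p.strip()}
        out[name.strip()] = {"read", "write"} if "*" in perms else perms
    return out


# Assumed mapping (from the thread and the linked docs): oidc-provider caps
# gate the OpenID Connect provider APIs, user-policy caps the user policy
# APIs, roles caps the role APIs; list/get need read, everything else write.
REQUIRED_CAP = {
    "CreateOpenIDConnectProvider": ("oidc-provider", "write"),
    "ListOpenIDConnectProviders": ("oidc-provider", "read"),
    "DeleteOpenIDConnectProvider": ("oidc-provider", "write"),
    "PutUserPolicy": ("user-policy", "write"),
    "GetUserPolicy": ("user-policy", "read"),
    "ListUserPolicies": ("user-policy", "read"),
    "CreateRole": ("roles", "write"),
    "UpdateAssumeRolePolicy": ("roles", "write"),
    "ListRoles": ("roles", "read"),
}


def can_call(caps, operation):
    """True if the caps string grants the permission the operation needs."""
    cap, perm = REQUIRED_CAP[operation]
    return perm in parse_caps(caps).get(cap, set())


def missing_caps(caps, operations):
    """Operations the caller cannot perform, with the cap to add for each."""
    return {op: "=".join(REQUIRED_CAP[op]) for op in operations if not can_call(caps, op)}
```

A user with only `oidc-provider=read` can list providers but not create one, and `user-policy=*` (as in the radosgw-admin command above) is enough for PutUserPolicy.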