yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1897280] [NEW] Keystone does not accept Ceph STS and IAM auth requests

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Stuart Grace <1897280@xxxxxxxxxxxxxxxxxx>
Date: Fri, 25 Sep 2020 12:58:36 -0000
Reply-to: Bug 1897280 <1897280@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Public bug reported:

Ceph Object Gateway can use keystone for authenticating user requests to
its S3-compatible API, but recent versions also provide two other AWS-
compatible APIs for managing user access: Security Token Service (STS)
and Identity and Access Management (IAM). These attempt to authenticate
requests with Keystone but always receive 403 Access Denied. This is
because api/s3tokens.py only accepts "s3" as the service name.

Workaround: https://docs.ceph.com/en/latest/radosgw/STSLite
/#limitations-and-workarounds

** Affects: keystone
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1897280

Title:
  Keystone does not accept Ceph STS and IAM auth requests

Status in OpenStack Identity (keystone):
  New

Bug description:
  Ceph Object Gateway can use keystone for authenticating user requests
  to its S3-compatible API, but recent versions also provide two other
  AWS-compatible APIs for managing user access: Security Token Service
  (STS) and Identity and Access Management (IAM). These attempt to
  authenticate requests with Keystone but always receive 403 Access
  Denied. This is because api/s3tokens.py only accepts "s3" as the
  service name.

  Workaround: https://docs.ceph.com/en/latest/radosgw/STSLite
  /#limitations-and-workarounds

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1897280/+subscriptions

Follow ups

[Bug 1897280] Re: Keystone does not accept Ceph STS and IAM auth requests
From: OpenStack Infra, 2021-12-10