rgw/sts: GetCallerIdentity API by ArbitCode · Pull Request #63672 · ceph/ceph

ArbitCode · 2025-06-03T09:30:49Z

Contribution Guidelines

To sign and title your commits, please refer to Submitting Patches to Ceph.
If you are submitting a fix for a stable branch (e.g. "quincy"), please refer to Submitting Patches to Ceph - Backports for the proper workflow.
When filling out the below checklist, you may click boxes directly in the GitHub web UI. When entering or editing the entire PR message in the GitHub web UI editor, you may also select a checklist item by adding an x between the brackets: [x]. Spaces and capitalization matter when checking off items this way.

Checklist

Tracker (select at least one)
- References tracker ticket
- Very recent bug; references commit where it was introduced
- New feature (ticket optional)
- Doc update (no ticket needed)
- Code cleanup (no ticket needed)
Component impact
- Affects Dashboard, opened tracker ticket
- Affects Orchestrator, opened tracker ticket
- No impact that needs to be tracked
Documentation (select at least one)
- Updates relevant documentation
- No doc update is appropriate
Tests (select at least one)
- Includes unit test(s)
- Includes integration test(s)
- Includes bug reproducer
- No tests

Show available Jenkins commands

jenkins test classic perf Jenkins Job | Jenkins Job Definition
jenkins test crimson perf Jenkins Job | Jenkins Job Definition
jenkins test signed Jenkins Job | Jenkins Job Definition
jenkins test make check Jenkins Job | Jenkins Job Definition
jenkins test make check arm64 Jenkins Job | Jenkins Job Definition
jenkins test submodules Jenkins Job | Jenkins Job Definition
jenkins test dashboard Jenkins Job | Jenkins Job Definition
jenkins test dashboard cephadm Jenkins Job | Jenkins Job Definition
jenkins test api Jenkins Job | Jenkins Job Definition
jenkins test docs ReadTheDocs | Github Workflow Definition
jenkins test ceph-volume all Jenkins Jobs | Jenkins Jobs Definition
jenkins test windows Jenkins Job | Jenkins Job Definition
jenkins test rook e2e Jenkins Job | Jenkins Job Definition

src/rgw/rgw_rest_sts.cc

pritha-srivastava · 2025-06-04T07:59:40Z

@cbodley : we found a test case that creates a role in an account here https://github.com/ceph/s3-tests/blob/master/s3tests_boto3/functional/test_iam.py:test_account_role_create. Is there any test case that tests assume role using cross account access (not tenants).

cbodley · 2025-06-04T12:22:37Z

@cbodley : we found a test case that creates a role in an account here https://github.com/ceph/s3-tests/blob/master/s3tests_boto3/functional/test_iam.py:test_account_role_create. Is there any test case that tests assume role using cross account access (not tenants).

the examples i found:
test_cross_account_role_policy_allow
test_account_role_policy_allow_create_bucket
test_account_role_policy_allow_get_role

src/rgw/rgw_rest_sts.cc

src/rgw/rgw_rest_account.cc

cbodley · 2025-06-17T13:59:15Z

src/rgw/rgw_auth.cc

+  string key = "aws:userid";
+  string value = user_info.type == TYPE_ROOT ? user_info.account_id : user_info.user_id.id;
+  s->env.emplace(key, value);


👍 but you can please update RemoteApplier too?

sure, I find user_info is missing,
should I load user_info to check user type?
or without loading user_info can i proceed as I get userid

const AuthInfo info;

string key = "aws:userid"; string value = info.acct_user.id; s->env.emplace(key, value);

your use of AuthInfo info looks correct to me 👍

thank you 👍🏻 pushed new update.

👍 but you can please update RemoteApplier too?

@cbodley does this really apply to RemoteApplier?

doesn't RemoteApplier support all the other interactions with iam policy? RemoteApplier::is_identity() matches policy Principals based on info.acct_user.id, and RemoteApplier::load_acct_info() produces a s->user whose uid comes from info.acct_user

yes, but RemoteApplier is meant for Keystone/LDAP users, whereas GetCallerIdentity is mostly for IAM user/root user or roles.

We can add functionality for aws:userid to RemoteApplier, and then we will need to add implementation to its get_caller_indentity() method also? (right now it returns nullopt)

yes, but RemoteApplier is meant for Keystone/LDAP users, whereas GetCallerIdentity is mostly for IAM user/root user or roles.

this is probably analogous to 'federated users' in sts? but our existing code presents these as normal s3 users

so i think RemoteApplier::get_caller_indentity() would return the same kind of user arn that it matches through is_identity(): "arn:aws:iam::{account id or tentant}:user/{userid}"

ok, sounds fine to me. @ArbitCode : add implementation for get_caller_indentity() in RemoteApplier also

@pritha-srivastava I added imp for get_caller_identity() in RemoteApplier

pritha-srivastava · 2025-06-18T04:37:31Z

Overall the PR looks fine to me.

cbodley · 2025-06-18T14:50:25Z

Overall the PR looks fine to me.

same! but we should add s3test coverage for this API - at least for LocalApplier and RoleApplier cases

cbodley · 2025-06-23T17:03:55Z

src/rgw/rgw_auth.cc

+  std::unique_ptr<rgw::sal::User> user = driver->get_user(owner_acct_user);
+  auto user_info = user->get_info();
+  bool has_account_id = !user_info.account_id.empty();
+  std::string acct = has_account_id ? user_info.account_id : user_info.user_id.tenant;
+  if(user_info.type == TYPE_ROOT) {
+    return rgw::ARN("", "root", acct, true);


driver->get_user() just allocates a handle, it doesn't load it from the backend - and we shouldn't try to load it here

RemoteApplier::load_acct_info() will have already loaded this 'shadow user' if it exists, or called RemoteApplier::create_account() to make a new one

if get_caller_identity() needs additional information from the RGWUserInfo, load_acct_info() should stash that in a member variable like we do with the account info:

// account and policies are loaded by load_acct_info() mutable std::optional<RGWAccountInfo> account;

but if we're just trying to be consistent with what we match in RemoteApplier::is_identity(), this alone should be sufficient:

return rgw::ARN(owner_acct_user.id, "user", owner_acct_user.tenant, true);

okay, but there was a example where driver->get_user() was used RemoteApplier::create_account().

Yes, Below is sufficient.

return rgw::ARN(owner_acct_user.id, "user", owner_acct_user.tenant, true);

pritha-srivastava · 2025-06-30T04:01:33Z

src/rgw/rgw_auth.cc

@@ -1032,11 +1032,20 @@ auto rgw::auth::RemoteApplier::load_acct_info(const DoutPrefixProvider* dpp) con

 void rgw::auth::RemoteApplier::modify_request_state(const DoutPrefixProvider* dpp, req_state* s) const


shouldn't RemoteApplier::get_caller_identity be moved to previous commit?

pritha-srivastava · 2025-06-30T04:07:22Z

src/rgw/rgw_auth.cc


+std::optional<rgw::ARN> rgw::auth::RemoteApplier::get_caller_identity() const 
+{
+  return rgw::ARN(owner_acct_user.id, "user", owner_acct_user.tenant, true);


@cbodley : are keystone/ldap users created under accounts? from the comments I see handling for global tenant/implicit tenants only.

are keystone/ldap users created under accounts?

no, RemoteApplier::create_account() only creates the 'shadow user' - no 'shadow accounts'

though once a shadow user exists, it is possible to migrate that into an account via https://docs.ceph.com/en/latest/radosgw/account/#migrate-an-existing-user-into-an-account

Tracker: https://tracker.ceph.com/issues/72157 Signed-off-by: Raja Sharma <raja@ibm.com>

ArbitCode requested a review from a team as a code owner June 3, 2025 09:30

github-actions bot added the rgw label Jun 3, 2025

ArbitCode force-pushed the wip-raja-get-caller-identity branch from 3926115 to bc257a7 Compare June 3, 2025 12:30

pritha-srivastava reviewed Jun 3, 2025

View reviewed changes