Merge pull request #42704 from wzbxqt327/patch-1

author J. Eric Ivancich <ivancich@redhat.com>

Wed, 27 Oct 2021 13:28:47 +0000 (09:28 -0400)

committer GitHub <noreply@github.com>

Wed, 27 Oct 2021 13:28:47 +0000 (09:28 -0400)
author J. Eric Ivancich <ivancich@redhat.com>
Wed, 27 Oct 2021 13:28:47 +0000 (09:28 -0400)
committer GitHub <noreply@github.com>
Wed, 27 Oct 2021 13:28:47 +0000 (09:28 -0400)
diff --cc doc/radosgw/STS.rst

index e26e68e3b6a82a523483ad6424e75988af850a9a,6cfb28dd4f1ca185b4cd193c470c924c063d2b10..b4cd67148b582fab6daf8f3a0ba1b2ce2015d408
--- 1/doc/radosgw/STS.rst
--- 2/doc/radosgw/STS.rst
+++ b/doc/radosgw/STS.rst
@@@ -63,22 -63,13 +63,22 @@@ Parameters
   Before invoking AssumeRoleWithWebIdentity, an OpenID Connect Provider entity (which the web application
   authenticates with), needs to be created in RGW.
   
- -The trust between the IDP and the role is created by adding a Condition to the role trust policy, which
- -allows access only to applications with the app id given in the trust policy document. The Condition
- -is of the form::
+ +The trust between the IDP and the role is created by adding a condition to the role's trust policy, which
+ +allows access only to applications which satisfy the given condition.
+ +All claims of the JWT are supported in the condition of the role's trust policy.
+ +An example of a policy that uses the 'aud' claim in the condition is of the form::
   
-     "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Federated\":[\"arn:aws:iam:::oidc-provider/<URL of IDP>\"]},\"Action\":[\"sts:AssumeRoleWithWebIdentity\"],\"Condition\":{\"StringEquals\":{\"<URL of IDP> :app_id\":\"<aud>\"\}\}\}\]\}"
+     '''{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Federated":["arn:aws:iam:::oidc-provider/<URL of IDP>"]},"Action":["sts:AssumeRoleWithWebIdentity"],"Condition":{"StringEquals":{"<URL of IDP> :app_id":"<aud>"}}}]}'''
   
- -The app_id in the condition above must match the 'aud' field of the incoming token.
+ +The app_id in the condition above must match the 'aud' claim of the incoming token.
+ +
+ +An example of a policy that uses the 'sub' claim in the condition is of the form::
+ +
+ +    "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Federated\":[\"arn:aws:iam:::oidc-provider/<URL of IDP>\"]},\"Action\":[\"sts:AssumeRoleWithWebIdentity\"],\"Condition\":{\"StringEquals\":{\"<URL of IDP> :sub\":\"<sub>\"\}\}\}\]\}"
+ +
+ +Similarly, an example of a policy that uses 'azp' claim in the condition is of the form::
+ +
+ +    "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Federated\":[\"arn:aws:iam:::oidc-provider/<URL of IDP>\"]},\"Action\":[\"sts:AssumeRoleWithWebIdentity\"],\"Condition\":{\"StringEquals\":{\"<URL of IDP> :azp\":\"<azp>\"\}\}\}\]\}"
   
   A shadow user is created corresponding to every federated user. The user id is derived from the 'sub' field of the incoming web token.
   The user is created in a separate namespace - 'oidc' such that the user id doesn't clash with any other user ids in rgw. The format of the user id
diff --cc doc/radosgw/role.rst
Simple merge
diff --cc src/rgw/rgw_admin.cc
Simple merge
diff --cc src/test/cli/radosgw-admin/help.t
Simple merge
author	J. Eric Ivancich <ivancich@redhat.com>
	Wed, 27 Oct 2021 13:28:47 +0000 (09:28 -0400)
committer	GitHub <noreply@github.com>
	Wed, 27 Oct 2021 13:28:47 +0000 (09:28 -0400)
		1	2
doc/radosgw/STS.rst	patch \|	diff1 \|	diff2 \|	blob \| history
doc/radosgw/role.rst	patch \|	diff1 \|	diff2 \|	blob \| history
src/rgw/rgw_admin.cc	patch \|	diff1 \|	diff2 \|	blob \| history
src/test/cli/radosgw-admin/help.t	patch \|	diff1 \|	diff2 \|	blob \| history