ceph/doc/radosgw/oidc.rst

144 lines
3.8 KiB
ReStructuredText
Raw Permalink Normal View History

===============================
OpenID Connect Provider in RGW
===============================
An entity describing the OpenID Connect Provider needs to be created in RGW, in order to establish trust between the two.
REST APIs for Manipulating an OpenID Connect Provider
=====================================================
The following REST APIs can be used for creating and managing an OpenID Connect Provider entity in RGW.
In order to invoke the REST admin APIs, a user with admin caps needs to be created.
.. code-block:: javascript
radosgw-admin --uid TESTER --display-name "TestUser" --access_key TESTER --secret test123 user create
radosgw-admin caps add --uid="TESTER" --caps="oidc-provider=*"
CreateOpenIDConnectProvider
---------------------------------
Create an OpenID Connect Provider entity in RGW
Request Parameters
~~~~~~~~~~~~~~~~~~
``ClientIDList.member.N``
:Description: List of Client Ids that needs access to S3 resources.
:Type: Array of Strings
``ThumbprintList.member.N``
:Description: List of OpenID Connect IDP's server certificates' thumbprints. A maximum of 5 thumbprints are allowed.
:Type: Array of Strings
``Url``
:Description: URL of the IDP.
:Type: String
Example::
POST "<hostname>?Action=Action=CreateOpenIDConnectProvider
&ThumbprintList.list.1=F7D7B3515DD0D319DD219A43A9EA727AD6065287
&ClientIDList.list.1=app-profile-jsp
&Url=http://localhost:8080/auth/realms/quickstart"
DeleteOpenIDConnectProvider
---------------------------
Deletes an OpenID Connect Provider entity in RGW
Request Parameters
~~~~~~~~~~~~~~~~~~
``OpenIDConnectProviderArn``
:Description: ARN of the IDP which is returned by the Create API.
:Type: String
Example::
POST "<hostname>?Action=Action=DeleteOpenIDConnectProvider
&OpenIDConnectProviderArn=arn:aws:iam:::oidc-provider/localhost:8080/auth/realms/quickstart"
GetOpenIDConnectProvider
---------------------------
Gets information about an IDP.
Request Parameters
~~~~~~~~~~~~~~~~~~
``OpenIDConnectProviderArn``
:Description: ARN of the IDP which is returned by the Create API.
:Type: String
Example::
POST "<hostname>?Action=Action=GetOpenIDConnectProvider
&OpenIDConnectProviderArn=arn:aws:iam:::oidc-provider/localhost:8080/auth/realms/quickstart"
ListOpenIDConnectProviders
--------------------------
Lists information about all IDPs
Request Parameters
~~~~~~~~~~~~~~~~~~
None
Example::
POST "<hostname>?Action=Action=ListOpenIDConnectProviders
AddClientIDToOpenIDConnectProvider
----------------------------------
Add a client id to the list of existing client ids registered while creating an OpenIDConnectProvider.
Request Parameters
~~~~~~~~~~~~~~~~~~
``OpenIDConnectProviderArn``
:Description: ARN of the IDP which is returned by the Create API.
:Type: String
``ClientID``
:Description: Client Id to add to the existing OpenIDConnectProvider.
:Type: String
Example::
POST "<hostname>?Action=Action=AddClientIDToOpenIDConnectProvider
&OpenIDConnectProviderArn=arn:aws:iam:::oidc-provider/localhost:8080/auth/realms/quickstart
&ClientID=app-jee-jsp"
UpdateOpenIDConnectProviderThumbprint
-------------------------------------
Update the existing thumbprint list of an OpenIDConnectProvider with the given list.
This API removes the existing thumbprint list and replaces that with the input thumbprint list.
Request Parameters
~~~~~~~~~~~~~~~~~~
``OpenIDConnectProviderArn``
:Description: ARN of the IDP which is returned by the Create API.
:Type: String
``ThumbprintList.member.N``
:Description: List of OpenID Connect IDP's server certificates' thumbprints. A maximum of 5 thumbprints are allowed.
:Type: Array of Strings
Example::
POST "<hostname>?Action=Action=UpdateOpenIDConnectProviderThumbprint
&OpenIDConnectProviderArn=arn:aws:iam:::oidc-provider/localhost:8080/auth/realms/quickstart
&&ThumbprintList.list.1=ABCDB3515DD0D319DD219A43A9EA727AD6061234"