That's fantastic Adam! Waiting eagerly for the next dev or RC release of Luminous where we can test this functionality out in our setup. Thank you!

Regards,
Vaibhav

On Mon, Mar 6, 2017 at 3:00 PM, Adam C. Emerson <aemerson@xxxxxxxxxx> wrote:
> On 06/03/2017, Vaibhav Bhembre wrote:
>> Hello Cephers!
>>
>> We know there is ongoing work that implements a certain subset of AWS
>> Security Token Service for RGW endpoints and were curious to know if it'd
>> include the ability to apply bucket-wide constraints as follows:
>>
>> {
>>   "Version":"2012-10-17",
>>   "Statement":[
>>     {
>>       "Sid":"AddCannedAcl",
>>       "Effect":"Allow",
>>       "Principal": {"AWS":
>>         ["arn:aws:iam::111122223333:root","arn:aws:iam::444455556666:root"]},
>>       "Action":["s3:PutObject","s3:PutObjectAcl"],
>>       "Resource":["arn:aws:s3:::examplebucket/*"]
>>     }
>>   ]
>> }
>>
>> In lieu of such facility, presently the only way to update permissions of
>> all objects within a bucket is to apply those permissions on each object
>> individually, which isn't always practical.
>>
>> It'd be quite helpful to have this feature in Luminous, if possible!
>
> Yes. That functionality SHOULD work. There's a bug at present where it
> doesn't now, but I traced that back to it being blocked by the owner
> check and I'm fixing that up.
>
> Once I make sure that we can add policies through REST and the
> radosgw_admin tool, I'll hammer on test and debug. We should have
> everything ready for Luminous fairly soon.
>
> At the moment, the account ID is just the tenant name. Sometime in the
> future we'll be reifying tenants to some degree so you can make sure
> they have an account number that matches up with your AWS ID if you
> want to do mirroring, but I don't think that's necessary for the
> initial rollout/preview functionality.
>
> --
> Senior Software Engineer Red Hat Storage, Ann Arbor, MI, US
> IRC: Aemerson@{RedHat, OFTC}
> 0x80F7544B90EDBFB9 E707 86BA 0C1B 62CC 152C 7C12 80F7 544B 90ED BFB9
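To make concrete why a single bucket policy replaces per-object ACL updates, here is an added example (not code from this thread and not RGW's own policy engine) that evaluates the policy Vaibhav posted against individual requests. It is a deliberately simplified, Allow-only evaluator: the real IAM/RGW rules for explicit Deny, Condition blocks, NotPrincipal and the like are assumed out of scope, and the request tuples and object keys are constructed for the demonstration.

```python
"""Simplified S3/RGW-style bucket policy evaluator (added example, not RGW code).

One Allow statement with Resource "arn:aws:s3:::examplebucket/*" covers every
object in the bucket, which is the bucket-wide constraint the thread asks about.
Semantics here are a subset of IAM: Allow statements only, '*' and '?' wildcards,
case-insensitive action names, case-sensitive principal and resource ARNs.
"""
import json
import re

# The policy posted in the thread, with the trailing comma removed so it parses.
BUCKET_POLICY = json.loads("""
{ "Version":"2012-10-17",
  "Statement":[
    {
      "Sid":"AddCannedAcl",
      "Effect":"Allow",
      "Principal": {"AWS":
        ["arn:aws:iam::111122223333:root","arn:aws:iam::444455556666:root"]},
      "Action":["s3:PutObject","s3:PutObjectAcl"],
      "Resource":["arn:aws:s3:::examplebucket/*"]
    }
  ]
}
""")


def _as_list(value):
    """IAM accepts either a single string or a list for Principal.AWS, Action, Resource."""
    return [value] if isinstance(value, str) else list(value)


def _wildcard_match(pattern, value):
    """IAM-style matching: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def _statement_principals(stmt):
    """Normalise the Principal element to a list of ARN patterns ('*' means anyone)."""
    principal = stmt.get("Principal", {})
    if isinstance(principal, str):          # "Principal": "*"
        return [principal]
    return _as_list(principal.get("AWS", []))


def is_allowed(policy, principal_arn, action, resource_arn):
    """True if some Allow statement covers the (principal, action, resource) triple."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(_wildcard_match(p, principal_arn) for p in _statement_principals(stmt)):
            continue
        if not any(_wildcard_match(a.lower(), action.lower()) for a in _as_list(stmt.get("Action", []))):
            continue
        if not any(_wildcard_match(r, resource_arn) for r in _as_list(stmt.get("Resource", []))):
            continue
        return True
    return False


def object_arn(bucket, key):
    """Build the S3 object ARN the Resource patterns are matched against."""
    return f"arn:aws:s3:::{bucket}/{key}"


def allowed_keys(policy, principal_arn, action, bucket, keys):
    """Return the subset of object keys the policy permits for this principal/action.

    With a bucket-wide Resource pattern this is all of them, with no per-object ACL."""
    return [k for k in keys if is_allowed(policy, principal_arn, action, object_arn(bucket, k))]


if __name__ == "__main__":
    # Constructed sample keys; every one is covered by the single "examplebucket/*" pattern.
    keys = ["photos/2017/a.jpg", "logs/access.log", "index.html"]
    owner_a = "arn:aws:iam::111122223333:root"
    stranger = "arn:aws:iam::999999999999:root"
    print(allowed_keys(BUCKET_POLICY, owner_a, "s3:PutObject", "examplebucket", keys))
    print(allowed_keys(BUCKET_POLICY, stranger, "s3:PutObject", "examplebucket", keys))
    print(allowed_keys(BUCKET_POLICY, owner_a, "s3:GetObject", "examplebucket", keys))
    print(allowed_keys(BUCKET_POLICY, owner_a, "s3:PutObject", "otherbucket", keys))
```

The evaluator also shows the boundary of the posted policy: the bucket ARN itself (`arn:aws:s3:::examplebucket`, used by bucket-level operations) does not match `examplebucket/*`, so a real deployment that also needs bucket-level actions would add a second Resource entry for the bucket ARN.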