Yeah, I was thinking about that, and it will be the alternative for me too...
On Friday, March 6, 2015 at 18:20, ghislain.chevalier@xxxxxxxxxx wrote:
-------- Original message --------
From: CHEVALIER Ghislain IMT/OLPS <ghislain.chevalier@xxxxxxxxxx>
Date: 06/03/2015 21:56 (GMT+01:00)
To: Italo Santos <okdokk@xxxxxxxxx>
Cc:
Subject: RE: [ceph-users] RadosGW - Bucket link and ACLs
Hi
We encountered this behavior when developing the rgw admin module in inkscope and we fixed it as follows:
As you created the user access key and secret key with the admin user, it seems better to create the bucket with these credentials.
Best regards
-------- Original message --------
From: Italo Santos <okdokk@xxxxxxxxx>
Date: 06/03/2015 20:52 (GMT+01:00)
To: ceph-users@xxxxxxxxxxxxxx
Cc:
Subject: [ceph-users] RadosGW - Bucket link and ACLs
Hello,
I’m building an object storage environment and I’m having trouble with some administration ops. To manage the entire environment, I decided to create an admin user and use it to manage the client users which I’ll create later.
Using the admin (called “italux”) I created a new user (called “cliente”) and after that I created a new bucket with the admin user (called cliente-bucket). After that, still using the admin, I changed the permissions of the “cliente-bucket” (which is owned by admin), granting FULL_CONTROL to the “cliente” user.
So, using the admin API, I unlinked the “cliente-bucket” from the admin user and linked it to the “cliente” user, changing the ownership of the bucket:
In [86]: url = 'http://radosgw.example.com/admin/bucket?format=json&bucket=cliente-bucket'
In [87]: r = requests.get(url, auth=S3Auth(access_key, secret_key, server))
In [88]: r.content
Out[88]: '{"bucket":"cliente-bucket","pool":".rgw.buckets","index_pool":".rgw.buckets.index","id":"default.4361528.1","marker":"default.4361528.1","owner":"cliente","ver":1,"master_ver":0,"mtime":1425670280,"max_marker":"","usage":{},"bucket_quota":{"enabled":false,"max_size_kb":-1,"max_objects":-1}}'
After that, when I try to change the permissions/ACLs of the bucket using the “cliente” user, I get AccessDenied. Looking at the raw debug logs, it seems that the owner of the bucket wasn’t changed. Does anyone know why?
RadosGW debug logs:
2015-03-06 16:32:55.943167 7fd32bf57700 1 ====== starting new request req=0x3cf78a0 =====
2015-03-06 16:32:55.943183 7fd32bf57700 2 req 2:0.000016::PUT /::initializing
2015-03-06 16:32:55.943189 7fd32bf57700 10 host=cliente-bucket.radosgw.example.com rgw_dns_name=object-storage.locaweb.com.br
2015-03-06 16:32:55.943220 7fd32bf57700 10 s->object=<NULL> s->bucket=cliente-bucket
2015-03-06 16:32:55.943225 7fd32bf57700 2 req 2:0.000057:s3:PUT /::getting op
2015-03-06 16:32:55.943230 7fd32bf57700 2 req 2:0.000062:s3:PUT /:put_acls:authorizing
2015-03-06 16:32:55.943269 7fd32bf57700 10 get_canon_resource(): dest=/cliente-bucket/?acl
2015-03-06 16:32:55.943272 7fd32bf57700 10 auth_hdr:PUT
Fri, 06 Mar 2015 19:32:55 GMT
/cliente-bucket/?acl
2015-03-06 16:32:55.943370 7fd32bf57700 15 calculated digest=xtSrQR+GsHyqjqGLdiPmjoP62x4=
2015-03-06 16:32:55.943375 7fd32bf57700 15 auth_sign=xtSrQR+GsHyqjqGLdiPmjoP62x4=
2015-03-06 16:32:55.943377 7fd32bf57700 15 compare=0
2015-03-06 16:32:55.943384 7fd32bf57700 2 req 2:0.000216:s3:PUT /:put_acls:reading permissions
2015-03-06 16:32:55.943425 7fd32bf57700 15 Read AccessControlPolicy<AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/"><Owner><ID>italux</ID><DisplayName>Italo Santos</DisplayName></Owner><AccessControlList><Grant><Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser"><ID>cliente</ID><DisplayName>Cliente</DisplayName></Grantee><Permission>FULL_CONTROL</Permission></Grant></AccessControlList></AccessControlPolicy>
2015-03-06 16:32:55.943441 7fd32bf57700 2 req 2:0.000273:s3:PUT /:put_acls:init op
2015-03-06 16:32:55.943447 7fd32bf57700 2 req 2:0.000280:s3:PUT /:put_acls:verifying op mask
2015-03-06 16:32:55.943451 7fd32bf57700 20 required_mask= 2 user.op_mask=7
2015-03-06 16:32:55.943453 7fd32bf57700 2 req 2:0.000286:s3:PUT /:put_acls:verifying op permissions
2015-03-06 16:32:55.943457 7fd32bf57700 5 Searching permissions for uid=cliente mask=56
2015-03-06 16:32:55.943461 7fd32bf57700 5 Found permission: 15
2015-03-06 16:32:55.943462 7fd32bf57700 5 Searching permissions for group=1 mask=56
2015-03-06 16:32:55.943464 7fd32bf57700 5 Permissions for group not found
2015-03-06 16:32:55.943466 7fd32bf57700 5 Searching permissions for group=2 mask=56
2015-03-06 16:32:55.943468 7fd32bf57700 5 Permissions for group not found
2015-03-06 16:32:55.943469 7fd32bf57700 5 Getting permissions id=cliente owner=italux perm=8
2015-03-06 16:32:55.943471 7fd32bf57700 10 uid=cliente requested perm (type)=8, policy perm=8, user_perm_mask=8, acl perm=8
2015-03-06 16:32:55.943475 7fd32bf57700 2 req 2:0.000308:s3:PUT /:put_acls:verifying op params
2015-03-06 16:32:55.943480 7fd32bf57700 2 req 2:0.000313:s3:PUT /:put_acls:executing
2015-03-06 16:32:55.943547 7fd32bf57700 15 read len=831 data=<?xml version="1.0" encoding="UTF-8"?><AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/"><Owner><ID>italux</ID><DisplayName>Italo Santos</DisplayName></Owner><AccessControlList><Grant><Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser"><ID>italux</ID><DisplayName>Italo Santos</DisplayName></Grantee><Permission>READ</Permission></Grant><Grant><Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser"><ID>italux</ID><DisplayName>Italo Santos</DisplayName></Grantee><Permission>WRITE</Permission></Grant><Grant><Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser"><ID>cliente</ID><DisplayName>Cliente</DisplayName></Grantee><Permission>FULL_CONTROL</Permission></Grant></AccessControlList></AccessControlPolicy>
2015-03-06 16:32:55.943750 7fd32bf57700 15 Old AccessControlPolicy<AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/"><Owner><ID>italux</ID><DisplayName>Italo Santos</DisplayName></Owner><AccessControlList><Grant><Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser"><ID>cliente</ID><DisplayName>Cliente</DisplayName></Grantee><Permission>FULL_CONTROL</Permission></Grant><Grant><Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser"><ID>italux</ID><DisplayName>Italo Santos</DisplayName></Grantee><Permission>READ</Permission></Grant><Grant><Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser"><ID>italux</ID><DisplayName>Italo Santos</DisplayName></Grantee><Permission>WRITE</Permission></Grant></AccessControlList></AccessControlPolicy>
2015-03-06 16:32:55.943977 7fd32bf57700 2 req 2:0.000809:s3:PUT /:put_acls:http status=403
2015-03-06 16:32:55.943986 7fd32bf57700 1 ====== req done req=0x3cf78a0 http_status=403 ======
_______________________________________________ ceph-users mailing list ceph-users@xxxxxxxxxxxxxx http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
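
The thread shows two views of the same bucket disagreeing: the admin API reports owner "cliente", while the AccessControlPolicy in the debug log still names "italux" as Owner. The Python check below is an added example, not code from any of the messages or from Ceph; it compares the two and lists grants held by anyone other than the metadata owner. The function names are hypothetical and the sample input is reduced from the JSON and the "Old AccessControlPolicy" quoted in the thread.

```python
import json
import xml.etree.ElementTree as ET

NS = {"s3": "http://s3.amazonaws.com/doc/2006-03-01/"}

# Sample input reduced from the thread (DisplayName elements and unused JSON keys omitted).
BUCKET_INFO = '{"bucket": "cliente-bucket", "owner": "cliente"}'
GRANT = ('<Grant><Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" '
         'xsi:type="CanonicalUser"><ID>{}</ID></Grantee>'
         '<Permission>{}</Permission></Grant>')
ACL_XML = ('<AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/">'
           '<Owner><ID>italux</ID></Owner><AccessControlList>'
           + "".join(GRANT.format(u, p) for u, p in
                     [("cliente", "FULL_CONTROL"), ("italux", "READ"), ("italux", "WRITE")])
           + '</AccessControlList></AccessControlPolicy>')


def parse_acl(acl_xml):
    """Return (owner_id, [(grantee, permission), ...]) from an S3 ACL document."""
    root = ET.fromstring(acl_xml)
    owner = root.findtext("s3:Owner/s3:ID", namespaces=NS)
    grants = []
    for grant in root.findall("s3:AccessControlList/s3:Grant", NS):
        # Canonical users carry an ID; group grantees carry a URI instead.
        grantee = (grant.findtext("s3:Grantee/s3:ID", namespaces=NS)
                   or grant.findtext("s3:Grantee/s3:URI", namespaces=NS))
        grants.append((grantee, grant.findtext("s3:Permission", namespaces=NS)))
    return owner, grants


def audit_bucket(bucket_info_json, acl_xml):
    """Compare the owner in bucket metadata with the owner stored in the ACL."""
    meta_owner = json.loads(bucket_info_json)["owner"]
    acl_owner, grants = parse_acl(acl_xml)
    findings = []
    if acl_owner != meta_owner:
        findings.append(f"owner mismatch: metadata={meta_owner} acl={acl_owner}")
    for grantee, perm in grants:
        if grantee != meta_owner:
            findings.append(f"grant to non-owner: {grantee} {perm}")
    return findings


if __name__ == "__main__":
    for line in audit_bucket(BUCKET_INFO, ACL_XML):
        print(line)
```

Run against every bucket after an unlink/link operation, a check like this surfaces buckets whose stored ACL still names the previous owner.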