Hello,

We are using ceph version 10.2.0 (3a9fba20ec743699b69bd0181dd6c54dc01c64b9) and radosgw for our object storage. Everything is in production and running fine, but now I got a request from a customer that they need a new S3 user, but with full_control access to some of the existing buckets owned by the current user. I've been playing with this for 2 days but without any success. Is there a way to implement this kind of setup? I have tried setting ACLs on a bucket, also without success...

Current user:

    {
        "user_id": "xxx",
        "display_name": "xxx",
        "email": "",
        "suspended": 0,
        "max_buckets": 10000000,
        "auid": 0,
        "subusers": [],
        "keys": [
            {
                "user": "xxx",
                "access_key": "xxxx",
                "secret_key": "xxxx"
            }
        ],
        "swift_keys": [],
        "caps": [],
        "op_mask": "read, write, delete",
        "default_placement": "",
        "placement_tags": [],
        "bucket_quota": {
            "enabled": false,
            "max_size_kb": -1,
            "max_objects": -1
        },
        "user_quota": {
            "enabled": false,
            "max_size_kb": -1,
            "max_objects": -1
        },
        "temp_url_keys": []
    }

New user:

    {
        "user_id": "yyy",
        "display_name": "yyy",
        "email": "",
        "suspended": 0,
        "max_buckets": 1000,
        "auid": 0,
        "subusers": [],
        "keys": [
            {
                "user": "yyy",
                "access_key": "yyy",
                "secret_key": "yyy"
            }
        ],
        "swift_keys": [],
        "caps": [],
        "op_mask": "read, write, delete",
        "default_placement": "",
        "placement_tags": [],
        "bucket_quota": {
            "enabled": false,
            "max_size_kb": -1,
            "max_objects": -1
        },
        "user_quota": {
            "enabled": false,
            "max_size_kb": -1,
            "max_objects": -1
        },
        "temp_url_keys": []
    }

Bucket policy that I'm testing on:

    {
        "acl": {
            "acl_user_map": [
                {
                    "user": "xxx",
                    "acl": 15
                }
            ],
            "acl_group_map": [],
            "grant_map": [
                {
                    "id": "xxx",
                    "grant": {
                        "type": {
                            "type": 0
                        },
                        "id": "xxx",
                        "email": "",
                        "permission": {
                            "flags": 15
                        },
                        "name": "xxx",
                        "group": 0
                    }
                }
            ]
        },
        "owner": {
            "id": "xxx",
            "display_name": "xxx"
        }
    }

Bucket stats:

    {
        "bucket": "test ",
        "pool": "default.rgw.buckets.data",
        "index_pool": "default.rgw.buckets.index",
        "id": "ef4069bf-70fb-4414-a9d9-6bf5b32608fb.34127.35",
        "marker": "ef4069bf-70fb-4414-a9d9-6bf5b32608fb.34127.35",
        "owner": "xxx",
        "ver": "0#273",
        "master_ver": "0#0",
        "mtime": "2016-10-20 11:35:33.164214",
        "max_marker": "0#",
        "usage": {
            "rgw.main": {
                "size_kb": 1,
                "size_kb_actual": 4,
                "num_objects": 1
            },
            "rgw.multimeta": {
                "size_kb": 0,
                "size_kb_actual": 0,
                "num_objects": 0
            }
        },
        "bucket_quota": {
            "enabled": false,
            "max_size_kb": -1,
            "max_objects": -1
        }
    }

I have tried setting an ACL on that bucket:

    s3cmd setacl --acl-grant=full_control:yyy --recursive s3://test/
    ERROR: S3 error: 400 (InvalidArgument)

Relevant part from the log:

    2016-11-11 09:15:31.924714 7fb09b7fe700 10 cache get: name=default.rgw.users.uid+yyy : type miss (requested=6, cached=0)
    2016-11-11 09:15:31.926125 7fb09b7fe700 10 cache put: name=default.rgw.users.uid+yyy info.flags=0
    2016-11-11 09:15:31.926133 7fb09b7fe700 10 moving default.rgw.users.uid+yyy to cache LRU end
    2016-11-11 09:15:31.926138 7fb09b7fe700 10 grant user does not exist:yyy
    2016-11-11 09:15:31.926152 7fb09b7fe700  2 req 19927701:0.002407:s3:PUT /test/test.txt:put_acls:completing
    2016-11-11 09:15:31.926204 7fb09b7fe700  2 req 19927701:0.002460:s3:PUT /test/test.txt:put_acls:op status=-22
    2016-11-11 09:15:31.926207 7fb09b7fe700  2 req 19927701:0.002463:s3:PUT /test/test.txt:put_acls:http status=400
    2016-11-11 09:15:31.926210 7fb09b7fe700  1 ====== req done req=0x7fb09b7f8690 op status=-22 http_status=400 ======
    2016-11-11 09:15:31.926223 7fb09b7fe700 20 process_request() returned -22

Could this be a bug?

Let's say my user is called userTest, and I'm executing "s3cmd setacl --acl-grant=full_control:userTest --recursive s3://test", but the log says it can't find usertest (without the capital T)...

Anyway, I have tried the exact same thing with user usertest without the capital letters:

    s3cmd setacl --acl-grant=read:"yyy" --recursive s3://test
    s3://test/test.txt: ACL updated
    s3://test/test2.txt: ACL updated

With the yyy user:

    s3cmd -c .s3cfg_TEST ls s3://

returns nothing... Although, I can access the object with:

    s3cmd -c .s3cfg_TEST get s3://test/test.txt
    download: 's3://test/test.txt' -> './test.txt'  [1 of 1]
     17 of 17   100% in    0s     3.49 kB/s  done

Even with the ACL set to full_control for the new user, the same thing happens: the user can't read the bucket content, but can access the objects in that bucket (assuming he knows the exact object name)...

Could someone point me to a direction I should look at?

TIA

Best regards
_______________________________________________ ceph-users mailing list ceph-users@xxxxxxxxxxxxxx http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
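As an added illustration of the two separate authorisation checks behind the symptom in the thread (object GET works, bucket listing does not), here is a small Python model. It is not Ceph or s3cmd code. It follows S3 semantics as documented: ListObjects is authorised against the bucket's own ACL, GetObject against that object's ACL, and a grantee id must match exactly. The permission bit values are taken from radosgw's rgw_acl.h as I know it (READ=1, WRITE=2, READ_ACP=4, WRITE_ACP=8, FULL_CONTROL=15; 15 is the value the bucket ACL dump above shows for the owner), and the two ACL documents are constructed samples in the same shape as that dump.

```python
"""Added model (not Ceph code) of S3/RGW ACL evaluation: bucket LIST is
checked against the bucket ACL, object GET against the object ACL, and
grantee ids are compared as exact strings. Bit values assumed from rgw_acl.h."""
import copy
import json

RGW_PERM_READ = 0x01
RGW_PERM_WRITE = 0x02
RGW_PERM_READ_ACP = 0x04
RGW_PERM_WRITE_ACP = 0x08
RGW_PERM_FULL_CONTROL = 0x0F  # READ|WRITE|READ_ACP|WRITE_ACP, the "acl": 15 in the dump

# Constructed sample mirroring the thread's bucket ACL: owner xxx only.
BUCKET_ACL = json.loads("""{
  "acl": {"acl_user_map": [{"user": "xxx", "acl": 15}],
          "acl_group_map": [],
          "grant_map": [{"id": "xxx", "grant": {"type": {"type": 0}, "id": "xxx",
                         "email": "", "permission": {"flags": 15},
                         "name": "xxx", "group": 0}}]},
  "owner": {"id": "xxx", "display_name": "xxx"}
}""")

# Constructed sample: an object's ACL after a recursive "read" grant to yyy was
# written to the objects (the bucket's own ACL stays as BUCKET_ACL above).
OBJECT_ACL = json.loads("""{
  "acl": {"acl_user_map": [{"user": "xxx", "acl": 15}, {"user": "yyy", "acl": 1}],
          "acl_group_map": [], "grant_map": []},
  "owner": {"id": "xxx", "display_name": "xxx"}
}""")


def user_perms(acl_doc):
    """Map user id -> permission bits from an RGW-style ACL document."""
    return {e["user"]: int(e["acl"]) for e in acl_doc["acl"]["acl_user_map"]}


def is_allowed(acl_doc, user_id, needed):
    """The owner always passes; anyone else needs grant bits covering `needed`.
    The lookup is an exact string match: 'userTest' and 'usertest' differ."""
    if acl_doc["owner"]["id"] == user_id:
        return True
    return user_perms(acl_doc).get(user_id, 0) & needed == needed


def can_list_bucket(bucket_acl, user_id):
    """ListObjects requires READ on the bucket ACL, not on any object ACL."""
    return is_allowed(bucket_acl, user_id, RGW_PERM_READ)


def can_get_object(object_acl, user_id):
    """GetObject requires READ on that object's own ACL."""
    return is_allowed(object_acl, user_id, RGW_PERM_READ)


def with_grant(acl_doc, user_id, perm):
    """Return a copy of acl_doc with `perm` merged into user_id's grant, keeping
    acl_user_map and grant_map in the same shape as the thread's dump."""
    doc = copy.deepcopy(acl_doc)
    entries = doc["acl"]["acl_user_map"]
    for entry in entries:
        if entry["user"] == user_id:
            entry["acl"] |= perm
            break
    else:
        entries.append({"user": user_id, "acl": perm})
    doc["acl"]["grant_map"].append({"id": user_id, "grant": {
        "type": {"type": 0}, "id": user_id, "email": "",
        "permission": {"flags": perm}, "name": user_id, "group": 0}})
    return doc


def explain_missing_grant(acl_doc, user_id):
    """Diagnostic: tell 'no grant at all' apart from a case-only id mismatch."""
    perms = user_perms(acl_doc)
    if user_id in perms:
        return "granted: bits=%d" % perms[user_id]
    near = [u for u in perms if u.lower() == user_id.lower()]
    if near:
        return "no grant for %r, but %r is granted (ids are case-sensitive)" % (user_id, near[0])
    return "no grant for %r" % user_id


if __name__ == "__main__":
    print("yyy can list bucket:", can_list_bucket(BUCKET_ACL, "yyy"))      # False
    print("yyy can get object:", can_get_object(OBJECT_ACL, "yyy"))        # True
    fixed = with_grant(BUCKET_ACL, "yyy", RGW_PERM_READ)
    print("after bucket grant, can list:", can_list_bucket(fixed, "yyy"))  # True
    lower = with_grant(BUCKET_ACL, "usertest", RGW_PERM_READ)
    print(explain_missing_grant(lower, "userTest"))
```

Running it reproduces the pattern from the thread: with READ only on the objects, `can_get_object` succeeds for yyy while `can_list_bucket` fails, and it succeeds only once the bucket ACL itself carries a READ grant for yyy. The diagnostic shows that a grant stored under a differently cased id is simply a different grantee to the exact-match lookup.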