----- Original Message -----
> From: "Graham Allan" <gta@xxxxxxx>
> To: "Pritha Srivastava" <prsrivas@xxxxxxxxxx>, "Adam C. Emerson" <aemerson@xxxxxxxxxx>
> Cc: "Ceph Users" <ceph-users@xxxxxxxxxxxxxx>
> Sent: Friday, July 21, 2017 3:17:02 AM
> Subject: Re: Bucket policies in Luminous
>
> Hmm, I have to admit to major user error here - my .s3cfg file was
> pointing at our jewel cluster, not luminous - no wonder the bucket
> policy didn't work. A bit embarrassing...
>
> Having corrected that, I can now set bucket policies without problem -
> thanks for the update!
>
> If I set a policy with an action of "s3:PutObject" then my permitted
> user can add files to the bucket.
>
> I'm a bit surprised that allowing "s3:GetObject" doesn't seem to permit
> reading the same object back out again. Even using a wildcard for the
> action, I haven't been able to fetch an object or read bucket contents.
> Admittedly I have no experience with AWS bucket policies so I could be
> doing something dumb...
>

I think for reading the object back, you need to provide Read permissions on the bucket. You can try setting the Action to s3:ListBucket, and then under Resources, list the bucket name and all objects under it (using *) or the object that you want to read back, like below:

Action: s3:ListBucket
Resource: [ "arn:aws:s3::*:my-bucket", "arn:aws:s3::*:my-bucket/*" ]

Thanks,
Pritha

> Thanks,
>
> Graham
>
> On 07/17/2017 06:33 PM, Graham Allan wrote:
> > Thanks for the update. I saw there was a set of new 12.1.1 packages
> > today so I updated to these (appears to contain the update below),
> > rather than build my own radosgw.
> >
> > I'm not sure what changed; I don't get a crash now but I don't seem able
> > to set any policy now.
> >
> > my sample policy:
> >
> > % cat s3policy
> > {
> >   "Version": "2012-10-17",
> >   "Statement": [
> >     {
> >       "Effect": "Allow",
> >       "Principal": {"AWS": ["arn:aws:iam:::user/gta2"]},
> >       "Action": "s3:ListBucket",
> >       "Resource": ["arn:aws:s3:::gta/*"]
> >     }
> >   ]
> > }
> >
> > but...
> >
> > % s3cmd setpolicy s3policy s3://gta
> > ERROR: S3 error: 400 (InvalidArgument)
> >
> > I have "debug rgw = 20" but nothing revealing in the logs.
> >
> > Do you see anything obviously wrong in my policy file?
> >
> > Thanks,
> >
> > Graham
> >
> > On 07/12/2017 11:27 PM, Pritha Srivastava wrote:
> >>
> >> ----- Original Message -----
> >>> From: "Adam C. Emerson" <aemerson@xxxxxxxxxx>
> >>> To: "Graham Allan" <gta@xxxxxxx>
> >>> Cc: "Ceph Users" <ceph-users@xxxxxxxxxxxxxx>
> >>> Sent: Thursday, July 13, 2017 1:23:27 AM
> >>> Subject: Re: Bucket policies in Luminous
> >>>
> >>> Graham Allan Wrote:
> >>>> I thought I'd try out the new bucket policy support in Luminous. My
> >>>> goal
> >>>> was simply to permit access on a bucket to another user.
> >>> [snip]
> >>>> Thanks for any ideas,
> >>>
> >>> It's probably the 'blank' tenant. I'll make up a test case to exercise
> >>> this and come up with a patch for it. Sorry about the trouble.
> >>>
> >>
> >> The fix in this PR: https://github.com/ceph/ceph/pull/15997 should help.
> >>
> >> Thanks,
> >> Pritha
> >>
> >>> --
> >>> Senior Software Engineer Red Hat Storage, Ann Arbor, MI, US
> >>> IRC: Aemerson@{RedHat, OFTC}
> >>> 0x80F7544B90EDBFB9 E707 86BA 0C1B 62CC 152C 7C12 80F7 544B 90ED BFB9
> >>> _______________________________________________
> >>> ceph-users mailing list
> >>> ceph-users@xxxxxxxxxxxxxx
> >>> http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
> >>>
> >
> >
> --
> Graham Allan
> Minnesota Supercomputing Institute - gta@xxxxxxx
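The point in the reply above is that s3:ListBucket is a bucket-level action while s3:GetObject is object-level, so each needs a resource ARN of the matching shape (bucket name alone versus bucket/key or bucket/*). The following linter is an added example, not code from this thread or from Ceph; it assumes the policy document layout shown in the thread, uses a constructed copy of the sample policy as input, and flags statements whose actions can never match their resources.

```python
# Added example (not from the thread): lint an S3 bucket policy for
# action/resource scope mismatches such as s3:ListBucket on "bucket/*".
import json

# Bucket-level actions need the bucket ARN: arn:aws:s3:::<bucket>
BUCKET_ACTIONS = {"s3:ListBucket", "s3:GetBucketPolicy", "s3:PutBucketPolicy"}
# Object-level actions need an object ARN: arn:aws:s3:::<bucket>/<key or *>
OBJECT_ACTIONS = {"s3:GetObject", "s3:PutObject", "s3:DeleteObject"}

def resource_scope(arn):
    """Classify an S3 ARN as 'bucket', 'object' or 'invalid'.
    Tolerates a tenant or wildcard in the account field (arn:aws:s3::*:bucket)."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[:3] != ["arn", "aws", "s3"] or not parts[5]:
        return "invalid"
    return "object" if "/" in parts[5] else "bucket"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def lint_policy(policy):
    """Return findings for statements whose actions cannot apply to their resources."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        scopes = {resource_scope(r) for r in _as_list(st.get("Resource", []))}
        for action in _as_list(st.get("Action", [])):
            if "*" in action:  # wildcards such as s3:* can match either scope; skip
                continue
            if action in BUCKET_ACTIONS and "bucket" not in scopes:
                findings.append(f"statement {i}: {action} needs the bucket ARN (no '/' after the name)")
            elif action in OBJECT_ACTIONS and "object" not in scopes:
                findings.append(f"statement {i}: {action} needs an object ARN (bucket/key or bucket/*)")
        if "invalid" in scopes:
            findings.append(f"statement {i}: malformed S3 ARN in Resource")
    return findings

# Constructed input: the sample policy from the thread, and a corrected version
# that names the bucket ARN for ListBucket and the object ARN for GetObject.
ORIGINAL = json.loads("""{ "Version": "2012-10-17", "Statement": [ {
  "Effect": "Allow", "Principal": {"AWS": ["arn:aws:iam:::user/gta2"]},
  "Action": "s3:ListBucket", "Resource": ["arn:aws:s3:::gta/*"] } ] }""")
FIXED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": ["arn:aws:iam:::user/gta2"]},
     "Action": ["s3:ListBucket", "s3:GetObject"],
     "Resource": ["arn:aws:s3:::gta", "arn:aws:s3:::gta/*"]}]}

if __name__ == "__main__":
    print(lint_policy(ORIGINAL))  # one finding for s3:ListBucket
    print(lint_policy(FIXED))     # []
```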