Re: Bucket policies in Luminous

----- Original Message -----
> From: "Pritha Srivastava" <prsrivas@xxxxxxxxxx>
> To: "Graham Allan" <gta@xxxxxxx>
> Cc: "Adam C. Emerson" <aemerson@xxxxxxxxxx>, "Ceph Users" <ceph-users@xxxxxxxxxxxxxx>
> Sent: Friday, July 21, 2017 10:27:33 AM
> Subject: Re:  Bucket policies in Luminous
> 
> 
> ----- Original Message -----
> > From: "Graham Allan" <gta@xxxxxxx>
> > To: "Pritha Srivastava" <prsrivas@xxxxxxxxxx>, "Adam C. Emerson"
> > <aemerson@xxxxxxxxxx>
> > Cc: "Ceph Users" <ceph-users@xxxxxxxxxxxxxx>
> > Sent: Friday, July 21, 2017 3:17:02 AM
> > Subject: Re:  Bucket policies in Luminous
> > 
> > Hmm, I have to admit to major user error here - my .s3cfg file was
> > pointing at our jewel cluster, not luminous - no wonder the bucket
> > policy didn't work. A bit embarrassing...
> > 
> > Having corrected that, I can now set bucket policies without problem -
> > thanks for the update!
> > 
> > If I set a policy with an action of "s3:PutObject" then my permitted
> > user can add files to the bucket.
> > 
> > I'm a bit surprised that allowing "s3:GetObject" doesn't seem to permit
> > reading the same object back out again. Even using a wildcard for the
> > action, I haven't been able to fetch an object or read bucket contents.
> > Admittedly I have no experience with AWS bucket policies so I could be
> > doing something dumb...
> > 
> 
> I think for reading the object back, you need to provide Read permissions on
> the bucket.
> You can try setting the Action to s3:ListBucket, and then under Resources,
> list the bucket name and all objects under it (using *) or the object that
> you want to read back, like below:
> 
> Action: s3:ListBucket
> 
> Resource: [
>         "arn:aws:s3::*:my-bucket",
>         "arn:aws:s3::*:my-bucket/*"
>       ]
> 

On second thoughts, the above Action and Resource will only list the bucket and the object names under it, but if you want to read back the contents of an object, then you need to provide permission for s3:GetObject also, something like the following:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": [
         "arn:aws:s3::*:my-bucket",
         "arn:aws:s3::*:my-bucket/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject"],
      "Resource": ["arn:aws:s3::*:my-bucket/*"]
    }
  ]
}

> Thanks,
> Pritha
> 
> > Thanks,
> > 
> > Graham
> > 
> > On 07/17/2017 06:33 PM, Graham Allan wrote:
> > > Thanks for the update. I saw there was a set of new 12.1.1 packages
> > > today so I updated to these (appears to contain the update below),
> > > rather than build my own radosgw.
> > > 
> > > I'm not sure what changed; I don't get a crash now but I don't seem able
> > > to set any policy now.
> > > 
> > > my sample policy:
> > > 
> > > % cat s3policy
> > > {
> > >    "Version": "2012-10-17",
> > >    "Statement": [
> > >      {
> > >        "Effect": "Allow",
> > >        "Principal": {"AWS": ["arn:aws:iam:::user/gta2"]},
> > >        "Action": "s3:ListBucket",
> > >        "Resource": ["arn:aws:s3:::gta/*"]
> > >      }
> > >    ]
> > > }
> > > 
> > > but...
> > > 
> > > % s3cmd setpolicy s3policy s3://gta
> > > ERROR: S3 error: 400 (InvalidArgument)
> > > 
> > > I have "debug rgw = 20" but nothing revealing in the logs.
> > > 
> > > Do you see anything obviously wrong in my policy file?
> > > 
> > > Thanks,
> > > 
> > > Graham
> > > 
> > > On 07/12/2017 11:27 PM, Pritha Srivastava wrote:
> > >>
> > >> ----- Original Message -----
> > >>> From: "Adam C. Emerson" <aemerson@xxxxxxxxxx>
> > >>> To: "Graham Allan" <gta@xxxxxxx>
> > >>> Cc: "Ceph Users" <ceph-users@xxxxxxxxxxxxxx>
> > >>> Sent: Thursday, July 13, 2017 1:23:27 AM
> > >>> Subject: Re:  Bucket policies in Luminous
> > >>>
> > >>> Graham Allan Wrote:
> > >>>> I thought I'd try out the new bucket policy support in Luminous. My
> > >>>> goal
> > >>>> was simply to permit access on a bucket to another user.
> > >>> [snip]
> > >>>> Thanks for any ideas,
> > >>>
> > >>> It's probably the 'blank' tenant. I'll make up a test case to exercise
> > >>> this and come up with a patch for it. Sorry about the trouble.
> > >>>
> > >>
> > >> The fix in this PR: https://github.com/ceph/ceph/pull/15997 should help.
> > >>
> > >> Thanks,
> > >> Pritha
> > >>
> > >>> --
> > >>> Senior Software Engineer           Red Hat Storage, Ann Arbor, MI, US
> > >>> IRC: Aemerson@{RedHat, OFTC}
> > >>> 0x80F7544B90EDBFB9 E707 86BA 0C1B 62CC 152C  7C12 80F7 544B 90ED BFB9
> > >>> _______________________________________________
> > >>> ceph-users mailing list
> > >>> ceph-users@xxxxxxxxxxxxxx
> > >>> http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
> > >>>
> > > 
> > 
> > --
> > Graham Allan
> > Minnesota Supercomputing Institute - gta@xxxxxxx
> > 
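The point of the exchange above is that listing a bucket and reading an object are separate actions on separate resource ARNs. The following is an added illustration, not code from the thread or from radosgw: a structural check for a policy document plus a simplified IAM-style evaluator (explicit Deny wins, any matching Allow grants, default deny; `*` is treated as a glob). The two policies are constructed from the ListBucket-only policy and the ListBucket plus GetObject policy discussed in the thread; how radosgw itself resolves tenants and principals is not modelled.

```python
import fnmatch
import json

# Constructed policy documents modelled on the two discussed in this thread; the
# evaluator is a simplified IAM-style re-implementation, not radosgw's own code.
PRINCIPAL = {"AWS": ["arn:aws:iam:::user/gta2"]}
POLICY_LIST_ONLY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": PRINCIPAL, "Action": "s3:ListBucket",
     "Resource": ["arn:aws:s3:::gta/*"]}]})
POLICY_LIST_AND_GET = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": PRINCIPAL, "Action": ["s3:ListBucket"],
     "Resource": ["arn:aws:s3:::gta", "arn:aws:s3:::gta/*"]},
    {"Effect": "Allow", "Principal": PRINCIPAL, "Action": ["s3:GetObject"],
     "Resource": ["arn:aws:s3:::gta/*"]}]})

def validate_policy(text):
    """Structural checks a malformed policy fails before it reaches the gateway.
    Returns a list of problems; an empty list means none were found."""
    try:
        doc = json.loads(text)  # a trailing comma inside a list fails here
    except ValueError as e:
        return ["not valid JSON: %s" % e]
    problems = []
    if doc.get("Version") not in ("2012-10-17", "2008-10-17"):
        problems.append("Version must be 2012-10-17 or 2008-10-17")
    for i, st in enumerate(doc.get("Statement", [])):
        for key in ("Effect", "Action", "Resource"):
            if key not in st:
                problems.append("statement %d lacks %s" % (i, key))
    return problems

def _as_list(v):
    return v if isinstance(v, list) else [v]

def is_allowed(text, action, resource):
    """Explicit Deny wins, then any matching Allow, otherwise default deny.
    Actions compare case-insensitively; '*' in Action/Resource is a glob."""
    allowed = False
    for st in json.loads(text)["Statement"]:
        act_ok = any(fnmatch.fnmatchcase(action.lower(), a.lower())
                     for a in _as_list(st["Action"]))
        res_ok = any(fnmatch.fnmatchcase(resource, r)
                     for r in _as_list(st["Resource"]))
        if act_ok and res_ok:
            if st["Effect"] == "Deny":
                return False
            allowed = True
    return allowed
```

Running it shows why the ListBucket-only policy grants neither a listing of the bucket ARN itself nor a GetObject on any key, while the two-statement policy grants both and still refuses PutObject.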


