Adam C Emerson writes:

> I'll save you, Citizen! I'm Captain Bucketpolicy!

Good to know!

> So! RGW's bucket policies are currently a subset of what's
> demonstrated in
> http://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html
>
> The big limitations are that we don't support string interpolation or
> most condition keys, but that shouldn't be an issue for what you're
> doing.
>
> From your description you should be able to get what you want if you
> set something like this on bucket_upload:
>
> {
>   "Version": "2012-10-17",
>   "Statement": [
>     {
>       "Sid": "usr_upload_can_write",
>       "Effect": "Allow",
>       "Principal": {"AWS": ["arn:aws:iam:::user/usr_upload"]},
>       "Action": ["s3:ListBucket", "s3:PutObject"],
>       "Resource": ["arn:aws:s3:::bucket_policy1",
>                    "arn:aws:s3:::bucket_policy1/*"]
>     },
>     {
>       "Sid": "usr_process_can_read",
>       "Effect": "Allow",
>       "Principal": {"AWS": ["arn:aws:iam:::user/usr_process"]},
>       "Action": ["s3:ListBucket", "s3:GetObject"],
>       "Resource": ["arn:aws:s3:::bucket_policy1",
>                    "arn:aws:s3:::bucket_policy1/*"]
>     }
>   ]
> }

[...]

Thanks, that's a great example that seems to fit a use case that we have.

A few questions:

Is this supported by the Luminous version of RadosGW? (Or even Jewel?)

Does this work with Keystone integration, i.e. can we refer to Keystone users as principals?

Let's say there are many read-only users rather than just one. Would we simply add a new clause under "Statement" for each such user, or is there a better way? (I understand that RadosGW doesn't support groups, which could solve this elegantly and efficiently.)

--
Simon.

_______________________________________________
ceph-users mailing list
ceph-users@xxxxxxxxxxxxxx
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
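An added example, not from either poster or from the RGW code base, showing the policy shape quoted above built for a writer group and a multi-user reader group (one statement per group, several principals in its "AWS" list), together with a simplified evaluator for the documented subset so the grants can be checked before the policy is applied. The bucket name and user names are constructed; `build_policy`, `user_arn` and `is_allowed` are hypothetical helpers, and the evaluator models only Principal/Action/Resource matching with `*` globbing, not RGW's actual implementation.

```python
import fnmatch

def user_arn(name, tenant=""):
    """ARN form used in the quoted policy for a local RGW user
    (empty tenant): arn:aws:iam:::user/<name>."""
    return f"arn:aws:iam::{tenant}:user/{name}"

def build_policy(bucket, writers, readers):
    """One Allow statement per role; many users share a statement by
    appearing together in its Principal list (constructed helper)."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    resources = [bucket_arn, f"{bucket_arn}/*"]   # bucket for ListBucket, objects for Get/Put
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "writers_can_write", "Effect": "Allow",
             "Principal": {"AWS": [user_arn(u) for u in writers]},
             "Action": ["s3:ListBucket", "s3:PutObject"],
             "Resource": resources},
            {"Sid": "readers_can_read", "Effect": "Allow",
             "Principal": {"AWS": [user_arn(u) for u in readers]},
             "Action": ["s3:ListBucket", "s3:GetObject"],
             "Resource": resources},
        ],
    }

def _as_list(v):
    return v if isinstance(v, list) else [v]

def is_allowed(policy, principal_arn, action, resource_arn):
    """Simplified evaluation: default deny, any matching Allow grants,
    an explicit matching Deny overrides. Action/Resource use '*' globbing."""
    decision = False
    for st in policy["Statement"]:
        prin = st["Principal"]
        principals = _as_list(prin.get("AWS", []) if isinstance(prin, dict) else prin)
        if principal_arn not in principals and "*" not in principals:
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource_arn, r) for r in _as_list(st["Resource"])):
            continue
        if st["Effect"] == "Deny":
            return False
        decision = True
    return decision
```

Each read-only user gets no statement of its own; the reader statement's Principal list simply grows, which keeps the policy small and easy to audit for an unintended PutObject grant.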