Re: s3 bucket policys

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

ok i am using Jewel vershion

when i try setting permissions using s3cmd or an php script using s3client

i get the error 

<?xml version="1.0" encoding="UTF-8"?><Error><Code>InvalidArgument</Code><BucketName>test_bucket</BucketName><RequestId> (truncated...)                           
   InvalidArgument (client):  - <?xml version="1.0" encoding="UTF-8"?><Error><Code>InvalidArgument</Code><BucketName>test_bucket</BucketName><RequestId>tx00000000  
  000000000000a-005a005b91-109f-default</RequestId><HostId>109f-default-default</HostId></Error>



in the log on the s3 server i get

2017-11-06 12:54:41.987704 7f67a9feb700  0 failed to parse input: {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "usr_upload_can_write",
            "Effect": "Allow",
            "Principal": {"AWS": ["arn:aws:iam:::user/test"]},
            "Action": ["s3:ListBucket", "s3:PutObject"],
            "Resource": ["arn:aws:s3:::test_bucket"]
        }
2017-11-06 12:54:41.988219 7f67a9feb700  1 ====== req done req=0x7f67a9fe57e0 op status=-22 http_status=400 ======


Any advice on this one

On Fri, Nov 3, 2017 at 9:54 PM, Adam C. Emerson <aemerson@xxxxxxxxxx> wrote:
On 03/11/2017, Simon Leinen wrote:
[snip]
> Is this supported by the Luminous version of RadosGW?

Yes! There's a few bugfixes in master that are making their way into
Luminous, but Luminous has all the features at present.

> (Or even Jewel?)

No!

> Does this work with Keystone integration, i.e. can we refer to Keystone
> users as principals?

In principle probably. I haven't tried it and I don't really know much
about Keystone at present. It is hooked into the various
IdentityApplier classes and if RGW thinks a Keystone user is a 'user'
and you supply whatever RGW thinks its username is, then it should
work fine. I haven't tried it, though.

> Let's say there are many read-only users rather than just one.  Would we
> simply add a new clause under "Statement" for each such user, or is
> there a better way? (I understand that RadosGW doesn't support groups,
> which could solve this elegantly and efficiently.)

If you want to give a large number of users the same permissions, just
put them all in the Principal array.

--
Senior Software Engineer           Red Hat Storage, Ann Arbor, MI, US
IRC: Aemerson@OFTC, Actinic@Freenode
0x80F7544B90EDBFB9 E707 86BA 0C1B 62CC 152C  7C12 80F7 544B 90ED BFB9
_______________________________________________
ceph-users mailing list
ceph-users@xxxxxxxxxxxxxx
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com

_______________________________________________
ceph-users mailing list
ceph-users@xxxxxxxxxxxxxx
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
[Index of Archives]     [Information on CEPH]     [Linux Filesystem Development]     [Ceph Development]     [Ceph Large]     [Ceph Dev]     [Linux USB Development]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]     [xfs]

  Powered by Linux