Re: s3 bucket policys

If you don't mind juggling multiple access/secret keys, you can use subusers.  Just have 1 user per bucket and create subusers with read, write, etc. permissions.  The objects are all owned by the 1 user that created the bucket, and then you pass around the subuser keys to the various apps that need that access to the bucket.  It's not pretty, but it works without altering object permissions.

On Mon, Nov 6, 2017 at 11:38 AM Adam C. Emerson <aemerson@xxxxxxxxxx> wrote:
On 06/11/2017, nigel davies wrote:
> OK, I am using Jewel version
>
> When I try setting permissions using s3cmd or a PHP script using s3client
>
> I get the error
>
> <?xml version="1.0" encoding="UTF-8"?><Error><Code>InvalidArgument</Code><BucketName>test_bucket</BucketName><RequestId>
> (truncated...)
>    InvalidArgument (client):  - <?xml version="1.0" encoding="UTF-8"?><Error><Code>InvalidArgument</Code><BucketName>test_bucket</BucketName><RequestId>tx00000000000000000000a-005a005b91-109f-default</RequestId><HostId>109f-default-default</HostId></Error>
>
>
>
> In the log on the S3 server I get
>
> 2017-11-06 12:54:41.987704 7f67a9feb700  0 failed to parse input: {
>     "Version": "2012-10-17",
>     "Statement": [
>         {
>             "Sid": "usr_upload_can_write",
>             "Effect": "Allow",
>             "Principal": {"AWS": ["arn:aws:iam:::user/test"]},
>             "Action": ["s3:ListBucket", "s3:PutObject"],
>             "Resource": ["arn:aws:s3:::test_bucket"]
>         }
> 2017-11-06 12:54:41.988219 7f67a9feb700  1 ====== req done req=0x7f67a9fe57e0 op status=-22 http_status=400 ======
>
>
> Any advice on this one?

Well! If you upgrade to Luminous the advice I gave you will work
perfectly. Also Luminous has a bunch of awesome, wonderful new
features like Bluestore in it (and really what other enterprise
storage platform promises to color your data such a lovely hue?)

But, if you can't, I think something like:

s3cmd setacl s3://bucket_name --acl-grant=read:someuser
s3cmd setacl s3://bucket_name --acl-grant=write:differentuser

Should work. Other people than I know a lot more about ACLs.

--
Senior Software Engineer           Red Hat Storage, Ann Arbor, MI, US
IRC: Aemerson@OFTC, Actinic@Freenode
0x80F7544B90EDBFB9 E707 86BA 0C1B 62CC 152C  7C12 80F7 544B 90ED BFB9
_______________________________________________
ceph-users mailing list
ceph-users@xxxxxxxxxxxxxx
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
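
Added example (not part of the thread, and not Ceph or s3cmd code): a small pre-flight check for the policy quoted above, run before it is sent to the gateway. It reports a body that is not valid JSON (the text in the log excerpt ends without its closing "]" and "}") and, going beyond the Jewel question, flags object-level actions such as s3:PutObject that are paired only with the bucket ARN. The function names and the partial action lists are assumptions of this example.

```python
import json

# Partial action classification, chosen for this example (not a full S3 list).
BUCKET_ACTIONS = {"s3:ListBucket", "s3:GetBucketAcl", "s3:PutBucketAcl"}
OBJECT_ACTIONS = {"s3:GetObject", "s3:PutObject", "s3:DeleteObject"}

def as_list(value):
    return value if isinstance(value, list) else [value]

def covers(arn):
    """Which resource kinds an S3 ARN can match: the bucket, its objects, or both."""
    path = arn.split(":::", 1)[-1]
    if "/" in path:
        return {"object"}
    return {"bucket", "object"} if "*" in path else {"bucket"}

def lint_policy(text):
    """Return findings for a bucket policy document given as a JSON string."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} (line {exc.lineno})"]
    findings = []
    for stmt in as_list(doc.get("Statement", [])):
        sid = stmt.get("Sid", "<no Sid>")
        kinds = set().union(*(covers(a) for a in as_list(stmt.get("Resource", []))))
        for action in as_list(stmt.get("Action", [])):
            if action in OBJECT_ACTIONS and "object" not in kinds:
                findings.append(f"{sid}: {action} has no object ARN (bucket/*)")
            if action in BUCKET_ACTIONS and "bucket" not in kinds:
                findings.append(f"{sid}: {action} has no bucket ARN")
    return findings

# Statement copied from the log excerpt in the thread; %s marks where a
# second Resource entry is appended for the adjusted variant.
STATEMENT = """{
  "Sid": "usr_upload_can_write",
  "Effect": "Allow",
  "Principal": {"AWS": ["arn:aws:iam:::user/test"]},
  "Action": ["s3:ListBucket", "s3:PutObject"],
  "Resource": ["arn:aws:s3:::test_bucket"%s]
}"""
HEAD = '{"Version": "2012-10-17", "Statement": ['
AS_LOGGED = HEAD + STATEMENT % ""    # ends unclosed, like the log text
COMPLETE = AS_LOGGED + "]}"          # closers supplied by this example
ADJUSTED = HEAD + STATEMENT % ', "arn:aws:s3:::test_bucket/*"' + "]}"

if __name__ == "__main__":
    for name in ("AS_LOGGED", "COMPLETE", "ADJUSTED"):
        print(name, lint_policy(globals()[name]))
```
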