Re: identifying public buckets

On Wed, Feb 21, 2018 at 10:19:58AM +0000, Dave Holland wrote:
> Hi,
> 
> We would like to scan our users' buckets to identify those which are
> publicly-accessible, to avoid potential embarrassment (or worse), e.g.
> http://www.bbc.co.uk/news/technology-42839462
> 
> I didn't find a way to use radosgw-admin to report ACL information for a
> given bucket. And using the API to query a bucket's information would
> require a valid access key for that bucket. What am I missing, please?

You can do it via the S3 API. The below is in Luminous, but should work fine in
Jewel (might have to force AWS-CLI to use a v2 signature).

You need to create a RGW user with the system flag set (it might be
possible with the newer admin flag as well).

As a concrete example, using Amazon's awscli, here:
# set the system bit on a user, if you don't already have a user with
# this power. RGW_UID is the RGW user id (bash reserves $UID for the
# numeric login uid, so it cannot be used here).
$ radosgw-admin user modify --uid "$RGW_UID" --system
# use the access+secret key from the above user.
$ AWS_ACCESS_KEY_ID='...' AWS_SECRET_ACCESS_KEY='...' \
    aws \
    --endpoint-url="https://$ENDPOINT" \
    s3api get-bucket-acl \
    --bucket "$BUCKETNAME"

Example output (censored):
{
 "Owner": {
  "DisplayName": "ANOTHER-USER-THAT-WAS-NOT-SYSTEM", 
  "ID": "ANOTHER-USER-THAT-WAS-NOT-SYSTEM"
 }, 
 "Grants": [
  {
   "Grantee": {
    "Type": "CanonicalUser", 
    "DisplayName": "ANOTHER-USER-THAT-WAS-NOT-SYSTEM", 
    "ID": "ANOTHER-USER-THAT-WAS-NOT-SYSTEM"
   }, 
   "Permission": "FULL_CONTROL"
  }
 ]
}

-- 
Robin Hugh Johnson
Gentoo Linux: Dev, Infra Lead, Foundation Treasurer
E-Mail   : robbat2@xxxxxxxxxx
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85
GnuPG FP : 7D0B3CEB E9B85B1F 825BCECF EE05E6F6 A48F6136
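
Added example, not part of the message above and not Ceph's own code: one way to turn get-bucket-acl JSON like the output shown into a per-bucket report of public grants. It assumes RGW reports group grantees with the standard S3 AllUsers / AuthenticatedUsers URIs; the function names, severity labels and sample ACLs are constructed for illustration.

```python
import json

# Standard S3 ACL group URIs (assumed to be what RGW returns for group grants).
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anonymous",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any-authenticated-user",
}
# Permissions that let the grantee change data or the ACL itself.
WRITE_LIKE = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}

def public_grants(acl):
    """Return (audience, permission, severity) for each grant to a public group."""
    findings = []
    for grant in acl.get("Grants") or []:
        grantee = grant.get("Grantee") or {}
        audience = PUBLIC_GROUPS.get(grantee.get("URI", ""))
        if grantee.get("Type") != "Group" or audience is None:
            continue  # CanonicalUser grants and other groups are not public
        perm = grant.get("Permission", "UNKNOWN")
        findings.append((audience, perm, "high" if perm in WRITE_LIKE else "medium"))
    return findings

def audit(acl_json_by_bucket):
    """Map bucket name -> findings, keeping only buckets with public grants."""
    report = {}
    for bucket, raw in acl_json_by_bucket.items():
        found = public_grants(json.loads(raw))
        if found:
            report[bucket] = found
    return report

def _acl(*grants):
    """Build constructed get-bucket-acl JSON from (type, id_or_uri, permission)."""
    out = []
    for gtype, ident, perm in grants:
        key = "URI" if gtype == "Group" else "ID"
        out.append({"Grantee": {"Type": gtype, key: ident}, "Permission": perm})
    return json.dumps({"Owner": {"ID": "alice"}, "Grants": out})

ALL, AUTH = PUBLIC_GROUPS  # the two URIs, in insertion order
# Constructed sample data, not output from a real cluster.
SAMPLES = {
    "private": _acl(("CanonicalUser", "alice", "FULL_CONTROL")),
    "public-read": _acl(("CanonicalUser", "alice", "FULL_CONTROL"), ("Group", ALL, "READ")),
    "shared-write": _acl(("CanonicalUser", "alice", "FULL_CONTROL"), ("Group", AUTH, "WRITE")),
}

if __name__ == "__main__":
    for bucket, found in audit(SAMPLES).items():
        for audience, perm, severity in found:
            print(f"[{severity}] {bucket}: {perm} granted to {audience}")
```

A bucket ACL says nothing about per-object ACLs or bucket policies, so a bucket that passes this check can still hold individually public objects.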
