On Wed, Feb 21, 2018 at 10:19:58AM +0000, Dave Holland wrote:
> Hi,
>
> We would like to scan our users' buckets to identify those which are
> publicly-accessible, to avoid potential embarrassment (or worse), e.g.
> http://www.bbc.co.uk/news/technology-42839462
>
> I didn't find a way to use radosgw-admin to report ACL information for a
> given bucket. And using the API to query a bucket's information would
> require a valid access key for that bucket. What am I missing, please?

You can do it via the S3 API. The below in Luminous, but should work fine in
Jewel (might have to force AWS-CLI to use a v2 signature).

You need to create a RGW user with the system flag set (it might be
possible with the newer admin flag as well).

As a concrete example, using Amazon's awscli, here:

    # set the system bit on a user, if you don't already have a user with
    # this power.
    $ radosgw-admin user modify --uid $UID --system

    # use the access+secret key from the above user.
    $ AWS_ACCESS_KEY_ID='...' AWS_SECRET_ACCESS_KEY='...' \
      aws \
      --endpoint-url=https://$ENDPOINT \
      s3api get-bucket-acl \
      --bucket $BUCKETNAME

Example output (censored):

    {
        "Owner": {
            "DisplayName": "ANOTHER-USER-THAT-WAS-NOT-SYSTEM",
            "ID": "ANOTHER-USER-THAT-WAS-NOT-SYSTEM"
        },
        "Grants": [
            {
                "Grantee": {
                    "Type": "CanonicalUser",
                    "DisplayName": "ANOTHER-USER-THAT-WAS-NOT-SYSTEM",
                    "ID": "ANOTHER-USER-THAT-WAS-NOT-SYSTEM"
                },
                "Permission": "FULL_CONTROL"
            }
        ]
    }

-- 
Robin Hugh Johnson
Gentoo Linux: Dev, Infra Lead, Foundation Treasurer
E-Mail   : robbat2@xxxxxxxxxx
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85
GnuPG FP : 7D0B3CEB E9B85B1F 825BCECF EE05E6F6 A48F6136
_______________________________________________
ceph-users mailing list
ceph-users@xxxxxxxxxxxxxx
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com