Re: How to configure s3 bucket acl so that one user's bucket is visible to another.

Sorry I've been on vacation, but I'm back now.  The command I use to create subusers for a rgw user is...

radosgw-admin user create --gen-access-key --gen-secret --uid=user_a --display_name="User A"
radosgw-admin subuser create --gen-access-key --gen-secret --access={read,write,readwrite,full} --key-type=s3 --uid=user_a --subuser=subuser_1

Now all buckets created by user_a (or a subuser with --access=full) can be accessed by user_a and all user_a:subusers.  What you missed was changing the default subuser type from swift to s3.  --access=full is needed for any subuser that needs to be able to create and delete buckets; the others are fairly self-explanatory for what they can do inside existing buckets.

There are 2 approaches to use with subusers depending on your use case.  The first use case is what I use for buckets.  We create 1 user per bucket and create subusers when necessary.  Most of our buckets are used by a single service and that's all the service uses... so they get the keys for their bucket and that's it.  Subusers are created just for the single bucket that the original user is in charge of.

The second use case is where you want a lot of buckets accessed by a single set of keys, but you want multiple people to all be able to access the buckets.  In this case I would create a single user and use that user to create all of the buckets and then create the subusers for everyone to be able to access the various buckets.  Note that with this method you get no more granularity in settings than, e.g., subuser_2 only having read access to every bucket.  You can't pick and choose which buckets a subuser has write access to; it's all or none.  That's why I use the first approach and call it "juggling" keys: because if someone wants access to multiple buckets, they have keys for each individual bucket as a subuser.
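As an added example (not code from this thread or from Ceph), the "one user per bucket, one S3 subuser per consumer" pattern above scripted end to end: it builds the radosgw-admin command lines, reads the JSON that `radosgw-admin user info --uid=...` prints, and hands each subuser its own s3cmd config. SAMPLE_USER_INFO is a constructed sample in that output's shape with placeholder key values; the field names ("subusers", "keys", "swift_keys", "permissions" printed as read/write/read-write/full-control) are assumed from radosgw-admin's output and should be checked against your own cluster, and the endpoint name rgw.example.internal is made up.

```python
"""Key "juggling" for RGW subusers: one user per bucket, one S3 subuser per consumer.

Added example for this thread, not code from the original mail or from Ceph.
SAMPLE_USER_INFO is a constructed sample; placeholder keys, assumed field names.
"""
import json
import shlex
from typing import Dict, List

# Levels accepted by `--access=` and how `user info` prints them back under "subusers"
# (assumed mapping). Only "full" lets a subuser create or delete buckets.
ACCESS_FLAG_TO_INFO = {
    "read": "read",
    "write": "write",
    "readwrite": "read-write",
    "full": "full-control",
}

# Constructed sample of `radosgw-admin user info --uid=user_a` output; values are placeholders.
SAMPLE_USER_INFO = json.loads("""
{
  "user_id": "user_a",
  "display_name": "User A",
  "subusers": [
    {"id": "user_a:subuser_1", "permissions": "read"},
    {"id": "user_a:subuser_2", "permissions": "full-control"}
  ],
  "keys": [
    {"user": "user_a",           "access_key": "AKOWNERPLACEHOLDER", "secret_key": "owner-secret"},
    {"user": "user_a:subuser_1", "access_key": "AKSUB1PLACEHOLDER",  "secret_key": "sub1-secret"},
    {"user": "user_a:subuser_2", "access_key": "AKSUB2PLACEHOLDER",  "secret_key": "sub2-secret"}
  ],
  "swift_keys": []
}
""")


def user_create_cmd(uid: str, display_name: str) -> List[str]:
    """argv for the bucket-owning user (one per bucket in the first approach above)."""
    return ["radosgw-admin", "user", "create", "--gen-access-key", "--gen-secret",
            f"--uid={uid}", f"--display-name={display_name}"]


def subuser_create_cmd(uid: str, subuser: str, access: str) -> List[str]:
    """argv for an S3 subuser of `uid`; rejects access levels radosgw-admin does not take."""
    if access not in ACCESS_FLAG_TO_INFO:
        raise ValueError(f"access must be one of {sorted(ACCESS_FLAG_TO_INFO)}, got {access!r}")
    # --key-type=s3 is the step the thread says is easy to miss: without it the
    # subuser gets a swift key, which an S3 client cannot use.
    return ["radosgw-admin", "subuser", "create", "--gen-access-key", "--gen-secret",
            f"--access={access}", "--key-type=s3", f"--uid={uid}", f"--subuser={subuser}"]


def s3_keys_for_subusers(user_info: dict) -> Dict[str, dict]:
    """Map 'uid:subuser' -> {access_key, secret_key, permissions} from `user info` JSON.

    S3 keys sit under "keys" (swift keys under "swift_keys"). The owner's own key
    ("user" == user_id) is deliberately left out: handing it around is exactly what
    subusers exist to avoid.
    """
    perms = {s["id"]: s["permissions"] for s in user_info.get("subusers", [])}
    result = {}
    for key in user_info.get("keys", []):
        if key["user"] in perms:
            result[key["user"]] = {
                "access_key": key["access_key"],
                "secret_key": key["secret_key"],
                "permissions": perms[key["user"]],
            }
    return result


def can_create_buckets(permissions: str) -> bool:
    """Only full-control subusers may create/delete buckets as the owner."""
    return permissions == ACCESS_FLAG_TO_INFO["full"]


def s3cmd_config(access_key: str, secret_key: str, host: str) -> str:
    """Minimal .s3cfg for one subuser, pointing at the RGW endpoint `host`."""
    return "\n".join([
        "[default]",
        f"access_key = {access_key}",
        f"secret_key = {secret_key}",
        f"host_base = {host}",
        f"host_bucket = {host}",
        "use_https = True",
        "",
    ])


if __name__ == "__main__":
    print(shlex.join(user_create_cmd("user_a", "User A")))
    print(shlex.join(subuser_create_cmd("user_a", "subuser_1", "read")))
    for name, info in s3_keys_for_subusers(SAMPLE_USER_INFO).items():
        scope = "may create/delete buckets" if can_create_buckets(info["permissions"]) else "existing buckets only"
        print(f"# {name}: {info['permissions']} ({scope})")
        print(s3cmd_config(info["access_key"], info["secret_key"], "rgw.example.internal"))
```

Each consumer ends up with one .s3cfg per bucket they need, which is the "juggling" David describes; the generated config names the subuser's key, never the owner's, so a leaked consumer key can be revoked with `radosgw-admin subuser rm` without touching the bucket owner.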

On Sat, May 5, 2018 at 6:28 AM Marc Roos <M.Roos@xxxxxxxxxxxxxxxxx> wrote:

This 'juggle keys' is a bit cryptic to me. If I create a subuser, it
becomes a swift user, doesn't it? So how can that have access to the s3 or be
used in an s3 client? I have to put the access and secret key in the client;
in the subuser I only have a secret key.

Is this multi-tenant basically only limiting the bucket namespace to
the tenant's users and nothing else?





-----Original Message-----
From: David Turner [mailto:drakonstein@xxxxxxxxx]
Sent: Sunday 29 April 2018 14:52
To: Yehuda Sadeh-Weinraub
Cc: ceph-users@xxxxxxxxxxxxxx; Безруков Илья Алексеевич
Subject: Re: How to configure s3 bucket acl so that one user's bucket is visible to another.

You can create subuser keys to allow other users to have access to a
bucket. You have to juggle keys, but it works pretty well.


On Sun, Apr 29, 2018, 4:00 AM Yehuda Sadeh-Weinraub <yehuda@xxxxxxxxxx>
wrote:


        You can't. A user can only list the buckets that it owns, it cannot
        list other users' buckets.

        Yehuda

        On Sat, Apr 28, 2018 at 11:10 AM, Безруков Илья Алексеевич
        <bezrukov@xxxxxxxxx> wrote:
        > Hello,
        >
        > How to configure s3 bucket acl so that one user's bucket is visible to another.
        >
        >
        > I can create a bucket, objects in it and give another user access to it.
        > But another user does not see this bucket in the list of available buckets.
        >
        >
        > ## User1
        >
        > ```
        > s3cmd -c s3cfg_user1 ls s3://
        >
        > 2018-04-28 07:50  s3://example1
        >
        > #set ACL
        > s3cmd -c s3cfg_user1 setacl --acl-grant=all:user2 s3://example1
        > s3://example1/: ACL updated
        >
        > # Check
        > s3cmd -c s3cfg_user1 info s3://example1
        > s3://example1/ (bucket):
        >    Location:  us-east-1
        >    Payer:     BucketOwner
        >    Expiration Rule: none
        >    Policy:    none
        >    CORS:      none
        >    ACL:       User1: FULL_CONTROL
        >    ACL:       User2: FULL_CONTROL
        >
        > # Put some data
        > s3cmd -c s3cfg_user1 put /tmp/dmesg s3://example1
        > upload: '/tmp/dmesg' -> 's3://example1/dmesg'  [1 of 1]
        >  5305 of 5305   100% in    0s    27.28 kB/s  done
        >
        > #set ACL
        > s3cmd -c s3cfg_user1 setacl --acl-grant=all:bondarenko s3://example1/dmesg
        > s3://example1/dmesg: ACL updated
        >
        > ```
        >
        > ## User2
        > ```
        > s3cmd -c ~/.s3cfg_user2 ls s3://
        > 2018-04-27 14:23  s3://only_itself_dir
        >
        > # Check info
        > s3cmd -c ~/.s3cfg_user2 info s3://example1
        > ERROR: Access to bucket 'example1' was denied
        > ERROR: S3 error: 403 (AccessDenied)
        >
        > # ls bucket
        > s3cmd -c ~/.s3cfg_user2 ls s3://example1
        > 2018-04-28 07:58      5305   s3://example1/dmesg
        >
        > #Get info
        > s3cmd -c ~/.s3cfg_user2 info s3://example1/dmesg
        > s3://example1/dmesg (object):
        >    File size: 5305
        >    Last mod:  Sat, 28 Apr 2018 07:58:03 GMT
        >    MIME type: text/plain
        >    Storage:   STANDARD
        >    MD5 sum:   47ddc4780956cb55abe27e851aa02cfa
        >    SSE:       none
        >    Policy:    none
        > ERROR: Access to bucket 'example1' was denied
        > ERROR: S3 error: 403 (AccessDenied)
        >
        > #Get object
        > s3cmd -c ~/.s3cfg_user2 get s3://example1/dmesg /tmp/test
        > download: 's3://example1/dmesg' -> '/tmp/test'  [1 of 1]
        >  5305 of 5305   100% in    0s   160.54 kB/s  done
        >
        > #Put some object to bucket
        > s3cmd -c ~/.s3cfg_user2 put /tmp/dmesg2 s3://example1/dmesg2
        > upload: '/tmp/dmesg2' -> 's3://example1/dmesg2'  [1 of 1]
        >  38136 of 38136   100% in    0s   455.18 kB/s  done
        > ```
        >
        > Best regards,
        >
        > Ilya
        >
        >
        > _______________________________________________
        > ceph-users mailing list
        > ceph-users@xxxxxxxxxxxxxx
        > http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
        >


