The other way to do it is with policies. e.g. a bucket owned by user1, but
read access granted to user2:

{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Sid":"user2 policy",
      "Effect":"Allow",
      "Principal": {"AWS": ["arn:aws:iam:::user/user2"]},
      "Action":["s3:GetObject","s3:ListBucket"],
      "Resource":[
        "arn:aws:s3:::example1/*",
        "arn:aws:s3:::example1"
      ]
    }
  ]
}

And set the policy with:

$ s3cmd setpolicy policy.json s3://example1/

or similar. user2 won't see the bucket in their list of buckets, but will be
able to read and list the bucket in this case.

More at https://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html

Sean

On Tue, 8 May 2018, David Turner said:
> Sorry I've been on vacation, but I'm back now. The command I use to create
> subusers for a rgw user is...
>
> radosgw-admin user create --gen-access-key --gen-secret --uid=user_a
> --display_name="User A"
> radosgw-admin subuser create --gen-access-key --gen-secret
> --access={read,write,readwrite,full} --key-type=s3 --uid=user_a
> --subuser=subuser_1
>
> Now all buckets created by user_a (or a subuser with --access=full) can now
> be accessed by user_a and all user_a:subusers. What you missed was
> changing the default subuser type from swift to s3. --access=full is
> needed for any user needed to be able to create and delete buckets, the
> others are fairly self explanatory for what they can do inside of existing
> buckets.
>
> There are 2 approaches to use with subusers depending on your use case.
> The first use case is what I use for buckets. We create 1 user per bucket
> and create subusers when necessary. Most of our buckets are used by a
> single service and that's all the service uses... so they get the keys for
> their bucket and that's it. Subusers are created just for the single bucket
> that the original user is in charge of.
>
> The second use case is where you want a lot of buckets accessed by a single
> set of keys, but you want multiple people to all be able to access the
> buckets. In this case I would create a single user and use that user to
> create all of the buckets and then create the subusers for everyone to be
> able to access the various buckets. Note that with this method you get no
> more granularity to settings other than subuser_2 only has read access to
> every bucket. You can't pick and choose which buckets a subuser has write
> access to, it's all or none. That's why I use the first approach and call
> it "juggling" keys because if someone wants access to multiple buckets,
> they have keys for each individual bucket as a subuser.
>
> On Sat, May 5, 2018 at 6:28 AM Marc Roos <M.Roos@xxxxxxxxxxxxxxxxx> wrote:
>
> > This 'juggle keys' is a bit cryptic to me. If I create a subuser it
> > becomes a swift user not? So how can that have access to the s3 or be
> > used in a s3 client. I have to put in the client the access and secret
> > key, in the subuser I only have a secret key.
> >
> > Is this multi tenant basically only limiting this buckets namespace to
> > the tenants users and nothing else?
> >
> > -----Original Message-----
> > From: David Turner [mailto:drakonstein@xxxxxxxxx]
> > Sent: Sunday 29 April 2018 14:52
> > To: Yehuda Sadeh-Weinraub
> > Cc: ceph-users@xxxxxxxxxxxxxx; Безруков Илья Алексеевич
> > Subject: Re: How to configure s3 bucket acl so that one
> > user's bucket is visible to another.
> >
> > You can create subuser keys to allow other users to have access to a
> > bucket. You have to juggle keys, but it works pretty well.
> >
> > On Sun, Apr 29, 2018, 4:00 AM Yehuda Sadeh-Weinraub <yehuda@xxxxxxxxxx>
> > wrote:
> >
> > You can't. A user can only list the buckets that it owns, it cannot
> > list other users' buckets.
> >
> > Yehuda
> >
> > On Sat, Apr 28, 2018 at 11:10 AM, Безруков Илья Алексеевич
> > <bezrukov@xxxxxxxxx> wrote:
> > > Hello,
> > >
> > > How to configure s3 bucket acl so that one user's bucket is visible to
> > > another.
> > >
> > > I can create a bucket, objects in it and give another user access
> > > to it. But another user does not see this bucket in the list of
> > > available buckets.
> > >
> > > ## User1
> > >
> > > ```
> > > s3cmd -c s3cfg_user1 ls s3://
> > >
> > > 2018-04-28 07:50 s3://example1
> > >
> > > #set ACL
> > > s3cmd -c s3cfg_user1 setacl --acl-grant=all:user2 s3://example1
> > > s3://example1/: ACL updated
> > >
> > > # Check
> > > s3cmd -c s3cfg_user1 info s3://example1
> > > s3://example1/ (bucket):
> > >    Location:  us-east-1
> > >    Payer:     BucketOwner
> > >    Expiration Rule: none
> > >    Policy:    none
> > >    CORS:      none
> > >    ACL:       User1: FULL_CONTROL
> > >    ACL:       User2: FULL_CONTROL
> > >
> > > # Put some data
> > > s3cmd -c s3cfg_user1 put /tmp/dmesg s3://example1
> > > upload: '/tmp/dmesg' -> 's3://example1/dmesg'  [1 of 1]
> > >  5305 of 5305   100% in    0s    27.28 kB/s  done
> > >
> > > #set ACL
> > > s3cmd -c s3cfg_user1 setacl --acl-grant=all:bondarenko s3://example1/dmesg
> > > s3://example1/dmesg: ACL updated
> > > ```
> > >
> > > ## User2
> > >
> > > ```
> > > s3cmd -c ~/.s3cfg_user2 ls s3://
> > > 2018-04-27 14:23 s3://only_itself_dir
> > >
> > > # Check info
> > > s3cmd -c ~/.s3cfg_user2 info s3://example1
> > > ERROR: Access to bucket 'example1' was denied
> > > ERROR: S3 error: 403 (AccessDenied)
> > >
> > > # ls bucket
> > > s3cmd -c ~/.s3cfg_user2 ls s3://example1
> > > 2018-04-28 07:58      5305 s3://example1/dmesg
> > >
> > > #Get info
> > > s3cmd -c ~/.s3cfg_user2 info s3://example1/dmesg
> > > s3://example1/dmesg (object):
> > >    File size: 5305
> > >    Last mod:  Sat, 28 Apr 2018 07:58:03 GMT
> > >    MIME type: text/plain
> > >    Storage:   STANDARD
> > >    MD5 sum:   47ddc4780956cb55abe27e851aa02cfa
> > >    SSE:       none
> > >    Policy:    none
> > > ERROR: Access to bucket 'example1' was denied
> > > ERROR: S3 error: 403 (AccessDenied)
> > >
> > > #Get object
> > > s3cmd -c ~/.s3cfg_user2 get s3://example1/dmesg /tmp/test
> > > download: 's3://example1/dmesg' -> '/tmp/test'  [1 of 1]
> > >  5305 of 5305   100% in    0s   160.54 kB/s  done
> > >
> > > #Put some object to bucket
> > > s3cmd -c ~/.s3cfg_user2 put /tmp/dmesg2 s3://example1/dmesg2
> > > upload: '/tmp/dmesg2' -> 's3://example1/dmesg2'  [1 of 1]
> > >  38136 of 38136   100% in    0s   455.18 kB/s  done
> > > ```
> > >
> > > Best regards,
> > >
> > > Ilya
> > >
> > > _______________________________________________
> > > ceph-users mailing list
> > > ceph-users@xxxxxxxxxxxxxx
> > > http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
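Added example (not from the thread, Ceph or s3cmd): a small Python script that builds the read-only bucket policy Sean describes at the top of this thread and lints it before it is handed to `s3cmd setpolicy`. The lint rules encode two facts about S3 policies that the thread only implies: `s3:ListBucket` is evaluated against the bucket ARN (no trailing `/*`) while `s3:GetObject` is evaluated against object ARNs (`bucket/*`), so a grant that lists only one of the two silently half-works; and a `Principal` of `"*"` or an action of `s3:*` widens the grant far beyond "user2 can read". The bucket name, principal ARN format `arn:aws:iam:::user/<uid>` and action list are copied from Sean's message; the function names and the deliberately broken sample policy are constructed for this example.

```python
"""Build and lint an S3 bucket policy of the kind posted in the thread.

Runs offline: it only produces and inspects the JSON document that
`s3cmd setpolicy policy.json s3://<bucket>/` would upload. Nothing here
talks to a gateway. Function names are this example's own.
"""
import json

# Actions evaluated against the bucket ARN vs. against object ARNs.
# (Fact about S3 policy evaluation; the sets are deliberately short.)
BUCKET_LEVEL_ACTIONS = {"s3:ListBucket", "s3:GetBucketLocation",
                        "s3:ListBucketMultipartUploads"}
OBJECT_LEVEL_ACTIONS = {"s3:GetObject", "s3:PutObject", "s3:DeleteObject",
                        "s3:GetObjectAcl", "s3:PutObjectAcl"}


def build_read_policy(bucket, principal_arns, sid="read-only grant"):
    """Return a policy dict granting list+read on `bucket` to the principals.

    Mirrors Sean's policy: both the object ARN (for GetObject) and the
    bucket ARN (for ListBucket) are listed as resources.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": sid,
            "Effect": "Allow",
            "Principal": {"AWS": list(principal_arns)},
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [f"arn:aws:s3:::{bucket}/*", f"arn:aws:s3:::{bucket}"],
        }],
    }


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def lint_policy(policy):
    """Return a list of findings (strings) for common bucket-policy mistakes."""
    findings = []
    for st in policy.get("Statement", []):
        sid = st.get("Sid", "<no Sid>")
        if st.get("Effect") != "Allow":
            continue  # only Allow statements widen access

        principal = st.get("Principal")
        aws = ["*"] if principal == "*" else _as_list((principal or {}).get("AWS", []))
        if "*" in aws:
            findings.append(f"{sid}: Principal '*' grants anonymous access")

        # Classify resources: "arn:aws:s3:::name" is a bucket ARN,
        # "arn:aws:s3:::name/..." is an object ARN (or object prefix).
        names = [r.split(":::", 1)[-1] for r in _as_list(st.get("Resource", []))]
        has_bucket_arn = any("/" not in n for n in names)
        has_object_arn = any("/" in n for n in names)

        for action in _as_list(st.get("Action", [])):
            if action in ("s3:*", "*"):
                findings.append(f"{sid}: wildcard action {action}")
            elif action in BUCKET_LEVEL_ACTIONS and not has_bucket_arn:
                findings.append(f"{sid}: {action} needs the bucket ARN (no trailing /*)")
            elif action in OBJECT_LEVEL_ACTIONS and not has_object_arn:
                findings.append(f"{sid}: {action} needs an object ARN (bucket/*)")
    return findings


def render_policy(policy):
    """JSON text in the form s3cmd setpolicy expects in policy.json."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    policy = build_read_policy("example1", ["arn:aws:iam:::user/user2"])
    print(render_policy(policy))
    print("findings:", lint_policy(policy) or "none")
```

Write the rendered output to `policy.json` and apply it with the `s3cmd setpolicy` command from Sean's message; if `lint_policy` returns anything, fix the document first rather than relying on the gateway to reject it, since a policy that grants `s3:ListBucket` only on `bucket/*` is accepted but never matches.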