Hi Matt and Adam,
Thanks a lot for your reply.
Attached are logs that that are generated when I shared the bucket from a rgw user (ceph-dashboard) to a ldap user (sonhaiha) and vice versa.
[sonhaiha@DEFRXXXX500 ~]$ s3cmd -c .s3cfg-cephdb info s3://shared-bucket
s3://shared-bucket/ (bucket):
Location: us-east-1
Payer: BucketOwner
Expiration Rule: none
Policy: {
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Principal": {"AWS": ["arn:aws:iam:::user/sonhaiha"]},
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::shared-bucket",
"arn:aws:s3:::shared-bucket/*"
]
}]
}
CORS: none
ACL: Ceph Dashboard: FULL_CONTROL
# i tried also with "arn:aws:iam:::user/sonhaiha$sonhaiha" but not successful
I saw that, in the case of ldap user, when it accesses the shared bucket, the rgw server could not find the permissions for the ldap user.
2018-10-15 10:43:36.521 7f3c65146700 15 decode_policy Read AccessControlPolicy<AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/"><Owner><ID>ceph-dashboard</ID><DisplayName>Ceph Dashboard</DisplayName></Owner><AccessControlList><Grant><Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser"><ID>ceph-dashboard</ID><DisplayName>Ceph Dashboard</DisplayName></Grantee><Permission>FULL_CONTROL</Permission></Grant></AccessControlList></AccessControlPolicy>
2018-10-15 10:43:36.522 7f3c65146700 2 req 4:0.026275:s3:GET /shared-bucket/:list_bucket:recalculating target
2018-10-15 10:43:36.522 7f3c65146700 2 req 4:0.026288:s3:GET /shared-bucket/:list_bucket:reading permissions
2018-10-15 10:43:36.522 7f3c65146700 2 req 4:0.026291:s3:GET /shared-bucket/:list_bucket:init op
2018-10-15 10:43:36.522 7f3c65146700 2 req 4:0.026292:s3:GET /shared-bucket/:list_bucket:verifying op mask
2018-10-15 10:43:36.522 7f3c65146700 20 required_mask= 1 user.op_mask=7
2018-10-15 10:43:36.522 7f3c65146700 2 req 4:0.026295:s3:GET /shared-bucket/:list_bucket:verifying op permissions
2018-10-15 10:43:36.522 7f3c65146700 20 -- Getting permissions begin with perm_mask=49
2018-10-15 10:43:36.522 7f3c65146700 5 Searching permissions for identity=rgw::auth::SysReqApplier -> rgw::auth::RemoteApplier(acct_user=sonhaiha, acct_name=sonhaiha, perm_mask=15, is_admin=0) mask=49
2018-10-15 10:43:36.522 7f3c65146700 5 Searching permissions for uid=sonhaiha
2018-10-15 10:43:36.522 7f3c65146700 5 Permissions for user not found
2018-10-15 10:43:36.522 7f3c65146700 5 Searching permissions for uid=sonhaiha$sonhaiha
2018-10-15 10:43:36.522 7f3c65146700 5 Permissions for user not found
2018-10-15 10:43:36.522 7f3c65146700 20 from ACL got perm=0
2018-10-15 10:43:36.522 7f3c65146700 5 Searching permissions for group=1 mask=49
2018-10-15 10:43:36.522 7f3c65146700 5 Permissions for group not found
2018-10-15 10:43:36.522 7f3c65146700 5 Searching permissions for group=2 mask=49
2018-10-15 10:43:36.522 7f3c65146700 5 Permissions for group not found
2018-10-15 10:43:36.522 7f3c65146700 5 -- Getting permissions done for identity=rgw::auth::SysReqApplier -> rgw::auth::RemoteApplier(acct_user=sonhaiha, acct_name=sonhaiha, perm_mask=15, is_admin=0), owner=ceph-dashboard, perm=0
Thank you
Ha
On Thu, Oct 11, 2018 at 8:16 PM Matt Benjamin <mbenjami@xxxxxxxxxx> wrote:
right, the user can be the dn component or something else projected
from the entry, details in the docs
Matt
On Thu, Oct 11, 2018 at 1:26 PM, Adam C. Emerson <aemerson@xxxxxxxxxx> wrote:
> Ha Son Hai <hasonhai124@xxxxxxxxx> wrote:
>> Hello everyone,
>> I try to apply the bucket policy to my bucket for LDAP user but it doesn't work.
>> For user created by radosgw-admin, the policy works fine.
>>
>> {
>>
>> "Version": "2012-10-17",
>>
>> "Statement": [{
>>
>> "Effect": "Allow",
>>
>> "Principal": {"AWS": ["arn:aws:iam:::user/radosgw-user"]},
>>
>> "Action": "s3:*",
>>
>> "Resource": [
>>
>> "arn:aws:s3:::shared-tenant-test",
>>
>> "arn:aws:s3:::shared-tenant-test/*"
>>
>> ]
>>
>> }]
>>
>> }
>
> LDAP users essentially are RGW users, so it should be this same
> format. As I understand RGW's LDAP interface (I have not worked with
> LDAP personally), every LDAP users get a corresponding RGW user whose
> name is derived from rgw_ldap_dnattr, often 'uid' or 'cn', but this is
> dependent on site.
>
> If you, can check that part of configuration, and if that doesn't work
> if you'll send some logs I'll take a look. If something fishy is going
> on we can try opening a bug.
>
> Thank you.
>
> --
> Senior Software Engineer Red Hat Storage, Ann Arbor, MI, US
> IRC: Aemerson@OFTC, Actinic@Freenode
> 0x80F7544B90EDBFB9 E707 86BA 0C1B 62CC 152C 7C12 80F7 544B 90ED BFB9
> _______________________________________________
> ceph-users mailing list
> ceph-users@xxxxxxxxxxxxxx
> http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
--
Matt Benjamin
Red Hat, Inc.
315 West Huron Street, Suite 140A
Ann Arbor, Michigan 48103
http://www.redhat.com/en/technologies/storage
tel. 734-821-5101
fax. 734-769-8938
cel. 734-216-5309
Best regards,
Son-Hai HA
Attachment:
ldap_user_shares_bucket_to_rgw_user.log
Description: Binary data
Attachment:
rgw_user_shares_bucket_to_ldap_user.log
Description: Binary data
_______________________________________________ ceph-users mailing list ceph-users@xxxxxxxxxxxxxx http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
