Re: How to attach permission policy to user?

[Pritha Srivastava <prsrivas@xxxxxxxxxx>]

What exact error are you seeing after adding admin caps?

I tried the following steps on master and they worked fine: (TESTER1 is adding a user policy to TESTER)
1. radosgw-admin --uid TESTER --display-name "TestUser" --access_key TESTER --secret test123 user create
2. radosgw-admin --uid TESTER1 --display-name "TestUser" --access_key TESTER1 --secret test123 user create
3. radosgw-admin caps add --uid="TESTER1" --caps="user-policy=*"
4. s3curl.pl --debug --id admin -- -s -v -X POST "http://localhost:8000/?Action="">"Version\":\"2012-10-17\",\"Statement\":\[\{\"Effect\":\"Deny\",\"Action\":\"s3:*\",\"Resource\":\[\"*\"\],\"Condition\":\{\"BoolIfExists\":\{\"sts:authentication\":\"false\"\}\}\},\{\"Effect\":\"Allow\",\"Action\":\"sts:GetSessionToken\",\"Resource\":\"*\",\"Condition\":\{\"BoolIfExists\":\{\"sts:authentication\":\"false\"\}\}\}\]\}&Version=2010-05-08"

.s3curl is as follows for me:
%awsSecretAccessKeys = (
    # personal account
    admin => {
        id => 'TESTER1',
        key => 'test123',
    }
);

On Tue, Mar 12, 2019 at 11:09 AM myxingkong <admin@xxxxxxxxxxx> wrote:

Hi Pritha:

I added administrator quotas to users, but they didn't seem to work.

radosgw-admin user create --uid=ADMIN --display-name=ADMIN --admin --system

radosgw-admin caps add --uid="ADMIN" --caps="user-policy=*;roles=*;users=*;buckets=*;metadata=*;usage=*;zone=*"

{

    "user_id": "ADMIN",

    "display_name": "ADMIN",

    "email": "",

    "suspended": 0,

    "max_buckets": 1000,

    "subusers": [],

    "keys": [

        {

            "user": "ADMIN",

            "access_key": "HTRJ1HIKR4FB9A24ZG9C",

            "secret_key": "Dfk7t5u4jvdyFMlEf8t4MTdBLEqVlru7tag1g8PE"

        }

    ],

    "swift_keys": [],

    "caps": [

        {

            "type": "buckets",

            "perm": "*"

        },

        {

            "type": "metadata",

            "perm": "*"

        },

        {

            "type": "roles",

            "perm": "*"

        },

        {

            "type": "usage",

            "perm": "*"

        },

        {

            "type": "user-policy",

            "perm": "*"

        },

        {

            "type": "users",

            "perm": "*"

        },

        {

            "type": "zone",

            "perm": "*"

        }

    ],

    "op_mask": "read, write, delete",

    "system": "true",

    "default_placement": "",

    "default_storage_class": "",

    "placement_tags": [],

    "bucket_quota": {

        "enabled": false,

        "check_on_raw": false,

        "max_size": -1,

        "max_size_kb": 0,

        "max_objects": -1

    },

    "user_quota": {

        "enabled": false,

        "check_on_raw": false,

        "max_size": -1,

        "max_size_kb": 0,

        "max_objects": -1

    },

    "temp_url_keys": [],

    "type": "rgw",

    "mfa_ids": []

}

Thanks,

myxingkong

发件人： Pritha Srivastava

发送时间： 2019-03-12 12:23:24

收件人：  myxingkong

抄送：  ceph-users@xxxxxxxxxxxxxx

主题： Re: How to attach permission policy to user?

Hi Myxingkong,

Did you add admin caps to the user (with access key id 'HTRJ1HIKR4FB9A24ZG9C'), which is trying to attach a user policy. using the command below:

radosgw-admin caps add --uid=<uid of user> --caps="user-policy=*"

Thanks,

Pritha

On Tue, Mar 12, 2019 at 7:19 AM myxingkong <admin@xxxxxxxxxxx> wrote:

Hi Pritha:

I was unable to attach the permission policy through S3curl, which returned an HTTP 403 error.

./s3curl.pl --id admin -- -s -v -X POST "http://192.168.199.81:7480/?Action="">"

Request:

> POST /?Action="" HTTP/1.1

> User-Agent: curl/7.29.0

> Host: 192.168.199.81:7480

> Accept: */*

> Date: Tue, 12 Mar 2019 01:39:55 GMT

> Authorization: AWS HTRJ1HIKR4FB9A24ZG9C:FTMBoc7+sJf0K+cx+nYD7Sdj2Xg=

Response:

< HTTP/1.1 403 Forbidden

< Content-Length: 187

< x-amz-request-id: tx000000000000000000144-005c870deb-4a92d-default

< Accept-Ranges: bytes

< Content-Type: application/xml

< Date: Tue, 12 Mar 2019 01:39:55 GMT

<

* Connection #0 to host 192.168.199.81 left intact

<?xml version="1.0" encoding="UTF-8"?><Error><Code>AccessDenied</Code><RequestId>tx000000000000000000144-005c870deb-4a92d-default</RequestId><HostId>4a92d-default-default</HostId></Error>

.s3curl

%awsSecretAccessKeys = (

    admin => {

        id => 'HTRJ1HIKR4FB9A24ZG9C',

        key => 'Dfk7t5u4jvdyFMlEf8t4MTdBLEqVlru7tag1g8PE',

    },

);

Can you tell me what went wrong?

Thanks,

myxingkong

发件人： myxingkong

发送时间： 2019-03-11 18:13:33

收件人：  prsrivas@xxxxxxxxxx

抄送：  ceph-users@xxxxxxxxxxxxxx

主题： Re: How to attach permission policy to user?

Hi Pritha:

This is the documentation for configuring restful modules:

http://docs.ceph.com/docs/nautilus/mgr/restful/

The command given according to the official documentation is to attach the permission policy through the REST API.

This is the documentation for STS lite:

http://docs.ceph.com/docs/nautilus/radosgw/STSLite/

My version of ceph is: ceph version 14.1.0 (adfd524c32325562f61c055a81dba4cb1b117e84) nautilus (dev)

Thanks,

myxingkong

On 3/11/2019 18:06，Pritha Srivastava<prsrivas@xxxxxxxxxx> wrote：

Hi Myxingkong,

Can you explain what you mean by 'enabling restful modules', particularly which document are you referring to?

Right now there is no other way to attach a permission policy to a user.

There is work in progress for adding functionality to RGW using which such calls can be scripted using boto.

Thanks,

Pritha

On Mon, Mar 11, 2019 at 3:21 PM myxingkong <admin@xxxxxxxxxxx> wrote:

Hello:

I want to use the GetSessionToken method to get the temporary credentials, but according to the answer given in the official documentation, I need to attach a permission policy to the user before I can use the GetSessionToken method.

This is the command for the additional permission policy provided by the official documentation:

s3curl.pl --debug --id admin -- -s -v -X POST "http://localhost:8000/?Action="">"Version\":\"2012-10-17\",\"Statement\":\[\{\"Effect\":\"Deny\",\"Action\":\"s3:*\",\"Resource\":\[\"*\"\],\"Condition\":\{\"BoolIfExists\":\{\"sts:authentication\":\"false\"\}\}\},\{\"Effect\":\"Allow\",\"Action\":\"sts:GetSessionToken\",\"Resource\":\"*\",\"Condition\":\{\"BoolIfExists\":\{\"sts:authentication\":\"false\"\}\}\}\]\}&Version=2010-05-08"

This requires enabling restful modules to execute this command.

I configured the restful module according to the documentation, but without success, I was unable to configure the SSL certificate.

ceph config-key set mgr/restful/crt -i restful.crt

WARNING: it looks like you might be trying to set a ceph-mgr module configuration key. Since Ceph 13.0.0 (Mimic), mgr module configuration is done with `config set`, and new values set using `config-key set` will be ignored.

set mgr/restful/crt

Can someone tell me if there is a way to configure a restful module's certificate, or if there is another way to attach permission policies to users?

Thanks,

myxingkong

_______________________________________________
ceph-users mailing list
ceph-users@xxxxxxxxxxxxxx
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com

_______________________________________________
ceph-users mailing list
ceph-users@xxxxxxxxxxxxxx
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com