Re: How to attach permission policy to user?

What exact error are you seeing after adding admin caps?

I tried the following steps on master and they worked fine: (TESTER1 is adding a user policy to TESTER)
1. radosgw-admin --uid TESTER --display-name "TestUser" --access_key TESTER --secret test123 user create
2. radosgw-admin --uid TESTER1 --display-name "TestUser" --access_key TESTER1 --secret test123 user create
3. radosgw-admin caps add --uid="TESTER1" --caps="user-policy=*"
4. s3curl.pl --debug --id admin -- -s -v -X POST "http://localhost:8000/?Action="">"Version\":\"2012-10-17\",\"Statement\":\[\{\"Effect\":\"Deny\",\"Action\":\"s3:*\",\"Resource\":\[\"*\"\],\"Condition\":\{\"BoolIfExists\":\{\"sts:authentication\":\"false\"\}\}\},\{\"Effect\":\"Allow\",\"Action\":\"sts:GetSessionToken\",\"Resource\":\"*\",\"Condition\":\{\"BoolIfExists\":\{\"sts:authentication\":\"false\"\}\}\}\]\}&Version=2010-05-08"


Hi Pritha:
I added administrator quotas to users, but they didn't seem to work.
radosgw-admin user create --uid=ADMIN --display-name=ADMIN --admin --system
radosgw-admin caps add --uid="ADMIN" --caps="user-policy=*;roles=*;users=*;buckets=*;metadata=*;usage=*;zone=*"
{
    "user_id": "ADMIN",
    "display_name": "ADMIN",
    "email": "",
    "suspended": 0,
    "max_buckets": 1000,
    "subusers": [],
    "keys": [
        {
            "user": "ADMIN",
            "access_key": "HTRJ1HIKR4FB9A24ZG9C",
            "secret_key": "Dfk7t5u4jvdyFMlEf8t4MTdBLEqVlru7tag1g8PE"
        }
    ],
    "swift_keys": [],
    "caps": [
        {
            "type": "buckets",
            "perm": "*"
        },
        {
            "type": "metadata",
            "perm": "*"
        },
        {
            "type": "roles",
            "perm": "*"
        },
        {
            "type": "usage",
            "perm": "*"
        },
        {
            "type": "user-policy",
            "perm": "*"
        },
        {
            "type": "users",
            "perm": "*"
        },
        {
            "type": "zone",
            "perm": "*"
        }
    ],
    "op_mask": "read, write, delete",
    "system": "true",
    "default_placement": "",
    "default_storage_class": "",
    "placement_tags": [],
    "bucket_quota": {
        "enabled": false,
        "check_on_raw": false,
        "max_size": -1,
        "max_size_kb": 0,
        "max_objects": -1
    },
    "user_quota": {
        "enabled": false,
        "check_on_raw": false,
        "max_size": -1,
        "max_size_kb": 0,
        "max_objects": -1
    },
    "temp_url_keys": [],
    "type": "rgw",
    "mfa_ids": []
}
Thanks,
myxingkong

From: Pritha Srivastava
Sent: 2019-03-12 12:23:24
To: myxingkong
Subject: Re: How to attach permission policy to user?
Hi Myxingkong,

Did you add admin caps to the user (with access key id 'HTRJ1HIKR4FB9A24ZG9C'), which is trying to attach a user policy, using the command below?

radosgw-admin caps add --uid=<uid of user> --caps="user-policy=*"

Thanks,
Pritha

On Tue, Mar 12, 2019 at 7:19 AM myxingkong <admin@xxxxxxxxxxx> wrote:
Hi Pritha:
I was unable to attach the permission policy through S3curl, which returned an HTTP 403 error.

./s3curl.pl --id admin -- -s -v -X POST "http://192.168.199.81:7480/?Action="">"
Request:
> POST /?Action="" HTTP/1.1
> User-Agent: curl/7.29.0
> Accept: */*
> Date: Tue, 12 Mar 2019 01:39:55 GMT
> Authorization: AWS HTRJ1HIKR4FB9A24ZG9C:FTMBoc7+sJf0K+cx+nYD7Sdj2Xg=
Response:
< HTTP/1.1 403 Forbidden
< Content-Length: 187
< x-amz-request-id: tx000000000000000000144-005c870deb-4a92d-default
< Accept-Ranges: bytes
< Content-Type: application/xml
< Date: Tue, 12 Mar 2019 01:39:55 GMT
<
* Connection #0 to host 192.168.199.81 left intact
<?xml version="1.0" encoding="UTF-8"?><Error><Code>AccessDenied</Code><RequestId>tx000000000000000000144-005c870deb-4a92d-default</RequestId><HostId>4a92d-default-default</HostId></Error>

.s3curl
%awsSecretAccessKeys = (
    admin => {
        id => 'HTRJ1HIKR4FB9A24ZG9C',
        key => 'Dfk7t5u4jvdyFMlEf8t4MTdBLEqVlru7tag1g8PE',
    },
);
Can you tell me what went wrong?
Thanks,
myxingkong


From: myxingkong
Sent: 2019-03-11 18:13:33
To: prsrivas@xxxxxxxxxx
Subject: Re: How to attach permission policy to user?
Hi Pritha:

This is the documentation for configuring restful modules:

The command given according to the official documentation is to attach the permission policy through the REST API.

This is the documentation for STS lite:

My version of ceph is: ceph version 14.1.0 (adfd524c32325562f61c055a81dba4cb1b117e84) nautilus (dev)

Thanks,
myxingkong
On 3/11/2019 18:06, Pritha Srivastava <prsrivas@xxxxxxxxxx> wrote:
Hi Myxingkong,

Can you explain what you mean by 'enabling restful modules', particularly which document are you referring to?

Right now there is no other way to attach a permission policy to a user.

There is work in progress for adding functionality to RGW using which such calls can be scripted using boto.

Thanks,
Pritha

On Mon, Mar 11, 2019 at 3:21 PM myxingkong <admin@xxxxxxxxxxx> wrote:
Hello:

I want to use the GetSessionToken method to get the temporary credentials, but according to the answer given in the official documentation, I need to attach a permission policy to the user before I can use the GetSessionToken method.

This is the command for the additional permission policy provided by the official documentation:



This requires enabling restful modules to execute this command.

I configured the restful module according to the documentation, but without success: I was unable to configure the SSL certificate.

ceph config-key set mgr/restful/crt -i restful.crt

WARNING: it looks like you might be trying to set a ceph-mgr module configuration key. Since Ceph 13.0.0 (Mimic), mgr module configuration is done with `config set`, and new values set using `config-key set` will be ignored.
set mgr/restful/crt

Can someone tell me if there is a way to configure a restful module's certificate, or if there is another way to attach permission policies to users?

Thanks,
myxingkong
_______________________________________________
ceph-users mailing list
ceph-users@xxxxxxxxxxxxxx
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
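
Added example, not part of the original thread and not code from the Ceph project: a Python sketch of the two checks the thread revolves around, confirming from `radosgw-admin user info` JSON that the calling user holds the `user-policy` cap, and URL-encoding the policy document quoted in the thread instead of backslash-escaping it by hand. Assumptions: the action and parameter names (`PutUserPolicy`, `PolicyName`, `UserName`, `PolicyDocument`) are those of the IAM PutUserPolicy API, used here because the URL in the thread is truncated; the write permission requirement, the policy name `Policy1` and the sample JSON are constructed for illustration.

```python
import json
from urllib.parse import urlencode

# Constructed sample: trimmed `radosgw-admin user info` output in the shape
# shown in the thread (only the fields this check reads).
SAMPLE_USER_INFO = """
{"user_id": "TESTER1",
 "caps": [{"type": "user-policy", "perm": "*"},
          {"type": "usage", "perm": "read"}]}
"""

def has_cap(user_info, cap_type, needed):
    """True if the caps list grants `needed` ('read' or 'write') on cap_type."""
    for cap in user_info.get("caps", []):
        if cap.get("type") != cap_type:
            continue
        perms = {p.strip() for p in cap.get("perm", "").split(",")}
        if "*" in perms or needed in perms:
            return True
    return False

def sts_lite_policy():
    """The policy document quoted in the thread, as a Python structure."""
    unauth = {"BoolIfExists": {"sts:authentication": "false"}}
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Deny", "Action": "s3:*", "Resource": ["*"],
             "Condition": unauth},
            {"Effect": "Allow", "Action": "sts:GetSessionToken",
             "Resource": "*", "Condition": unauth},
        ],
    }

def put_user_policy_query(user_name, policy_name, policy):
    """Build the query string with every parameter percent-encoded."""
    return urlencode({
        "Action": "PutUserPolicy",  # assumed IAM action name (truncated on the page)
        "PolicyName": policy_name,  # placeholder chosen for this example
        "UserName": user_name,
        "PolicyDocument": json.dumps(policy, separators=(",", ":")),
        "Version": "2010-05-08",    # value shown in the thread
    })

if __name__ == "__main__":
    info = json.loads(SAMPLE_USER_INFO)
    print("user-policy write cap:", has_cap(info, "user-policy", "write"))
    print("/?" + put_user_policy_query("TESTER", "Policy1", sts_lite_policy()))
```
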