Hi Vlad,

If a user creates a bucket then only that user can see the bucket unless an S3 ACL is applied giving additional permissions... but I'd guess you are asking a more complex question than that.

If you are looking to apply some kind of policy overriding whatever ACL a user might apply to a bucket then it looks like the integration with Open Policy Agent can do what you want. I have not myself tried this out but it looks very interesting if you have the Nautilus release.

http://docs.ceph.com/docs/nautilus/radosgw/opa/

A third option is you could run the RGW behind something like HAProxy and configure ACLs there which allow/disallow requests based on different criteria. For example you can parse the bucket name out of the URL and match against an ACL. You may be able to use the Authorization header to pull out the access key id and match that against a map file and allow/disallow the request, or use some other criteria as might be available in HAProxy. HAProxy does have a unix socket interface allowing for modifying map file entries without restarting/editing the proxy config files.

http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#7

thanks,
Ben

On Thu, May 2, 2019 at 12:53 PM Vladimir Brik <vladimir.brik@xxxxxxxxxxxxxxxx> wrote:
>
> Hello
>
> I am trying to figure out a way to restrict access to S3 buckets. Is it
> possible to create a RadosGW user that can only access specific bucket(s)?
>
>
> Thanks,
>
> Vlad
> _______________________________________________
> ceph-users mailing list
> ceph-users@xxxxxxxxxxxxxx
> http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
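
The proxy-side check described in the reply above (bucket name from the URL, access key id from the Authorization header, matched against a map) can be modelled as follows. This is an added example, not code from the thread, Ceph or HAProxy; it also covers presigned URLs, where the key id travels in the query string rather than the header. The key ids, bucket names and the `rgw.example.com` endpoint are constructed, and the key id is only what the client claims: the gateway behind the proxy still has to validate the signature.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed map, same idea as a proxy map file: access key id -> allowed buckets.
KEY_TO_BUCKETS = {
    "AKIAEXAMPLEALICE": {"alice-data", "shared"},
    "AKIAEXAMPLEBOB": {"shared"},
}

SIGV4 = re.compile(r"^AWS4-HMAC-SHA256\s+.*?Credential=([^/,\s]+)/")
SIGV2 = re.compile(r"^AWS\s+([^:\s]+):")

def access_key_id(headers, query):
    """Return the access key id the client claims, or None for anonymous requests."""
    auth = headers.get("authorization", "")
    for pattern in (SIGV4, SIGV2):
        m = pattern.match(auth)
        if m:
            return m.group(1)
    # Presigned URLs carry the key id in the query string instead of a header.
    if "X-Amz-Credential" in query:
        return query["X-Amz-Credential"][0].split("/", 1)[0]
    if "AWSAccessKeyId" in query:
        return query["AWSAccessKeyId"][0]
    return None

def bucket_name(host, path, rgw_dns_name="rgw.example.com"):
    """Bucket from virtual-host style (bucket.<endpoint>) or path style (/bucket/key)."""
    host = host.split(":", 1)[0].lower()
    suffix = "." + rgw_dns_name  # assumed endpoint name, not from the thread
    if host.endswith(suffix):
        return host[: -len(suffix)]
    first = path.lstrip("/").split("/", 1)[0]
    return first or None

def allow(url, headers):
    """Proxy-side decision: deny unless the claimed key id is mapped to the bucket."""
    parts = urlsplit(url)
    headers = {k.lower(): v for k, v in headers.items()}
    key = access_key_id(headers, parse_qs(parts.query))
    bucket = bucket_name(headers.get("host", parts.netloc), parts.path)
    if key is None or bucket is None:
        return False  # anonymous or service-level request (no bucket in the URL)
    return bucket in KEY_TO_BUCKETS.get(key, set())
```

Denying by default when no key id or bucket can be extracted keeps anonymous and malformed requests from slipping past the map.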