bucket policies with Principal (arn) on a subuser-level

Francois Scheurer <francois.scheurer@xxxxxxxxxxxx> · Thu, 21 Nov 2019 09:03:36 +0100



    Dear All
    

    Is it possible to define s3 bucket policies with the Principal ("arn:aws:iam:::user/parentusera")
      on a subuser - level instead of user - level?
    I did a test with Nautilus (14.2.4-373) with a user 'parentusera'
      and a subuser 'subusera'.

      
    radosgw-admin user info --uid=parentusera

      {

          "user_id": "parentusera",

          "display_name": "parentusera",

          "email": "",

          "suspended": 0,

          "max_buckets": 1000,

          "subusers": [

              {

                  "id": "parentusera:subusera",

                  "permissions": "full-control"

              }

          ],

          "keys": [

              {

                  "user": "parentusera",

                  "access_key": "0YXCC67E8A3Z7T3DIY1B",

                  "secret_key":
      "LuqPjefT0WkyJQcb0v7d8LEs7cL6py8AJetQJPJZ"

              },

              {

                  "user": "parentusera:subusera",

                  "access_key": "UAQA3KPAMQ581PX22AMS",

                  "secret_key":
      "zZiAX0SHFepGz552qVb2VqxLljNxjQ3jOAFy0iVB"

              }

          ],

      ...

      }

    
    The following bucket policy is applied on a bucket (owned by
      another user), in order to let 'subusera' access it:

      {

       "Version": "2012-10-17",

       "Id": "read-write",

       "Statement": [

         {

           "Sid": "project-read-write",

           "Effect": "Allow",

           "Principal": {

             "AWS": [

                "arn:aws:iam:::user/parentusera"

             ]

           },

           "Action": [

             "s3:ListBucket",

             "s3:PutObject",

             "s3:DeleteObject",

             "s3:GetObject"

           ],

           "Resource": [

             "arn:aws:s3:::*"

           ]

         }

       ]

      }

    
    The Principal "arn:aws:iam:::user/parentusera" is actually
      matching all subusers of 'parentusera' and 'parentusera' itself.
    Is it possible to match a single subuser?
    I made some tries like:
    
      "arn:aws:iam:::user/parentusera:subusera"
      "arn:aws:iam:::user/parentusera\:subusera"
      "arn:aws:iam:::user/parentusera%3Asubusera"
    
    But no luck. 

    
    I think the problem comes from the regex which disallows ':' for
      the username:

          ./src/rgw/rgw_iam_policy.cc:  static const char str_wild[] =
      "arn:([^:]*):([^:]*):([^:]*):([^:]*):([^:]*)";

    
    Maybe a solution would be to use '/' as separator for subusers
      instead of ':' ?

          "id": "parentusera/subusera"
    

    Best Regards
    Francois Scheurer

    
    -- 


EveryWare AG
François Scheurer
Senior Systems Engineer
Zurlindenstrasse 52a
CH-8003 Zürich

tel: +41 44 466 60 00
fax: +41 44 466 60 10
mail: francois.scheurer@xxxxxxxxxxxx
web: http://www.everyware.ch 
  

Attachment:
smime.p7s

Description: S/MIME cryptographic signature
_______________________________________________
ceph-users mailing list
ceph-users@xxxxxxxxxxxxxx
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com