Hi Vishwas,

In the following bucket policy:

Policy: {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Principal": {"AWS": ["arn:aws:iam::tenant1:user/Tom"]},
      "Action": ["s3:ListBucket"],
      "Effect": "Allow",
      "Resource": "s3://tenant2/jerry-bucket"
    }
  ]
}

'Resource' should follow the AWS ARN format (arn:aws:s3::tenant2:jerry-bucket).

Also, you won't be able to pass in a tenant name with bucket name using s3cmd. You can use boto for the same with bucket names of the format 'tenant:bucket' and disable bucket name validation using s3client.meta.events.unregister('before-parameter-build.s3', validate_bucket_name), if you plan to use boto3.

Thanks,
Pritha

On Thu, May 14, 2020 at 2:01 PM Vishwas Bm <bmvishwas@xxxxxxxxx> wrote:

> When I tried as below also, similar error is coming:
>
> [root@vishwas-test cluster]# s3cmd --access_key=GY40PHWVK40A2G4XQH2D
> --secret_key=bKq36rs5t1nZEL3MedAtDY3JCfBoOs1DEou0xfOk ls
> s3://tenant2/jerry-bucket
> ERROR: Bucket 'tenant2' does not exist
> ERROR: S3 error: 404 (NoSuchBucket)
>
>
> [root@vishwas-test cluster]# s3cmd --access_key=GY40PHWVK40A2G4XQH2D
> --secret_key=bKq36rs5t1nZEL3MedAtDY3JCfBoOs1DEou0xfOk ls
> s3://tenant2:jerry-bucket
> ERROR: S3 error: 403 (SignatureDoesNotMatch)
>
>
> *Thanks & Regards,*
>
> *Vishwas *
>
>
> On Thu, May 14, 2020 at 1:54 PM Vishwas Bm <bmvishwas@xxxxxxxxx> wrote:
>
>> Hi Pritha,
>>
>> Thanks for the reply. Please find the user list, bucket list and also the
>> command which I have used.
>>
>> [root@vishwas-test cluster]# radosgw-admin user list
>> [
>>     "tenant2$Jerry",
>>     "tenant1$Tom"
>> ]
>>
>> [root@vishwas-test cluster]# radosgw-admin bucket list
>> [
>>     "tenant2/jerry-bucket"
>> ]
>>
>> [root@vishwas-test cluster]# s3cmd info
>> --access_key=HVTKORMH8LLDF76TKQGI
>> --secret_key=9XFcvgMm4yBncA8D9SguEMVSBsUkhuuRLSbyuUPp s3://jerry-bucket
>> s3://jerry-bucket/ (bucket):
>>    Location: default
>>    Payer: BucketOwner
>>    Expiration Rule: none
>>    Policy: {
>>      "Version": "2012-10-17",
>>      "Statement": [
>>        {
>>          "Principal": {"AWS": ["arn:aws:iam::tenant1:user/Tom"]},
>>          "Action": ["s3:ListBucket"],
>>          "Effect": "Allow",
>>          "Resource": "s3://tenant2/jerry-bucket"
>>        }
>>      ]
>>    }
>>    CORS: none
>>    ACL: Jerry: FULL_CONTROL
>>
>>
>> When I try to list using Tom access keys, I get below error:
>> [root@vishwas-test cluster]# s3cmd --access_key=GY40PHWVK40A2G4XQH2D
>> --secret_key=bKq36rs5t1nZEL3MedAtDY3JCfBoOs1DEou0xfOk ls s3://jerry-bucket
>>
>> *ERROR: Bucket 'jerry-bucket' does not exist*
>> *ERROR: S3 error: 404 (NoSuchBucket)*
>>
>>
>> *Thanks & Regards,*
>>
>> *Vishwas *
>>
>>
>> On Thu, May 14, 2020 at 11:54 AM Pritha Srivastava <prsrivas@xxxxxxxxxx>
>> wrote:
>>
>>> Hi Vishwas,
>>>
>>> Bucket policy should let you access buckets in another tenant.
>>> What exact command are you using?
>>>
>>> Thanks,
>>> Pritha
>>>
>>> On Thursday, May 14, 2020, Vishwas Bm <bmvishwas@xxxxxxxxx> wrote:
>>>
>>>> > Hi,
>>>> >
>>>> > I have two users both belong to different tenant.
>>>> >
>>>> > Can I give permission for the user in another tenant to access the
>>>> > bucket using setacl or setPolicy command?
>>>> > I tried the setacl command and setpolicy command, but it was not
>>>> > working.
>>>> > It used to say bucket not found, when the grantee tried to access.
>>>> >
>>>> > Is this supported?
>>>> >
>>>> > *Thanks & Regards,*
>>>> > *Vishwas *
>>>> >
>>>>
>>>> _______________________________________________
>>>> ceph-users mailing list -- ceph-users@xxxxxxx
>>>> To unsubscribe send an email to ceph-users-leave@xxxxxxx
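
Added example, not part of the original thread or of Ceph's own code: it rewrites the posted policy's 'Resource' into the ARN form given in the reply, and shows the boto3 'tenant:bucket' access with bucket name validation unregistered. The function names, and the endpoint and credential parameters, are assumptions for illustration.

```python
import copy

# Policy as posted in the thread: Resource is an s3:// URI, not an ARN.
POLICY_FROM_THREAD = {
    "Version": "2012-10-17",
    "Statement": [{
        "Principal": {"AWS": ["arn:aws:iam::tenant1:user/Tom"]},
        "Action": ["s3:ListBucket"],
        "Effect": "Allow",
        "Resource": "s3://tenant2/jerry-bucket",
    }],
}

def to_arn(resource):
    """Turn 's3://tenant/bucket[/key]' into 'arn:aws:s3::tenant:bucket[/key]'.

    Assumption: the first path component of the s3:// form is the tenant,
    as in the thread's 's3://tenant2/jerry-bucket'.
    """
    if resource.startswith("arn:aws:s3:"):
        return resource  # already an ARN, leave untouched
    if not resource.startswith("s3://"):
        raise ValueError(f"unrecognised Resource: {resource!r}")
    tenant, _, bucket_path = resource[len("s3://"):].partition("/")
    if not tenant or not bucket_path:
        raise ValueError(f"need tenant and bucket in: {resource!r}")
    return f"arn:aws:s3::{tenant}:{bucket_path}"

def fix_policy(policy):
    """Return a copy of the policy with every Resource in ARN form."""
    fixed = copy.deepcopy(policy)
    for stmt in fixed["Statement"]:
        res = stmt["Resource"]
        stmt["Resource"] = to_arn(res) if isinstance(res, str) else [to_arn(r) for r in res]
    return fixed

def list_cross_tenant(endpoint, access_key, secret_key, tenant, bucket):
    """List keys in another tenant's bucket with boto3, addressed as 'tenant:bucket'."""
    import boto3  # imported lazily so the policy helpers work without boto3
    from botocore.handlers import validate_bucket_name
    s3 = boto3.client("s3", endpoint_url=endpoint,
                      aws_access_key_id=access_key,
                      aws_secret_access_key=secret_key)
    # boto3 rejects ':' in bucket names unless this validator is unregistered.
    s3.meta.events.unregister("before-parameter-build.s3", validate_bucket_name)
    resp = s3.list_objects_v2(Bucket=f"{tenant}:{bucket}")
    return [obj["Key"] for obj in resp.get("Contents", [])]
```

The bucket owner would apply the output of fix_policy(POLICY_FROM_THREAD) to the bucket; the grantee would then call list_cross_tenant with their own keys, tenant "tenant2" and bucket "jerry-bucket".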