Hi Pritha,

Thanks for the response.
Yes, with the boto package I was able to access the bucket content.

*Thanks & Regards,*
*Vishwas*

On Thu, May 14, 2020 at 9:32 PM Pritha Srivastava <prsrivas@xxxxxxxxxx> wrote:

> Hi Vishwas,
>
> In the following bucket policy:
> Policy: {
>   "Version": "2012-10-17",
>   "Statement": [
>     {
>       "Principal": {"AWS": ["arn:aws:iam::tenant1:user/Tom"]},
>       "Action": ["s3:ListBucket"],
>       "Effect": "Allow",
>       "Resource": "s3://tenant2/jerry-bucket"
>     }
>   ]
> }
> 'Resource' should follow the AWS ARN format
> (arn:aws:s3::tenant2:jerry-bucket)
>
> Also, you won't be able to pass in a tenant name with bucket name using
> s3cmd. You can use boto for the same with bucket names of the format
> 'tenant:bucket' and disable bucket name validation using
> s3client.meta.events.unregister('before-parameter-build.s3',
> validate_bucket_name), if you plan to use boto3.
>
> Thanks,
> Pritha
>
> On Thu, May 14, 2020 at 2:01 PM Vishwas Bm <bmvishwas@xxxxxxxxx> wrote:
>
>> When I tried as below also, a similar error is coming:
>>
>> [root@vishwas-test cluster]# s3cmd --access_key=GY40PHWVK40A2G4XQH2D
>> --secret_key=bKq36rs5t1nZEL3MedAtDY3JCfBoOs1DEou0xfOk ls
>> s3://tenant2/jerry-bucket
>> ERROR: Bucket 'tenant2' does not exist
>> ERROR: S3 error: 404 (NoSuchBucket)
>>
>> [root@vishwas-test cluster]# s3cmd --access_key=GY40PHWVK40A2G4XQH2D
>> --secret_key=bKq36rs5t1nZEL3MedAtDY3JCfBoOs1DEou0xfOk ls
>> s3://tenant2:jerry-bucket
>> ERROR: S3 error: 403 (SignatureDoesNotMatch)
>>
>> *Thanks & Regards,*
>> *Vishwas*
>>
>> On Thu, May 14, 2020 at 1:54 PM Vishwas Bm <bmvishwas@xxxxxxxxx> wrote:
>>
>>> Hi Pritha,
>>>
>>> Thanks for the reply. Please find the user list, bucket list and also
>>> the command which I have used.
>>>
>>> [root@vishwas-test cluster]# radosgw-admin user list
>>> [
>>>     "tenant2$Jerry",
>>>     "tenant1$Tom"
>>> ]
>>>
>>> [root@vishwas-test cluster]# radosgw-admin bucket list
>>> [
>>>     "tenant2/jerry-bucket"
>>> ]
>>>
>>> [root@vishwas-test cluster]# s3cmd info
>>> --access_key=HVTKORMH8LLDF76TKQGI
>>> --secret_key=9XFcvgMm4yBncA8D9SguEMVSBsUkhuuRLSbyuUPp s3://jerry-bucket
>>> s3://jerry-bucket/ (bucket):
>>>    Location:  default
>>>    Payer:     BucketOwner
>>>    Expiration Rule: none
>>>    Policy:    {
>>>      "Version": "2012-10-17",
>>>      "Statement": [
>>>        {
>>>          "Principal": {"AWS": ["arn:aws:iam::tenant1:user/Tom"]},
>>>          "Action": ["s3:ListBucket"],
>>>          "Effect": "Allow",
>>>          "Resource": "s3://tenant2/jerry-bucket"
>>>        }
>>>      ]
>>>    }
>>>    CORS:      none
>>>    ACL:       Jerry: FULL_CONTROL
>>>
>>> When I try to list using Tom's access keys, I get the below error:
>>> [root@vishwas-test cluster]# s3cmd --access_key=GY40PHWVK40A2G4XQH2D
>>> --secret_key=bKq36rs5t1nZEL3MedAtDY3JCfBoOs1DEou0xfOk ls s3://jerry-bucket
>>>
>>> *ERROR: Bucket 'jerry-bucket' does not exist*
>>> *ERROR: S3 error: 404 (NoSuchBucket)*
>>>
>>> *Thanks & Regards,*
>>> *Vishwas*
>>>
>>> On Thu, May 14, 2020 at 11:54 AM Pritha Srivastava <prsrivas@xxxxxxxxxx>
>>> wrote:
>>>
>>>> Hi Vishwas,
>>>>
>>>> Bucket policy should let you access buckets in another tenant.
>>>> What exact command are you using?
>>>>
>>>> Thanks,
>>>> Pritha
>>>>
>>>> On Thursday, May 14, 2020, Vishwas Bm <bmvishwas@xxxxxxxxx> wrote:
>>>>
>>>>> > Hi,
>>>>> >
>>>>> > I have two users; both belong to different tenants.
>>>>> >
>>>>> > Can I give permission for the user in another tenant to access the bucket
>>>>> > using the setacl or setPolicy command?
>>>>> > I tried the setacl command and the setpolicy command, but it was not working.
>>>>> > It used to say bucket not found when the grantee tried to access.
>>>>> >
>>>>> > Is this supported?
>>>>> >
>>>>> > *Thanks & Regards,*
>>>>> > *Vishwas*
>>>>>
>>>>> _______________________________________________
>>>>> ceph-users mailing list -- ceph-users@xxxxxxx
>>>>> To unsubscribe send an email to ceph-users-leave@xxxxxxx
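
The two fixes discussed in the thread, as an added example that is not part of the original messages and is not Ceph or s3cmd code: a check that rewrites a policy's `Resource` into the ARN form given in the reply, plus a boto3 client with bucket-name validation unregistered so 'tenant:bucket' names are accepted. The function names `fix_resource`, `fix_policy` and `tenant_client` are hypothetical, the endpoint and credentials are parameters you supply, and treating the first component of an `s3://` value as the tenant is an assumption taken from how the thread uses it.

```python
import json
import re

# Form from the reply: arn:aws:s3::<tenant>:<bucket>[/<key>] (empty tenant allowed).
ARN_RE = re.compile(r"^arn:aws:s3::[^:/]*:[^:/]+(/.*)?$")
# s3cmd-style forms tried in the thread; first component is ASSUMED to be the tenant.
URL_RE = re.compile(r"^s3://(?P<tenant>[^/:]+)[/:](?P<bucket>[^/]+)(?P<key>/.*)?$")

def fix_resource(value):
    """Return (arn, changed) for one Resource entry; raise on unknown shapes."""
    if ARN_RE.match(value):
        return value, False
    m = URL_RE.match(value)
    if m is None:
        raise ValueError("not an ARN or s3://tenant/bucket value: %r" % value)
    return "arn:aws:s3::%s:%s%s" % (m["tenant"], m["bucket"], m["key"] or ""), True

def fix_policy(policy_text):
    """Rewrite every Resource in a policy document; return (policy, changes)."""
    policy = json.loads(policy_text)
    changes = []
    for stmt in policy["Statement"]:
        res = stmt["Resource"]
        fixed = []
        for item in (res if isinstance(res, list) else [res]):
            arn, changed = fix_resource(item)
            if changed:
                changes.append((item, arn))
            fixed.append(arn)
        stmt["Resource"] = fixed if isinstance(res, list) else fixed[0]
    return policy, changes

def tenant_client(endpoint, access_key, secret_key):
    """boto3 client that accepts 'tenant:bucket' names (needs boto3 installed)."""
    import boto3
    from botocore.handlers import validate_bucket_name
    s3 = boto3.client("s3", endpoint_url=endpoint, aws_access_key_id=access_key,
                      aws_secret_access_key=secret_key)
    s3.meta.events.unregister("before-parameter-build.s3", validate_bucket_name)
    return s3  # e.g. s3.list_objects_v2(Bucket="tenant2:jerry-bucket")

# Policy text as posted in the thread.
POLICY = """{"Version": "2012-10-17", "Statement": [{
  "Principal": {"AWS": ["arn:aws:iam::tenant1:user/Tom"]},
  "Action": ["s3:ListBucket"], "Effect": "Allow",
  "Resource": "s3://tenant2/jerry-bucket"}]}"""

if __name__ == "__main__":
    fixed, changes = fix_policy(POLICY)
    print(json.dumps(fixed, indent=2))
    print(changes)
```

Running the check before applying a policy catches the malformed `Resource` at review time, instead of the grantee finding out through a NoSuchBucket response.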