The federated user will be allowed to perform only those s3 actions that are explicitly allowed by the role's permission policy. The permission policy is there for someone to exercise finer-grained control over what s3 action is allowed and what is not, hence it differs from what regular users are allowed to do.

Thanks,
Pritha

On Wed, May 12, 2021 at 4:04 PM Daniel Iwan <iwan.daniel@xxxxxxxxx> wrote:
> Hi all
>
> Scenario is as follows:
> Federated user assumes a role via AssumeRoleWithWebIdentity, which gives
> permission to create a bucket.
> User creates a bucket and becomes an owner (this is visible in Ceph's web
> UI as Owner $oidc$7f71c7c5-c24f-418e-87ac-aa8fe271289b).
> User cannot list the content of the bucket however, because the role's policy
> does not give access to the bucket.
> Later on, when the user re-authenticates and assumes the same role again,
> at this point the user cannot access a bucket it owns, for the reason as above
> I'm assuming.
> Bucket's ACL after creation:
>
> radosgw-admin policy --bucket my-bucket
> {
>     "acl": {
>         "acl_user_map": [
>             {
>                 "user": "$oidc$7f71c7c5-c24f-418e-87ac-aa8fe271289b",
>                 "acl": 15
>             }
>         ],
>         "acl_group_map": [],
>         "grant_map": [
>             {
>                 "id": "$oidc$7f71c7c5-c24f-418e-87ac-aa8fe271289b",
>                 "grant": {
>                     "type": {
>                         "type": 0
>                     },
>                     "id": "$oidc$7f71c7c5-c24f-418e-87ac-aa8fe271289b",
>                     "email": "",
>                     "permission": {
>                         "flags": 15
>                     },
>                     "name": "",
>                     "group": 0,
>                     "url_spec": ""
>                 }
>             }
>         ]
>     },
>     "owner": {
>         "id": "$oidc$7f71c7c5-c24f-418e-87ac-aa8fe271289b",
>         "display_name": ""
>     }
> }
>
> This seems inconsistent with buckets created by regular users.
> Is this expected behaviour?
>
> Regards
> Daniel
> _______________________________________________
> ceph-users mailing list -- ceph-users@xxxxxxx
> To unsubscribe send an email to ceph-users-leave@xxxxxxx
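Added example (not code from this thread and not Ceph RGW's own authorization code): a small Python model of the rule Pritha states, run against Daniel's scenario. ROLE_POLICY_ORIGINAL is a constructed role permission policy that allows only s3:CreateBucket, as Daniel describes his role; ROLE_POLICY_FIXED is a constructed alternative that also grants the rest on the one bucket. The evaluator is a simplified IAM-style one (Allow/Deny with deny-overrides and '*'/'?' wildcards; no Condition, NotAction, bucket policies or session policies). It also decodes the "flags": 15 from the ACL dump, which in RGW's ACL permission bits is READ|WRITE|READ_ACP|WRITE_ACP, i.e. FULL_CONTROL: the ownership grant is really there, and the role session still cannot list the bucket because nothing in the role policy allows it.

```python
"""Why a federated (AssumeRoleWithWebIdentity) user can create a bucket it
cannot then list.

Added example, not code from the thread or from Ceph RGW. It models only what
the reply states: a role session gets exactly the S3 actions the role's
permission policy allows, and the FULL_CONTROL grant the bucket ACL gives the
$oidc$ owner does not fill in a missing Allow. The evaluator is a simplified
IAM-style one (Allow/Deny, deny-overrides, '*' and '?' wildcards; no Condition,
NotAction, bucket or session policies). ROLE_POLICY_ORIGINAL and
ROLE_POLICY_FIXED are constructed from Daniel's description, not copied from
his cluster.
"""
import fnmatch
import json

# Identifiers taken from the ACL dump in the thread.
OIDC_USER = "$oidc$7f71c7c5-c24f-418e-87ac-aa8fe271289b"
BUCKET_ARN = "arn:aws:s3:::my-bucket"

# RGW ACL permission bits (rgw_acl.h); "flags": 15 is all four = FULL_CONTROL.
RGW_PERM_BITS = ((0x01, "READ"), (0x02, "WRITE"), (0x04, "READ_ACP"), (0x08, "WRITE_ACP"))


def decode_acl_flags(flags: int) -> list:
    """Name the bits in an 'acl'/'flags' value from `radosgw-admin policy --bucket`."""
    return [name for bit, name in RGW_PERM_BITS if flags & bit]


# Constructed: the role as Daniel describes it, create-only and nothing else.
ROLE_POLICY_ORIGINAL = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:CreateBucket", "Resource": "arn:aws:s3:::*"}
  ]
}""")

# Constructed fix: keep create, grant the rest on the one bucket, and keep an
# explicit Deny to show it wins over the broad Allow.
ROLE_POLICY_FIXED = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:CreateBucket", "Resource": "arn:aws:s3:::*"},
    {"Effect": "Allow", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"]},
    {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "arn:aws:s3:::*"}
  ]
}""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def evaluate_policy(policy: dict, action: str, resource: str) -> str:
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one action on one ARN.

    Action names compare case-insensitively; '*' and '?' are IAM wildcards.
    An explicit Deny anywhere in the policy overrides every Allow.
    """
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        action_hit = any(fnmatch.fnmatchcase(action.lower(), pat.lower())
                         for pat in _as_list(stmt["Action"]))
        resource_hit = any(fnmatch.fnmatchcase(resource, pat)
                           for pat in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def authorize_role_session(role_policy: dict, action: str, resource: str,
                           requester: str, acl_owner: str) -> dict:
    """Decision for a role session, as the thread describes it (simplified model).

    ACL ownership is reported so the 'owner but denied' state is visible, but
    only an Allow from the role policy makes the request succeed.
    """
    verdict = evaluate_policy(role_policy, action, resource)
    return {
        "action": action,
        "policy": verdict,
        "is_acl_owner": requester == acl_owner,
        "allowed": verdict == "Allow",
    }


if __name__ == "__main__":
    print("ACL flags 15 =", decode_acl_flags(15))
    for label, policy in (("original", ROLE_POLICY_ORIGINAL), ("fixed", ROLE_POLICY_FIXED)):
        for action in ("s3:CreateBucket", "s3:ListBucket", "s3:DeleteBucket"):
            r = authorize_role_session(policy, action, BUCKET_ARN, OIDC_USER, OIDC_USER)
            print(f"{label:8} {action:16} policy={r['policy']:12} "
                  f"acl_owner={r['is_acl_owner']} allowed={r['allowed']}")
```

With ROLE_POLICY_ORIGINAL the session is the ACL owner of my-bucket and still gets ImplicitDeny for s3:ListBucket, which is exactly the state Daniel observed; the fix is on the role's permission policy, not on the bucket ACL.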