Re: RGW federated user cannot access created bucket

The federated user will be allowed to perform only those s3 actions that
are explicitly allowed by the role's permission policy. The permission
policy is there for someone to exercise finer grained control over what s3
action is allowed and what is not, hence it differs from what regular users
are allowed to do.

Thanks,
Pritha

On Wed, May 12, 2021 at 4:04 PM Daniel Iwan <iwan.daniel@xxxxxxxxx> wrote:

> Hi all
>
> The scenario is as follows.
> A federated user assumes a role via AssumeRoleWithWebIdentity, which gives
> permission to create a bucket.
> The user creates a bucket and becomes its owner (this is visible in Ceph's web
> UI as Owner $oidc$7f71c7c5-c24f-418e-87ac-aa8fe271289b).
> The user cannot list the content of the bucket, however, because the role's
> policy does not give access to the bucket.
> Later on, the user re-authenticates and assumes the same role again.
> At this point the user cannot access a bucket it owns, for the reason above
> I'm assuming.
> Bucket's ACL after creation
>
> radosgw-admin policy --bucket my-bucket
> {
>     "acl": {
>         "acl_user_map": [
>             {
>                 "user": "$oidc$7f71c7c5-c24f-418e-87ac-aa8fe271289b",
>                 "acl": 15
>             }
>         ],
>         "acl_group_map": [],
>         "grant_map": [
>             {
>                 "id": "$oidc$7f71c7c5-c24f-418e-87ac-aa8fe271289b",
>                 "grant": {
>                     "type": {
>                         "type": 0
>                     },
>                     "id": "$oidc$7f71c7c5-c24f-418e-87ac-aa8fe271289b",
>                     "email": "",
>                     "permission": {
>                         "flags": 15
>                     },
>                     "name": "",
>                     "group": 0,
>                     "url_spec": ""
>                 }
>             }
>         ]
>     },
>     "owner": {
>         "id": "$oidc$7f71c7c5-c24f-418e-87ac-aa8fe271289b",
>         "display_name": ""
>     }
> }
>
> This seems inconsistent with buckets created by regular users.
> Is this expected behaviour?
>
> Regards
> Daniel
_______________________________________________
ceph-users mailing list -- ceph-users@xxxxxxx
To unsubscribe send an email to ceph-users-leave@xxxxxxx
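The point made in the reply above, that the role's permission policy and not the bucket ACL decides which S3 actions the federated session may perform, shown as an added example that is not code from this thread or from Ceph: a small, simplified evaluator for the AWS-style policy documents RGW accepts as a role's permission policy, run over two constructed policies, one that allows only s3:CreateBucket (the situation Daniel describes) and one that also grants s3:ListBucket on the bucket. Conditions and NotAction/NotResource are not modelled.

```python
import fnmatch
import json

# Constructed example policies (not taken from the thread). RGW role permission
# policies use the AWS IAM policy document format.
CREATE_ONLY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:CreateBucket"], "Resource": "arn:aws:s3:::*"},
    ],
})

# Same role, but ListBucket/GetObject are now explicitly allowed on the bucket the
# federated user created; the ACL granting its $oidc$ owner FULL_CONTROL (15) was
# never what the session lacked.
CREATE_AND_LIST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:CreateBucket"], "Resource": "arn:aws:s3:::*"},
        {"Effect": "Allow",
         "Action": ["s3:ListBucket", "s3:GetObject"],
         "Resource": ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"]},
    ],
})


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy_json, action, resource_arn):
    """Simplified IAM evaluation: an explicit Deny wins, otherwise any matching
    Allow grants, otherwise the request is implicitly denied."""
    allowed = False
    for stmt in json.loads(policy_json)["Statement"]:
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", []))
        if not any(fnmatch.fnmatchcase(action.lower(), a) for a in actions):
            continue
        if not any(fnmatch.fnmatchcase(resource_arn, r) for r in resources):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def session_can(policy_json, action, bucket):
    """What an AssumeRoleWithWebIdentity session may do on a bucket; the bucket
    ACL is deliberately not consulted, mirroring the behaviour described above."""
    return is_allowed(policy_json, action, f"arn:aws:s3:::{bucket}")
```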