On Wed, Feb 08, 2023 at 03:07:20PM -0000, Aggelos Toumasis wrote: > Hi there, > > We noticed after creating a signurl that the bucket resources were > accessible from IPs that were originally restricted from accessing > them (using a bucket policy). Using the s3cmd utility we confirmed > that the Policy is correctly applied and you can access it only for > the allowed IPs. > > Is this an expected behavior or do we miss something? Can you share the bucket policy? Also, are you using some reverse proxy in front of RGW, and if so: are both the proxy & RGW configured for the correct headers to agree on the actual source IP. IIRC depending how the policy is written, you have have either of: - presigned URL || IP-check - presigned URL && IP-check -- Robin Hugh Johnson Gentoo Linux: Dev, Infra Lead, Foundation Treasurer E-Mail : robbat2@xxxxxxxxxx GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85 GnuPG FP : 7D0B3CEB E9B85B1F 825BCECF EE05E6F6 A48F6136
Attachment:
signature.asc
Description: PGP signature
_______________________________________________ ceph-users mailing list -- ceph-users@xxxxxxx To unsubscribe send an email to ceph-users-leave@xxxxxxx
