The conditional policy for the List operations does not work as expected
for the bucket with tenant. With buckets and users without a tenant,
everything is fine.
The owner of t1\bucket1 is t1$user1.
Bucket Policy:
{
"Version":"2012-10-17",
"Statement":[
{
"Sid":"PolicyForUser2Prefix",
"Effect":"Allow",
"Principal":{"AWS": ["arn:aws:iam::t1:user/user2"] },
"Action": ["s3:List*","s3:Get*"],
"Condition" : {
"StringLike" : {
"s3:prefix": [ "obj*"], "s3:delimiter":["/"]
}
},
"Resource": [
"arn:aws:s3::t1:bucket1",
"arn:aws:s3::t1:bucket1/obj*"
]
}
]
}
t1$user2 can list bucket1\obj1 but can't get bucket1\obj1
Get returns Error403
If the "Condition" section is removed from the policy, t1$user2 can get
obj1 but can't list.
If I change the condition to "StringLikeIfExists", everything is fine, but
t1$user2 can List the root of the bucket1, which is undesirable.
Are there any errors in the policy or is it a bug?
_______________________________________________
ceph-users mailing list -- ceph-users@xxxxxxx
To unsubscribe send an email to ceph-users-leave@xxxxxxx
