Re: Setting S3 bucket policies with multi-tenants

Den ons 1 nov. 2023 kl 17:51 skrev Thomas Bennett <thomas@xxxxxxxx>:
>
> To update my own question, it would seem that Principal should be
> defined like this:
>
>    - "Principal": {"AWS": ["arn:aws:iam::Tenant1:user/readwrite"]}
>
> And resource should:
>     "Resource": [ "arn:aws:s3:::backups"]
>
> Is it worth having the docs updated -
> https://docs.ceph.com/en/quincy/radosgw/bucketpolicy/
> to indicate that usfolks in the example is the tenant name?


A good idea.

Generally, docs should be lots more clear about which parts are chosen
by you, and which ones are inherited from some predefined role,
context, your setup, your domain or whatever.

It's hard enough to get all the finer points of rgw both from an admin
side, and as a power-user talking over the S3 apis, and if examples
"hide" things like the above as if perhaps "usfolks" is some weird
predefined thing AWS has brought along or something, then it gets lots
harder to grasp which parts I am supposed to replace and which must be
there.

Personally I would prefer colors, bold, or underlines or something to
distinguish things I should replace like endpoint url domains,
hostnames from the things which are not supposed to change like the
whole Resource thing up until the bucket name.

Looking at the example given in the docs:

    "Principal": {"AWS": ["arn:aws:iam::usfolks:user/fred:subuser"]},
    "Resource": [
      "arn:aws:s3:::happybucket/*"

the arn:aws:s3::: seems to indicate you can/should change only the
last part after the last : char, and then fill in the bucket name
there.

The arn:aws:iam on the other hand in this example is not solely the
last part after the last :, but also the next-to-last one. While this
probably is very obvious if you understand the AWS docs written
somewhere 35 links away, it would be nice IMHO if the ceph-rgw example
showed or at least hinted to me that it needs me to change two parts
in the iam entry and not only the last, because then the example would
not require me to also double-check the AWS reference manual to know
if I should edit one or two or all of the other :::: sections there.

Not saying ceph-rgw needs to fully replicate all of AWS S3 docs, but
at least help us out a bit here, please.

--
May the most significant bit of your life be positive.
_______________________________________________
ceph-users mailing list -- ceph-users@xxxxxxx
To unsubscribe send an email to ceph-users-leave@xxxxxxx
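As an added example (not code from the thread or from the Ceph project), the following Python splits the two ARN shapes discussed above into their fixed prefix and the parts you are expected to fill in, and checks that every principal in a policy belongs to the tenant you intended. The sample policy is constructed from the thread's own values (tenant `Tenant1`, user `readwrite`, bucket `backups`); the function names are my own.

```python
import json
import re

# Constructed sample policy modelled on the thread's example: the tenant
# name sits in the account-id slot of the IAM ARN; the S3 ARN holds only the bucket.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": ["arn:aws:iam::Tenant1:user/readwrite"]},
        "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::backups", "arn:aws:s3:::backups/*"],
    }],
})

# Everything outside the capture groups is fixed syntax; only the groups
# (tenant, user, optional subuser / bucket, optional object path) are yours.
IAM_ARN = re.compile(r"^arn:aws:iam::([^:]+):user/([^:]+)(?::([^:]+))?$")
S3_ARN = re.compile(r"^arn:aws:s3:::([^/]+)(/.*)?$")

def parse_principal(arn):
    """Split an IAM principal ARN into (tenant, user, subuser-or-None)."""
    m = IAM_ARN.match(arn)
    if not m:
        raise ValueError(f"unexpected IAM ARN shape: {arn}")
    return m.group(1), m.group(2), m.group(3)

def parse_resource(arn):
    """Split an S3 resource ARN into (bucket, object-path-or-None)."""
    m = S3_ARN.match(arn)
    if not m:
        raise ValueError(f"unexpected S3 ARN shape: {arn}")
    return m.group(1), m.group(2)

def check_policy(policy_json, expected_tenant):
    """Return (statement index, message) findings for principals outside
    expected_tenant or wildcard principals; malformed ARNs raise ValueError."""
    findings = []
    for idx, stmt in enumerate(json.loads(policy_json)["Statement"]):
        principal = stmt.get("Principal", {})
        aws = principal if isinstance(principal, str) else principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws  # accept single-string form
        for p in aws:
            if p == "*":
                findings.append((idx, "wildcard principal: every tenant gets access"))
                continue
            tenant, _user, _subuser = parse_principal(p)
            if tenant != expected_tenant:
                findings.append((idx, f"principal tenant {tenant!r} is not {expected_tenant!r}"))
        for r in stmt.get("Resource", []):
            parse_resource(r)  # validates the fixed arn:aws:s3::: prefix
    return findings
```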


