Did you actually get this working? I am trying to replicate your steps but am not being successful doing this with multi-tenant.

Respectfully,

*Wes Dillingham*
LinkedIn <http://www.linkedin.com/in/wesleydillingham>
wes@xxxxxxxxxxxxxxxxx


On Wed, Nov 1, 2023 at 12:52 PM Thomas Bennett <thomas@xxxxxxxx> wrote:

> To update my own question, it would seem that Principal should be
> defined like this:
>
> - "Principal": {"AWS": ["arn:aws:iam::Tenant1:user/readwrite"]}
>
> And Resource should:
> "Resource": [ "arn:aws:s3:::backups"]
>
> Is it worth having the docs updated -
> https://docs.ceph.com/en/quincy/radosgw/bucketpolicy/
> to indicate that usfolks in the example is the tenant name?
>
>
> On Wed, 1 Nov 2023 at 18:27, Thomas Bennett <thomas@xxxxxxxx> wrote:
>
> > Hi,
> >
> > I'm running Ceph Quincy (17.2.6) with a rados-gateway. I have multiple
> > tenants, for example:
> >
> > - Tenant1$manager
> > - Tenant1$readwrite
> >
> > I would like to set a policy on a bucket (backups for example) owned by
> > *Tenant1$manager* to allow *Tenant1$readwrite* access to that bucket. I
> > can't find any documentation that discusses this scenario.
> >
> > Does anyone know how to specify the Principal and Resource section of a
> > policy.json file? Or any other configuration that I might be missing?
> >
> > I've tried some variations on Principal and Resource including and
> > excluding tenant information, but no luck yet.
> >
> > For example:
> > {
> >   "Version": "2012-10-17",
> >   "Statement": [{
> >     "Effect": "Allow",
> >     "Principal": {"AWS": ["arn:aws:iam:::user/Tenant1$readwrite"]},
> >     "Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject"],
> >     "Resource": [
> >       "arn:aws:s3:::Tenant1/backups"
> >     ]
> >   }]
> > }
> >
> > I'm using s3cmd for testing, so:
> > s3cmd --config s3cfg.manager setpolicy policy.json s3://backups/
> > Returns:
> > s3://backups/: Policy updated
> >
> > And then testing:
> > s3cmd --config s3cfg.readwrite ls s3://backups/
> > ERROR: Access to bucket 'backups' was denied
> > ERROR: S3 error: 403 (AccessDenied)
> >
> > Thanks,
> > Tom
> >
>
> _______________________________________________
> ceph-users mailing list -- ceph-users@xxxxxxx
> To unsubscribe send an email to ceph-users-leave@xxxxxxx
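The ARN layout discussed in the thread, as an added example that is not code from the thread, from Ceph, or from s3cmd. It assumes the mapping Thomas's follow-up describes: an RGW uid of the form `tenant$user` becomes `arn:aws:iam::<tenant>:user/<user>` in the Principal, and the Resource names the bare bucket, not `tenant/bucket`. Whether RGW 17.2.6 honours that mapping is exactly what Wes's reply leaves open, so the generated policy is a candidate to test with `s3cmd setpolicy`, not a verified fix. The helper also adds the `bucket/*` resource, because in the S3 policy model `s3:ListBucket` matches the bucket ARN while `s3:GetObject` and `s3:PutObject` match object ARNs; the original post listed only the bucket ARN, which would leave the object actions without a matching resource. The lint function flags the three problems visible in the original post: invalid JSON (the doubled comma), a `$` inside the principal ARN, and a tenant prefix on the resource. The function names, the `Sid` value and `ORIGINAL_POST_POLICY` are this example's own.

```python
"""Build and sanity-check an RGW bucket policy for a multi-tenant grantee.

Added example, not code from the thread or from Ceph. It follows the ARN
layout Thomas's follow-up describes (tenant in the account slot of the IAM
ARN, bare bucket name in the S3 ARN). Whether RGW accepts it is what the
thread leaves open, so the output is a candidate to test, not a verified fix.
"""
import json
import re
from typing import Iterable, List

# ASSUMPTION: RGW's "tenant$user" uid maps to arn:aws:iam::<tenant>:user/<user>;
# an untenanted uid leaves the account slot empty (arn:aws:iam:::user/<user>),
# which is the form the original post used for a tenanted user.
_PRINCIPAL_RE = re.compile(r"^arn:aws:iam::([^:$/]*):user/([^:$/]+)$")
_RESOURCE_RE = re.compile(r"^arn:aws:s3:::([^/]+)(/.*)?$")


def rgw_user_to_principal_arn(rgw_user: str) -> str:
    """'Tenant1$readwrite' -> 'arn:aws:iam::Tenant1:user/readwrite'."""
    tenant, _, user = rgw_user.rpartition("$")
    if not user or "$" in tenant or "/" in tenant or "/" in user:
        raise ValueError(f"unexpected RGW uid: {rgw_user!r}")
    return f"arn:aws:iam::{tenant}:user/{user}"


def build_bucket_policy(bucket: str, grantees: Iterable[str],
                        actions: Iterable[str], sid: str = "tenant-share") -> dict:
    """Allow `grantees` (RGW uids) `actions` on `bucket`.

    Bucket-level actions (s3:ListBucket) match arn:aws:s3:::bucket; object
    actions (s3:GetObject, s3:PutObject) match arn:aws:s3:::bucket/*, so
    both resources are listed.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": sid,
            "Effect": "Allow",
            "Principal": {"AWS": [rgw_user_to_principal_arn(g) for g in grantees]},
            "Action": list(actions),
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        }],
    }


def policy_json(policy: dict) -> str:
    """Serialise for `s3cmd setpolicy policy.json s3://<bucket>/`."""
    return json.dumps(policy, indent=2)


def lint_policy(text: str, bucket: str) -> List[str]:
    """Findings for the mistakes seen in the thread: invalid JSON, a '$'
    inside a principal ARN, and a tenant prefix (or wrong bucket) in Resource."""
    try:
        policy = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc}"]
    findings: List[str] = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else []
        for arn in ([aws] if isinstance(aws, str) else aws):
            if not _PRINCIPAL_RE.match(arn):
                findings.append(f"statement {i}: principal {arn!r} is not "
                                "arn:aws:iam::<tenant>:user/<user>")
        res = stmt.get("Resource", [])
        for arn in ([res] if isinstance(res, str) else res):
            m = _RESOURCE_RE.match(arn)
            if not m or m.group(1) != bucket:
                findings.append(f"statement {i}: resource {arn!r} does not "
                                f"name bucket {bucket!r} without a tenant prefix")
    return findings


# Constructed from the original post (doubled comma removed so it parses).
ORIGINAL_POST_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": ["arn:aws:iam:::user/Tenant1$readwrite"]},
    "Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject"],
    "Resource": ["arn:aws:s3:::Tenant1/backups"]
  }]
}"""

if __name__ == "__main__":
    for finding in lint_policy(ORIGINAL_POST_POLICY, "backups"):
        print("original post:", finding)
    print(policy_json(build_bucket_policy(
        "backups", ["Tenant1$readwrite"],
        ["s3:ListBucket", "s3:GetObject", "s3:PutObject"])))
```

Write the printed document to policy.json, apply it as the bucket owner with `s3cmd --config s3cfg.manager setpolicy policy.json s3://backups/`, then retest with the readwrite config as in the thread. If RGW still returns 403, the mapping assumed here is the thing to question, not the JSON.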