I want to achieve the following:
- Create a user
- Create 2 subusers
- Create 2 buckets
- Apply a policy for each bucket
- A subuser should only have access to its own bucket
Problem:
Getting a 403 AccessDenied with subuser credentials when uploading
files.
I did the following:
radosgw-admin user create --uid=foo-user --display_name="Foo Test User"
radosgw-admin subuser create --uid=foo-user --gen-access-key \
    --gen-secret --key-type=s3 --subuser=foo-user-subuser
radosgw-admin subuser create --uid=foo-user --gen-access-key \
    --gen-secret --key-type=s3 --subuser=foo-user-subuser2
Resulting in:
{
    "user_id": "foo-user",
    "display_name": "Foo Test User",
    "email": "",
    "suspended": 0,
    "max_buckets": 1000,
    "subusers": [
        {
            "id": "foo-user:foo-user-subuser",
            "permissions": "<none>"
        },
        {
            "id": "foo-user:foo-user-subuser2",
            "permissions": "<none>"
        }
    ],
    "keys": [
        {
            "user": "foo-user:foo-user-subuser",
            "access_key": "<key>",
            "secret_key": "<key>"
        },
        {
            "user": "foo-user:foo-user-subuser2",
            "access_key": "<key>",
            "secret_key": "<key>"
        },
        {
            "user": "foo-user",
            "access_key": "<key>",
            "secret_key": "<key>"
        }
    ],
    "swift_keys": [],
    "caps": [],
    "op_mask": "read, write, delete",
    "default_placement": "",
    "default_storage_class": "",
    "placement_tags": [],
    "bucket_quota": {
        "enabled": false,
        "check_on_raw": false,
        "max_size": -1,
        "max_size_kb": 0,
        "max_objects": -1
    },
    "user_quota": {
        "enabled": false,
        "check_on_raw": false,
        "max_size": -1,
        "max_size_kb": 0,
        "max_objects": -1
    },
    "temp_url_keys": [],
    "type": "rgw",
    "mfa_ids": []
}
Using the credentials of the main account (user: foo-user) creating
buckets and setting policies:
s3cmd mb s3://foo-bucket
s3cmd mb s3://foo-bucket2
s3cmd setpolicy foo-test-subuser-policy s3://foo-bucket
s3cmd setpolicy foo-test-subuser2-policy s3://foo-bucket2
Resulting in (I am showing just foo-bucket, but the same goes for
foo-bucket2):
# s3cmd info s3://foo-bucket
s3://foo-bucket/ (bucket):
Payer: BucketOwner
Ownership: none
Versioning:none
Expiration rule: none
Block Public Access: none
Policy: {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam:::user/foo-user:foo-user-subuser"
                ]
            },
            "Action": [
                "s3:AbortMultipartUpload",
                "s3:DeleteObject",
                "s3:GetObject",
                "s3:ListBucketMultipartUploads",
                "s3:ListBucket",
                "s3:ListMultipartUploadParts",
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::foo-bucket"
            ]
        }
    ]
}
CORS: none
ACL: Foo Test User: FULL_CONTROL
When I try to upload files (using the subuser foo-user-subuser
credentials) it doesn't work:
# s3cmd ls
2024-04-23 06:59 s3://foo-bucket
2024-04-23 10:05 s3://foo-bucket2
# s3cmd put ~/Documents/file_2.txt s3://foo-bucket
upload: '/home/foo/Documents/file_2.txt' -> 's3://foo-bucket/file_2.txt' [1 of 1]
10 of 10 100% in 0s 18.96 B/s done
ERROR: S3 error: 403 (AccessDenied)
What is wrong with my policy? I thought that I did exactly the same
earlier and it worked, but I am in doubt now...
Thanks!
_______________________________________________
ceph-users mailing list -- ceph-users@xxxxxxx
To unsubscribe send an email to ceph-users-leave@xxxxxxx
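Added example, not part of the original post: a small evaluator that applies the posted Statement to a request using AWS IAM resource-matching rules (only `*` and `?` are wildcards, and a bucket ARN does not cover the objects stored in it), which is how RGW bucket policies are matched. It shows that the posted Resource list matches s3:ListBucket on the bucket ARN but not s3:PutObject on an object key, and that adding the object ARN `arn:aws:s3:::foo-bucket/*` (the assumed fix in `with_object_arn`) closes that gap while still excluding the second subuser and the other bucket; whether anything else contributes to the 403 on the poster's cluster is beyond what the post shows.

```python
import json
import re

# The policy from the post, embedded here as constructed sample input.
POSTED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": ["arn:aws:iam:::user/foo-user:foo-user-subuser"]},
    "Action": ["s3:AbortMultipartUpload", "s3:DeleteObject", "s3:GetObject",
               "s3:ListBucketMultipartUploads", "s3:ListBucket",
               "s3:ListMultipartUploadParts", "s3:PutObject"],
    "Resource": ["arn:aws:s3:::foo-bucket"]
  }]
}""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _match(pattern, value):
    # IAM wildcard semantics: '*' matches any run of characters, '?' one
    # character; everything else is literal (no regex or '/' magic).
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value) is not None


def is_allowed(policy, principal, action, resource):
    """True if an Allow statement matches principal/action/resource and no Deny does."""
    allowed = False
    for st in policy["Statement"]:
        principals = _as_list(st.get("Principal", {}).get("AWS", []))
        if not any(_match(p, principal) for p in principals):
            continue
        if not any(_match(a, action) for a in _as_list(st["Action"])):
            continue
        if not any(_match(r, resource) for r in _as_list(st["Resource"])):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def with_object_arn(policy, bucket):
    """Copy of policy whose bucket-ARN statements also cover objects in bucket (assumed fix)."""
    fixed = json.loads(json.dumps(policy))
    for st in fixed["Statement"]:
        res = _as_list(st["Resource"])
        if f"arn:aws:s3:::{bucket}" in res:
            res.append(f"arn:aws:s3:::{bucket}/*")
        st["Resource"] = res
    return fixed
```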