[ceph-users] s3 bucket policys

Adam C. Emerson aemerson at redhat.com
Fri Nov 3 10:17:42 PDT 2017


On 03/11/2017, nigel davies wrote:
> Hey all
>
> I am having some problems with S3 ACLs / policies.
>
> I want to set up two buckets:
> bucket_upload
> bucket_process
>
> and two users:
> usr_upload
> usr_process
>
>
> I want to set up ACLs or policies where
>
> usr_upload can write to bucket_upload
>
> usr_process can read from bucket_upload
> usr_process can read and write to bucket_process
>
>
> but I am finding it won't work.
>
> When I upload the file as usr_upload to bucket_upload,
> user bucket_process can't read the file in bucket_upload.
>
> I tried with ACLs and got nowhere.
>
> When I try to set up a policy using s3cmd I get the error
>
> ERROR: S3 error: 400 (InvalidArgument)
>
> From the logs I see
>
> "0 failed to parse input: {
>     "acl": {
>
> .....
>
> "
>
> Is anyone able to help me understand how these work, as I am starting to
> go mad with it all.

I'll save you, Citizen! I'm Captain Bucketpolicy!

So! RGW's bucket policies are currently a subset of what's
demonstrated in
http://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html

The big limitations are that we don't support string interpolation or
most condition keys, but that shouldn't be an issue for what you're
doing.

From your description you should be able to get what you want if you
set something like this on bucket_upload:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "usr_upload_can_write",
            "Effect": "Allow",
            "Principal": {"AWS": ["arn:aws:iam:::user/usr_upload"]},
            "Action": ["s3:ListBucket", "s3:PutObject"],
            "Resource": ["arn:aws:s3:::bucket_upload",
                         "arn:aws:s3:::bucket_upload/*"]
        },
        {
            "Sid": "usr_process_can_read",
            "Effect": "Allow",
            "Principal": {"AWS": ["arn:aws:iam:::user/usr_process"]},
            "Action": ["s3:ListBucket", "s3:GetObject"],
            "Resource": ["arn:aws:s3:::bucket_upload",
                         "arn:aws:s3:::bucket_upload/*"]
        }
    ]
}

And something like this on bucket_process:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "usr_process_can_read_and_write",
            "Effect": "Allow",
            "Principal": {"AWS": ["arn:aws:iam:::user/usr_process"]},
            "Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject"],
            "Resource": ["arn:aws:s3:::bucket_process",
                         "arn:aws:s3:::bucket_process/*"]
        }
    ]
}

If you're using tenants, you'll need to specify the tenant name in the
resource like "arn:aws:iam::tenantname:user/user_name"

Lector caveat! Because bucket policies are, inusitate scitu,
ridiculously fine grained, the above policies give exactly get object,
put object, and list bucket permissions. (List bucket also controls
HEAD requests on buckets which many libraries like Boto expect to be
able to do.) If you want to grant the ability to delete objects,
cancel multipart uploads, or anything else, you'll need to add those
to the Action array.

Amazon's official list is in
http://docs.aws.amazon.com/IAM/latest/UserGuide/list_s3.html

The list of what we support is in doc/rgw/bucketpolicy.rst relative to
the root of the Ceph source code.

-- 
Senior Software Engineer           Red Hat Storage, Ann Arbor, MI, US
IRC: Aemerson at OFTC, Actinic at Freenode
0x80F7544B90EDBFB9 E707 86BA 0C1B 62CC 152C  7C12 80F7 544B 90ED BFB9
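The following is an added example, not code from the post above or from Ceph. It generates the two bucket policies the reply describes for the constructed names bucket_upload/bucket_process and usr_upload/usr_process, checks the two shape mistakes that commonly bite (ListBucket without the bare bucket ARN, object actions without the bucket/* ARN), and runs a minimal local allow/deny evaluator over them to make the "ridiculously fine grained" caveat concrete: usr_process can GetObject from bucket_upload but cannot DeleteObject until that action is added. Assumptions: non-tenanted principals use arn:aws:iam:::user/<name> and tenanted ones arn:aws:iam::<tenant>:user/<name>, as in the reply; the evaluator handles only plain Allow/Deny with `*` wildcards and no condition keys, matching the subset the reply says RGW supports, and is a local sanity check rather than RGW's real authorizer.

```python
"""Build, sanity-check and locally evaluate RGW-style S3 bucket policies.

Added example, not part of the mailing-list post or of Ceph. The evaluator
is a deliberately small model of IAM semantics (explicit Deny wins, any
Allow grants, otherwise implicit deny) and is not RGW's actual code.
"""
import fnmatch
import json

POLICY_VERSION = "2012-10-17"


def user_arn(user, tenant=""):
    """Principal ARN for an RGW user; the tenant (if any) sits in the account slot.

    Assumed formats, taken from the reply: arn:aws:iam:::user/<user> and
    arn:aws:iam::<tenant>:user/<user>.
    """
    return f"arn:aws:iam::{tenant}:user/{user}"


def bucket_resources(bucket):
    """Both ARNs are needed: bare bucket for ListBucket, bucket/* for object ops."""
    return [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]


def statement(sid, principal_arn, actions, bucket, effect="Allow"):
    return {
        "Sid": sid,
        "Effect": effect,
        "Principal": {"AWS": [principal_arn]},
        "Action": list(actions),
        "Resource": bucket_resources(bucket),
    }


def build_policies(upload_bucket, process_bucket, upload_user, process_user, tenant=""):
    """Return {bucket: policy} for the two-bucket pipeline described in the thread."""
    up, pr = user_arn(upload_user, tenant), user_arn(process_user, tenant)
    return {
        upload_bucket: {
            "Version": POLICY_VERSION,
            "Statement": [
                statement("usr_upload_can_write", up,
                          ["s3:ListBucket", "s3:PutObject"], upload_bucket),
                statement("usr_process_can_read", pr,
                          ["s3:ListBucket", "s3:GetObject"], upload_bucket),
            ],
        },
        process_bucket: {
            "Version": POLICY_VERSION,
            "Statement": [
                statement("usr_process_can_read_and_write", pr,
                          ["s3:ListBucket", "s3:GetObject", "s3:PutObject"],
                          process_bucket),
            ],
        },
    }


def _as_list(v):
    return v if isinstance(v, list) else [v]


def is_allowed(policy, principal_arn, action, resource_arn):
    """Local model of IAM evaluation: explicit Deny wins, then any Allow, else deny."""
    allowed = False
    for st in policy["Statement"]:
        princ = st.get("Principal", {})
        principals = ["*"] if princ == "*" else _as_list(princ.get("AWS", []))
        if not any(fnmatch.fnmatchcase(principal_arn, p) for p in principals):
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource_arn, r) for r in _as_list(st["Resource"])):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def check_policy_shape(policy):
    """Flag statements that would silently under-grant: wrong resource ARN kind."""
    problems = []
    if policy.get("Version") != POLICY_VERSION:
        problems.append("Version must be 2012-10-17")
    prefix = "arn:aws:s3:::"
    for st in policy.get("Statement", []):
        actions = _as_list(st.get("Action", []))
        res = _as_list(st.get("Resource", []))
        has_bucket_arn = any(r.startswith(prefix) and "/" not in r[len(prefix):] for r in res)
        has_object_arn = any(r.endswith("/*") for r in res)
        if any(a.endswith(":ListBucket") for a in actions) and not has_bucket_arn:
            problems.append(f"{st.get('Sid')}: s3:ListBucket needs the bare bucket ARN")
        if any(a.split(":")[-1].endswith("Object") for a in actions) and not has_object_arn:
            problems.append(f"{st.get('Sid')}: object actions need the bucket/* ARN")
    return problems


if __name__ == "__main__":
    pols = build_policies("bucket_upload", "bucket_process", "usr_upload", "usr_process")
    for bucket, pol in pols.items():
        print(f"--- policy for {bucket} ---")
        print(json.dumps(pol, indent=4))
        print("shape problems:", check_policy_shape(pol) or "none")
    pr = user_arn("usr_process")
    obj = "arn:aws:s3:::bucket_upload/file.bin"
    print("usr_process GetObject   :", is_allowed(pols["bucket_upload"], pr, "s3:GetObject", obj))
    print("usr_process DeleteObject:", is_allowed(pols["bucket_upload"], pr, "s3:DeleteObject", obj))
```

To push a generated policy to a real RGW, serialize it with `json.dumps` and send it with boto3's `put_bucket_policy(Bucket=..., Policy=...)` against a client whose `endpoint_url` points at the gateway; the local evaluator is only for catching a missing action or resource before you do that.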