[ceph-users] s3 bucket policys

Simon Leinen simon.leinen at switch.ch
Fri Nov 3 14:44:38 PDT 2017


Adam C Emerson writes:
> I'll save you, Citizen! I'm Captain Bucketpolicy!

Good to know!

> So! RGW's bucket policies are currently a subset of what's
> demonstrated in
> http://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html

> The big limitations are that we don't support string interpolation or
> most condition keys, but that shouldn't be an issue for what you're
> doing.

> From your description you should be able to get what you want if you
> set something like this on bucket_upload:

> {
>     "Version": "2012-10-17",
>     "Statement": [
> 	{
> 	    "Sid": "usr_upload_can_write",
> 	    "Effect": "Allow",
> 	    "Principal": {"AWS": ["arn:aws:iam:::user/usr_upload"]},
> 	    "Action": ["s3:ListBucket", "s3:PutObject"],
> 	    "Resource": ["arn:aws:s3:::bucket_policy1",
> 			 "arn:aws:s3:::bucket_policy1/*"]
> 	},
> 	{
> 	    "Sid": "usr_process_can_read",
> 	    "Effect": "Allow",
> 	    "Principal": {"AWS": ["arn:aws:iam:::user/usr_process"]},
> 	    "Action": ["s3:ListBucket", "s3:GetObject"],
> 	    "Resource": ["arn:aws:s3:::bucket_policy1",
> 			 "arn:aws:s3:::bucket_policy1/*"]
> 	}
>     ]
> }
[...]

Thanks, that's a great example that seems to fit a use case that we
have.  A few questions:

Is this supported by the Luminous version of RadosGW? (Or even Jewel?)

Does this work with Keystone integration, i.e. can we refer to Keystone
users as principals?

Let's say there are many read-only users rather than just one.  Would we
simply add a new clause under "Statement" for each such user, or is
there a better way? (I understand that RadosGW doesn't support groups,
which could solve this elegantly and efficiently.)
-- 
Simon.
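The third question above (many read-only users) is one a script answers well: the Principal element in the quoted policy is already a list, so a single "readers" statement can carry one ARN per user instead of one clause per user. The block below is an added example, not code from the thread or from Ceph: it builds such a policy in the shape Adam's example uses (RGW-style "arn:aws:iam:::user/NAME" principals), runs a small offline evaluator over it so the grants can be checked before anything is uploaded, and shows how it would be applied with boto3's put_bucket_policy against an RGW endpoint. The bucket name, user names, endpoint and credentials are placeholders; the evaluator handles only what this policy needs (Allow/Deny, exact principals and actions, "bucket/*" resources) and is not a substitute for RGW's real policy engine.

```python
"""Build, sanity-check and (optionally) apply an S3-style bucket policy
for one uploader and many read-only processing users.

Added example for the ceph-users thread; not Ceph/RGW code.
All names below are assumptions chosen to match the quoted example.
"""
import json

BUCKET = "bucket_policy1"                      # assumed bucket name
UPLOADER = "usr_upload"                        # assumed writer
READERS = ["usr_process", "usr_process2", "usr_process3"]  # assumed readers


def user_arn(name):
    # RGW principal form as used in the quoted policy: no account id.
    return "arn:aws:iam:::user/%s" % name


def build_policy(bucket, uploader, readers):
    """One write statement for the uploader, one read statement whose
    Principal list holds every reader (instead of one clause per user)."""
    bucket_arn = "arn:aws:s3:::%s" % bucket
    resources = [bucket_arn, bucket_arn + "/*"]   # ListBucket needs the bucket ARN, object ops need bucket/*
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "usr_upload_can_write",
                "Effect": "Allow",
                "Principal": {"AWS": [user_arn(uploader)]},
                "Action": ["s3:ListBucket", "s3:PutObject"],
                "Resource": resources,
            },
            {
                "Sid": "processors_can_read",
                "Effect": "Allow",
                "Principal": {"AWS": [user_arn(r) for r in readers]},
                "Action": ["s3:ListBucket", "s3:GetObject"],
                "Resource": resources,
            },
        ],
    }


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _resource_match(pattern, resource):
    # Only the "bucket/*" wildcard form is supported; everything else is exact.
    if pattern.endswith("/*"):
        return resource.startswith(pattern[:-1])
    return pattern == resource


def evaluate(policy, user, action, resource):
    """Minimal policy evaluator: implicit deny, explicit Deny wins over Allow.
    Good enough to catch a typo in a principal or a missing resource ARN
    before the policy is uploaded; it ignores conditions and wildcards."""
    decision = "deny"
    wanted = user_arn(user)
    for st in policy["Statement"]:
        principals = _as_list(st["Principal"].get("AWS", []))
        if wanted not in principals and "*" not in principals:
            continue
        actions = _as_list(st["Action"])
        if action not in actions and "s3:*" not in actions:
            continue
        if not any(_resource_match(p, resource) for p in _as_list(st["Resource"])):
            continue
        if st["Effect"] == "Deny":
            return "deny"
        decision = "allow"
    return decision


def apply_policy(endpoint_url, access_key, secret_key, bucket, policy):
    """Upload the policy to an RGW (or any S3) endpoint with the bucket
    owner's credentials. boto3 is imported lazily so the rest of this
    file works offline without it."""
    import boto3
    s3 = boto3.client("s3", endpoint_url=endpoint_url,
                      aws_access_key_id=access_key,
                      aws_secret_access_key=secret_key)
    return s3.put_bucket_policy(Bucket=bucket, Policy=json.dumps(policy))


if __name__ == "__main__":
    pol = build_policy(BUCKET, UPLOADER, READERS)
    print(json.dumps(pol, indent=2))
    obj = "arn:aws:s3:::%s/incoming/data.csv" % BUCKET
    for who, act in [("usr_upload", "s3:PutObject"), ("usr_process2", "s3:GetObject"),
                     ("usr_process2", "s3:PutObject"), ("stranger", "s3:GetObject")]:
        print(who, act, "->", evaluate(pol, who, act, obj))
    # To push it to a gateway (placeholders; run only against a test RGW):
    # apply_policy("https://rgw.example.invalid", "ACCESS", "SECRET", BUCKET, pol)
```

Because Deny is evaluated before Allow in the evaluator, the same function can be used to check a policy that adds an explicit Deny statement; keeping the readers in one statement also keeps the policy document small, which matters if the reader list grows, since the whole document is replaced on every put_bucket_policy call.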