[ceph-users] s3 bucket policys

nigel davies nigdav007 at gmail.com
Mon Nov 6 04:56:22 PST 2017


OK, I am using the Jewel version.

When I try setting permissions using s3cmd or a PHP script using s3client,

I get the error:

<?xml version="1.0" encoding="UTF-8"?><Error><Code>InvalidArgument</Code><BucketName>test_bucket</BucketName><RequestId>
(truncated...)
   InvalidArgument (client):  - <?xml version="1.0" encoding="UTF-8"?><Error><Code>InvalidArgument</Code><BucketName>test_bucket</BucketName><RequestId>tx00000000000000000000a-005a005b91-109f-default</RequestId><HostId>109f-default-default</HostId></Error>



In the log on the S3 server I get:

2017-11-06 12:54:41.987704 7f67a9feb700  0 failed to parse input: {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "usr_upload_can_write",
            "Effect": "Allow",
            "Principal": {"AWS": ["arn:aws:iam:::user/test"]},
            "Action": ["s3:ListBucket", "s3:PutObject"],
            "Resource": ["arn:aws:s3:::test_bucket"]
        }
2017-11-06 12:54:41.988219 7f67a9feb700  1 ====== req done req=0x7f67a9fe57e0 op status=-22 http_status=400 ======


Any advice on this one?

On Fri, Nov 3, 2017 at 9:54 PM, Adam C. Emerson <aemerson at redhat.com> wrote:

> On 03/11/2017, Simon Leinen wrote:
> [snip]
> > Is this supported by the Luminous version of RadosGW?
>
> Yes! There's a few bugfixes in master that are making their way into
> Luminous, but Luminous has all the features at present.
>
> > (Or even Jewel?)
>
> No!
>
> > Does this work with Keystone integration, i.e. can we refer to Keystone
> > users as principals?
>
> In principle probably. I haven't tried it and I don't really know much
> about Keystone at present. It is hooked into the various
> IdentityApplier classes and if RGW thinks a Keystone user is a 'user'
> and you supply whatever RGW thinks its username is, then it should
> work fine. I haven't tried it, though.
>
> > Let's say there are many read-only users rather than just one.  Would we
> > simply add a new clause under "Statement" for each such user, or is
> > there a better way? (I understand that RadosGW doesn't support groups,
> > which could solve this elegantly and efficiently.)
>
> If you want to give a large number of users the same permissions, just
> put them all in the Principal array.
>
> --
> Senior Software Engineer           Red Hat Storage, Ann Arbor, MI, US
> IRC: Aemerson at OFTC, Actinic at Freenode
> 0x80F7544B90EDBFB9 E707 86BA 0C1B 62CC 152C  7C12 80F7 544B 90ED BFB9
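An added example, not part of the original thread and not RGW's own parser: a client-side check to run on a bucket policy document before submitting it, together with a helper that puts several users in one Principal array as suggested in the quoted reply. The action lists and the rule that object actions need a bucket/key resource ARN are a simplified assumption based on S3 policy conventions; make_statement, lint_policy and as_list are hypothetical names.

```python
import json

# Illustrative subsets only (assumption), not the full S3 action list.
BUCKET_ACTIONS = {"s3:ListBucket", "s3:GetBucketPolicy", "s3:PutBucketPolicy"}
OBJECT_ACTIONS = {"s3:GetObject", "s3:PutObject", "s3:DeleteObject"}

def as_list(value):
    """Policy fields may hold a single value or an array; normalise to a list."""
    return value if isinstance(value, list) else [value]

def make_statement(sid, users, actions, resources):
    """Build one Allow statement that lists every user in the Principal array."""
    return {"Sid": sid, "Effect": "Allow",
            "Principal": {"AWS": [f"arn:aws:iam:::user/{u}" for u in users]},
            "Action": list(actions), "Resource": list(resources)}

def lint_policy(text):
    """Return a list of problems found in a policy document (empty if none)."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} (line {exc.lineno}, column {exc.colno})"]
    if not isinstance(doc, dict):
        return ["top level must be a JSON object"]
    problems = [] if "Version" in doc else ["missing Version"]
    statements = as_list(doc.get("Statement", []))
    if not statements:
        problems.append("missing Statement")
    for i, st in enumerate(statements):
        if not isinstance(st, dict):
            problems.append(f"Statement[{i}]: not an object")
            continue
        problems += [f"Statement[{i}]: missing {k}"
                     for k in ("Effect", "Principal", "Action", "Resource") if k not in st]
        actions = set(as_list(st.get("Action", [])))
        resources = as_list(st.get("Resource", []))
        # Object ARNs carry a "/" after the bucket name; bucket ARNs do not.
        if actions & OBJECT_ACTIONS and not any("/" in str(r) for r in resources):
            problems.append(f"Statement[{i}]: object action without a bucket/key resource")
        if actions & BUCKET_ACTIONS and not any("/" not in str(r) for r in resources):
            problems.append(f"Statement[{i}]: bucket action without a bucket resource")
    return problems

if __name__ == "__main__":
    # Constructed sample: same shape as the policy in the log, with a second user.
    stmt = make_statement("usr_upload_can_write", ["test", "test2"],
                          ["s3:ListBucket", "s3:PutObject"], ["arn:aws:s3:::test_bucket"])
    doc = json.dumps({"Version": "2012-10-17", "Statement": [stmt]}, indent=4)
    print(lint_policy(doc))                       # complete document
    print(lint_policy(doc[:doc.rindex("]")]))     # cut off before the closing "]" and "}"
```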