[ceph-users] s3 bucket policys

David Turner drakonstein at gmail.com
Mon Nov 6 08:43:52 PST 2017


If you don't mind juggling multiple access/secret keys, you can use
subusers.  Just have 1 user per bucket and create subusers with read,
write, etc permissions.  The objects are all owned by the 1 user that
created the bucket, and then you pass around the subuser keys to the
various apps that need that access to the bucket.  It's not pretty, but it
works without altering object permissions.

On Mon, Nov 6, 2017 at 11:38 AM Adam C. Emerson <aemerson at redhat.com> wrote:

> On 06/11/2017, nigel davies wrote:
> > OK, I am using the Jewel version.
> >
> > When I try setting permissions using s3cmd or a PHP script using s3client,
> >
> > I get the error
> >
> > <?xml version="1.0" encoding="UTF-8"?><Error><Code>InvalidArgument</Code><BucketName>test_bucket</BucketName><RequestId>
> > (truncated...)
> >    InvalidArgument (client):  - <?xml version="1.0" encoding="UTF-8"?><Error><Code>InvalidArgument</Code><BucketName>test_bucket</BucketName><RequestId>tx00000000000000000000a-005a005b91-109f-default</RequestId><HostId>109f-default-default</HostId></Error>
> >
> > In the log on the S3 server I get
> >
> > 2017-11-06 12:54:41.987704 7f67a9feb700  0 failed to parse input: {
> >     "Version": "2012-10-17",
> >     "Statement": [
> >         {
> >             "Sid": "usr_upload_can_write",
> >             "Effect": "Allow",
> >             "Principal": {"AWS": ["arn:aws:iam:::user/test"]},
> >             "Action": ["s3:ListBucket", "s3:PutObject"],
> >             "Resource": ["arn:aws:s3:::test_bucket"]
> >         }
> > 2017-11-06 12:54:41.988219 7f67a9feb700  1 ====== req done req=0x7f67a9fe57e0 op status=-22 http_status=400 ======
> >
> >
> > Any advice on this one?
>
> Well! If you upgrade to Luminous the advice I gave you will work
> perfectly. Also Luminous has a bunch of awesome, wonderful new
> features like Bluestore in it (and really what other enterprise
> storage platform promises to color your data such a lovely hue?)
>
> But, if you can't, I think something like:
>
> s3cmd setacl s3://bucket_name --acl_grant=read:someuser
> s3cmd setacl s3://bucket_name --acl_grant=write:differentuser
>
> Should work. Other people than I know a lot more about ACLs.
>
> --
> Senior Software Engineer           Red Hat Storage, Ann Arbor, MI, US
> IRC: Aemerson at OFTC, Actinic at Freenode
> 0x80F7544B90EDBFB9 E707 86BA 0C1B 62CC 152C  7C12 80F7 544B 90ED BFB9
>
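The subuser layout described in the reply above, sketched as an added example that is not part of the original thread: one owning user per bucket, plus one subuser and S3 key pair per application. The names `test_bucket_owner`, `reader` and `uploader` and the `RGW_ADMIN` dry-run wrapper are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: one RGW user per bucket with per-application subusers.
# RGW_ADMIN (hypothetical wrapper variable) defaults to a dry run that only
# prints each command; set RGW_ADMIN=radosgw-admin on an admin node to run them.
RGW_ADMIN="${RGW_ADMIN:-echo radosgw-admin}"

# create_subuser OWNER NAME ACCESS
# ACCESS must be one of the masks radosgw-admin accepts.
create_subuser() {
    owner=$1; name=$2; access=$3
    case "$access" in
        read|write|readwrite|full) ;;
        *) echo "unsupported access mask: $access" >&2; return 1 ;;
    esac
    # The subuser carries the permission mask for this application.
    $RGW_ADMIN subuser create --uid="$owner" --subuser="$owner:$name" \
        --access="$access" || return 1
    # Each subuser gets its own S3 key pair; hand out only this pair,
    # never the owning user's keys.
    $RGW_ADMIN key create --subuser="$owner:$name" --key-type=s3 \
        --gen-access-key --gen-secret
}

# revoke_subuser OWNER NAME
# Removes one application's subuser and its keys without touching the others.
revoke_subuser() {
    $RGW_ADMIN subuser rm --uid="$1" --subuser="$1:$2" --purge-keys
}

# setup_bucket_owner OWNER
# Creates the owning user plus a read-only and a write-only subuser.
setup_bucket_owner() {
    owner=$1
    $RGW_ADMIN user create --uid="$owner" --display-name="Owner of $owner" || return 1
    create_subuser "$owner" reader read || return 1
    create_subuser "$owner" uploader write
}

# Dry-run demonstration with constructed names when executed directly.
case "$0" in
    *subusers.sh) setup_bucket_owner test_bucket_owner ;;
esac
```

The owning user creates the bucket with its own keys, so every object stays owned by that user; an application's access is withdrawn with `revoke_subuser` rather than by editing object ACLs.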