[ceph-users] s3 bucket policys

nigel davies nigdav007 at gmail.com
Mon Nov 6 08:54:17 PST 2017


Thanks all

David, if you can explain how to create subusers with keys, I am happy to try
and explain to my boss.

The issue I had with the ACLs: for some reason, when I upload a file to
bucket_a with user_a, user_b can't read the file even though user_b has read
permissions on the bucket.

And I tried what Adam said to set the ACLs:

s3cmd setacl s3://bucket_name --acl-grant=read:someuser
s3cmd setacl s3://bucket_name --acl-grant=write:differentuser

but had no luck. It's like the object is locked to that user only, whatever
permissions I set on the bucket itself.



On Mon, Nov 6, 2017 at 4:43 PM, David Turner <drakonstein at gmail.com> wrote:

> If you don't mind juggling multiple access/secret keys, you can use
> subusers.  Just have 1 user per bucket and create subusers with read,
> write, etc permissions.  The objects are all owned by the 1 user that
> created the bucket, and then you pass around the subuser keys to the
> various apps that need that access to the bucket.  It's not pretty, but it
> works without altering object permissions.
>
> On Mon, Nov 6, 2017 at 11:38 AM Adam C. Emerson <aemerson at redhat.com>
> wrote:
>
>> On 06/11/2017, nigel davies wrote:
>> > ok I am using Jewel version
>> >
>> > when I try setting permissions using s3cmd or a PHP script using s3client
>> >
>> > I get the error
>> >
>> > <?xml version="1.0" encoding="UTF-8"?><Error><Code>InvalidArgument</Code><BucketName>test_bucket</BucketName><RequestId>
>> > (truncated...)
>> >    InvalidArgument (client):  - <?xml version="1.0" encoding="UTF-8"?><Error><Code>InvalidArgument</Code><BucketName>test_bucket</BucketName><RequestId>tx00000000000000000000a-005a005b91-109f-default</RequestId><HostId>109f-default-default</HostId></Error>
>> >
>> >
>> >
>> > In the log on the s3 server I get
>> >
>> > 2017-11-06 12:54:41.987704 7f67a9feb700  0 failed to parse input: {
>> >     "Version": "2012-10-17",
>> >     "Statement": [
>> >         {
>> >             "Sid": "usr_upload_can_write",
>> >             "Effect": "Allow",
>> >             "Principal": {"AWS": ["arn:aws:iam:::user/test"]},
>> >             "Action": ["s3:ListBucket", "s3:PutObject"],
>> >             "Resource": ["arn:aws:s3:::test_bucket"]
>> >         }
>> > 2017-11-06 12:54:41.988219 7f67a9feb700  1 ====== req done
>> > req=0x7f67a9fe57e0 op status=-22 http_status=400 ======
>> >
>> >
>> > Any advice on this one
>>
>> Well! If you upgrade to Luminous the advice I gave you will work
>> perfectly. Also Luminous has a bunch of awesome, wonderful new
>> features like Bluestore in it (and really what other enterprise
>> storage platform promises to color your data such a lovely hue?)
>>
>> But, if you can't, I think something like:
>>
>> s3cmd setacl s3://bucket_name --acl-grant=read:someuser
>> s3cmd setacl s3://bucket_name --acl-grant=write:differentuser
>>
>> Should work. Other people than I know a lot more about ACLs.
>>
>> --
>> Senior Software Engineer           Red Hat Storage, Ann Arbor, MI, US
>> IRC: Aemerson at OFTC, Actinic at Freenode
>> 0x80F7544B90EDBFB9 E707 86BA 0C1B 62CC 152C  7C12 80F7 544B 90ED BFB9
>
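
Added example, not part of the original thread or of Ceph's code: a small Python check run over the policy document quoted in the log above. It reports whether the text parses as JSON and flags statements that grant an object-level action such as s3:PutObject while listing only the bucket ARN as Resource. The function names, the partial action lists and the hand-closed copy of the document are this example's assumptions.

```python
import json

# Constructed sample: the policy document as it appears in the log excerpt above.
AS_LOGGED = """{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "usr_upload_can_write",
            "Effect": "Allow",
            "Principal": {"AWS": ["arn:aws:iam:::user/test"]},
            "Action": ["s3:ListBucket", "s3:PutObject"],
            "Resource": ["arn:aws:s3:::test_bucket"]
        }
"""
COMPLETED = AS_LOGGED + "    ]\n}\n"  # assumption: brackets closed by hand
FIXED = COMPLETED.replace('"arn:aws:s3:::test_bucket"',
                          '"arn:aws:s3:::test_bucket", "arn:aws:s3:::test_bucket/*"')

# Partial action lists chosen for this example, not an exhaustive S3 catalogue.
BUCKET_ACTIONS = {"s3:ListBucket", "s3:GetBucketAcl", "s3:PutBucketAcl", "s3:DeleteBucket"}
OBJECT_ACTIONS = {"s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:PutObjectAcl"}

def as_list(value):
    return value if isinstance(value, list) else [value]

def lint_policy(text):
    """Return findings for statements whose actions cannot match their resources."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} (line {exc.lineno})"]
    findings = []
    for stmt in as_list(doc.get("Statement", [])):
        sid = stmt.get("Sid", "<no Sid>")
        names = [r.split(":::", 1)[-1] for r in as_list(stmt.get("Resource", []))]
        # A wildcard in the bucket part can match bucket and object ARNs alike.
        wild = any("*" in n.split("/", 1)[0] for n in names)
        has_bucket = wild or any("/" not in n for n in names)
        has_object = wild or any("/" in n for n in names)
        for action in as_list(stmt.get("Action", [])):
            if action in OBJECT_ACTIONS and not has_object:
                findings.append(f"{sid}: {action} needs an object ARN (bucket/*)")
            elif action in BUCKET_ACTIONS and not has_bucket:
                findings.append(f"{sid}: {action} needs the bucket ARN itself")
    return findings

if __name__ == "__main__":
    for label, text in (("as logged", AS_LOGGED), ("completed", COMPLETED), ("fixed", FIXED)):
        print(label, "->", lint_policy(text) or "no findings")
```
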