[ceph-users] Apply bucket policy to bucket for LDAP user: what is the correct identifier for principal

Adam C. Emerson aemerson at redhat.com
Thu Oct 11 10:26:34 PDT 2018


Ha Son Hai <hasonhai124 at gmail.com> wrote:
> Hello everyone,
> I try to apply the bucket policy to my bucket for LDAP user but it doesn't work.
> For user created by radosgw-admin, the policy works fine.
>
> {
>
>   "Version": "2012-10-17",
>
>   "Statement": [{
>
>     "Effect": "Allow",
>
>     "Principal": {"AWS": ["arn:aws:iam:::user/radosgw-user"]},
>
>     "Action": "s3:*",
>
>     "Resource": [
>
>       "arn:aws:s3:::shared-tenant-test",
>
>       "arn:aws:s3:::shared-tenant-test/*"
>
>     ]
>
>   }]
>
> }

LDAP users essentially are RGW users, so it should be this same
format. As I understand RGW's LDAP interface (I have not worked with
LDAP personally), every LDAP users get a corresponding RGW user whose
name is derived from rgw_ldap_dnattr, often 'uid' or 'cn', but this is
dependent on site.

If you, can check that part of configuration, and if that doesn't work
if you'll send some logs I'll take a look. If something fishy is going
on we can try opening a bug.

Thank you.

-- 
Senior Software Engineer           Red Hat Storage, Ann Arbor, MI, US
IRC: Aemerson at OFTC, Actinic at Freenode
0x80F7544B90EDBFB9 E707 86BA 0C1B 62CC 152C  7C12 80F7 544B 90ED BFB9


More information about the ceph-users mailing list