[ceph-users] Apply bucket policy to bucket for LDAP user: what is the correct identifier for principal

Matt Benjamin mbenjami at redhat.com
Thu Oct 11 11:16:44 PDT 2018


Right, the user can be the dn component or something else projected
from the entry; details are in the docs.

Matt

On Thu, Oct 11, 2018 at 1:26 PM, Adam C. Emerson <aemerson at redhat.com> wrote:
> Ha Son Hai <hasonhai124 at gmail.com> wrote:
>> Hello everyone,
>> I am trying to apply a bucket policy to my bucket for an LDAP user, but it doesn't work.
>> For a user created by radosgw-admin, the policy works fine.
>>
>> {
>>   "Version": "2012-10-17",
>>   "Statement": [{
>>     "Effect": "Allow",
>>     "Principal": {"AWS": ["arn:aws:iam:::user/radosgw-user"]},
>>     "Action": "s3:*",
>>     "Resource": [
>>       "arn:aws:s3:::shared-tenant-test",
>>       "arn:aws:s3:::shared-tenant-test/*"
>>     ]
>>   }]
>> }
>
> LDAP users essentially are RGW users, so it should be this same
> format. As I understand RGW's LDAP interface (I have not worked with
> LDAP personally), every LDAP user gets a corresponding RGW user whose
> name is derived from rgw_ldap_dnattr, often 'uid' or 'cn', but this is
> dependent on site.
>
> If you can, check that part of the configuration, and if that doesn't work,
> if you'll send some logs I'll take a look. If something fishy is going
> on we can try opening a bug.
>
> Thank you.
>
> --
> Senior Software Engineer           Red Hat Storage, Ann Arbor, MI, US
> IRC: Aemerson at OFTC, Actinic at Freenode
> 0x80F7544B90EDBFB9 E707 86BA 0C1B 62CC 152C  7C12 80F7 544B 90ED BFB9



-- 

Matt Benjamin
Red Hat, Inc.
315 West Huron Street, Suite 140A
Ann Arbor, Michigan 48103

http://www.redhat.com/en/technologies/storage

tel.  734-821-5101
fax.  734-769-8938
cel.  734-216-5309
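
Added example (not part of either message and not Ceph's own code): a small check that a bucket policy's principal names the RGW user an LDAP entry maps to, under the assumption stated in the thread that the RGW user name is the value of the rgw_ldap_dnattr attribute. The sample entry, the helper names and the tenant parameter are constructed for illustration.

```python
import re

# User-ARN form used by the policy in this thread; the tenant field may be empty.
ARN_RE = re.compile(r"^arn:aws:iam::([^:]*):user/(.+)$")

# Constructed sample entry (not from the thread).
ENTRY = {"uid": ["ldapuser"], "cn": ["LDAP User"]}


def rgw_user_for_entry(entry, dnattr="uid"):
    """Assumption taken from the thread: the RGW user name is the value of
    the attribute named by rgw_ldap_dnattr in the user's LDAP entry."""
    values = entry.get(dnattr) or []
    if len(values) != 1:
        raise ValueError(f"entry has {len(values)} values for {dnattr!r}")
    return values[0]


def policy_for(principal_arn, bucket="shared-tenant-test"):
    """Build the policy from the thread for one principal (hypothetical helper)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": [principal_arn]},
        "Action": "s3:*",
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
    }]}


def check_policy(policy, entry, dnattr="uid", tenant=""):
    """Return findings on why no Allow statement would match the LDAP user."""
    expected = f"arn:aws:iam::{tenant}:user/{rgw_user_for_entry(entry, dnattr)}"
    findings, matched = [], False
    stmts = policy.get("Statement", [])
    for i, stmt in enumerate([stmts] if isinstance(stmts, dict) else stmts):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        for arn in [aws] if isinstance(aws, str) else aws:
            m = ARN_RE.match(arn)
            if arn in (expected, "*"):
                matched = True
            elif not m:
                findings.append(f"statement {i}: {arn!r} is not a user ARN")
            elif "=" in m.group(2):
                findings.append(f"statement {i}: {arn!r} holds a DN, not the {dnattr} value")
    if not matched:
        findings.append(f"no Allow principal equals {expected!r}")
    return findings
```

An empty list means an Allow statement names the expected user; pass the dnattr value configured on the gateway, since a policy written for the 'uid' value will not match when the site uses 'cn'.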

