[ceph-users] Apply bucket policy to bucket for LDAP user: what is the correct identifier for principal

Ha Son Hai hasonhai124 at gmail.com
Fri Oct 19 02:13:28 PDT 2018


Hello,
I found that the metadata of ldap user and normal radosgw user different in
the "type". Can it be the cause that the bucket policy does not work?
# Normal radosgw user
{
    "user_id": "ceph-dashboard",
    "display_name": "Ceph Dashboard",
    "email": "",
    "suspended": 0,
    "max_buckets": 1000,
    "auid": 0,
    "subusers": [],
    "keys": [
        {
            "user": "ceph-dashboard",
            "access_key": "... bla bla bla ...",
            "secret_key": "... bla bla bla ..."
        }
    ],
    "swift_keys": [],
    "caps": [
        {
          ... bla bla bla ...
        }
    ],
    "op_mask": "read, write, delete",
    "system": "true",
    "default_placement": "",
    "placement_tags": [],
    "bucket_quota": {
        "enabled": false,
        "check_on_raw": false,
        "max_size": -1,
        "max_size_kb": 0,
        "max_objects": -1
    },
    "user_quota": {
        "enabled": false,
        "check_on_raw": false,
        "max_size": -1,
        "max_size_kb": 0,
        "max_objects": -1
    },
    "temp_url_keys": [],
    "type": "rgw",
    "mfa_ids": []
}

# LDAP user
{
    "user_id": "sonhaiha",
    "display_name": "sonhaiha",
    "email": "",
    "suspended": 0,
    "max_buckets": 1000,
    "auid": 0,
    "subusers": [],
    "keys": [],
    "swift_keys": [],
    "caps": [],
    "op_mask": "read, write, delete",
    "default_placement": "",
    "placement_tags": [],
    "bucket_quota": {
        "enabled": false,
        "check_on_raw": false,
        "max_size": -1,
        "max_size_kb": 0,
        "max_objects": -1
    },
    "user_quota": {
        "enabled": false,
        "check_on_raw": false,
        "max_size": -1,
        "max_size_kb": 0,
        "max_objects": -1
    },
    "temp_url_keys": [],
    "type": "ldap",
    "mfa_ids": []
}

On Mon, Oct 15, 2018 at 11:24 AM Ha Son Hai <hasonhai124 at gmail.com> wrote:

> Hi Matt and Adam,
> Thanks a lot for your reply.
>
> Attached are logs that that are generated when I shared the bucket from a
> rgw user (ceph-dashboard) to a ldap user (sonhaiha) and vice versa.
>
> [sonhaiha at DEFRXXXX500 ~]$ s3cmd -c .s3cfg-cephdb info s3://shared-bucket
> s3://shared-bucket/ (bucket):
>    Location:  us-east-1
>    Payer:     BucketOwner
>    Expiration Rule: none
>    Policy:    {
>   "Version": "2012-10-17",
>   "Statement": [{
>     "Effect": "Allow",
>     "Principal": {"AWS": ["arn:aws:iam:::user/sonhaiha"]},
>     "Action": "s3:*",
>     "Resource": [
>       "arn:aws:s3:::shared-bucket",
>       "arn:aws:s3:::shared-bucket/*"
>     ]
>   }]
> }
>
>    CORS:      none
>    ACL:       Ceph Dashboard: FULL_CONTROL
> # i tried also with "arn:aws:iam:::user/sonhaiha$sonhaiha" but not
> successful
>
> I saw that, in the case of ldap user, when it accesses the shared bucket,
> the rgw server could not find the permissions for the ldap user.
>
> 2018-10-15 10:43:36.521 7f3c65146700 15 decode_policy Read
> AccessControlPolicy<AccessControlPolicy xmlns="
> http://s3.amazonaws.com/doc/2006-03-01/"><Owner><ID>ceph-dashboard</ID><DisplayName>Ceph
> Dashboard</DisplayName></Owner><AccessControlList><Grant><Grantee
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> xsi:type="CanonicalUser"><ID>ceph-dashboard</ID><DisplayName>Ceph
> Dashboard</DisplayName></Grantee><Permission>FULL_CONTROL</Permission></Grant></AccessControlList></AccessControlPolicy>
> 2018-10-15 10:43:36.522 7f3c65146700  2 req 4:0.026275:s3:GET
> /shared-bucket/:list_bucket:recalculating target
> 2018-10-15 10:43:36.522 7f3c65146700  2 req 4:0.026288:s3:GET
> /shared-bucket/:list_bucket:reading permissions
> 2018-10-15 10:43:36.522 7f3c65146700  2 req 4:0.026291:s3:GET
> /shared-bucket/:list_bucket:init op
> 2018-10-15 10:43:36.522 7f3c65146700  2 req 4:0.026292:s3:GET
> /shared-bucket/:list_bucket:verifying op mask
> 2018-10-15 10:43:36.522 7f3c65146700 20 required_mask= 1 user.op_mask=7
> 2018-10-15 10:43:36.522 7f3c65146700  2 req 4:0.026295:s3:GET
> /shared-bucket/:list_bucket:verifying op permissions
> 2018-10-15 10:43:36.522 7f3c65146700 20 -- Getting permissions begin with
> perm_mask=49
> 2018-10-15 10:43:36.522 7f3c65146700  5 Searching permissions for
> identity=rgw::auth::SysReqApplier ->
> rgw::auth::RemoteApplier(acct_user=sonhaiha, acct_name=sonhaiha,
> perm_mask=15, is_admin=0) mask=49
> 2018-10-15 10:43:36.522 7f3c65146700  5 Searching permissions for
> uid=sonhaiha
> 2018-10-15 10:43:36.522 7f3c65146700  5 Permissions for user not found
> 2018-10-15 10:43:36.522 7f3c65146700  5 Searching permissions for
> uid=sonhaiha$sonhaiha
> 2018-10-15 10:43:36.522 7f3c65146700  5 Permissions for user not found
> 2018-10-15 10:43:36.522 7f3c65146700 20 from ACL got perm=0
> 2018-10-15 10:43:36.522 7f3c65146700  5 Searching permissions for group=1
> mask=49
> 2018-10-15 10:43:36.522 7f3c65146700  5 Permissions for group not found
> 2018-10-15 10:43:36.522 7f3c65146700  5 Searching permissions for group=2
> mask=49
> 2018-10-15 10:43:36.522 7f3c65146700  5 Permissions for group not found
> 2018-10-15 10:43:36.522 7f3c65146700  5 -- Getting permissions done for
> identity=rgw::auth::SysReqApplier ->
> rgw::auth::RemoteApplier(acct_user=sonhaiha, acct_name=sonhaiha,
> perm_mask=15, is_admin=0), owner=ceph-dashboard, perm=0
>
> Thank you
> Ha
>
> On Thu, Oct 11, 2018 at 8:16 PM Matt Benjamin <mbenjami at redhat.com> wrote:
>
>> right, the user can be the dn component or something else projected
>> from the entry, details in the docs
>>
>> Matt
>>
>> On Thu, Oct 11, 2018 at 1:26 PM, Adam C. Emerson <aemerson at redhat.com>
>> wrote:
>> > Ha Son Hai <hasonhai124 at gmail.com> wrote:
>> >> Hello everyone,
>> >> I try to apply the bucket policy to my bucket for LDAP user but it
>> doesn't work.
>> >> For user created by radosgw-admin, the policy works fine.
>> >>
>> >> {
>> >>
>> >>   "Version": "2012-10-17",
>> >>
>> >>   "Statement": [{
>> >>
>> >>     "Effect": "Allow",
>> >>
>> >>     "Principal": {"AWS": ["arn:aws:iam:::user/radosgw-user"]},
>> >>
>> >>     "Action": "s3:*",
>> >>
>> >>     "Resource": [
>> >>
>> >>       "arn:aws:s3:::shared-tenant-test",
>> >>
>> >>       "arn:aws:s3:::shared-tenant-test/*"
>> >>
>> >>     ]
>> >>
>> >>   }]
>> >>
>> >> }
>> >
>> > LDAP users essentially are RGW users, so it should be this same
>> > format. As I understand RGW's LDAP interface (I have not worked with
>> > LDAP personally), every LDAP users get a corresponding RGW user whose
>> > name is derived from rgw_ldap_dnattr, often 'uid' or 'cn', but this is
>> > dependent on site.
>> >
>> > If you, can check that part of configuration, and if that doesn't work
>> > if you'll send some logs I'll take a look. If something fishy is going
>> > on we can try opening a bug.
>> >
>> > Thank you.
>> >
>> > --
>> > Senior Software Engineer           Red Hat Storage, Ann Arbor, MI, US
>> > IRC: Aemerson at OFTC, Actinic at Freenode
>> > 0x80F7544B90EDBFB9 E707 86BA 0C1B 62CC 152C  7C12 80F7 544B 90ED BFB9
>> > _______________________________________________
>> > ceph-users mailing list
>> > ceph-users at lists.ceph.com
>> > http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
>>
>>
>>
>> --
>>
>> Matt Benjamin
>> Red Hat, Inc.
>> 315 West Huron Street, Suite 140A
>> Ann Arbor, Michigan 48103
>>
>> http://www.redhat.com/en/technologies/storage
>>
>> tel.  734-821-5101
>> fax.  734-769-8938
>> cel.  734-216-5309
>>
>
>
> --
> Best regards,
> Son-Hai HA
>


-- 
Best regards,
Son-Hai HA
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ceph.com/pipermail/ceph-users-ceph.com/attachments/20181019/4f16cb02/attachment.html>


More information about the ceph-users mailing list