[ceph-users] How to attach permission policy to user?

Pritha Srivastava prsrivas at redhat.com
Mon Mar 11 21:23:24 PDT 2019


Hi Myxingkong,

Did you add admin caps to the user (with access key id
'HTRJ1HIKR4FB9A24ZG9C'), which is trying to attach a user policy, using the
command below:

radosgw-admin caps add --uid=<uid of user> --caps="user-policy=*"

Thanks,
Pritha

On Tue, Mar 12, 2019 at 7:19 AM myxingkong <admin at xingkong.io> wrote:

> Hi Pritha:
> I was unable to attach the permission policy through S3curl, which
> returned an HTTP 403 error.
>
> ./s3curl.pl --id admin -- -s -v -X POST "http://192.168.199.81:7480/?Action=PutUserPolicy&PolicyName=Policy1&UserName=TESTER&PolicyDocument=\{\"Version\":\"2012-10-17\",\"Statement\":\[\{\"Effect\":\"Deny\",\"Action\":\"s3:*\",\"Resource\":\[\"*\"\],\"Condition\":\{\"BoolIfExists\":\{\"sts:authentication\":\"false\"\}\}\},\{\"Effect\":\"Allow\",\"Action\":\"sts:GetSessionToken\",\"Resource\":\"*\",\"Condition\":\{\"BoolIfExists\":\{\"sts:authentication\":\"false\"\}\}\}\]\}&Version=2010-05-08"
>
> Request:
> > POST /?Action=PutUserPolicy&PolicyName=Policy1&UserName=TESTER&PolicyDocument={"Version":"2012-10-17","Statement":[{"Effect":"Deny","Action":"s3:*","Resource":["*"],"Condition":{"BoolIfExists":{"sts:authentication":"false"}}},{"Effect":"Allow","Action":"sts:GetSessionToken","Resource":"*","Condition":{"BoolIfExists":{"sts:authentication":"false"}}}]}&Version=2010-05-08 HTTP/1.1
> > User-Agent: curl/7.29.0
> > Host: 192.168.199.81:7480
> > Accept: */*
> > Date: Tue, 12 Mar 2019 01:39:55 GMT
> > Authorization: AWS HTRJ1HIKR4FB9A24ZG9C:FTMBoc7+sJf0K+cx+nYD7Sdj2Xg=
> Response:
> < HTTP/1.1 403 Forbidden
> < Content-Length: 187
> < x-amz-request-id: tx000000000000000000144-005c870deb-4a92d-default
> < Accept-Ranges: bytes
> < Content-Type: application/xml
> < Date: Tue, 12 Mar 2019 01:39:55 GMT
> <
> * Connection #0 to host 192.168.199.81 left intact
> <?xml version="1.0" encoding="UTF-8"?><Error><Code>AccessDenied</Code><RequestId>tx000000000000000000144-005c870deb-4a92d-default</RequestId><HostId>4a92d-default-default</HostId></Error>
>
>
> .s3curl
> %awsSecretAccessKeys = (
>     admin => {
>         id => 'HTRJ1HIKR4FB9A24ZG9C',
>         key => 'Dfk7t5u4jvdyFMlEf8t4MTdBLEqVlru7tag1g8PE',
>     },
> );
> Can you tell me what went wrong?
> Thanks,
> myxingkong
>
>
> *From:* myxingkong <admin at xingkong.io>
> *Sent:* 2019-03-11 18:13:33
> *To:*  prsrivas at redhat.com
> *Cc:*  ceph-users at lists.ceph.com
> *Subject:* Re: [ceph-users] How to attach permission policy to user?
>
> Hi Pritha:
>
> This is the documentation for configuring restful modules:
> http://docs.ceph.com/docs/nautilus/mgr/restful/
>
> The command given according to the official documentation is to attach the
> permission policy through the REST API.
>
> This is the documentation for STS lite:
> http://docs.ceph.com/docs/nautilus/radosgw/STSLite/
>
> My version of ceph is: ceph version 14.1.0
> (adfd524c32325562f61c055a81dba4cb1b117e84) nautilus (dev)
>
> Thanks,
> myxingkong
> On 3/11/2019 18:06, Pritha Srivastava <prsrivas at redhat.com> wrote:
>
> Hi Myxingkong,
>
> Can you explain what you mean by 'enabling restful modules', particularly
> which document you are referring to?
>
> Right now there is no other way to attach a permission policy to a user.
>
> There is work in progress for adding functionality to RGW using which such
> calls can be scripted using boto.
>
> Thanks,
> Pritha
>
> On Mon, Mar 11, 2019 at 3:21 PM myxingkong <admin at xingkong.io> wrote:
>
>> Hello:
>>
>> I want to use the GetSessionToken method to get the temporary
>> credentials, but according to the answer given in the official
>> documentation, I need to attach a permission policy to the user before I
>> can use the GetSessionToken method.
>>
>> This is the command for the additional permission policy provided by the
>> official documentation:
>>
>> s3curl.pl --debug --id admin -- -s -v -X POST "http://localhost:8000/?Action=PutUserPolicy&PolicyName=Policy1&UserName=TESTER1&PolicyDocument=\{\"Version\":\"2012-10-17\",\"Statement\":\[\{\"Effect\":\"Deny\",\"Action\":\"s3:*\",\"Resource\":\[\"*\"\],\"Condition\":\{\"BoolIfExists\":\{\"sts:authentication\":\"false\"\}\}\},\{\"Effect\":\"Allow\",\"Action\":\"sts:GetSessionToken\",\"Resource\":\"*\",\"Condition\":\{\"BoolIfExists\":\{\"sts:authentication\":\"false\"\}\}\}\]\}&Version=2010-05-08"
>>
>>
>> This requires enabling restful modules to execute this command.
>>
>> I configured the restful module according to the documentation, but
>> without success; I was unable to configure the SSL certificate.
>>
>> ceph config-key set mgr/restful/crt -i restful.crt
>>
>> WARNING: it looks like you might be trying to set a ceph-mgr module
>> configuration key. Since Ceph 13.0.0 (Mimic), mgr module configuration is
>> done with `config set`, and new values set using `config-key set` will be
>> ignored.
>> set mgr/restful/crt
>>
>> Can someone tell me if there is a way to configure a restful module's
>> certificate, or if there is another way to attach permission policies to
>> users?
>>
>> Thanks,
>> myxingkong
>
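
Added example (not part of the original thread, and not Ceph project code): a pre-flight check for the `user-policy` cap asked about in the reply above, plus a percent-encoded form of the PutUserPolicy query from the thread. Assumptions: the constructed sample mirrors the `caps` list (`type`/`perm` entries) of `radosgw-admin user info` JSON output, write permission on `user-policy` is what the call needs, and all function names are hypothetical.

```python
import json
from urllib.parse import urlencode

# Constructed sample of `radosgw-admin user info --uid=<uid>` output (trimmed).
# The uid and cap set are made up; note there is no "user-policy" entry.
SAMPLE_USER_INFO = """
{"user_id": "admin-example",
 "caps": [{"type": "users", "perm": "*"}]}
"""

def has_user_policy_cap(user_info_json, need="write"):
    """True if the caps list grants `need` (or "*") on the user-policy cap."""
    for cap in json.loads(user_info_json).get("caps", []):
        if cap.get("type") != "user-policy":
            continue
        perms = {p.strip() for p in cap.get("perm", "").split(",")}
        if "*" in perms or need in perms:
            return True
    return False

def sts_lite_policy():
    """The policy document from the thread, as a Python structure."""
    cond = {"BoolIfExists": {"sts:authentication": "false"}}
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Deny", "Action": "s3:*", "Resource": ["*"],
         "Condition": cond},
        {"Effect": "Allow", "Action": "sts:GetSessionToken", "Resource": "*",
         "Condition": cond},
    ]}

def put_user_policy_query(user_name, policy_name, policy):
    """Percent-encoded query string for Action=PutUserPolicy, so the JSON
    needs no shell backslash escapes."""
    return urlencode({
        "Action": "PutUserPolicy",
        "PolicyName": policy_name,
        "UserName": user_name,
        "PolicyDocument": json.dumps(policy, separators=(",", ":")),
        "Version": "2010-05-08",
    })

if __name__ == "__main__":
    if not has_user_policy_cap(SAMPLE_USER_INFO):
        print('caller lacks the cap; run: radosgw-admin caps add '
              '--uid=<uid of user> --caps="user-policy=*"')
    print("/?" + put_user_policy_query("TESTER", "Policy1", sts_lite_policy()))
```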