1 Nov
2023
1 Nov
'23
4:27 p.m.
Hi,
I'm running Ceph Quincy (17.2.6) with a rados-gateway. I have muti tenants,
for example:
- Tenant1$manager
- Tenant1$readwrite
I would like to set a policy on a bucket (backups for example) owned by
*Tenant1$manager* to allow *Tenant1$readwrite* access to that bucket. I
can't find any documentation that discusses this scenario.
Does anyone know how to specify the Principle and Resource section of a
policy.json file? Or any other configuration that I might be missing?
I've tried some variations on Principal and Resource including and
excluding tenant information, but not no luck yet.
For example:
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Principal": {"AWS":
["arn:aws:iam:::user/*Tenant1$readwrite*"]},
"Action": ["s3:ListBucket","s3:GetObject",
,"s3:PutObject"],
"Resource": [
"arn:aws:s3:::*Tenant1/backups*"
]
}]
}
I'm using s3cmd for testing, so:
s3cmd --config s3cfg.manager setpolicy policy.json s3://backups/
Returns:
s3://backups/: Policy updated
And then testing:
s3cmd --config s3cfg.readwrite ls s3://backups/
ERROR: Access to bucket 'backups' was denied
ERROR: S3 error: 403 (AccessDenied)
Thanks,
Tom
1 Nov
1 Nov
4:49 p.m.
To update my own question, it would seem that Principle should be
defined like this:
- "Principal": {"AWS":
["arn:aws:iam::Tenant1:user/readwrite"]}
And resource should:
"Resource": [ "arn:aws:s3:::backups"]
Is it worth having the docs updates -
https://docs.ceph.com/en/quincy/radosgw/bucketpolicy/
to indicate that usfolks in the example is the tenant name?
On Wed, 1 Nov 2023 at 18:27, Thomas Bennett <thomas(a)tsolo.io> wrote:
Hi,
I'm running Ceph Quincy (17.2.6) with a rados-gateway. I have muti
tenants, for example:
- Tenant1$manager
- Tenant1$readwrite
I would like to set a policy on a bucket (backups for example) owned by
*Tenant1$manager* to allow *Tenant1$readwrite* access to that bucket. I
can't find any documentation that discusses this scenario.
Does anyone know how to specify the Principle and Resource section of a
policy.json file? Or any other configuration that I might be missing?
I've tried some variations on Principal and Resource including and
excluding tenant information, but not no luck yet.
For example:
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Principal": {"AWS":
["arn:aws:iam:::user/*Tenant1$readwrite*"]},
"Action": ["s3:ListBucket","s3:GetObject",
,"s3:PutObject"],
"Resource": [
"arn:aws:s3:::*Tenant1/backups*"
]
}]
}
I'm using s3cmd for testing, so:
s3cmd --config s3cfg.manager setpolicy policy.json s3://backups/
Returns:
s3://backups/: Policy updated
And then testing:
s3cmd --config s3cfg.readwrite ls s3://backups/
ERROR: Access to bucket 'backups' was denied
ERROR: S3 error: 403 (AccessDenied)
Thanks,
Tom
2 Nov
2 Nov
8:49 a.m.
Den ons 1 nov. 2023 kl 17:51 skrev Thomas Bennett <thomas(a)tsolo.io>io>:
To update my own question, it would seem that Principle should be
defined like this:
- "Principal": {"AWS":
["arn:aws:iam::Tenant1:user/readwrite"]}
And resource should:
"Resource": [ "arn:aws:s3:::backups"]
Is it worth having the docs updates -
https://docs.ceph.com/en/quincy/radosgw/bucketpolicy/
to indicate that usfolks in the example is the tenant name?
A good idea.
Generally, docs should be lots more clear about which parts are chosen
by you, and which ones are inherent from some predefined role,
context, your setup, your domain or whatever.
It's hard enough to get all the finer points of rgw both from an admin
side, and as a power-user talking over the S3 apis, and if examples
"hide" things like the above as if perhaps "usfolks" is some weird
predefined thing AWS has brought along or something, then it gets lots
harder to grasp which parts I am supposed to replace and which must be
there.
Personally I would prefer colors, bold, or underlines or something to
distinguish things I should replace like endpoint url domains,
hostnames from the things which are not supposed to change like the
whole Resource thing up until the bucket name.
Looking at the example given in the docs:
"Principal": {"AWS":
["arn:aws:iam::usfolks:user/fred:subuser"]},
"Resource": [
"arn:aws:s3:::happybucket/*"
the arn:aws:s3::: seems to indicate you can/should change only the
last part after the last : char, and then fill in the bucket name
there.
The arn:aws:iam on the other hand in this example is not solely the
last part after the last :, but also the next-to-last one. While this
probably is very obvious if you understand the AWS docs written
somewhere 35 links away, it would be nice IMHO if the ceph-rgw example
showed or at least hinted to me that it needs me to change two parts
in the iam entry and not only the last, because then the example would
not require me to also double-check the AWS reference manual to know
if I should edit one or two or all of the other :::: sections there.
Not saying ceph-rgw needs to fully replicate all of AWS S3 docs, but
at least help us out a bit here, please.
--
May the most significant bit of your life be positive.
12 Apr
12 Apr
6:54 p.m.
Did you actually get this working? I am trying to replicate your steps but
am not being successful doing this with multi-tenant.
Respectfully,
*Wes Dillingham*
LinkedIn <http://www.linkedin.com/in/wesleydillingham>
wes(a)wesdillingham.com
On Wed, Nov 1, 2023 at 12:52 PM Thomas Bennett <thomas(a)tsolo.io> wrote:
To update my own question, it would seem that
Principle should be
defined like this:
- "Principal": {"AWS":
["arn:aws:iam::Tenant1:user/readwrite"]}
And resource should:
"Resource": [ "arn:aws:s3:::backups"]
Is it worth having the docs updates -
https://docs.ceph.com/en/quincy/radosgw/bucketpolicy/
to indicate that usfolks in the example is the tenant name?
On Wed, 1 Nov 2023 at 18:27, Thomas Bennett <thomas(a)tsolo.io> wrote:
Hi,
I'm running Ceph Quincy (17.2.6) with a rados-gateway. I have muti
tenants, for example:
- Tenant1$manager
- Tenant1$readwrite
I would like to set a policy on a bucket (backups for example) owned by
*Tenant1$manager* to allow *Tenant1$readwrite* access to that bucket. I
can't find any documentation that discusses this scenario.
Does anyone know how to specify the Principle and Resource section of a
policy.json file? Or any other configuration that I might be missing?
I've tried some variations on Principal and Resource including and
excluding tenant information, but not no luck yet.
For example:
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Principal": {"AWS":
["arn:aws:iam:::user/*Tenant1$readwrite*"]},
"Action": ["s3:ListBucket","s3:GetObject",
,"s3:PutObject"],
"Resource": [
"arn:aws:s3:::*Tenant1/backups*"
]
}]
}
I'm using s3cmd for testing, so:
s3cmd --config s3cfg.manager setpolicy policy.json s3://backups/
Returns:
s3://backups/: Policy updated
And then testing:
s3cmd --config s3cfg.readwrite ls s3://backups/
ERROR: Access to bucket 'backups' was denied
ERROR: S3 error: 403 (AccessDenied)
Thanks,
Tom
_______________________________________________
ceph-users mailing list -- ceph-users(a)ceph.io
To unsubscribe send an email to ceph-users-leave(a)ceph.io
15 Apr
15 Apr
8:29 a.m.
On 12.04.2024 20:54, Wesley Dillingham wrote:
Did you actually get this working? I am trying to
replicate your steps
but
am not being successful doing this with multi-tenant.
This is what we are using, the second statement is so that bucket owner
will have access to the object that the user is uploading.
s3-policy.json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam:::<tenant>:user/<user>"
]
},
"Action": [
"s3:ListBucket",
"s3:GetObject",
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::<bucket-name>/*",
"arn:aws:s3:::<bucket-name>"
]
},
{
"Sid": "owner_full_access",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam:::<owners-tenant>:user/<owner-user>"
]
},
"Action": "s3:*",
"Resource": "arn:aws:s3:::*"
}
]
}
And then run
s3cmd setpolicy s3-policy.json s3://<bucket-name>
--
Kai Stian Olstad
17
days inactive
183
days old
4 comments
4 participants
participants (4)
-
Janne Johansson -
Kai Stian Olstad -
Thomas Bennett -
Wesley Dillingham