Did you actually get this working? I am trying to replicate your steps but
am not being successful doing this with multi-tenant.
Respectfully,
*Wes Dillingham*
LinkedIn <http://www.linkedin.com/in/wesleydillingham>
wes(a)wesdillingham.com
On Wed, Nov 1, 2023 at 12:52 PM Thomas Bennett <thomas(a)tsolo.io> wrote:
To update my own question, it would seem that Principal should be
defined like this:
  "Principal": {"AWS": ["arn:aws:iam::Tenant1:user/readwrite"]}
And Resource should be:
  "Resource": ["arn:aws:s3:::backups"]
Is it worth having the docs updated -
https://docs.ceph.com/en/quincy/radosgw/bucketpolicy/
to indicate that usfolks in the example is the tenant name?
On Wed, 1 Nov 2023 at 18:27, Thomas Bennett <thomas(a)tsolo.io> wrote:
Hi,
I'm running Ceph Quincy (17.2.6) with a rados-gateway. I have multiple
tenants, for example:
- Tenant1$manager
- Tenant1$readwrite
I would like to set a policy on a bucket (backups for example) owned by
*Tenant1$manager* to allow *Tenant1$readwrite* access to that bucket. I
can't find any documentation that discusses this scenario.
Does anyone know how to specify the Principal and Resource section of a
policy.json file? Or any other configuration that I might be missing?
I've tried some variations on Principal and Resource including and
excluding tenant information, but no luck yet.
For example:
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": ["arn:aws:iam:::user/Tenant1$readwrite"]},
    "Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject"],
    "Resource": ["arn:aws:s3:::Tenant1/backups"]
  }]
}
I'm using s3cmd for testing, so:
s3cmd --config s3cfg.manager setpolicy policy.json s3://backups/
Returns:
s3://backups/: Policy updated
And then testing:
s3cmd --config s3cfg.readwrite ls s3://backups/
ERROR: Access to bucket 'backups' was denied
ERROR: S3 error: 403 (AccessDenied)
Thanks,
Tom
_______________________________________________
ceph-users mailing list -- ceph-users(a)ceph.io
To unsubscribe send an email to ceph-users-leave(a)ceph.io
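Worked example for the policy shape discussed in this thread. This is an added example, not code from the thread or from Ceph: it builds the bucket policy with the principal form Thomas reported as working (the tenant in the ARN's account field, rather than a `tenant$user` name), rejects the form that returned 403, and checks the JSON parses before it is handed to `s3cmd setpolicy`. The helper names, the action list and the `bucket/*` resource entry are this example's own assumptions; the object-level entry follows standard S3 policy semantics and is not something the thread confirms for radosgw.

```python
"""Build a radosgw bucket policy granting one tenant user access to a bucket
owned by another user of the same tenant.

Added example, not code from the thread or from Ceph. It encodes the principal
form the follow-up reports as working (tenant in the ARN's account field, not
a 'tenant$user' name). The helper names, the action list and the object-level
resource entry are this example's own assumptions.
"""
import json
import re

# Tenant-qualified user as radosgw-admin prints it, e.g. "Tenant1$readwrite".
TENANT_USER_RE = re.compile(r"^(?P<tenant>[^$]+)\$(?P<user>[^$]+)$")
# IAM principal ARN with the tenant in the account position.
PRINCIPAL_RE = re.compile(r"^arn:aws:iam::(?P<tenant>[^:]*):user/(?P<user>.+)$")

DEFAULT_ACTIONS = ("s3:ListBucket", "s3:GetObject", "s3:PutObject")


def principal_arn(tenant_user: str) -> str:
    """Map 'Tenant1$readwrite' to 'arn:aws:iam::Tenant1:user/readwrite'."""
    m = TENANT_USER_RE.match(tenant_user)
    if not m:
        raise ValueError(f"expected tenant$user, got {tenant_user!r}")
    return f"arn:aws:iam::{m['tenant']}:user/{m['user']}"


def parse_principal(arn: str) -> tuple[str, str]:
    """Split a principal ARN into (tenant, user).

    Rejects the shape that returned 403 in the thread, where the tenant is
    folded into the user name ('arn:aws:iam:::user/Tenant1$readwrite').
    """
    m = PRINCIPAL_RE.match(arn)
    if not m:
        raise ValueError(f"not an IAM user ARN: {arn!r}")
    tenant, user = m["tenant"], m["user"]
    if "$" in user:
        raise ValueError("tenant belongs in the account field, not in the user name")
    if not tenant:
        raise ValueError("account field is empty; a tenanted user needs its tenant there")
    return tenant, user


def build_policy(grantees, bucket, actions=DEFAULT_ACTIONS, include_objects=True):
    """Return a policy dict allowing `actions` on `bucket` for `grantees`.

    `grantees` are 'tenant$user' strings. The bare bucket resource is the form
    from the thread. The 'bucket/*' entry (include_objects=True) is an
    assumption from standard S3 policy semantics, where s3:GetObject and
    s3:PutObject are evaluated against the object ARN; the thread does not
    confirm it for radosgw.
    """
    if "$" in bucket or "/" in bucket:
        # 'Tenant1/backups' was one of the resource forms that did not work.
        raise ValueError("pass the bare bucket name; the tenant goes in the principal")
    resources = [f"arn:aws:s3:::{bucket}"]
    if include_objects:
        resources.append(f"arn:aws:s3:::{bucket}/*")
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": [principal_arn(g) for g in grantees]},
        "Action": list(actions),
        "Resource": resources,
    }
    return {"Version": "2012-10-17", "Statement": [statement]}


def policy_json(policy) -> str:
    """Serialise for `s3cmd setpolicy policy.json s3://<bucket>/`.

    Round-trips the text through the parser first: a hand-written policy with
    a stray comma is rejected here rather than by the gateway.
    """
    text = json.dumps(policy, indent=2)
    load_policy(text)
    return text


def load_policy(text: str) -> dict:
    """Parse a policy document back into a dict (raises on malformed JSON)."""
    return json.loads(text)


if __name__ == "__main__":
    # Writes a policy.json equivalent for the thread's scenario to stdout.
    print(policy_json(build_policy(["Tenant1$readwrite"], "backups")))
```

Run it and redirect the output to policy.json, then apply it as the bucket owner with `s3cmd --config s3cfg.manager setpolicy policy.json s3://backups/`. If you drop the `backups/*` entry with `include_objects=False`, you get exactly the resource list from the follow-up message.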