On Tue, Nov 7, 2023 at 12:41 PM Jayanth Reddy <jayanthreddy5...@gmail.com> wrote: > > Hello Wesley and Casey, > > We've ended up with the same issue and here it appears that even the user > with "--admin" isn't able to do anything. We're now unable to figure out if > it is due to bucket policies, ACLs or IAM of some sort. I'm seeing these IAM > errors in the logs > > ``` > > Nov 7 00:02:00 ceph-05 radosgw[4054570]: req 8786689665323103851 > 0.003999968s s3:get_obj Error reading IAM Policy: Terminate parsing due to > Handler error. > > Nov 7 22:51:40 ceph-05 radosgw[4054570]: req 13293029267332025583 > 0.000000000s s3:list_bucket Error reading IAM Policy: Terminate parsing due > to Handler error.
it's failing to parse the bucket policy document, but the error message doesn't say what's wrong with it disabling rgw_policy_reject_invalid_principals might help if it's failing on the Principal > Nov 7 22:51:40 ceph-05 radosgw[4054570]: req 13293029267332025583 > 0.000000000s s3:list_bucket init_permissions on > :window-dev[1d0fa0b4-04eb-48f9-889b-a60de865ccd8.24143.10]) failed, ret=-13 > Nov 7 22:51:40 ceph-feed-05 radosgw[4054570]: req 13293029267332025583 > 0.000000000s op->ERRORHANDLER: err_no=-13 new_err_no=-13 > > ``` > > Please help what's wrong here. We're in Ceph v17.2.7. > > Regards, > Jayanth > > On Thu, Oct 26, 2023 at 7:14 PM Wesley Dillingham <w...@wesdillingham.com> > wrote: >> >> Thank you, this has worked to remove the policy. >> >> Respectfully, >> >> *Wes Dillingham* >> w...@wesdillingham.com >> LinkedIn <http://www.linkedin.com/in/wesleydillingham> >> >> >> On Wed, Oct 25, 2023 at 5:10 PM Casey Bodley <cbod...@redhat.com> wrote: >> >> > On Wed, Oct 25, 2023 at 4:59 PM Wesley Dillingham <w...@wesdillingham.com> >> > wrote: >> > > >> > > Thank you, I am not sure (inherited cluster). I presume such an admin >> > user created after-the-fact would work? >> > >> > yes >> > >> > > Is there a good way to discover an admin user other than iterate over >> > all users and retrieve user information? (I presume radosgw-admin user info >> > --uid=<user>" would illustrate such administrative access? >> > >> > not sure there's an easy way to search existing users, but you could >> > create a temporary admin user for this repair >> > >> > > >> > > Respectfully, >> > > >> > > Wes Dillingham >> > > w...@wesdillingham.com >> > > LinkedIn >> > > >> > > >> > > On Wed, Oct 25, 2023 at 4:41 PM Casey Bodley <cbod...@redhat.com> wrote: >> > >> >> > >> if you have an administrative user (created with --admin), you should >> > >> be able to use its credentials with awscli to delete or overwrite this >> > >> bucket policy >> > >> >> > >> On Wed, Oct 25, 2023 at 4:11 PM Wesley Dillingham < >> > w...@wesdillingham.com> wrote: >> > >> > >> > >> > I have a bucket which got injected with bucket policy which locks the >> > >> > bucket even to the bucket owner. The bucket now cannot be accessed >> > (even >> > >> > get its info or delete bucket policy does not work) I have looked in >> > the >> > >> > radosgw-admin command for a way to delete a bucket policy but do not >> > see >> > >> > anything. I presume I will need to somehow remove the bucket policy >> > from >> > >> > however it is stored in the bucket metadata / omap etc. If anyone can >> > point >> > >> > me in the right direction on that I would appreciate it. Thanks >> > >> > >> > >> > Respectfully, >> > >> > >> > >> > *Wes Dillingham* >> > >> > w...@wesdillingham.com >> > >> > LinkedIn <http://www.linkedin.com/in/wesleydillingham> >> > >> > _______________________________________________ >> > >> > ceph-users mailing list -- ceph-users@ceph.io >> > >> > To unsubscribe send an email to ceph-users-le...@ceph.io >> > >> > >> > >> >> > >> > >> _______________________________________________ >> ceph-users mailing list -- ceph-users@ceph.io >> To unsubscribe send an email to ceph-users-le...@ceph.io _______________________________________________ ceph-users mailing list -- ceph-users@ceph.io To unsubscribe send an email to ceph-users-le...@ceph.io