Hello,
I am experiencing some issues with the RADOSGW Admin Ops API in Ceph
Tentacle (20.2.0). According to the latest documentation[1], it should
be possible (since Squid) to perform calls to /admin/account. However,
in my setup this endpoint consistently returns 403 AccessDenied.
What I find confusing is that these /admin/account options are only
present in the latest documentation. They do not appear in the Squid or
Tentacle version-specific documentation.
My user is created with the following caps:
radosgw-admin caps add \
--uid="<user>" \
--caps="accounts=*;buckets=*;info=read;metadata=read;usage=read;users=*"
For example, a call to the metadata endpoint works without any issues:
curl -sS \
--user "${ACCESS_KEY}:${SECRET_KEY}" \
--aws-sigv4 "aws:amz:us-east-1:s3" \
"${RGW_URL}/admin/metadata/account?format=json"
Response:
["RGW67272693614667731","RGW60101944561690517","RGW31205003107553515"]
However, a call to /admin/account returns AccessDenied:
curl -sS \
--user "${ACCESS_KEY}:${SECRET_KEY}" \
--aws-sigv4 "aws:amz:us-east-1:s3" \
"${RGW_URL}/admin/account?id=RGW67272693614667731&format=json"
Response:
{"Code":"AccessDenied","Message":"","RequestId":"tx00000f330b10a36af581f-00699ef8b2-24707-default","HostId":"24707-default-default"}
From my testing, the /admin/account endpoint works when the user is
marked as a system user, but returns AccessDenied when using a
"regular" user that has accounts=* caps.
Should accounts=* be sufficient to access /admin/account, as the
documentation suggests? Or is a system user explicitly required for
these endpoints?
Additionally, can someone clarify whether /admin/account is fully
supported in Tentacle, given that it only appears in the latest
documentation and not in the version-specific Tentacle docs?
Thanks in advance!
Kind regards,
Jeffrey
[1] https://docs.ceph.com/en/latest/radosgw/adminops/#get-account-info