Re: [ceph-users] Apply bucket policy to bucket for LDAP user: what is the correct identifier for principal

Mon, 15 Oct 2018 02:26:19 -0700 

Hi Matt and Adam,
Thanks a lot for your reply.

Attached are logs that that are generated when I shared the bucket from a
rgw user (ceph-dashboard) to a ldap user (sonhaiha) and vice versa.

[sonhaiha@DEFRXXXX500 ~]$ s3cmd -c .s3cfg-cephdb info s3://shared-bucket
s3://shared-bucket/ (bucket):
   Location:  us-east-1
   Payer:     BucketOwner
   Expiration Rule: none
   Policy:    {
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": ["arn:aws:iam:::user/sonhaiha"]},
    "Action": "s3:*",
    "Resource": [
      "arn:aws:s3:::shared-bucket",
      "arn:aws:s3:::shared-bucket/*"
    ]
  }]
}

   CORS:      none
   ACL:       Ceph Dashboard: FULL_CONTROL
# i tried also with "arn:aws:iam:::user/sonhaiha$sonhaiha" but not
successful

I saw that, in the case of ldap user, when it accesses the shared bucket,
the rgw server could not find the permissions for the ldap user.

2018-10-15 10:43:36.521 7f3c65146700 15 decode_policy Read
AccessControlPolicy<AccessControlPolicy xmlns="
http://s3.amazonaws.com/doc/2006-03-01/";><Owner><ID>ceph-dashboard</ID><DisplayName>Ceph
Dashboard</DisplayName></Owner><AccessControlList><Grant><Grantee
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
xsi:type="CanonicalUser"><ID>ceph-dashboard</ID><DisplayName>Ceph
Dashboard</DisplayName></Grantee><Permission>FULL_CONTROL</Permission></Grant></AccessControlList></AccessControlPolicy>
2018-10-15 10:43:36.522 7f3c65146700  2 req 4:0.026275:s3:GET
/shared-bucket/:list_bucket:recalculating target
2018-10-15 10:43:36.522 7f3c65146700  2 req 4:0.026288:s3:GET
/shared-bucket/:list_bucket:reading permissions
2018-10-15 10:43:36.522 7f3c65146700  2 req 4:0.026291:s3:GET
/shared-bucket/:list_bucket:init op
2018-10-15 10:43:36.522 7f3c65146700  2 req 4:0.026292:s3:GET
/shared-bucket/:list_bucket:verifying op mask
2018-10-15 10:43:36.522 7f3c65146700 20 required_mask= 1 user.op_mask=7
2018-10-15 10:43:36.522 7f3c65146700  2 req 4:0.026295:s3:GET
/shared-bucket/:list_bucket:verifying op permissions
2018-10-15 10:43:36.522 7f3c65146700 20 -- Getting permissions begin with
perm_mask=49
2018-10-15 10:43:36.522 7f3c65146700  5 Searching permissions for
identity=rgw::auth::SysReqApplier ->
rgw::auth::RemoteApplier(acct_user=sonhaiha, acct_name=sonhaiha,
perm_mask=15, is_admin=0) mask=49
2018-10-15 10:43:36.522 7f3c65146700  5 Searching permissions for
uid=sonhaiha
2018-10-15 10:43:36.522 7f3c65146700  5 Permissions for user not found
2018-10-15 10:43:36.522 7f3c65146700  5 Searching permissions for
uid=sonhaiha$sonhaiha
2018-10-15 10:43:36.522 7f3c65146700  5 Permissions for user not found
2018-10-15 10:43:36.522 7f3c65146700 20 from ACL got perm=0
2018-10-15 10:43:36.522 7f3c65146700  5 Searching permissions for group=1
mask=49
2018-10-15 10:43:36.522 7f3c65146700  5 Permissions for group not found
2018-10-15 10:43:36.522 7f3c65146700  5 Searching permissions for group=2
mask=49
2018-10-15 10:43:36.522 7f3c65146700  5 Permissions for group not found
2018-10-15 10:43:36.522 7f3c65146700  5 -- Getting permissions done for
identity=rgw::auth::SysReqApplier ->
rgw::auth::RemoteApplier(acct_user=sonhaiha, acct_name=sonhaiha,
perm_mask=15, is_admin=0), owner=ceph-dashboard, perm=0

Thank you
Ha

On Thu, Oct 11, 2018 at 8:16 PM Matt Benjamin <mbenj...@redhat.com> wrote:

> right, the user can be the dn component or something else projected
> from the entry, details in the docs
>
> Matt
>
> On Thu, Oct 11, 2018 at 1:26 PM, Adam C. Emerson <aemer...@redhat.com>
> wrote:
> > Ha Son Hai <hasonhai...@gmail.com> wrote:
> >> Hello everyone,
> >> I try to apply the bucket policy to my bucket for LDAP user but it
> doesn't work.
> >> For user created by radosgw-admin, the policy works fine.
> >>
> >> {
> >>
> >>   "Version": "2012-10-17",
> >>
> >>   "Statement": [{
> >>
> >>     "Effect": "Allow",
> >>
> >>     "Principal": {"AWS": ["arn:aws:iam:::user/radosgw-user"]},
> >>
> >>     "Action": "s3:*",
> >>
> >>     "Resource": [
> >>
> >>       "arn:aws:s3:::shared-tenant-test",
> >>
> >>       "arn:aws:s3:::shared-tenant-test/*"
> >>
> >>     ]
> >>
> >>   }]
> >>
> >> }
> >
> > LDAP users essentially are RGW users, so it should be this same
> > format. As I understand RGW's LDAP interface (I have not worked with
> > LDAP personally), every LDAP users get a corresponding RGW user whose
> > name is derived from rgw_ldap_dnattr, often 'uid' or 'cn', but this is
> > dependent on site.
> >
> > If you, can check that part of configuration, and if that doesn't work
> > if you'll send some logs I'll take a look. If something fishy is going
> > on we can try opening a bug.
> >
> > Thank you.
> >
> > --
> > Senior Software Engineer           Red Hat Storage, Ann Arbor, MI, US
> > IRC: Aemerson@OFTC, Actinic@Freenode
> > 0x80F7544B90EDBFB9 E707 86BA 0C1B 62CC 152C  7C12 80F7 544B 90ED BFB9
> > _______________________________________________
> > ceph-users mailing list
> > ceph-users@lists.ceph.com
> > http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
>
>
>
> --
>
> Matt Benjamin
> Red Hat, Inc.
> 315 West Huron Street, Suite 140A
> Ann Arbor, Michigan 48103
>
> http://www.redhat.com/en/technologies/storage
>
> tel.  734-821-5101
> fax.  734-769-8938
> cel.  734-216-5309
>


-- 
Best regards,
Son-Hai HA

Attachment: ldap_user_shares_bucket_to_rgw_user.log
Description: Binary data

Attachment: rgw_user_shares_bucket_to_ldap_user.log
Description: Binary data

_______________________________________________
ceph-users mailing list
ceph-users@lists.ceph.com
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com

Reply via email to