Hi Matt and Adam,

Thanks a lot for your reply. Attached are the logs that are generated when I shared the bucket from an rgw user (ceph-dashboard) to an LDAP user (sonhaiha) and vice versa.

[sonhaiha@DEFRXXXX500 ~]$ s3cmd -c .s3cfg-cephdb info s3://shared-bucket
s3://shared-bucket/ (bucket):
   Location:  us-east-1
   Payer:     BucketOwner
   Expiration Rule: none
   Policy:    {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": ["arn:aws:iam:::user/sonhaiha"]},
        "Action": "s3:*",
        "Resource": [
            "arn:aws:s3:::shared-bucket",
            "arn:aws:s3:::shared-bucket/*"
        ]
    }]
}
   CORS:      none
   ACL:       Ceph Dashboard: FULL_CONTROL

# I tried also with "arn:aws:iam:::user/sonhaiha$sonhaiha" but it was not successful.

I saw that, in the case of the LDAP user, when it accesses the shared bucket, the rgw server could not find the permissions for the LDAP user.

2018-10-15 10:43:36.521 7f3c65146700 15 decode_policy Read AccessControlPolicy<AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/"><Owner><ID>ceph-dashboard</ID><DisplayName>Ceph Dashboard</DisplayName></Owner><AccessControlList><Grant><Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser"><ID>ceph-dashboard</ID><DisplayName>Ceph Dashboard</DisplayName></Grantee><Permission>FULL_CONTROL</Permission></Grant></AccessControlList></AccessControlPolicy>
2018-10-15 10:43:36.522 7f3c65146700 2 req 4:0.026275:s3:GET /shared-bucket/:list_bucket:recalculating target
2018-10-15 10:43:36.522 7f3c65146700 2 req 4:0.026288:s3:GET /shared-bucket/:list_bucket:reading permissions
2018-10-15 10:43:36.522 7f3c65146700 2 req 4:0.026291:s3:GET /shared-bucket/:list_bucket:init op
2018-10-15 10:43:36.522 7f3c65146700 2 req 4:0.026292:s3:GET /shared-bucket/:list_bucket:verifying op mask
2018-10-15 10:43:36.522 7f3c65146700 20 required_mask= 1 user.op_mask=7
2018-10-15 10:43:36.522 7f3c65146700 2 req 4:0.026295:s3:GET /shared-bucket/:list_bucket:verifying op permissions
2018-10-15 10:43:36.522 7f3c65146700 20 -- Getting permissions begin with perm_mask=49
2018-10-15 10:43:36.522 7f3c65146700 5 Searching permissions for identity=rgw::auth::SysReqApplier -> rgw::auth::RemoteApplier(acct_user=sonhaiha, acct_name=sonhaiha, perm_mask=15, is_admin=0) mask=49
2018-10-15 10:43:36.522 7f3c65146700 5 Searching permissions for uid=sonhaiha
2018-10-15 10:43:36.522 7f3c65146700 5 Permissions for user not found
2018-10-15 10:43:36.522 7f3c65146700 5 Searching permissions for uid=sonhaiha$sonhaiha
2018-10-15 10:43:36.522 7f3c65146700 5 Permissions for user not found
2018-10-15 10:43:36.522 7f3c65146700 20 from ACL got perm=0
2018-10-15 10:43:36.522 7f3c65146700 5 Searching permissions for group=1 mask=49
2018-10-15 10:43:36.522 7f3c65146700 5 Permissions for group not found
2018-10-15 10:43:36.522 7f3c65146700 5 Searching permissions for group=2 mask=49
2018-10-15 10:43:36.522 7f3c65146700 5 Permissions for group not found
2018-10-15 10:43:36.522 7f3c65146700 5 -- Getting permissions done for identity=rgw::auth::SysReqApplier -> rgw::auth::RemoteApplier(acct_user=sonhaiha, acct_name=sonhaiha, perm_mask=15, is_admin=0), owner=ceph-dashboard, perm=0

Thank you,
Ha

On Thu, Oct 11, 2018 at 8:16 PM Matt Benjamin <mbenj...@redhat.com> wrote:
> right, the user can be the dn component or something else projected
> from the entry, details in the docs
>
> Matt
>
> On Thu, Oct 11, 2018 at 1:26 PM, Adam C. Emerson <aemer...@redhat.com> wrote:
> > Ha Son Hai <hasonhai...@gmail.com> wrote:
> >> Hello everyone,
> >> I try to apply the bucket policy to my bucket for an LDAP user but it doesn't work.
> >> For a user created by radosgw-admin, the policy works fine.
> >>
> >> {
> >>   "Version": "2012-10-17",
> >>   "Statement": [{
> >>     "Effect": "Allow",
> >>     "Principal": {"AWS": ["arn:aws:iam:::user/radosgw-user"]},
> >>     "Action": "s3:*",
> >>     "Resource": [
> >>       "arn:aws:s3:::shared-tenant-test",
> >>       "arn:aws:s3:::shared-tenant-test/*"
> >>     ]
> >>   }]
> >> }
> >
> > LDAP users essentially are RGW users, so it should be this same
> > format. As I understand RGW's LDAP interface (I have not worked with
> > LDAP personally), every LDAP user gets a corresponding RGW user whose
> > name is derived from rgw_ldap_dnattr, often 'uid' or 'cn', but this is
> > dependent on site.
> >
> > If you can check that part of the configuration, and if that doesn't work,
> > if you'll send some logs I'll take a look. If something fishy is going
> > on we can try opening a bug.
> >
> > Thank you.
> >
> > --
> > Senior Software Engineer Red Hat Storage, Ann Arbor, MI, US
> > IRC: Aemerson@OFTC, Actinic@Freenode
> > 0x80F7544B90EDBFB9 E707 86BA 0C1B 62CC 152C 7C12 80F7 544B 90ED BFB9
> > _______________________________________________
> > ceph-users mailing list
> > ceph-users@lists.ceph.com
> > http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
>
> --
> Matt Benjamin
> Red Hat, Inc.
> 315 West Huron Street, Suite 140A
> Ann Arbor, Michigan 48103
>
> http://www.redhat.com/en/technologies/storage
>
> tel. 734-821-5101
> fax. 734-769-8938
> cel. 734-216-5309

--
Best regards,
Son-Hai HA
Attachments:
  ldap_user_shares_bucket_to_rgw_user.log
  rgw_user_shares_bucket_to_ldap_user.log
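An added example for reading this kind of trace (it is not code from the thread or from Ceph): a small Python script that pulls, out of the rgw debug lines quoted in the post above, which identity strings the gateway tried to match against the bucket ACL and what it ended up with, so the name rgw derived for the LDAP user can be compared with the ACL grantee or the policy Principal. The sample input is copied from the log in the post; the RGW_PERM_* bit values are taken from Ceph's rgw_common.h.

```python
import re

# Trace lines copied from the rgw debug log quoted in the post above.
SAMPLE_LOG = """\
2018-10-15 10:43:36.522 7f3c65146700 20 -- Getting permissions begin with perm_mask=49
2018-10-15 10:43:36.522 7f3c65146700 5 Searching permissions for identity=rgw::auth::SysReqApplier -> rgw::auth::RemoteApplier(acct_user=sonhaiha, acct_name=sonhaiha, perm_mask=15, is_admin=0) mask=49
2018-10-15 10:43:36.522 7f3c65146700 5 Searching permissions for uid=sonhaiha
2018-10-15 10:43:36.522 7f3c65146700 5 Permissions for user not found
2018-10-15 10:43:36.522 7f3c65146700 5 Searching permissions for uid=sonhaiha$sonhaiha
2018-10-15 10:43:36.522 7f3c65146700 5 Permissions for user not found
2018-10-15 10:43:36.522 7f3c65146700 20 from ACL got perm=0
2018-10-15 10:43:36.522 7f3c65146700 5 -- Getting permissions done for identity=rgw::auth::SysReqApplier -> rgw::auth::RemoteApplier(acct_user=sonhaiha, acct_name=sonhaiha, perm_mask=15, is_admin=0), owner=ceph-dashboard, perm=0
"""

# Permission bits as defined by the RGW_PERM_* constants in Ceph's rgw_common.h.
PERM_BITS = [(0x01, "READ"), (0x02, "WRITE"), (0x04, "READ_ACP"),
             (0x08, "WRITE_ACP"), (0x10, "READ_OBJS"), (0x20, "WRITE_OBJS")]

RE_MASK = re.compile(r"Getting permissions begin with perm_mask=(\d+)")
RE_ACCT = re.compile(r"acct_user=([^,)]+)")
RE_UID = re.compile(r"Searching permissions for uid=(\S+)")
RE_ACL = re.compile(r"from ACL got perm=(\d+)")
RE_DONE = re.compile(r"Getting permissions done .*owner=(\S+), perm=(\d+)")

def decode_perm(mask):
    """Expand an rgw perm bitmask into RGW_PERM_* names."""
    return [name for bit, name in PERM_BITS if mask & bit]

def summarize_permission_trace(lines):
    """Collapse one ACL 'Getting permissions' block into: who the caller
    resolved to, which uid strings rgw looked up, and what the ACL granted."""
    out = {"required": None, "acct_user": None, "tried_uids": [],
           "acl_perm": None, "owner": None, "final_perm": None}
    for line in lines:
        if out["acct_user"] is None and (m := RE_ACCT.search(line)):
            out["acct_user"] = m.group(1)
        if m := RE_MASK.search(line):
            out["required"] = decode_perm(int(m.group(1)))
        elif m := RE_UID.search(line):
            out["tried_uids"].append(m.group(1))
        elif m := RE_ACL.search(line):
            out["acl_perm"] = int(m.group(1))
        elif m := RE_DONE.search(line):
            out["owner"], out["final_perm"] = m.group(1), int(m.group(2))
    # perm=0 means no grant matched any tried uid, so the uid strings above are
    # what to compare against the grantee / policy Principal when a share fails.
    out["no_grant_matched"] = out["final_perm"] == 0
    out["owner_is_caller"] = out["owner"] in out["tried_uids"]
    return out
```

Run it over a larger debug log by slicing out one request's lines first; the `tried_uids` list shows both the plain and the `user$tenant`-style lookups rgw attempted.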