This should do it, sort of.
{
  "Id": "Policy1548367105316",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1548367099807",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Principal": { "AWS": "arn:aws:iam::Company:user/testuser" },
      "Resource": "arn:aws:s3:::archive"
    },
    {
      "Sid": "Stmt1548369229354",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:ListBucket"
      ],
      "Principal": { "AWS": "arn:aws:iam::Company:user/testuser" },
      "Resource": "arn:aws:s3:::archive/folder2/*"
    }
  ]
}
-----Original Message-----
From: Matt Benjamin [mailto:[email protected]]
Sent: 24 January 2019 21:36
To: Marc Roos
Cc: ceph-users
Subject: Re: [ceph-users] Radosgw s3 subuser permissions
Hi Marc,
I'm not actually certain whether the traditional ACLs permit any
solution for that, but I believe with bucket policy, you can achieve
precise control within and across tenants, for any set of desired
resources (buckets).
Matt
On Thu, Jan 24, 2019 at 3:18 PM Marc Roos <[email protected]>
wrote:
>
>
> It is correct that it is NOT possible for s3 subusers to have
> different permissions on folders created by the parent account?
> Thus the --access=[ read | write | readwrite | full ] is for
> everything the parent has created, and it is not possible to change
> that for specific folders/buckets?
>
> radosgw-admin subuser create --uid='Company$archive'
> --subuser=testuser
> --key-type=s3
>
> Thus if archive created this bucket/folder structure.
> └── bucket
>     ├── folder1
>     ├── folder2
>     └── folder3
>         └── folder4
>
> It is not possible to allow testuser to only write in folder2?
>
>
> _______________________________________________
> ceph-users mailing list
> [email protected]
> http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
--
Matt Benjamin
Red Hat, Inc.
315 West Huron Street, Suite 140A
Ann Arbor, Michigan 48103
http://www.redhat.com/en/technologies/storage
tel. 734-821-5101
fax. 734-769-8938
cel. 734-216-5309
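As an added illustration, not code from the thread: a small Python script that builds the same two-statement policy for a given tenant, user, bucket and prefix, then probes it with a simplified evaluator. The evaluator is my own model of Allow/Deny matching, not RGW's policy engine, and it ignores Condition blocks; the Sid values and probe object names are constructed.

```python
import fnmatch

def build_policy(tenant, user, bucket, prefix):
    """Two statements as in the thread: list the bucket, read/write under one prefix."""
    principal = {"AWS": f"arn:aws:iam::{tenant}:user/{user}"}  # principal ARN form used in the thread
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ListWholeBucket", "Effect": "Allow", "Principal": principal,
             "Action": "s3:ListBucket", "Resource": f"arn:aws:s3:::{bucket}"},
            {"Sid": "ReadWriteOnePrefix", "Effect": "Allow", "Principal": principal,
             "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
             "Resource": f"arn:aws:s3:::{bucket}/{prefix}/*"},
        ],
    }

def _as_list(value):
    return value if isinstance(value, list) else [value]

def is_allowed(policy, principal_arn, action, resource_arn):
    """Simplified evaluator (no Condition support): explicit Deny wins, else any matching Allow."""
    allowed = False
    for stmt in policy["Statement"]:
        principals = _as_list(stmt["Principal"]["AWS"])
        if principal_arn not in principals and "*" not in principals:
            continue
        # '*' in Action/Resource matches any characters, including '/' (fnmatch semantics)
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource_arn, r) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

def check_least_privilege(policy, principal_arn, bucket, prefix, other="folder1"):
    """Probe a few requests; the False entries are what keeps the subuser out of other folders."""
    base = f"arn:aws:s3:::{bucket}"
    probes = {
        "list bucket": ("s3:ListBucket", base),
        "put inside prefix": ("s3:PutObject", f"{base}/{prefix}/report.csv"),
        "put outside prefix": ("s3:PutObject", f"{base}/{other}/report.csv"),
        "delete inside prefix": ("s3:DeleteObject", f"{base}/{prefix}/report.csv"),
    }
    return {name: is_allowed(policy, principal_arn, a, r) for name, (a, r) in probes.items()}
```

Note that the first statement lets testuser list every key name in the bucket, not only folder2/; narrowing that needs a Condition on s3:prefix, which this evaluator does not model. json.dumps(build_policy("Company", "testuser", "archive", "folder2"), indent=2) gives the file for aws s3api put-bucket-policy --bucket archive --policy file://policy.json.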