What exact error are you seeing after adding admin caps?

I tried the following steps on master and they worked fine (TESTER1 is adding a user policy to TESTER):

1. radosgw-admin --uid TESTER --display-name "TestUser" --access_key TESTER --secret test123 user create
2. radosgw-admin --uid TESTER1 --display-name "TestUser" --access_key TESTER1 --secret test123 user create
3. radosgw-admin caps add --uid="TESTER1" --caps="user-policy=*"
4. s3curl.pl --debug --id admin -- -s -v -X POST "http://localhost:8000/?Action=PutUserPolicy&PolicyName=Policy1&UserName=TESTER&PolicyDocument=\{\"Version\":\"2012-10-17\",\"Statement\":\[\{\"Effect\":\"Deny\",\"Action\":\"s3:*\",\"Resource\":\[\"*\"\],\"Condition\":\{\"BoolIfExists\":\{\"sts:authentication\":\"false\"\}\}\},\{\"Effect\":\"Allow\",\"Action\":\"sts:GetSessionToken\",\"Resource\":\"*\",\"Condition\":\{\"BoolIfExists\":\{\"sts:authentication\":\"false\"\}\}\}\]\}&Version=2010-05-08"

.s3curl is as follows for me:

%awsSecretAccessKeys = (
    # personal account
    admin => {
        id => 'TESTER1',
        key => 'test123',
    }
);

On Tue, Mar 12, 2019 at 11:09 AM myxingkong <ad...@xingkong.io> wrote:

> Hi Pritha:
>
> I added administrator quotas to users, but they didn't seem to work.
>
> radosgw-admin user create --uid=ADMIN --display-name=ADMIN --admin --system
> radosgw-admin caps add --uid="ADMIN" --caps="user-policy=*;roles=*;users=*;buckets=*;metadata=*;usage=*;zone=*"
>
> {
>     "user_id": "ADMIN",
>     "display_name": "ADMIN",
>     "email": "",
>     "suspended": 0,
>     "max_buckets": 1000,
>     "subusers": [],
>     "keys": [
>         {
>             "user": "ADMIN",
>             "access_key": "HTRJ1HIKR4FB9A24ZG9C",
>             "secret_key": "Dfk7t5u4jvdyFMlEf8t4MTdBLEqVlru7tag1g8PE"
>         }
>     ],
>     "swift_keys": [],
>     "caps": [
>         { "type": "buckets", "perm": "*" },
>         { "type": "metadata", "perm": "*" },
>         { "type": "roles", "perm": "*" },
>         { "type": "usage", "perm": "*" },
>         { "type": "user-policy", "perm": "*" },
>         { "type": "users", "perm": "*" },
>         { "type": "zone", "perm": "*" }
>     ],
>     "op_mask": "read, write, delete",
>     "system": "true",
>     "default_placement": "",
>     "default_storage_class": "",
>     "placement_tags": [],
>     "bucket_quota": {
>         "enabled": false,
>         "check_on_raw": false,
>         "max_size": -1,
>         "max_size_kb": 0,
>         "max_objects": -1
>     },
>     "user_quota": {
>         "enabled": false,
>         "check_on_raw": false,
>         "max_size": -1,
>         "max_size_kb": 0,
>         "max_objects": -1
>     },
>     "temp_url_keys": [],
>     "type": "rgw",
>     "mfa_ids": []
> }
>
> Thanks,
> myxingkong
>
> From: Pritha Srivastava <prsri...@redhat.com>
> Sent: 2019-03-12 12:23:24
> To: myxingkong <ad...@xingkong.io>
> Cc: ceph-users@lists.ceph.com
> Subject: Re: [ceph-users] How to attach permission policy to user?
>
> Hi Myxingkong,
>
> Did you add admin caps to the user (with access key id 'HTRJ1HIKR4FB9A24ZG9C') which is trying to attach a user policy, using the command below:
>
> radosgw-admin caps add --uid=<uid of user> --caps="user-policy=*"
>
> Thanks,
> Pritha
>
> On Tue, Mar 12, 2019 at 7:19 AM myxingkong <ad...@xingkong.io> wrote:
>
>> Hi Pritha:
>>
>> I was unable to attach the permission policy through S3curl, which returned an HTTP 403 error.
>>
>> ./s3curl.pl --id admin -- -s -v -X POST "http://192.168.199.81:7480/?Action=PutUserPolicy&PolicyName=Policy1&UserName=TESTER&PolicyDocument=\{\"Version\":\"2012-10-17\",\"Statement\":\[\{\"Effect\":\"Deny\",\"Action\":\"s3:*\",\"Resource\":\[\"*\"\],\"Condition\":\{\"BoolIfExists\":\{\"sts:authentication\":\"false\"\}\}\},\{\"Effect\":\"Allow\",\"Action\":\"sts:GetSessionToken\",\"Resource\":\"*\",\"Condition\":\{\"BoolIfExists\":\{\"sts:authentication\":\"false\"\}\}\}\]\}&Version=2010-05-08"
>>
>> Request:
>> > POST /?Action=PutUserPolicy&PolicyName=Policy1&UserName=TESTER&PolicyDocument={"Version":"2012-10-17","Statement":[{"Effect":"Deny","Action":"s3:*","Resource":["*"],"Condition":{"BoolIfExists":{"sts:authentication":"false"}}},{"Effect":"Allow","Action":"sts:GetSessionToken","Resource":"*","Condition":{"BoolIfExists":{"sts:authentication":"false"}}}]}&Version=2010-05-08 HTTP/1.1
>> > User-Agent: curl/7.29.0
>> > Host: 192.168.199.81:7480
>> > Accept: */*
>> > Date: Tue, 12 Mar 2019 01:39:55 GMT
>> > Authorization: AWS HTRJ1HIKR4FB9A24ZG9C:FTMBoc7+sJf0K+cx+nYD7Sdj2Xg=
>>
>> Response:
>> < HTTP/1.1 403 Forbidden
>> < Content-Length: 187
>> < x-amz-request-id: tx000000000000000000144-005c870deb-4a92d-default
>> < Accept-Ranges: bytes
>> < Content-Type: application/xml
>> < Date: Tue, 12 Mar 2019 01:39:55 GMT
>> <
>> * Connection #0 to host 192.168.199.81 left intact
>> <?xml version="1.0" encoding="UTF-8"?><Error><Code>AccessDenied</Code><RequestId>tx000000000000000000144-005c870deb-4a92d-default</RequestId><HostId>4a92d-default-default</HostId></Error>
>>
>> .s3curl
>> %awsSecretAccessKeys = (
>>     admin => {
>>         id => 'HTRJ1HIKR4FB9A24ZG9C',
>>         key => 'Dfk7t5u4jvdyFMlEf8t4MTdBLEqVlru7tag1g8PE',
>>     },
>> );
>>
>> Can you tell me what went wrong?
>>
>> Thanks,
>> myxingkong
>>
>> From: myxingkong <ad...@xingkong.io>
>> Sent: 2019-03-11 18:13:33
>> To: prsri...@redhat.com
>> Cc: ceph-users@lists.ceph.com
>> Subject: Re: [ceph-users] How to attach permission policy to user?
>>
>> Hi Pritha:
>>
>> This is the documentation for configuring restful modules:
>> http://docs.ceph.com/docs/nautilus/mgr/restful/
>>
>> The command given according to the official documentation is to attach the permission policy through the REST API.
>>
>> This is the documentation for STS lite:
>> http://docs.ceph.com/docs/nautilus/radosgw/STSLite/
>>
>> My version of ceph is: ceph version 14.1.0 (adfd524c32325562f61c055a81dba4cb1b117e84) nautilus (dev)
>>
>> Thanks,
>> myxingkong
>>
>> On 3/11/2019 18:06, Pritha Srivastava <prsri...@redhat.com> wrote:
>>
>> Hi Myxingkong,
>>
>> Can you explain what you mean by 'enabling restful modules', particularly which document are you referring to?
>>
>> Right now there is no other way to attach a permission policy to a user.
>>
>> There is work in progress for adding functionality to RGW using which such calls can be scripted using boto.
>>
>> Thanks,
>> Pritha
>>
>> On Mon, Mar 11, 2019 at 3:21 PM myxingkong <ad...@xingkong.io> wrote:
>>
>>> Hello:
>>>
>>> I want to use the GetSessionToken method to get the temporary credentials, but according to the answer given in the official documentation, I need to attach a permission policy to the user before I can use the GetSessionToken method.
>>>
>>> This is the command for the additional permission policy provided by the official documentation:
>>>
>>> s3curl.pl --debug --id admin -- -s -v -X POST "http://localhost:8000/?Action=PutUserPolicy&PolicyName=Policy1&UserName=TESTER1&PolicyDocument=\{\"Version\":\"2012-10-17\",\"Statement\":\[\{\"Effect\":\"Deny\",\"Action\":\"s3:*\",\"Resource\":\[\"*\"\],\"Condition\":\{\"BoolIfExists\":\{\"sts:authentication\":\"false\"\}\}\},\{\"Effect\":\"Allow\",\"Action\":\"sts:GetSessionToken\",\"Resource\":\"*\",\"Condition\":\{\"BoolIfExists\":\{\"sts:authentication\":\"false\"\}\}\}\]\}&Version=2010-05-08"
>>>
>>> This requires enabling restful modules to execute this command.
>>>
>>> I configured the restful module according to the documentation, but without success; I was unable to configure the SSL certificate.
>>>
>>> ceph config-key set mgr/restful/crt -i restful.crt
>>>
>>> WARNING: it looks like you might be trying to set a ceph-mgr module configuration key. Since Ceph 13.0.0 (Mimic), mgr module configuration is done with `config set`, and new values set using `config-key set` will be ignored.
>>> set mgr/restful/crt
>>>
>>> Can someone tell me if there is a way to configure a restful module's certificate, or if there is another way to attach permission policies to users?
>>>
>>> Thanks,
>>> myxingkong
>>> _______________________________________________
>>> ceph-users mailing list
>>> ceph-users@lists.ceph.com
>>> http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
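Added example, not code from the thread or from the Ceph project: it checks whether a caller's `radosgw-admin user info` caps (the JSON shape posted above) grant what PutUserPolicy needs, and builds the PutUserPolicy query string with the policy document URL-encoded instead of shell-escaped as in the s3curl commands. Assumptions: PutUserPolicy requires write on the `user-policy` cap, perms are `*` or a comma-separated subset of read/write/delete, and the sample user info is constructed.

```python
import json
from urllib.parse import urlencode

# Constructed sample shaped like `radosgw-admin user info` output (not the
# thread's real user): this caller has only read on user-policy.
SAMPLE_USER_INFO = {
    "user_id": "ADMIN",
    "caps": [{"type": "users", "perm": "*"},
             {"type": "user-policy", "perm": "read"}],
}

# The policy from the thread: deny every S3 action unless the request was made
# with STS credentials, but still allow sts:GetSessionToken.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny", "Action": "s3:*", "Resource": ["*"],
         "Condition": {"BoolIfExists": {"sts:authentication": "false"}}},
        {"Effect": "Allow", "Action": "sts:GetSessionToken", "Resource": "*",
         "Condition": {"BoolIfExists": {"sts:authentication": "false"}}},
    ],
}

def cap_perms(user_info, cap_type):
    """Permissions the user holds for one RGW cap type. Assumed RGW convention:
    perm is '*' (all) or a comma-separated subset of read/write/delete."""
    perms = set()
    for cap in user_info.get("caps", []):
        if cap.get("type") != cap_type:
            continue
        if cap.get("perm") == "*":
            return {"read", "write", "delete"}
        perms.update(p.strip() for p in cap.get("perm", "").split(",") if p.strip())
    return perms

def can_put_user_policy(user_info):
    """Assumption: PutUserPolicy needs write on the user-policy cap; a caller
    without it gets the 403 AccessDenied shown in the thread."""
    return "write" in cap_perms(user_info, "user-policy")

def put_user_policy_query(user_name, policy_name, policy):
    """PutUserPolicy query string; urlencode escapes the JSON document, so no
    shell backslash-quoting is needed."""
    return urlencode({
        "Action": "PutUserPolicy",
        "PolicyName": policy_name,
        "UserName": user_name,
        "PolicyDocument": json.dumps(policy, separators=(",", ":")),
        "Version": "2010-05-08",
    })
```

Run the cap check against the real `radosgw-admin user info --uid=<uid>` output before debugging signatures: a missing or read-only `user-policy` cap produces the same AccessDenied as a bad key.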