[ceph-users] Re: Setting S3 bucket policies with multi-tenants

2024-04-15 Thread Kai Stian Olstad

On 12.04.2024 20:54, Wesley Dillingham wrote:
> Did you actually get this working? I am trying to replicate your steps but
> am not being successful doing this with multi-tenant.


This is what we are using, the second statement is so that bucket owner 
will have access to the object that the user is uploading.


s3-policy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iamuser/"
        ]
      },
      "Action": [
        "s3:ListBucket",
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::/*",
        "arn:aws:s3:::"
      ]
    },
    {
      "Sid": "owner_full_access",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iamuser/"
        ]
      },
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::*"
    }
  ]
}

And then run
s3cmd setpolicy s3-policy.json s3://


--
Kai Stian Olstad
___
ceph-users mailing list -- ceph-users@ceph.io
To unsubscribe send an email to ceph-users-le...@ceph.io


[ceph-users] Re: Setting S3 bucket policies with multi-tenants

2024-04-12 Thread Wesley Dillingham
Did you actually get this working? I am trying to replicate your steps but
am not being successful doing this with multi-tenant.

Respectfully,

*Wes Dillingham*
LinkedIn 
w...@wesdillingham.com




On Wed, Nov 1, 2023 at 12:52 PM Thomas Bennett  wrote:

> To update my own question, it would seem that Principal should be
> defined like this:
>
>- "Principal": {"AWS": ["arn:aws:iam::Tenant1:user/readwrite"]}
>
> And resource should:
> "Resource": [ "arn:aws:s3:::backups"]
>
> Is it worth having the docs updated -
> https://docs.ceph.com/en/quincy/radosgw/bucketpolicy/
> to indicate that usfolks in the example is the tenant name?
>
>
> On Wed, 1 Nov 2023 at 18:27, Thomas Bennett  wrote:
>
> > Hi,
> >
> > I'm running Ceph Quincy (17.2.6) with a rados-gateway. I have multi
> > tenants, for example:
> >
> >- Tenant1$manager
> >- Tenant1$readwrite
> >
> > I would like to set a policy on a bucket (backups for example) owned by
> > *Tenant1$manager* to allow *Tenant1$readwrite* access to that bucket. I
> > can't find any documentation that discusses this scenario.
> >
> > Does anyone know how to specify the Principal and Resource section of a
> > policy.json file? Or any other configuration that I might be missing?
> >
> > I've tried some variations on Principal and Resource including and
> > excluding tenant information, but no luck yet.
> >
> >
> > For example:
> > {
> >   "Version": "2012-10-17",
> >   "Statement": [{
> >     "Effect": "Allow",
> >     "Principal": {"AWS": ["arn:aws:iam:::user/Tenant1$readwrite"]},
> >     "Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject"],
> >     "Resource": [
> >       "arn:aws:s3:::Tenant1/backups"
> >     ]
> >   }]
> > }
> >
> > I'm using s3cmd for testing, so:
> > s3cmd --config s3cfg.manager setpolicy policy.json s3://backups/
> > Returns:
> > s3://backups/: Policy updated
> >
> > And then testing:
> > s3cmd --config s3cfg.readwrite ls s3://backups/
> > ERROR: Access to bucket 'backups' was denied
> > ERROR: S3 error: 403 (AccessDenied)
> >
> > Thanks,
> > Tom
> >


[ceph-users] Re: Setting S3 bucket policies with multi-tenants

2023-11-02 Thread Janne Johansson
On Wed, 1 Nov 2023 at 17:51, Thomas Bennett wrote:
>
> To update my own question, it would seem that Principal should be
> defined like this:
>
>- "Principal": {"AWS": ["arn:aws:iam::Tenant1:user/readwrite"]}
>
> And resource should:
> "Resource": [ "arn:aws:s3:::backups"]
>
> Is it worth having the docs updated -
> https://docs.ceph.com/en/quincy/radosgw/bucketpolicy/
> to indicate that usfolks in the example is the tenant name?


A good idea.

Generally, docs should be lots more clear about which parts are chosen
by you, and which ones are inherent from some predefined role,
context, your setup, your domain or whatever.

It's hard enough to get all the finer points of rgw both from an admin
side, and as a power-user talking over the S3 apis, and if examples
"hide" things like the above as if perhaps "usfolks" is some weird
predefined thing AWS has brought along or something, then it gets lots
harder to grasp which parts I am supposed to replace and which must be
there.

Personally I would prefer colors, bold, or underlines or something to
distinguish things I should replace like endpoint url domains,
hostnames from the things which are not supposed to change like the
whole Resource thing up until the bucket name.

Looking at the example given in the docs:

"Principal": {"AWS": ["arn:aws:iam::usfolks:user/fred:subuser"]},
"Resource": [
  "arn:aws:s3:::happybucket/*"

the arn:aws:s3::: seems to indicate you can/should change only the
last part after the last : char, and then fill in the bucket name
there.

The arn:aws:iam on the other hand in this example is not solely the
last part after the last :, but also the next-to-last one. While this
probably is very obvious if you understand the AWS docs written
somewhere 35 links away, it would be nice IMHO if the ceph-rgw example
showed or at least hinted to me that it needs me to change two parts
in the iam entry and not only the last, because then the example would
not require me to also double-check the AWS reference manual to know
if I should edit one or two or all of the other  sections there.

Not saying ceph-rgw needs to fully replicate all of AWS S3 docs, but
at least help us out a bit here, please.

--
May the most significant bit of your life be positive.


[ceph-users] Re: Setting S3 bucket policies with multi-tenants

2023-11-01 Thread Thomas Bennett
To update my own question, it would seem that Principal should be
defined like this:

   - "Principal": {"AWS": ["arn:aws:iam::Tenant1:user/readwrite"]}

And resource should:
"Resource": [ "arn:aws:s3:::backups"]

Is it worth having the docs updated -
https://docs.ceph.com/en/quincy/radosgw/bucketpolicy/
to indicate that usfolks in the example is the tenant name?


On Wed, 1 Nov 2023 at 18:27, Thomas Bennett  wrote:

> Hi,
>
> I'm running Ceph Quincy (17.2.6) with a rados-gateway. I have multi
> tenants, for example:
>
>- Tenant1$manager
>- Tenant1$readwrite
>
> I would like to set a policy on a bucket (backups for example) owned by
> *Tenant1$manager* to allow *Tenant1$readwrite* access to that bucket. I
> can't find any documentation that discusses this scenario.
>
> Does anyone know how to specify the Principal and Resource section of a
> policy.json file? Or any other configuration that I might be missing?
>
> I've tried some variations on Principal and Resource including and
> excluding tenant information, but no luck yet.
>
>
> For example:
> {
>   "Version": "2012-10-17",
>   "Statement": [{
>     "Effect": "Allow",
>     "Principal": {"AWS": ["arn:aws:iam:::user/Tenant1$readwrite"]},
>     "Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject"],
>     "Resource": [
>       "arn:aws:s3:::Tenant1/backups"
>     ]
>   }]
> }
>
> I'm using s3cmd for testing, so:
> s3cmd --config s3cfg.manager setpolicy policy.json s3://backups/
> Returns:
> s3://backups/: Policy updated
>
> And then testing:
> s3cmd --config s3cfg.readwrite ls s3://backups/
> ERROR: Access to bucket 'backups' was denied
> ERROR: S3 error: 403 (AccessDenied)
>
> Thanks,
> Tom
>
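The ARN shapes worked out in this thread (Thomas's tenant-qualified Principal, Kai's policy with the owner_full_access statement), as an added example that is not from any of the posters: a small Python builder for the policy plus a lint that flags the shapes that returned 403 above. The tenant, user and bucket names are constructed; the owner statement is narrowed to the bucket's objects rather than the thread's arn:aws:s3:::*.

```python
import re

# Constructed example names; not taken from any real deployment.
TENANT, OWNER, GRANTEE, BUCKET = "Tenant1", "manager", "readwrite", "backups"

# Multi-tenant RGW principal: tenant in the account field, user after "user/",
# optional ":subuser" suffix (as in the docs' usfolks/fred:subuser example).
PRINCIPAL_RE = re.compile(r"^arn:aws:iam::([^:$/]+):user/([^:$/]+)(:[^:$/]+)?$")
# Bucket resource: bare bucket name, no tenant prefix, optional /* for objects.
RESOURCE_RE = re.compile(r"^arn:aws:s3:::([^/$]+)(/\*)?$")

def principal_arn(tenant, user):
    return f"arn:aws:iam::{tenant}:user/{user}"

def build_policy(tenant, owner, grantee, bucket):
    """Grantee may list/get/put; owner keeps full access to objects the
    grantee uploads (the owner_full_access statement from the thread)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": [principal_arn(tenant, grantee)]},
                "Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject"],
                # ListBucket needs the bucket ARN, Get/Put need the object ARN.
                "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            },
            {
                "Sid": "owner_full_access",
                "Effect": "Allow",
                "Principal": {"AWS": [principal_arn(tenant, owner)]},
                "Action": "s3:*",
                # Narrowed from the thread's arn:aws:s3:::* to this bucket's objects.
                "Resource": f"arn:aws:s3:::{bucket}/*",
            },
        ],
    }

def lint_policy(policy):
    """Return the ARNs shaped like the attempts that got 403 in the thread."""
    problems = []
    for i, st in enumerate(policy["Statement"]):
        for p in st["Principal"]["AWS"]:
            if not PRINCIPAL_RE.match(p):
                problems.append(f"stmt {i}: principal {p!r}, expected arn:aws:iam::<tenant>:user/<user>")
        res = st["Resource"]
        for r in (res if isinstance(res, list) else [res]):
            if not RESOURCE_RE.match(r):
                problems.append(f"stmt {i}: resource {r!r}, expected arn:aws:s3:::<bucket>[/*]")
    return problems
```

json.dumps(build_policy(TENANT, OWNER, GRANTEE, BUCKET), indent=2) gives the file to hand to s3cmd setpolicy; run lint_policy over a hand-written policy first to catch a tenant that slipped into the user path or the bucket ARN.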