Re: [ceph-users] Apply bucket policy to bucket for LDAP user: what is the correct identifier for principal

2018-10-19 Thread Ha Son Hai
Hello,
I found that the metadata of the LDAP user and of a normal radosgw user differ in
the "type" field. Can that be the cause of the bucket policy not working?
# Normal radosgw user
{
  "user_id": "ceph-dashboard",
  "display_name": "Ceph Dashboard",
  "email": "",
  "suspended": 0,
  "max_buckets": 1000,
  "auid": 0,
  "subusers": [],
  "keys": [
    {
      "user": "ceph-dashboard",
      "access_key": "... bla bla bla ...",
      "secret_key": "... bla bla bla ..."
    }
  ],
  "swift_keys": [],
  "caps": [
    {
      ... bla bla bla ...
    }
  ],
  "op_mask": "read, write, delete",
  "system": "true",
  "default_placement": "",
  "placement_tags": [],
  "bucket_quota": {
    "enabled": false,
    "check_on_raw": false,
    "max_size": -1,
    "max_size_kb": 0,
    "max_objects": -1
  },
  "user_quota": {
    "enabled": false,
    "check_on_raw": false,
    "max_size": -1,
    "max_size_kb": 0,
    "max_objects": -1
  },
  "temp_url_keys": [],
  "type": "rgw",
  "mfa_ids": []
}

# LDAP user
{
  "user_id": "sonhaiha",
  "display_name": "sonhaiha",
  "email": "",
  "suspended": 0,
  "max_buckets": 1000,
  "auid": 0,
  "subusers": [],
  "keys": [],
  "swift_keys": [],
  "caps": [],
  "op_mask": "read, write, delete",
  "default_placement": "",
  "placement_tags": [],
  "bucket_quota": {
    "enabled": false,
    "check_on_raw": false,
    "max_size": -1,
    "max_size_kb": 0,
    "max_objects": -1
  },
  "user_quota": {
    "enabled": false,
    "check_on_raw": false,
    "max_size": -1,
    "max_size_kb": 0,
    "max_objects": -1
  },
  "temp_url_keys": [],
  "type": "ldap",
  "mfa_ids": []
}

On Mon, Oct 15, 2018 at 11:24 AM Ha Son Hai  wrote:


Re: [ceph-users] Apply bucket policy to bucket for LDAP user: what is the correct identifier for principal

2018-10-15 Thread Ha Son Hai
Hi Matt and Adam,
Thanks a lot for your reply.

Attached are the logs that are generated when I shared the bucket from an
rgw user (ceph-dashboard) to an LDAP user (sonhaiha) and vice versa.

[sonhaiha@DEFR500 ~]$ s3cmd -c .s3cfg-cephdb info s3://shared-bucket
s3://shared-bucket/ (bucket):
   Location:  us-east-1
   Payer:     BucketOwner
   Expiration Rule: none
   Policy:    {
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": ["arn:aws:iam:::user/sonhaiha"]},
    "Action": "s3:*",
    "Resource": [
      "arn:aws:s3:::shared-bucket",
      "arn:aws:s3:::shared-bucket/*"
    ]
  }]
}

   CORS:      none
   ACL:       Ceph Dashboard: FULL_CONTROL
# I also tried with "arn:aws:iam:::user/sonhaiha$sonhaiha", but it was not
successful either.

I saw that, in the case of the LDAP user, when it accesses the shared bucket,
the rgw server could not find the permissions for the LDAP user.

2018-10-15 10:43:36.521 7f3c65146700 15 decode_policy Read
AccessControlPolicyhttp://s3.amazonaws.com/doc/2006-03-01/;>ceph-dashboardCeph
Dashboardhttp://www.w3.org/2001/XMLSchema-instance;
xsi:type="CanonicalUser">ceph-dashboardCeph
DashboardFULL_CONTROL
2018-10-15 10:43:36.522 7f3c65146700  2 req 4:0.026275:s3:GET
/shared-bucket/:list_bucket:recalculating target
2018-10-15 10:43:36.522 7f3c65146700  2 req 4:0.026288:s3:GET
/shared-bucket/:list_bucket:reading permissions
2018-10-15 10:43:36.522 7f3c65146700  2 req 4:0.026291:s3:GET
/shared-bucket/:list_bucket:init op
2018-10-15 10:43:36.522 7f3c65146700  2 req 4:0.026292:s3:GET
/shared-bucket/:list_bucket:verifying op mask
2018-10-15 10:43:36.522 7f3c65146700 20 required_mask= 1 user.op_mask=7
2018-10-15 10:43:36.522 7f3c65146700  2 req 4:0.026295:s3:GET
/shared-bucket/:list_bucket:verifying op permissions
2018-10-15 10:43:36.522 7f3c65146700 20 -- Getting permissions begin with
perm_mask=49
2018-10-15 10:43:36.522 7f3c65146700  5 Searching permissions for
identity=rgw::auth::SysReqApplier ->
rgw::auth::RemoteApplier(acct_user=sonhaiha, acct_name=sonhaiha,
perm_mask=15, is_admin=0) mask=49
2018-10-15 10:43:36.522 7f3c65146700  5 Searching permissions for
uid=sonhaiha
2018-10-15 10:43:36.522 7f3c65146700  5 Permissions for user not found
2018-10-15 10:43:36.522 7f3c65146700  5 Searching permissions for
uid=sonhaiha$sonhaiha
2018-10-15 10:43:36.522 7f3c65146700  5 Permissions for user not found
2018-10-15 10:43:36.522 7f3c65146700 20 from ACL got perm=0
2018-10-15 10:43:36.522 7f3c65146700  5 Searching permissions for group=1
mask=49
2018-10-15 10:43:36.522 7f3c65146700  5 Permissions for group not found
2018-10-15 10:43:36.522 7f3c65146700  5 Searching permissions for group=2
mask=49
2018-10-15 10:43:36.522 7f3c65146700  5 Permissions for group not found
2018-10-15 10:43:36.522 7f3c65146700  5 -- Getting permissions done for
identity=rgw::auth::SysReqApplier ->
rgw::auth::RemoteApplier(acct_user=sonhaiha, acct_name=sonhaiha,
perm_mask=15, is_admin=0), owner=ceph-dashboard, perm=0

Thank you
Ha

On Thu, Oct 11, 2018 at 8:16 PM Matt Benjamin  wrote:

> right, the user can be the dn component or something else projected
> from the entry, details in the docs
>
> Matt
>
> On Thu, Oct 11, 2018 at 1:26 PM, Adam C. Emerson 
> wrote:
> > Ha Son Hai  wrote:
> >> Hello everyone,
> >> I am trying to apply a bucket policy to my bucket for an LDAP user, but it
> >> doesn't work.
> >> For a user created by radosgw-admin, the policy works fine.
> >>
> >> {
> >>   "Version": "2012-10-17",
> >>   "Statement": [{
> >>     "Effect": "Allow",
> >>     "Principal": {"AWS": ["arn:aws:iam:::user/radosgw-user"]},
> >>     "Action": "s3:*",
> >>     "Resource": [
> >>       "arn:aws:s3:::shared-tenant-test",
> >>       "arn:aws:s3:::shared-tenant-test/*"
> >>     ]
> >>   }]
> >> }
> >
> > LDAP users essentially are RGW users, so it should be this same
> > format. As I understand RGW's LDAP interface (I have not worked with
> > LDAP personally), every LDAP user gets a corresponding RGW user whose
> > name is derived from rgw_ldap_dnattr, often 'uid' or 'cn', but this is
> > dependent on site.
> >
> > If you can check that part of the configuration, and if that doesn't
> > work, if you'll send some logs I'll take a look. If something fishy is
> > going on we can try opening a bug.
> >
> >
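
As an added example (not code from the thread or from Ceph itself), a small Python parser for the "Getting permissions" trace above: it pulls out the authenticated identity, the uids RGW tried against the bucket ACL, and the final perm, and maps each uid spelling to the principal ARN form given in the Ceph bucket-policy documentation (tenant in the account field). That ARN mapping is an assumption of the example, not something the thread confirms.

```python
import re

# Constructed, unwrapped copy of the radosgw debug lines quoted in the thread:
# RGW's ACL lookup for the LDAP user "sonhaiha" listing the shared bucket.
RGW_LOG = """\
2018-10-15 10:43:36.522 7f3c65146700 20 -- Getting permissions begin with perm_mask=49
2018-10-15 10:43:36.522 7f3c65146700  5 Searching permissions for identity=rgw::auth::SysReqApplier -> rgw::auth::RemoteApplier(acct_user=sonhaiha, acct_name=sonhaiha, perm_mask=15, is_admin=0) mask=49
2018-10-15 10:43:36.522 7f3c65146700  5 Searching permissions for uid=sonhaiha
2018-10-15 10:43:36.522 7f3c65146700  5 Permissions for user not found
2018-10-15 10:43:36.522 7f3c65146700  5 Searching permissions for uid=sonhaiha$sonhaiha
2018-10-15 10:43:36.522 7f3c65146700  5 Permissions for user not found
2018-10-15 10:43:36.522 7f3c65146700 20 from ACL got perm=0
2018-10-15 10:43:36.522 7f3c65146700  5 -- Getting permissions done for identity=rgw::auth::SysReqApplier -> rgw::auth::RemoteApplier(acct_user=sonhaiha, acct_name=sonhaiha, perm_mask=15, is_admin=0), owner=ceph-dashboard, perm=0
"""

def parse_acl_trace(log):
    """Summarise one 'Getting permissions' block of a radosgw debug log."""
    info = {"uids_tried": []}
    for line in log.splitlines():
        if m := re.search(r"begin with perm_mask=(\d+)", line):
            info["requested_mask"] = int(m.group(1))
        elif m := re.search(r"acct_user=([^,]+),.*perm_mask=(\d+), is_admin=(\d)", line):
            info["acct_user"] = m.group(1)
            info["identity_perm_mask"] = int(m.group(2))  # 15 == RGW FULL_CONTROL
            info["is_admin"] = m.group(3) == "1"
        if m := re.search(r"Searching permissions for uid=(\S+)", line):
            info["uids_tried"].append(m.group(1))       # ACL grantee names looked up
        elif m := re.search(r"from ACL got perm=(\d+)", line):
            info["acl_perm"] = int(m.group(1))
        elif m := re.search(r"owner=([^,]+), perm=(\d+)$", line):
            info["owner"], info["final_perm"] = m.group(1), int(m.group(2))
    return info

def acl_allows(info):
    """The ACL stage only passes when the perm RGW derived overlaps the mask
    the operation asked for; perm=0 means no grant matched any uid tried."""
    return bool(info["final_perm"] & info["requested_mask"])

def principal_arn(uid):
    """Bucket-policy principal for an RGW uid, with any 'tenant$user' prefix
    placed in the ARN account field (the form in the Ceph bucket-policy docs;
    an assumption of this example, not something the thread confirms)."""
    tenant, _, user = uid.rpartition("$")
    return f"arn:aws:iam::{tenant}:user/{user}"

def candidate_principals(info):
    """Principal ARNs matching each identity spelling RGW looked up."""
    return [principal_arn(uid) for uid in info["uids_tried"]]
```

Running parse_acl_trace over a longer log will overwrite the identity fields with the last "Getting permissions" block seen, so split the log per request id (the "req N:" prefix) before calling it on multi-request output.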

[ceph-users] Apply bucket policy to bucket for LDAP user: what is the correct identifier for principal

2018-10-11 Thread Ha Son Hai
Hello everyone,
I am trying to apply a bucket policy to my bucket for an LDAP user, but it
doesn't work.
For a user created by radosgw-admin, the policy works fine.

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": ["arn:aws:iam:::user/radosgw-user"]},
    "Action": "s3:*",
    "Resource": [
      "arn:aws:s3:::shared-tenant-test",
      "arn:aws:s3:::shared-tenant-test/*"
    ]
  }]
}

I would like to know whether the principal identifier for an LDAP user is
different from that of an rgw user. Does anyone know the identifier for an
LDAP user? Isn't it "arn:aws:iam:::user/ldap-user"?

Thanks a lot
Ha
___
ceph-users mailing list
ceph-users@lists.ceph.com
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com


[ceph-users] Run ceph-rest-api in Mimic

2018-08-01 Thread Ha, Son Hai
Hello everybody!

Because some of my applications depend on the obsolete ceph-rest-api
module, I would like to know if there is a way to run it in Mimic. If I
understood correctly, the new restful plugin
(http://docs.ceph.com/docs/mimic/mgr/restful/) in mgr does not provide cluster
information as rich as the old one did.

--
With best regards,
Son Hai Ha
