Re: [ceph-users] Reset Object ACLs in RGW

[thomas]

Hi Casey,

Thanks for the tip in the right direction. I originally tried creating an
admin user to accomplish this and I didn't realise the different between an
admin and system user. Using a system user I was able to iterate over the
contents of the buckets and reset the object ownership back to the bucket
owner. Below is a very very ugly bash script I used to achieve this which I
don't recommend anyone using, but for reference of anyone else in a similar
predicament to me:

IFS=$'\n'; for i in $(aws s3api --endpoint-url
https://ceph-rgw-endpoint-here list-objects --bucket "bucketname" --output
json | jq -r '.Contents[] | (.Key)') ; do echo restoring ownership on $i ;
aws s3api --endpoint-url https://ceph-rgw-endpoint-here put-object-acl
--grant-full-control id=idhere --bucket "bucketname" --key $i ; done ; unset
IFS

You'll need to install the aws toolkit and jq of course and configure them.

Thanks again,

Tom


-Original Message-
From: ceph-users  On Behalf Of Casey
Bodley
Sent: 02 August 2018 17:08
To: ceph-users@lists.ceph.com
Subject: Re: [ceph-users] Reset Object ACLs in RGW


On 08/02/2018 07:35 AM, Thomas White wrote:
> Hi all,
>
> At present I have a cluster with a user on the RGW who has lost access to
many of his files. The bucket has the correct ACL to be accessed by the
account and so with their access and secret key many items can be listed,
but are unable to be downloaded.
>
> Is there a way of using the radosgw-admin tool to reset (or set) ACLs on
individual files or recursively across bucket objects to restore access for
them?
>
> Kind Regards,
>
> Tom
> ___
> ceph-users mailing list
> ceph-users@lists.ceph.com
> http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com

Hi Tom,

I don't think radosgw-admin can do this. But you can create a system user
(radosgw-admin user create --system ...) which overrides permission checks,
and use it to issue s3 operations to manipulate the acls.

Casey
___
ceph-users mailing list
ceph-users@lists.ceph.com
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com


___
ceph-users mailing list
ceph-users@lists.ceph.com
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com

Re: [ceph-users] Reset Object ACLs in RGW

[Casey Bodley]

On 08/02/2018 07:35 AM, Thomas White wrote:

Hi all,

At present I have a cluster with a user on the RGW who has lost access to many 
of his files. The bucket has the correct ACL to be accessed by the account and 
so with their access and secret key many items can be listed, but are unable to 
be downloaded.

Is there a way of using the radosgw-admin tool to reset (or set) ACLs on 
individual files or recursively across bucket objects to restore access for 
them?

Kind Regards,

Tom
___
ceph-users mailing list
ceph-users@lists.ceph.com
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com


Hi Tom,

I don't think radosgw-admin can do this. But you can create a system 
user (radosgw-admin user create --system ...) which overrides permission 
checks, and use it to issue s3 operations to manipulate the acls.


Casey
___
ceph-users mailing list
ceph-users@lists.ceph.com
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com

[ceph-users] Reset Object ACLs in RGW

[Thomas White]

Hi all,

At present I have a cluster with a user on the RGW who has lost access to many 
of his files. The bucket has the correct ACL to be accessed by the account and 
so with their access and secret key many items can be listed, but are unable to 
be downloaded.

Is there a way of using the radosgw-admin tool to reset (or set) ACLs on 
individual files or recursively across bucket objects to restore access for 
them?

Kind Regards,

Tom
___
ceph-users mailing list
ceph-users@lists.ceph.com
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com