Hi Vlad,
If a user creates a bucket then only that user can see the bucket
unless an S3 ACL is applied giving additional permissions, but I'd
guess you are asking a more complex question than that.
If you are looking to apply some kind of policy over-riding whatever
ACL a user might apply to a bucket then it looks like the integration
with Open Policy Agent can do what you want. I have not myself tried
this out but it looks very interesting if you have the Nautilus
release.
http://docs.ceph.com/docs/nautilus/radosgw/opa/
A third option is you could run the RGW behind something like HAproxy
and configure ACL there which allow/disallow requests based on
different criteria. For example you can parse the bucket name out of
the URL and match against an ACL. You may be able to use the
Authorization header to pull out the access key id and match that
against a map file and allow/disallow the request, or use some other
criteria as might be available in HAproxy. HAproxy does have a unix
socket interface allowing for modifying mapfile entries without
restarting/editing the proxy config files.
http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#7
thanks,
Ben
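An added illustration of the HAProxy approach Ben outlines (this is example configuration written for this page, not something from the thread or from the Ceph project). It assumes HAProxy 1.8, a path-style S3 endpoint named rgw.example.com, an RGW node at 10.0.0.11:7480, SigV4-signed requests, and a constructed map file /etc/haproxy/bucket-policy.map whose keys are "<access key id>/<bucket>" pairs. Everything the rules cannot attribute to a known key and bucket is refused.

```haproxy
# Constructed sample of /etc/haproxy/bucket-policy.map (key, then value):
#   AKIAEXAMPLEKEY1/logs-bucket  allow
#   AKIAEXAMPLEKEY1/backups      allow
#   AKIAEXAMPLEKEY2/backups      allow

global
    # Runtime API socket; "add map"/"del map" commands change the policy
    # without a reload, e.g.:
    #   echo "add map /etc/haproxy/bucket-policy.map AKIAEXAMPLEKEY2/logs-bucket allow" \
    #     | socat stdio /var/run/haproxy.sock
    stats socket /var/run/haproxy.sock mode 600 level admin

defaults
    mode http
    timeout connect 5s
    timeout client  60s
    timeout server  60s

frontend rgw_s3
    bind *:443 ssl crt /etc/haproxy/rgw.pem
    default_backend rgw

    # Only path-style URLs (/<bucket>/<object>) are interpreted below, so
    # refuse virtual-hosted-style requests (<bucket>.<endpoint>) instead of
    # letting them pass the bucket check with the wrong name.
    http-request deny unless { req.hdr(host),field(1,:) -i rgw.example.com }

    # Only SigV4 Authorization headers are parsed. Anything else (SigV2,
    # presigned URLs carrying X-Amz-Credential, anonymous requests) is refused.
    http-request deny unless { req.hdr(Authorization) -m beg AWS4-HMAC-SHA256 }

    # Bucket name from the path; access key id from the header, which reads
    # "AWS4-HMAC-SHA256 Credential=<akid>/<date>/<region>/s3/aws4_request, ..."
    http-request set-var(txn.bucket) path,field(2,/)
    http-request set-var(txn.akid)   req.hdr(Authorization),field(2,=),field(1,/)

    # Build the "<akid>/<bucket>" key in a scratch header (set-header replaces
    # any value the client supplied under that name), look it up in the map,
    # and deny unless the pair is explicitly allowed. A bucket-listing request
    # (GET /) yields an empty bucket name and is therefore denied as well.
    http-request set-header X-RGW-Pair %[var(txn.akid)]/%[var(txn.bucket)]
    http-request deny unless { req.hdr(X-RGW-Pair),map_str(/etc/haproxy/bucket-policy.map) -m str allow }
    http-request del-header X-RGW-Pair

backend rgw
    server rgw1 10.0.0.11:7480 check
```

The proxy only decides whether a request may reach RGW; RGW still verifies the signature, so a forged access key id in the header gets past the map lookup but is rejected by RGW itself. The same map-file technique can be extended with a separate rule for ListBuckets (an empty bucket field) if users need it.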
On Thu, May 2, 2019 at 12:53 PM Vladimir Brik wrote:
>
> Hello
>
> I am trying to figure out a way to restrict access to S3 buckets. Is it
> possible to create a RadosGW user that can only access specific bucket(s)?
>
>
> Thanks,
>
> Vlad
> ___
> ceph-users mailing list
> ceph-users@lists.ceph.com
> http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com