Re: [ceph-users] identifying public buckets

2018-02-22 Thread Dave Holland
On Thu, Feb 22, 2018 at 06:00:12AM +, Robin H. Johnson wrote:
> You need to create a RGW user with the system flag set (it might be
> possible with the newer admin flag as well).

That was the missing piece - thanks very much! I have it working now.

Cheers,
Dave
-- 
** Dave Holland ** Systems Support -- Informatics Systems Group **
** 01223 496923 **Wellcome Sanger Institute, Hinxton, UK**


-- 
 The Wellcome Sanger Institute is operated by Genome Research 
 Limited, a charity registered in England with number 1021457 and a 
 company registered in England with number 2742969, whose registered 
 office is 215 Euston Road, London, NW1 2BE. 
___
ceph-users mailing list
ceph-users@lists.ceph.com
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com


Re: [ceph-users] identifying public buckets

2018-02-21 Thread Robin H. Johnson
On Wed, Feb 21, 2018 at 10:19:58AM +, Dave Holland wrote:
> Hi,
> 
> We would like to scan our users' buckets to identify those which are
> publicly-accessible, to avoid potential embarrassment (or worse), e.g.
> http://www.bbc.co.uk/news/technology-42839462
> 
> I didn't find a way to use radosgw-admin to report ACL information for a
> given bucket. And using the API to query a bucket's information would
> require a valid access key for that bucket. What am I missing, please?
You can do it via the S3 API. The below is in Luminous, but should work fine in
Jewel (might have to force AWS-CLI to use a v2 signature).

You need to create a RGW user with the system flag set (it might be
possible with the newer admin flag as well).

As a concrete example, using Amazon's awscli, here:
# set the system bit on a user, if you don't already have a user with
# this power.
$ radosgw-admin user modify --uid $UID --system
# use the access+secret key from the above user.
$ AWS_ACCESS_KEY_ID='...' AWS_SECRET_ACCESS_KEY='...' \
    aws \
    --endpoint-url=https://$ENDPOINT \
    s3api get-bucket-acl \
    --bucket $BUCKETNAME

Example output (censored):
{
  "Owner": {
    "DisplayName": "ANOTHER-USER-THAT-WAS-NOT-SYSTEM",
    "ID": "ANOTHER-USER-THAT-WAS-NOT-SYSTEM"
  },
  "Grants": [
    {
      "Grantee": {
        "Type": "CanonicalUser",
        "DisplayName": "ANOTHER-USER-THAT-WAS-NOT-SYSTEM",
        "ID": "ANOTHER-USER-THAT-WAS-NOT-SYSTEM"
      },
      "Permission": "FULL_CONTROL"
    }
  ]
}

-- 
Robin Hugh Johnson
Gentoo Linux: Dev, Infra Lead, Foundation Treasurer
E-Mail   : robb...@gentoo.org
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85
GnuPG FP : 7D0B3CEB E9B85B1F 825BCECF EE05E6F6 A48F6136
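
The check the thread is after, as an added example that is not part of the original messages or of Ceph: it takes the JSON that get-bucket-acl returns and reports grants made to the predefined S3 groups AllUsers and AuthenticatedUsers. The bucket names and the owner "alice" are constructed sample data, and fetch_acl assumes the system user's keys are already set in the environment.

```python
import json
import subprocess

# Predefined S3 group URIs; a grant to either one reaches beyond named users.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anonymous",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any-authenticated-user",
}

def fetch_acl(bucket, endpoint):
    """Run the get-bucket-acl call from the message above (keys come from the environment)."""
    out = subprocess.run(
        ["aws", "--endpoint-url", endpoint, "s3api", "get-bucket-acl", "--bucket", bucket],
        check=True, capture_output=True, text=True).stdout
    return json.loads(out)

def public_grants(acl):
    """Return sorted (audience, permission) pairs for grants to public groups."""
    found = set()
    for grant in acl.get("Grants") or []:
        grantee = grant.get("Grantee") or {}
        audience = PUBLIC_GROUPS.get(grantee.get("URI"))
        if grantee.get("Type") == "Group" and audience:
            found.add((audience, grant.get("Permission", "UNKNOWN")))
    return sorted(found)

def scan(acls):
    """Map bucket name -> public grants, leaving out buckets that have none."""
    return {name: hits for name, acl in acls.items() if (hits := public_grants(acl))}

# Constructed sample ACLs in the shape of the output quoted above.
OWNER_GRANT = {"Grantee": {"Type": "CanonicalUser", "ID": "alice"},
               "Permission": "FULL_CONTROL"}
GROUP = "http://acs.amazonaws.com/groups/global/"
SAMPLE_ACLS = {
    "private-data": {"Grants": [OWNER_GRANT]},
    "web-assets": {"Grants": [OWNER_GRANT, {
        "Grantee": {"Type": "Group", "URI": GROUP + "AllUsers"}, "Permission": "READ"}]},
    "shared-drop": {"Grants": [OWNER_GRANT, {
        "Grantee": {"Type": "Group", "URI": GROUP + "AuthenticatedUsers"},
        "Permission": "WRITE"}]},
}

if __name__ == "__main__":
    for name, hits in scan(SAMPLE_ACLS).items():
        for audience, permission in hits:
            print(f"{name}: {permission} granted to {audience}")
```

get-bucket-acl reports the bucket ACL only; object ACLs are set separately, so a bucket that passes this check can still hold individually public objects.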




[ceph-users] identifying public buckets

2018-02-21 Thread Dave Holland
Hi,

We would like to scan our users' buckets to identify those which are
publicly-accessible, to avoid potential embarrassment (or worse), e.g.
http://www.bbc.co.uk/news/technology-42839462

I didn't find a way to use radosgw-admin to report ACL information for a
given bucket. And using the API to query a bucket's information would
require a valid access key for that bucket. What am I missing, please?

(Ceph 10.2.7)

thanks,
Dave
-- 
** Dave Holland ** Systems Support -- Informatics Systems Group **
** 01223 496923 **Wellcome Sanger Institute, Hinxton, UK**

