堆栈内存溢出
  简体   繁体   English

只读用户 - 列出我拥有读取权限的所有存储桶

[英]Read only users - list all the buckets I have read rights to

 原文  2021-05-06 16:08:19       amazon-s3/ ceph/ radosgw

问题描述

We are using ceph and have several buckets.我们正在使用 ceph 并且有几个存储桶。

We are using one read-only user to make backups of these buckets.我们正在使用一个只读用户来备份这些存储桶。

If I know the list, I can backup all my bucket.如果我知道列表,我可以备份我的所有存储桶。

I don't understand why, but I can't list all buckets.我不明白为什么,但我无法列出所有存储桶。

Is it at all possible in ceph radosgw?在 ceph radosgw 中是否有可能? I suspect not.我怀疑不是。

The policy looks like this:该政策如下所示:

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": ["arn:aws:iam:::user/read-only"]},
    "Action": [
       "s3:ListBucket",
       "s3:ListAllMyBuckets",
       "s3:GetObject"
     ],
    "Resource": [
      "arn:aws:s3:::bucket",
      "arn:aws:s3:::bucket/*"
    ]
  }]
}

And I don't have anything special at the user level.而且我在用户层面没有什么特别之处。

But when I try to list, I get the following:但是当我尝试列出时,我得到以下信息:

export AWS_SECRET_ACCESS_KEY=xx
export AWS_ACCESS_KEY_ID=
export MC_HOST_ceph=https://${AWS_ACCESS_KEY_ID}:${AWS_SECRET_ACCESS_KEY}@radosgwdns
mc ls ceph
mc ls ceph/
mc ls ceph/bucket

Only the last command is listing things.只有最后一个命令是列出内容。

In this link it is said that it is basically not possible: https://help.switch.ch/engines/documentation/s3-like-object-storage/s3_policy/在这个链接中据说基本上不可能: https://help.switch.ch/engines/documentation/s3-like-object-storage/s3_policy/

Only S3 bucket policy is available, S3 user policy is not implemented in Ceph S3.

On this release page, they maybe speak about it: https://ceph.io/releases/v16-2-0-pacific-released/在这个发布页面上,他们可能会谈论它: https://ceph.io/releases/v16-2-0-pacific-released/

RGW: Improved configuration of S3 tenanted users.

Thanks for your help!谢谢你的帮助!

1 个解决方案

解决方案1
 0  2021-05-19 15:42:23

When you get access to a bucket with a bucket policy to a user it will not appear in the user's bucket listing.当您通过对用户的存储桶策略访问存储桶时,它不会出现在用户的存储桶列表中。 If you want it to be you can create a subuser with none permission and again give access to it using bucket policy.如果你想要它,你可以创建一个none权限的子用户,并再次使用存储桶策略授予对它的访问权限。 Now when the subuser lists buckets it will see the bucket and because of none permission, it has only access to the bucket you specified.现在,当子用户列出存储桶时,它将看到该存储桶,并且由于none权限,它只能访问您指定的存储桶。 The principal for the subuser would be like this:子用户的主体是这样的:

"Principal": {"AWS": ["arn:aws:iam:::user/MAIN_USER:SUBUSER"]},

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 是否可以列出我有权访问的所有AWS S3存储桶? - Is it possible to list all the AWS S3 buckets I have access to? 仅从多个文件夹的 s3 存储桶中读取特定的 json 文件 - read only particular json files from s3 buckets from multiple folders 我如何使用glueContext.create_dynamic_frame_from_options 读取大量的Json 存储桶 - how do I read in tons of Json buckets using glueContext.create_dynamic_frame_from_options 如何编写 AWS IAM 策略来授予对其他所有人的存储桶的读取访问权限? - How do I write an AWS IAM policy that grants read access to everyone else's buckets? 我该如何使用s3策略拒绝访问除以字符串“ xyz”开头的存储桶之外的所有存储桶? - How can i have s3 policy that denies access to all buckets except the ones that start with string “xyz”? 我应该使用哪个S3 API来查看我所有的存储桶列表 - Which S3 API should I use to see the list of buckets owned by me only 授予用户访问所有外部存储桶的权限,但排除我们自己的帐户存储桶 - grant users access to all external buckets but exclude our own account buckets 如何获取正在访问 S3 存储桶中对象的用户列表? - How to get list of users who are accessing the objects in S3 Buckets? 使用Spark从同一区域的多个s3桶中读取 - Read from multiple s3 buckets in the same region using Spark 从 S3 存储桶读取火花的 AWS 费用? - AWS charges for spark read from S3 buckets?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM