[英]Read only users - list all the buckets I have read rights to
We are using ceph and have several buckets.我们正在使用 ceph 并且有几个存储桶。
We are using one read-only user to make backups of these buckets.我们正在使用一个只读用户来备份这些存储桶。
If I know the list, I can backup all my bucket.如果我知道列表,我可以备份我的所有存储桶。
I don't understand why, but I can't list all buckets.我不明白为什么,但我无法列出所有存储桶。
Is it at all possible in ceph radosgw?在 ceph radosgw 中是否有可能? I suspect not.
我怀疑不是。
The policy looks like this:该政策如下所示:
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Principal": {"AWS": ["arn:aws:iam:::user/read-only"]},
"Action": [
"s3:ListBucket",
"s3:ListAllMyBuckets",
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::bucket",
"arn:aws:s3:::bucket/*"
]
}]
}
And I don't have anything special at the user level.而且我在用户层面没有什么特别之处。
But when I try to list, I get the following:但是当我尝试列出时,我得到以下信息:
export AWS_SECRET_ACCESS_KEY=xx
export AWS_ACCESS_KEY_ID=
export MC_HOST_ceph=https://${AWS_ACCESS_KEY_ID}:${AWS_SECRET_ACCESS_KEY}@radosgwdns
mc ls ceph
mc ls ceph/
mc ls ceph/bucket
Only the last command is listing things.只有最后一个命令是列出内容。
In this link it is said that it is basically not possible: https://help.switch.ch/engines/documentation/s3-like-object-storage/s3_policy/在这个链接中据说基本上不可能: https://help.switch.ch/engines/documentation/s3-like-object-storage/s3_policy/
Only S3 bucket policy is available, S3 user policy is not implemented in Ceph S3.
On this release page, they maybe speak about it: https://ceph.io/releases/v16-2-0-pacific-released/在这个发布页面上,他们可能会谈论它: https://ceph.io/releases/v16-2-0-pacific-released/
RGW: Improved configuration of S3 tenanted users.
Thanks for your help!谢谢你的帮助!
When you get access to a bucket with a bucket policy to a user it will not appear in the user's bucket listing.当您通过对用户的存储桶策略访问存储桶时,它不会出现在用户的存储桶列表中。 If you want it to be you can create a subuser with
none
permission and again give access to it using bucket policy.如果你想要它,你可以创建一个
none
权限的子用户,并再次使用存储桶策略授予对它的访问权限。 Now when the subuser lists buckets it will see the bucket and because of none
permission, it has only access to the bucket you specified.现在,当子用户列出存储桶时,它将看到该存储桶,并且由于
none
权限,它只能访问您指定的存储桶。 The principal for the subuser would be like this:子用户的主体是这样的:
"Principal": {"AWS": ["arn:aws:iam:::user/MAIN_USER:SUBUSER"]},
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.