Yeah, I was thinking about that, and it will be the alternative for me too...

Regards.

Italo Santos
http://italosantos.com.br/


On Friday, March 6, 2015 at 18:20, ghislain.cheval...@orange.com wrote:

>  
>  
>  
> -------- Original message --------
> From: CHEVALIER Ghislain IMT/OLPS <ghislain.cheval...@orange.com>
> Date: 06/03/2015 21:56 (GMT+01:00)
> To: Italo Santos <okd...@gmail.com>
> Cc:
> Subject: RE: [ceph-users] RadosGW - Bucket link and ACLs
>  
> Hi,
> We encountered this behavior when developing the rgw admin module in inkscope
> and we fixed it as follows:
> As you created the user access key and secret key with the admin user, it
> seems better to create the bucket with these credentials.
>  
> Best regards
>  
>  
>  
> -------- Original message --------
> From: Italo Santos <okd...@gmail.com>
> Date: 06/03/2015 20:52 (GMT+01:00)
> To: ceph-users@lists.ceph.com
> Cc:
> Subject: [ceph-users] RadosGW - Bucket link and ACLs
>  
> Hello,  
>  
> I’m building an object storage environment and I’m having trouble with some
> administration ops. To manage the entire environment I decided to create an
> admin user and use it to manage the client users which I’ll create later.
>
> Using the admin (called “italux”) I created a new user (called “cliente”) and
> after that I created a new bucket with the admin user (called
> cliente-bucket). After that, still using the admin, I changed the permissions
> of the “cliente-bucket” (which is owned by admin), granting FULL_CONTROL to
> the “cliente” user.
>
> So, using the admin API, I unlinked the “cliente-bucket” from the admin user and
> linked it to the “cliente” user, changing the ownership of the bucket:
>  
> In [86]: url = 'http://radosgw.example.com/admin/bucket?format=json&bucket=cliente-bucket'
> In [87]: r = requests.get(url, auth=S3Auth(access_key, secret_key, server))
> In [88]: r.content
> Out[88]: '{"bucket":"cliente-bucket","pool":".rgw.buckets","index_pool":".rgw.buckets.index","id":"default.4361528.1","marker":"default.4361528.1","owner":"cliente","ver":1,"master_ver":0,"mtime":1425670280,"max_marker":"","usage":{},"bucket_quota":{"enabled":false,"max_size_kb":-1,"max_objects":-1}}'
>  
>  
> After that, when I try to change the permissions/ACLs of the bucket using the
> “cliente” user, I get AccessDenied. Looking at the raw debug logs, it
> seems that the owner of the bucket wasn’t changed. Does anyone know why?
>  
> RadosGW debug logs:  
>  
> 2015-03-06 16:32:55.943167 7fd32bf57700  1 ====== starting new request req=0x3cf78a0 =====
> 2015-03-06 16:32:55.943183 7fd32bf57700  2 req 2:0.000016::PUT /::initializing
> 2015-03-06 16:32:55.943189 7fd32bf57700 10 host=cliente-bucket.radosgw.example.com rgw_dns_name=object-storage.locaweb.com.br
> 2015-03-06 16:32:55.943220 7fd32bf57700 10 s->object=<NULL> s->bucket=cliente-bucket
> 2015-03-06 16:32:55.943225 7fd32bf57700  2 req 2:0.000057:s3:PUT /::getting op
> 2015-03-06 16:32:55.943230 7fd32bf57700  2 req 2:0.000062:s3:PUT /:put_acls:authorizing
> 2015-03-06 16:32:55.943269 7fd32bf57700 10 get_canon_resource(): dest=/cliente-bucket/?acl
> 2015-03-06 16:32:55.943272 7fd32bf57700 10 auth_hdr:
> PUT
>
>
> Fri, 06 Mar 2015 19:32:55 GMT
> /cliente-bucket/?acl
> 2015-03-06 16:32:55.943370 7fd32bf57700 15 calculated digest=xtSrQR+GsHyqjqGLdiPmjoP62x4=
> 2015-03-06 16:32:55.943375 7fd32bf57700 15 auth_sign=xtSrQR+GsHyqjqGLdiPmjoP62x4=
> 2015-03-06 16:32:55.943377 7fd32bf57700 15 compare=0
> 2015-03-06 16:32:55.943384 7fd32bf57700  2 req 2:0.000216:s3:PUT /:put_acls:reading permissions
> 2015-03-06 16:32:55.943425 7fd32bf57700 15 Read AccessControlPolicy<AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/"><Owner><ID>italux</ID><DisplayName>Italo Santos</DisplayName></Owner><AccessControlList><Grant><Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser"><ID>cliente</ID><DisplayName>Cliente</DisplayName></Grantee><Permission>FULL_CONTROL</Permission></Grant></AccessControlList></AccessControlPolicy>
> 2015-03-06 16:32:55.943441 7fd32bf57700  2 req 2:0.000273:s3:PUT /:put_acls:init op
> 2015-03-06 16:32:55.943447 7fd32bf57700  2 req 2:0.000280:s3:PUT /:put_acls:verifying op mask
> 2015-03-06 16:32:55.943451 7fd32bf57700 20 required_mask= 2 user.op_mask=7
> 2015-03-06 16:32:55.943453 7fd32bf57700  2 req 2:0.000286:s3:PUT /:put_acls:verifying op permissions
> 2015-03-06 16:32:55.943457 7fd32bf57700  5 Searching permissions for uid=cliente mask=56
> 2015-03-06 16:32:55.943461 7fd32bf57700  5 Found permission: 15
> 2015-03-06 16:32:55.943462 7fd32bf57700  5 Searching permissions for group=1 mask=56
> 2015-03-06 16:32:55.943464 7fd32bf57700  5 Permissions for group not found
> 2015-03-06 16:32:55.943466 7fd32bf57700  5 Searching permissions for group=2 mask=56
> 2015-03-06 16:32:55.943468 7fd32bf57700  5 Permissions for group not found
> 2015-03-06 16:32:55.943469 7fd32bf57700  5 Getting permissions id=cliente owner=italux perm=8
> 2015-03-06 16:32:55.943471 7fd32bf57700 10  uid=cliente requested perm (type)=8, policy perm=8, user_perm_mask=8, acl perm=8
> 2015-03-06 16:32:55.943475 7fd32bf57700  2 req 2:0.000308:s3:PUT /:put_acls:verifying op params
> 2015-03-06 16:32:55.943480 7fd32bf57700  2 req 2:0.000313:s3:PUT /:put_acls:executing
> 2015-03-06 16:32:55.943547 7fd32bf57700 15 read len=831 data=<?xml version="1.0" encoding="UTF-8"?><AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/"><Owner><ID>italux</ID><DisplayName>Italo Santos</DisplayName></Owner><AccessControlList><Grant><Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser"><ID>italux</ID><DisplayName>Italo Santos</DisplayName></Grantee><Permission>READ</Permission></Grant><Grant><Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser"><ID>italux</ID><DisplayName>Italo Santos</DisplayName></Grantee><Permission>WRITE</Permission></Grant><Grant><Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser"><ID>cliente</ID><DisplayName>Cliente</DisplayName></Grantee><Permission>FULL_CONTROL</Permission></Grant></AccessControlList></AccessControlPolicy>
> 2015-03-06 16:32:55.943750 7fd32bf57700 15 Old AccessControlPolicy<AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/"><Owner><ID>italux</ID><DisplayName>Italo Santos</DisplayName></Owner><AccessControlList><Grant><Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser"><ID>cliente</ID><DisplayName>Cliente</DisplayName></Grantee><Permission>FULL_CONTROL</Permission></Grant><Grant><Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser"><ID>italux</ID><DisplayName>Italo Santos</DisplayName></Grantee><Permission>READ</Permission></Grant><Grant><Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser"><ID>italux</ID><DisplayName>Italo Santos</DisplayName></Grantee><Permission>WRITE</Permission></Grant></AccessControlList></AccessControlPolicy>
> 2015-03-06 16:32:55.943977 7fd32bf57700  2 req 2:0.000809:s3:PUT /:put_acls:http status=403
> 2015-03-06 16:32:55.943986 7fd32bf57700  1 ====== req done req=0x3cf78a0 http_status=403 ======
>  
>  
> Regards,
>  
> Italo Santos  
> http://italosantos.com.br/
>  
> _______________________________________________
> ceph-users mailing list
> ceph-users@lists.ceph.com (mailto:ceph-users@lists.ceph.com)
> http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
>  
>  
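
Added example, not part of the original thread or of Ceph's code: a Python check for the inconsistency the thread shows, where the admin API metadata reports owner "cliente" while the AccessControlPolicy dumped in the debug log still names "italux" as Owner. The sample inputs are constructed from values quoted above, and the function names are hypothetical.

```python
import json
import re
import xml.etree.ElementTree as ET

NS = {"s3": "http://s3.amazonaws.com/doc/2006-03-01/"}

# Constructed sample input, trimmed from the values quoted in the thread.
BUCKET_METADATA = '{"bucket":"cliente-bucket","owner":"cliente","ver":1}'
LOG_LINE = (
    '2015-03-06 16:32:55.943425 7fd32bf57700 15 Read AccessControlPolicy'
    '<AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/">'
    '<Owner><ID>italux</ID><DisplayName>Italo Santos</DisplayName></Owner>'
    '<AccessControlList><Grant><Grantee '
    'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" '
    'xsi:type="CanonicalUser"><ID>cliente</ID><DisplayName>Cliente</DisplayName>'
    '</Grantee><Permission>FULL_CONTROL</Permission></Grant>'
    '</AccessControlList></AccessControlPolicy>'
)


def acl_from_log(line):
    """Extract the ACL XML that radosgw dumps after 'AccessControlPolicy'."""
    match = re.search(r"<AccessControlPolicy\b.*</AccessControlPolicy>", line)
    return match.group(0) if match else None


def parse_acl(policy_xml):
    """Return (owner_id, [(grantee, permission), ...]) from an S3 ACL document."""
    # The input is the gateway's own output; use a hardened parser for untrusted XML.
    root = ET.fromstring(policy_xml)
    owner = root.findtext("s3:Owner/s3:ID", namespaces=NS)
    grants = []
    for grant in root.findall("s3:AccessControlList/s3:Grant", NS):
        # CanonicalUser grantees carry an ID, group grantees carry a URI.
        who = (grant.findtext("s3:Grantee/s3:ID", namespaces=NS)
               or grant.findtext("s3:Grantee/s3:URI", namespaces=NS))
        grants.append((who, grant.findtext("s3:Permission", namespaces=NS)))
    return owner, grants


def audit_owner(metadata_json, policy_xml):
    """Compare the owner in bucket metadata with the Owner stored in the ACL."""
    meta = json.loads(metadata_json)
    acl_owner, grants = parse_acl(policy_xml)
    return {"metadata_owner": meta["owner"], "acl_owner": acl_owner,
            "consistent": meta["owner"] == acl_owner, "grants": grants}
```

Calling `audit_owner(BUCKET_METADATA, acl_from_log(LOG_LINE))` on the sample reports `consistent` as `False`, the same disagreement between the admin API output and the logged policy that the thread describes.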

