Hello,

We are using ceph version 10.2.0 (3a9fba20ec743699b69bd0181dd6c54dc01c64b9) and 
radosgw for our object storage.
Everything is in production and running fine, but now I got a request from a 
customer that they need a new S3 user, but with full_control access to some of 
the existing buckets owned by the current user.
I've been playing with this for 2 days but without any success. Is there a way 
to implement this kind of setup?

I have tried setting acls on a bucket, also without success…

Current user:
{
    "user_id": "xxx",
    "display_name": "xxx",
    "email": "",
    "suspended": 0,
    "max_buckets": 10000000,
    "auid": 0,
    "subusers": [],
    "keys": [
        {
            "user": "xxx",
            "access_key": "xxxx",
            "secret_key": "xxxx"
        }
    ],
    "swift_keys": [],
    "caps": [],
    "op_mask": "read, write, delete",
    "default_placement": "",
    "placement_tags": [],
    "bucket_quota": {
        "enabled": false,
        "max_size_kb": -1,
        "max_objects": -1
    },
    "user_quota": {
        "enabled": false,
        "max_size_kb": -1,
        "max_objects": -1
    },
    "temp_url_keys": []
}

New user:
{
    "user_id": "yyy",
    "display_name": "yyy",
    "email": "",
    "suspended": 0,
    "max_buckets": 1000,
    "auid": 0,
    "subusers": [],
    "keys": [
        {
            "user": "yyy",
            "access_key": "yyy",
            "secret_key": "yyy"
        }
    ],
    "swift_keys": [],
    "caps": [],
    "op_mask": "read, write, delete",
    "default_placement": "",
    "placement_tags": [],
    "bucket_quota": {
        "enabled": false,
        "max_size_kb": -1,
        "max_objects": -1
    },
    "user_quota": {
        "enabled": false,
        "max_size_kb": -1,
        "max_objects": -1
    },
    "temp_url_keys": []
}

Bucket policy that I'm testing on:
{
    "acl": {
        "acl_user_map": [
            {
                "user": "xxx",
                "acl": 15
            }
        ],
        "acl_group_map": [],
        "grant_map": [
            {
                "id": "xxx",
                "grant": {
                    "type": {
                        "type": 0
                    },
                    "id": "xxx",
                    "email": "",
                    "permission": {
                        "flags": 15
                    },
                    "name": "xxx",
                    "group": 0
                }
            }
        ]
    },
    "owner": {
        "id": "xxx",
        "display_name": "xxx"
    }
}

Bucket stats:
{
    "bucket": "test ",
    "pool": "default.rgw.buckets.data",
    "index_pool": "default.rgw.buckets.index",
    "id": "ef4069bf-70fb-4414-a9d9-6bf5b32608fb.34127.35",
    "marker": "ef4069bf-70fb-4414-a9d9-6bf5b32608fb.34127.35",
    "owner": "xxx",
    "ver": "0#273",
    "master_ver": "0#0",
    "mtime": "2016-10-20 11:35:33.164214",
    "max_marker": "0#",
    "usage": {
        "rgw.main": {
            "size_kb": 1,
            "size_kb_actual": 4,
            "num_objects": 1
        },
        "rgw.multimeta": {
            "size_kb": 0,
            "size_kb_actual": 0,
            "num_objects": 0
        }
    },
    "bucket_quota": {
        "enabled": false,
        "max_size_kb": -1,
        "max_objects": -1
    }
}

I have tried setting ACL on that bucket:
s3cmd setacl --acl-grant=full_control:yyy --recursive s3://test/
ERROR: S3 error: 400 (InvalidArgument)

Relevant part from the log:
2016-11-11 09:15:31.924714 7fb09b7fe700 10 cache get: name=default.rgw.users.uid+yyy : type miss (requested=6, cached=0)
2016-11-11 09:15:31.926125 7fb09b7fe700 10 cache put: name=default.rgw.users.uid+yyy info.flags=0
2016-11-11 09:15:31.926133 7fb09b7fe700 10 moving default.rgw.users.uid+yyy to cache LRU end
2016-11-11 09:15:31.926138 7fb09b7fe700 10 grant user does not exist:yyy
2016-11-11 09:15:31.926152 7fb09b7fe700  2 req 19927701:0.002407:s3:PUT /test/test.txt:put_acls:completing
2016-11-11 09:15:31.926204 7fb09b7fe700  2 req 19927701:0.002460:s3:PUT /test/test.txt:put_acls:op status=-22
2016-11-11 09:15:31.926207 7fb09b7fe700  2 req 19927701:0.002463:s3:PUT /test/test.txt:put_acls:http status=400
2016-11-11 09:15:31.926210 7fb09b7fe700  1 ====== req done req=0x7fb09b7f8690 op status=-22 http_status=400 ======
2016-11-11 09:15:31.926223 7fb09b7fe700 20 process_request() returned -22

Could this be a bug? Let's say my user is called userTest, and I'm executing 
"s3cmd setacl --acl-grant=full_control:userTest --recursive s3://test", but the 
log says it can't find usertest (without the capital T)…
Anyway, I have tried the exact same thing with the user usertest, without the 
capital letters:
s3cmd setacl --acl-grant=read:"yyy" --recursive s3://test
s3://test/test.txt: ACL updated
s3://test/test2.txt: ACL updated

with yyy user:
s3cmd -c .s3cfg_TEST ls s3://
returns nothing…

Although, I can access the object with:
s3cmd -c .s3cfg_TEST get s3://test/test.txt
download: 's3://test/test.txt' -> './test.txt'  [1 of 1]
17 of 17   100% in    0s     3.49 kB/s  done

Even with the ACL set to full_control for the new user, the same thing happens: 
the user can't read the bucket content, but can access the objects in that 
bucket (assuming he knows the exact object name)…

Could someone point me in a direction I should look at? TIA

Best regards


_______________________________________________
ceph-users mailing list
ceph-users@lists.ceph.com
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
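The behaviour reported at the end of the message (the second user can fetch an object by name but gets an empty listing) is what S3's ACL model produces when a grant exists on the objects but not on the bucket itself: listing a bucket requires READ on the bucket ACL, while fetching an object requires READ on that object's ACL. The Python script below is an added example, not code from the post or from Ceph. It parses the `acl_user_map` shape that `radosgw-admin bucket policy` prints above, decodes the permission bits (values taken from radosgw's `rgw_acl.h`, where 15 is READ|WRITE|READ_ACP|WRITE_ACP, i.e. FULL_CONTROL), and reports a user's effective access split into bucket-level and object-level grants, which is the check worth running before handing a second user control of buckets owned by someone else. The two policy documents embedded in it are constructed samples modelled on the post's output; the object entry for `yyy` assumes a READ grant like the one the `s3cmd setacl --acl-grant=read:yyy` run would leave on each object.

```python
import json

# Permission bits as defined in radosgw's rgw_acl.h. The "acl": 15 seen in the
# post's bucket policy is READ|WRITE|READ_ACP|WRITE_ACP, i.e. FULL_CONTROL.
RGW_PERM_READ = 0x01
RGW_PERM_WRITE = 0x02
RGW_PERM_READ_ACP = 0x04
RGW_PERM_WRITE_ACP = 0x08
RGW_PERM_FULL_CONTROL = (RGW_PERM_READ | RGW_PERM_WRITE
                         | RGW_PERM_READ_ACP | RGW_PERM_WRITE_ACP)

PERM_NAMES = (
    (RGW_PERM_READ, "READ"),
    (RGW_PERM_WRITE, "WRITE"),
    (RGW_PERM_READ_ACP, "READ_ACP"),
    (RGW_PERM_WRITE_ACP, "WRITE_ACP"),
)


def decode_flags(flags):
    """Translate a radosgw permission bitmask into S3 permission names."""
    return [name for bit, name in PERM_NAMES if flags & bit]


def user_grants(policy):
    """Return {user_id: flags} from a radosgw-admin policy document
    (the 'acl' -> 'acl_user_map' shape shown by `radosgw-admin bucket policy`)."""
    return {entry["user"]: entry["acl"]
            for entry in policy["acl"]["acl_user_map"]}


def has_perm(policy, user, perm):
    """True if the ACL grants `user` every bit in `perm`."""
    return (user_grants(policy).get(user, 0) & perm) == perm


# S3 ACL semantics: listing a bucket's objects needs READ on the *bucket* ACL;
# fetching an object needs READ on that *object's* ACL. A grant applied only
# to objects therefore allows GET on a known key but not LIST on the bucket.
def can_list_bucket(bucket_policy, user):
    return has_perm(bucket_policy, user, RGW_PERM_READ)


def can_get_object(object_policy, user):
    return has_perm(object_policy, user, RGW_PERM_READ)


def missing_for_full_control(policy, user):
    """Which permissions `user` still lacks relative to FULL_CONTROL."""
    granted = user_grants(policy).get(user, 0)
    return decode_flags(RGW_PERM_FULL_CONTROL & ~granted)


def effective_access(bucket_policy, object_policy, user):
    """Summarise what `user` can do, split by bucket-level and object-level ACL."""
    return {
        "list_bucket": can_list_bucket(bucket_policy, user),
        "get_object": can_get_object(object_policy, user),
        "bucket_perms": decode_flags(user_grants(bucket_policy).get(user, 0)),
        "object_perms": decode_flags(user_grants(object_policy).get(user, 0)),
        "bucket_missing_for_full_control": missing_for_full_control(bucket_policy, user),
    }


# Constructed sample input modelled on the radosgw-admin output in the post:
# the bucket ACL names only the owner "xxx" (flags 15). The object ACL is a
# constructed guess at what an object looks like after a READ grant to "yyy".
BUCKET_POLICY = json.loads("""
{
  "acl": {
    "acl_user_map": [{"user": "xxx", "acl": 15}],
    "acl_group_map": [],
    "grant_map": []
  },
  "owner": {"id": "xxx", "display_name": "xxx"}
}
""")

OBJECT_POLICY = json.loads("""
{
  "acl": {
    "acl_user_map": [{"user": "xxx", "acl": 15}, {"user": "yyy", "acl": 1}],
    "acl_group_map": [],
    "grant_map": []
  },
  "owner": {"id": "xxx", "display_name": "xxx"}
}
""")


if __name__ == "__main__":
    for uid in ("xxx", "yyy"):
        print(uid, json.dumps(effective_access(BUCKET_POLICY, OBJECT_POLICY, uid)))
```

Run against real output, replace the two embedded documents with the JSON from `radosgw-admin bucket policy --bucket=<name>` and `radosgw-admin object policy` (or `--object=<key>`); the `bucket_missing_for_full_control` field then lists exactly which bits the second user still needs at the bucket level, which is the level the listing call is evaluated against.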