Hi Myxingkong,

Did you add admin caps to the user (with access key id 'HTRJ1HIKR4FB9A24ZG9C'), which is trying to attach a user policy, using the command below:

radosgw-admin caps add --uid=<uid of user> --caps="user-policy=*"

Thanks,
Pritha

On Tue, Mar 12, 2019 at 7:19 AM myxingkong <ad...@xingkong.io> wrote:

> Hi Pritha:
>
> I was unable to attach the permission policy through S3curl, which
> returned an HTTP 403 error.
>
> ./s3curl.pl --id admin -- -s -v -X POST "http://192.168.199.81:7480/?Action=PutUserPolicy&PolicyName=Policy1&UserName=TESTER&PolicyDocument=\{\"Version\":\"2012-10-17\",\"Statement\":\[\{\"Effect\":\"Deny\",\"Action\":\"s3:*\",\"Resource\":\[\"*\"\],\"Condition\":\{\"BoolIfExists\":\{\"sts:authentication\":\"false\"\}\}\},\{\"Effect\":\"Allow\",\"Action\":\"sts:GetSessionToken\",\"Resource\":\"*\",\"Condition\":\{\"BoolIfExists\":\{\"sts:authentication\":\"false\"\}\}\}\]\}&Version=2010-05-08"
>
> Request:
>
> > POST /?Action=PutUserPolicy&PolicyName=Policy1&UserName=TESTER&PolicyDocument={"Version":"2012-10-17","Statement":[{"Effect":"Deny","Action":"s3:*","Resource":["*"],"Condition":{"BoolIfExists":{"sts:authentication":"false"}}},{"Effect":"Allow","Action":"sts:GetSessionToken","Resource":"*","Condition":{"BoolIfExists":{"sts:authentication":"false"}}}]}&Version=2010-05-08 HTTP/1.1
> > User-Agent: curl/7.29.0
> > Host: 192.168.199.81:7480
> > Accept: */*
> > Date: Tue, 12 Mar 2019 01:39:55 GMT
> > Authorization: AWS HTRJ1HIKR4FB9A24ZG9C:FTMBoc7+sJf0K+cx+nYD7Sdj2Xg=
>
> Response:
>
> < HTTP/1.1 403 Forbidden
> < Content-Length: 187
> < x-amz-request-id: tx000000000000000000144-005c870deb-4a92d-default
> < Accept-Ranges: bytes
> < Content-Type: application/xml
> < Date: Tue, 12 Mar 2019 01:39:55 GMT
> <
> * Connection #0 to host 192.168.199.81 left intact
> <?xml version="1.0" encoding="UTF-8"?><Error><Code>AccessDenied</Code><RequestId>tx000000000000000000144-005c870deb-4a92d-default</RequestId><HostId>4a92d-default-default</HostId></Error>
>
> .s3curl
> %awsSecretAccessKeys = (
>     admin => {
>         id => 'HTRJ1HIKR4FB9A24ZG9C',
>         key => 'Dfk7t5u4jvdyFMlEf8t4MTdBLEqVlru7tag1g8PE',
>     },
> );
>
> Can you tell me what went wrong?
>
> Thanks,
> myxingkong
>
>
> *From:* myxingkong <ad...@xingkong.io>
> *Sent:* 2019-03-11 18:13:33
> *To:* prsri...@redhat.com
> *Cc:* ceph-users@lists.ceph.com
> *Subject:* Re: [ceph-users] How to attach permission policy to user?
>
> Hi Pritha:
>
> This is the documentation for configuring restful modules:
> http://docs.ceph.com/docs/nautilus/mgr/restful/
>
> The command given according to the official documentation is to attach the
> permission policy through the REST API.
>
> This is the documentation for STS lite:
> http://docs.ceph.com/docs/nautilus/radosgw/STSLite/
>
> My version of ceph is: ceph version 14.1.0
> (adfd524c32325562f61c055a81dba4cb1b117e84) nautilus (dev)
>
> Thanks,
> myxingkong
>
> On 3/11/2019 18:06, Pritha Srivastava <prsri...@redhat.com> wrote:
>
> Hi Myxingkong,
>
> Can you explain what you mean by 'enabling restful modules', particularly
> which document are you referring to?
>
> Right now there is no other way to attach a permission policy to a user.
>
> There is work in progress for adding functionality to RGW using which such
> calls can be scripted using boto.
>
> Thanks,
> Pritha
>
> On Mon, Mar 11, 2019 at 3:21 PM myxingkong <ad...@xingkong.io> wrote:
>
>> Hello:
>>
>> I want to use the GetSessionToken method to get the temporary
>> credentials, but according to the answer given in the official
>> documentation, I need to attach a permission policy to the user before I
>> can use the GetSessionToken method.
>>
>> This is the command for the additional permission policy provided by the
>> official documentation:
>>
>> s3curl.pl --debug --id admin -- -s -v -X POST "http://localhost:8000/?Action=PutUserPolicy&PolicyName=Policy1&UserName=TESTER1&PolicyDocument=\{\"Version\":\"2012-10-17\",\"Statement\":\[\{\"Effect\":\"Deny\",\"Action\":\"s3:*\",\"Resource\":\[\"*\"\],\"Condition\":\{\"BoolIfExists\":\{\"sts:authentication\":\"false\"\}\}\},\{\"Effect\":\"Allow\",\"Action\":\"sts:GetSessionToken\",\"Resource\":\"*\",\"Condition\":\{\"BoolIfExists\":\{\"sts:authentication\":\"false\"\}\}\}\]\}&Version=2010-05-08"
>>
>> This requires enabling restful modules to execute this command.
>>
>> I configured the restful module according to the documentation, but
>> without success, I was unable to configure the SSL certificate.
>>
>> ceph config-key set mgr/restful/crt -i restful.crt
>>
>> WARNING: it looks like you might be trying to set a ceph-mgr module
>> configuration key. Since Ceph 13.0.0 (Mimic), mgr module configuration is
>> done with `config set`, and new values set using `config-key set` will be
>> ignored.
>> set mgr/restful/crt
>>
>> Can someone tell me if there is a way to configure a restful module's
>> certificate, or if there is another way to attach permission policies to
>> users?
>>
>> Thanks,
>> myxingkong
>> _______________________________________________
>> ceph-users mailing list
>> ceph-users@lists.ceph.com
>> http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
>>
>
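Added example (not part of the thread and not Ceph code): the policy from the PutUserPolicy command above written as a readable structure, a helper that percent-encodes it into the query string instead of shell-escaping it, and a small evaluator showing what the two statements decide. The evaluator is a simplified model that assumes AWS IAM-style semantics for `BoolIfExists` and explicit Deny; it is not RGW's implementation, and the function names are hypothetical. The request still has to be signed (as s3curl does) by a user holding the `user-policy` admin caps.

```python
import json
from urllib.parse import urlencode

# Policy from the thread, written as a dict instead of escaped JSON.
COND = {"BoolIfExists": {"sts:authentication": "false"}}
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny", "Action": "s3:*", "Resource": ["*"], "Condition": COND},
        {"Effect": "Allow", "Action": "sts:GetSessionToken", "Resource": "*",
         "Condition": COND},
    ],
}


def put_user_policy_url(endpoint, user, policy_name, policy=POLICY):
    """Build the PutUserPolicy URL with the policy document percent-encoded."""
    query = urlencode({
        "Action": "PutUserPolicy",
        "PolicyName": policy_name,
        "UserName": user,
        "PolicyDocument": json.dumps(policy, separators=(",", ":")),
        "Version": "2010-05-08",
    })
    return f"{endpoint.rstrip('/')}/?{query}"


def _action_matches(pattern, action):
    # Only the trailing-wildcard form used in this policy is modelled.
    return action.startswith(pattern[:-1]) if pattern.endswith("*") else pattern == action


def _condition_holds(cond, context):
    # BoolIfExists: a key missing from the request context counts as a match.
    for key, want in cond.get("BoolIfExists", {}).items():
        if key in context and str(context[key]).lower() != want.lower():
            return False
    return True


def evaluate(action, context, policy=POLICY):
    """Return 'Deny', 'Allow' or 'NoMatch'; an explicit Deny wins."""
    effects = {
        s["Effect"] for s in policy["Statement"]
        if _action_matches(s["Action"], action)
        and _condition_holds(s.get("Condition", {}), context)
    }
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else "NoMatch"
```

"NoMatch" means this policy neither allows nor denies the request, so the outcome is left to whatever other permissions apply to the user.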