Dear All,
Is it possible to define S3 bucket policies with the Principal ("arn:aws:iam:::user/parentusera") on a subuser level instead of a user level?
I did a test with Nautilus (14.2.4-373) with a user 'parentusera' and a subuser 'subusera'.
radosgw-admin user info --uid=parentusera
{
    "user_id": "parentusera",
    "display_name": "parentusera",
    "email": "",
    "suspended": 0,
    "max_buckets": 1000,
    "subusers": [
        {
            "id": "parentusera:subusera",
            "permissions": "full-control"
        }
    ],
    "keys": [
        {
            "user": "parentusera",
            "access_key": "0YXCC67E8A3Z7T3DIY1B",
            "secret_key": "LuqPjefT0WkyJQcb0v7d8LEs7cL6py8AJetQJPJZ"
        },
        {
            "user": "parentusera:subusera",
            "access_key": "UAQA3KPAMQ581PX22AMS",
            "secret_key": "zZiAX0SHFepGz552qVb2VqxLljNxjQ3jOAFy0iVB"
        }
    ],
    ...
}
The following bucket policy is applied on a bucket (owned by another
user), in order to let 'subusera' access it:
{
    "Version": "2012-10-17",
    "Id": "read-write",
    "Statement": [
        {
            "Sid": "project-read-write",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam:::user/parentusera"
                ]
            },
            "Action": [
                "s3:ListBucket",
                "s3:PutObject",
                "s3:DeleteObject",
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::*"
            ]
        }
    ]
}
The Principal "arn:aws:iam:::user/parentusera" is actually matching all
subusers of 'parentusera' and 'parentusera' itself.
Is it possible to match a single subuser? I made some tries like:
* "arn:aws:iam:::user/parentusera:subusera"
* "arn:aws:iam:::user/parentusera\:subusera"
* "arn:aws:iam:::user/parentusera%3Asubusera"
But no luck. I think the problem comes from the regex which disallows ':' for the username:
./src/rgw/rgw_iam_policy.cc:
    static const char str_wild[] = "arn:([^:]*):([^:]*):([^:]*):([^:]*):([^:]*)";
Maybe a solution would be to use '/' as separator for subusers instead of ':'?
    "id": "parentusera/subusera"

Best Regards
Francois Scheurer

--
EveryWare AG
François Scheurer
Senior Systems Engineer
Zurlindenstrasse 52a
CH-8003 Zürich
tel: +41 44 466 60 00
fax: +41 44 466 60 10
mail: [email protected]
web: http://www.everyware.ch
_______________________________________________ ceph-users mailing list [email protected] http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
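As an added illustration (not part of the original mail and not Ceph's own code), the script below runs the str_wild pattern quoted in the mail over the principal strings that were tried, plus the '/' form proposed at the end. Python's re.fullmatch stands in for the whole-string semantics of std::regex_match; the script assumes nothing about how RGW then compares the parsed resource field with its user ids, it only shows what the regex itself accepts and which field each piece lands in.

```python
import re

# Pattern copied from the mail (src/rgw/rgw_iam_policy.cc, str_wild):
# five colon-separated fields after "arn:", none of which may contain ':'.
ARN_WILD = re.compile(r"arn:([^:]*):([^:]*):([^:]*):([^:]*):([^:]*)")

def parse_principal_arn(arn):
    """Split an ARN into its five fields, or return None when the whole
    string does not match (fullmatch mirrors std::regex_match)."""
    m = ARN_WILD.fullmatch(arn)
    if m is None:
        return None
    partition, service, region, account, resource = m.groups()
    return {
        "partition": partition,
        "service": service,
        "region": region,
        "account": account,
        "resource": resource,
    }

def check_candidates(candidates):
    """Map each candidate principal string to its parse result."""
    return {arn: parse_principal_arn(arn) for arn in candidates}

# Constructed input: the principals tried in the mail, the working parent
# form, and the '/' separator suggested at the end of the mail.
CANDIDATES = [
    "arn:aws:iam:::user/parentusera",
    "arn:aws:iam:::user/parentusera:subusera",
    "arn:aws:iam:::user/parentusera\\:subusera",   # literal backslash-colon
    "arn:aws:iam:::user/parentusera%3Asubusera",
    "arn:aws:iam:::user/parentusera/subusera",
]

if __name__ == "__main__":
    for arn, parsed in check_candidates(CANDIDATES).items():
        status = "no match" if parsed is None else "resource=" + parsed["resource"]
        print(f"{arn:48} -> {status}")
```

The two forms that keep a literal ':' do not match at all, because a sixth colon-delimited piece has nowhere to go in a five-field pattern. The %3A and '/' forms are accepted by the regex, but the resource field then holds the literal text "user/parentusera%3Asubusera" or "user/parentusera/subusera", neither of which equals the subuser id "parentusera:subusera" shown by radosgw-admin, so passing the regex alone does not make the principal name a subuser.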
