anything we can do to narrow down the policy issue here? any of the
Principal, Action, Resource, or Condition matches could be failing
here. you might try replacing each with a wildcard, one at a time,
until you see the policy take effect
On Wed, Dec 13, 2023 at 5:04 AM Marc Singer wrote:
>
> Hi
Hi
As my attachment is very messy, I cleaned it up and provide a much
simpler version for your tests bellow.
These policies seem to get ignored when the URL is presigned.
{
"Version":"2012-10-17",
"Id":"userbucket%%%policy",
"Statement":[
{
"Sid":"username%%%read",
Hi
First, all requests with presigned URLs should be restricted.
This is how the request is blocked with the nginx sidecar (it's just a
simple parameter in the URL that is forbidden):
if ($arg_Signature) { return 403 'Signature parameter forbidden';
}
Our bucket policies are created
On Fri, Dec 08, 2023 at 10:41:59AM +0100, marc@singer.services wrote:
> Hi Ceph users
>
> We are using Ceph Pacific (16) in this specific deployment.
>
> In our use case we do not want our users to be able to generate signature v4
> URLs because they bypass the policies that we set on buckets