What exact error are you seeing after adding admin caps?

I tried the following steps on master and they worked fine: (TESTER1 is
adding a user policy to TESTER)
1. radosgw-admin --uid TESTER --display-name "TestUser" --access_key TESTER --secret test123 user create
2. radosgw-admin --uid TESTER1 --display-name "TestUser" --access_key TESTER1 --secret test123 user create
3. radosgw-admin caps add --uid="TESTER1" --caps="user-policy=*"
4. s3curl.pl --debug --id admin -- -s -v -X POST "http://localhost:8000/?Action=PutUserPolicy&PolicyName=Policy1&UserName=TESTER&PolicyDocument=\{\"Version\":\"2012-10-17\",\"Statement\":\[\{\"Effect\":\"Deny\",\"Action\":\"s3:*\",\"Resource\":\[\"*\"\],\"Condition\":\{\"BoolIfExists\":\{\"sts:authentication\":\"false\"\}\}\},\{\"Effect\":\"Allow\",\"Action\":\"sts:GetSessionToken\",\"Resource\":\"*\",\"Condition\":\{\"BoolIfExists\":\{\"sts:authentication\":\"false\"\}\}\}\]\}&Version=2010-05-08"

.s3curl is as follows for me:
%awsSecretAccessKeys = (
    # personal account
    admin => {
        id => 'TESTER1',
        key => 'test123',
    }
);


On Tue, Mar 12, 2019 at 11:09 AM myxingkong <ad...@xingkong.io> wrote:

> Hi Pritha:
> I added administrator quotas to users, but they didn't seem to work.
> radosgw-admin user create --uid=ADMIN --display-name=ADMIN --admin --system
> radosgw-admin caps add --uid="ADMIN" --caps="user-policy=*;roles=*;users=*;buckets=*;metadata=*;usage=*;zone=*"
> {
>     "user_id": "ADMIN",
>     "display_name": "ADMIN",
>     "email": "",
>     "suspended": 0,
>     "max_buckets": 1000,
>     "subusers": [],
>     "keys": [
>         {
>             "user": "ADMIN",
>             "access_key": "HTRJ1HIKR4FB9A24ZG9C",
>             "secret_key": "Dfk7t5u4jvdyFMlEf8t4MTdBLEqVlru7tag1g8PE"
>         }
>     ],
>     "swift_keys": [],
>     "caps": [
>         {
>             "type": "buckets",
>             "perm": "*"
>         },
>         {
>             "type": "metadata",
>             "perm": "*"
>         },
>         {
>             "type": "roles",
>             "perm": "*"
>         },
>         {
>             "type": "usage",
>             "perm": "*"
>         },
>         {
>             "type": "user-policy",
>             "perm": "*"
>         },
>         {
>             "type": "users",
>             "perm": "*"
>         },
>         {
>             "type": "zone",
>             "perm": "*"
>         }
>     ],
>     "op_mask": "read, write, delete",
>     "system": "true",
>     "default_placement": "",
>     "default_storage_class": "",
>     "placement_tags": [],
>     "bucket_quota": {
>         "enabled": false,
>         "check_on_raw": false,
>         "max_size": -1,
>         "max_size_kb": 0,
>         "max_objects": -1
>     },
>     "user_quota": {
>         "enabled": false,
>         "check_on_raw": false,
>         "max_size": -1,
>         "max_size_kb": 0,
>         "max_objects": -1
>     },
>     "temp_url_keys": [],
>     "type": "rgw",
>     "mfa_ids": []
> }
> Thanks,
> myxingkong
>
> *From:* Pritha Srivastava <prsri...@redhat.com>
> *Sent:* 2019-03-12 12:23:24
> *To:* myxingkong <ad...@xingkong.io>
> *Cc:* ceph-users@lists.ceph.com
> *Subject:* Re: [ceph-users] How to attach permission policy to user?
>
> Hi Myxingkong,
>
> Did you add admin caps to the user (with access key id
> 'HTRJ1HIKR4FB9A24ZG9C') that is trying to attach a user policy, using the
> command below:
>
> radosgw-admin caps add --uid=<uid of user> --caps="user-policy=*"
>
> Thanks,
> Pritha
>
> On Tue, Mar 12, 2019 at 7:19 AM myxingkong <ad...@xingkong.io> wrote:
>
>> Hi Pritha:
>> I was unable to attach the permission policy through S3curl, which
>> returned an HTTP 403 error.
>>
>> ./s3curl.pl --id admin -- -s -v -X POST "http://192.168.199.81:7480/?Action=PutUserPolicy&PolicyName=Policy1&UserName=TESTER&PolicyDocument=\{\"Version\":\"2012-10-17\",\"Statement\":\[\{\"Effect\":\"Deny\",\"Action\":\"s3:*\",\"Resource\":\[\"*\"\],\"Condition\":\{\"BoolIfExists\":\{\"sts:authentication\":\"false\"\}\}\},\{\"Effect\":\"Allow\",\"Action\":\"sts:GetSessionToken\",\"Resource\":\"*\",\"Condition\":\{\"BoolIfExists\":\{\"sts:authentication\":\"false\"\}\}\}\]\}&Version=2010-05-08"
>> Request:
>> > POST /?Action=PutUserPolicy&PolicyName=Policy1&UserName=TESTER&PolicyDocument={"Version":"2012-10-17","Statement":[{"Effect":"Deny","Action":"s3:*","Resource":["*"],"Condition":{"BoolIfExists":{"sts:authentication":"false"}}},{"Effect":"Allow","Action":"sts:GetSessionToken","Resource":"*","Condition":{"BoolIfExists":{"sts:authentication":"false"}}}]}&Version=2010-05-08 HTTP/1.1
>> > User-Agent: curl/7.29.0
>> > Host: 192.168.199.81:7480
>> > Accept: */*
>> > Date: Tue, 12 Mar 2019 01:39:55 GMT
>> > Authorization: AWS HTRJ1HIKR4FB9A24ZG9C:FTMBoc7+sJf0K+cx+nYD7Sdj2Xg=
>> Response:
>> < HTTP/1.1 403 Forbidden
>> < Content-Length: 187
>> < x-amz-request-id: tx000000000000000000144-005c870deb-4a92d-default
>> < Accept-Ranges: bytes
>> < Content-Type: application/xml
>> < Date: Tue, 12 Mar 2019 01:39:55 GMT
>> <
>> * Connection #0 to host 192.168.199.81 left intact
>> <?xml version="1.0" encoding="UTF-8"?><Error><Code>AccessDenied</Code><RequestId>tx000000000000000000144-005c870deb-4a92d-default</RequestId><HostId>4a92d-default-default</HostId></Error>
>>
>> .s3curl
>> %awsSecretAccessKeys = (
>>     admin => {
>>         id => 'HTRJ1HIKR4FB9A24ZG9C',
>>         key => 'Dfk7t5u4jvdyFMlEf8t4MTdBLEqVlru7tag1g8PE',
>>     },
>> );
>> Can you tell me what went wrong?
>> Thanks,
>> myxingkong
>>
>>
>> *From:* myxingkong <ad...@xingkong.io>
>> *Sent:* 2019-03-11 18:13:33
>> *To:* prsri...@redhat.com
>> *Cc:* ceph-users@lists.ceph.com
>> *Subject:* Re: [ceph-users] How to attach permission policy to user?
>>
>> Hi Pritha:
>>
>> This is the documentation for configuring restful modules:
>> http://docs.ceph.com/docs/nautilus/mgr/restful/
>>
>> The command given according to the official documentation is to attach
>> the permission policy through the REST API.
>>
>> This is the documentation for STS lite:
>> http://docs.ceph.com/docs/nautilus/radosgw/STSLite/
>>
>> My version of ceph is: ceph version 14.1.0
>> (adfd524c32325562f61c055a81dba4cb1b117e84) nautilus (dev)
>>
>> Thanks,
>> myxingkong
>> On 3/11/2019 18:06, Pritha Srivastava <prsri...@redhat.com> wrote:
>>
>> Hi Myxingkong,
>>
>> Can you explain what you mean by 'enabling restful modules', particularly
>> which document are you referring to?
>>
>> Right now there is no other way to attach a permission policy to a user.
>>
>> There is work in progress for adding functionality to RGW using which
>> such calls can be scripted using boto.
>>
>> Thanks,
>> Pritha
>>
>> On Mon, Mar 11, 2019 at 3:21 PM myxingkong <ad...@xingkong.io> wrote:
>>
>>> Hello:
>>>
>>> I want to use the GetSessionToken method to get the temporary
>>> credentials, but according to the answer given in the official
>>> documentation, I need to attach a permission policy to the user before I
>>> can use the GetSessionToken method.
>>>
>>> This is the command for the additional permission policy provided by the
>>> official documentation:
>>>
>>> s3curl.pl --debug --id admin -- -s -v -X POST "http://localhost:8000/?Action=PutUserPolicy&PolicyName=Policy1&UserName=TESTER1&PolicyDocument=\{\"Version\":\"2012-10-17\",\"Statement\":\[\{\"Effect\":\"Deny\",\"Action\":\"s3:*\",\"Resource\":\[\"*\"\],\"Condition\":\{\"BoolIfExists\":\{\"sts:authentication\":\"false\"\}\}\},\{\"Effect\":\"Allow\",\"Action\":\"sts:GetSessionToken\",\"Resource\":\"*\",\"Condition\":\{\"BoolIfExists\":\{\"sts:authentication\":\"false\"\}\}\}\]\}&Version=2010-05-08"
>>>
>>>
>>> This requires enabling restful modules to execute this command.
>>>
>>> I configured the restful module according to the documentation, but
>>> without success, I was unable to configure the SSL certificate.
>>>
>>> ceph config-key set mgr/restful/crt -i restful.crt
>>>
>>> WARNING: it looks like you might be trying to set a ceph-mgr module
>>> configuration key. Since Ceph 13.0.0 (Mimic), mgr module configuration is
>>> done with `config set`, and new values set using `config-key set` will be
>>> ignored.
>>> set mgr/restful/crt
>>>
>>> Can someone tell me if there is a way to configure a restful module's
>>> certificate, or if there is another way to attach permission policies to
>>> users?
>>>
>>> Thanks,
>>> myxingkong
>>> _______________________________________________
>>> ceph-users mailing list
>>> ceph-users@lists.ceph.com
>>> http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
>>>
>>
_______________________________________________
ceph-users mailing list
ceph-users@lists.ceph.com
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
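
An added example, not part of the original thread or of Ceph's own code: the PutUserPolicy request from the steps above, built in Python so the policy document is percent-encoded by the library rather than hand-escaped for the shell, plus the `Authorization: AWS <key>:<signature>` value (AWS signature version 2) seen in the trace. The function names are hypothetical, and the signing assumes S3 REST v2 canonicalization, where the Action/PolicyDocument query parameters are not part of the signed resource.

```python
import base64
import hashlib
import hmac
import json
from email.utils import formatdate
from urllib.parse import urlencode

# Policy document from the thread: deny S3 and allow only
# sts:GetSessionToken while sts:authentication is false.
NOT_STS = {"BoolIfExists": {"sts:authentication": "false"}}
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny", "Action": "s3:*", "Resource": ["*"],
         "Condition": NOT_STS},
        {"Effect": "Allow", "Action": "sts:GetSessionToken",
         "Resource": "*", "Condition": NOT_STS},
    ],
}


def put_user_policy_url(endpoint, user_name, policy_name, policy):
    """Build the PutUserPolicy URL with the policy percent-encoded."""
    query = urlencode({
        "Action": "PutUserPolicy",
        "PolicyName": policy_name,
        "UserName": user_name,
        "PolicyDocument": json.dumps(policy, separators=(",", ":")),
        "Version": "2010-05-08",
    })
    return f"{endpoint}/?{query}"


def sign_v2(access_key, secret_key, method, date, resource="/"):
    """Signature v2 for an empty-body request with no x-amz-* headers."""
    # String to sign: verb, Content-MD5, Content-Type, Date, resource.
    to_sign = f"{method}\n\n\n{date}\n{resource}"
    mac = hmac.new(secret_key.encode(), to_sign.encode(), hashlib.sha1)
    return f"AWS {access_key}:{base64.b64encode(mac.digest()).decode()}"


if __name__ == "__main__":
    # Test users and endpoint taken from the steps in the thread.
    url = put_user_policy_url("http://localhost:8000", "TESTER", "Policy1", POLICY)
    date = formatdate(usegmt=True)
    print(url)
    print("Date:", date)
    print("Authorization:", sign_v2("TESTER1", "test123", "POST", date))
```

The printed `Date` and `Authorization` values must be sent as headers on the same POST; the signature covers the date, so a stale or mismatched `Date` header makes the gateway reject the request.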
