Bucket Policy
Bucket policies open the door to sharing S3 data: by setting a bucket policy, a bucket can grant certain users some access permissions, or deny certain users some access permissions.
Ceph RGW bucket policies are managed through the standard S3 API, not through radosgw-admin; here we use s3cmd as the example.
- Create two users, as shown below:
🍺 /root/go/src/smd ☞ git:(main) ✗radosgw-admin user list
[
"zl-rw",
"zl-ro"
]
- Create a few buckets under the zl-rw user:
➜ /root/go/src/smd ☞ git:(main) ✗ s3cmd ls
2022-11-18 04:01 s3://bucket3
2022-11-18 04:01 s3://simulation-platform-dev
2022-11-18 04:01 s3://simulation-platform-prod
2022-11-18 04:13 s3://simulation-platform-staging
- Setting a bucket policy gives the zl-ro user the corresponding access to the bucket. Note: if several users are meant to write, every writer must also be listed in the policy; otherwise objects written by one user cannot be accessed by another.
➜ /root/go/src/smd ☞ git:(main) ✗ cat policy_ro.json
{
  "Version": "2012-10-17",
  "Id": "policy-read-any",
  "Statement": [
    {
      "Sid": "read-any",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam:::user/zl-ro"
        ]
      },
      "Action": [
        "s3:ListBucket",
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::simulation-platform-prod",
        "arn:aws:s3:::simulation-platform-prod/*"
      ]
    },
    {
      "Sid": "readwrite-any",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam:::user/zl-rw"
        ]
      },
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "arn:aws:s3:::simulation-platform-prod",
        "arn:aws:s3:::simulation-platform-prod/*"
      ]
    }
  ]
}
Configuration notes
- Version: fixed at "2012-10-17"
- Id: an arbitrary policy name
- Statement, Sid: the statement name
- Statement, Effect: Allow or Deny
- Statement, Principal: the format is "Principal":{"AWS":"arn:aws:iam::<tenant>:user/<username>"}
- Statement, Action: the operations permitted; the list of operations that can currently be set is in the official Ceph documentation
- Statement, Resource: the resources the statement is limited to, which normally means buckets:
  - "arn:aws:s3:::*" - the bucket and all of its objects
  - "arn:aws:s3:::mybucket/*" - all objects of mybucket
  - "arn:aws:s3:::mybucket/myfolder/*" - all objects that are subkeys of myfolder in mybucket
- Set the bucket policy:
➜ /root/go/src/smd ☞ git:(main) ✗ s3cmd setpolicy policy_ro.json s3://simulation-platform-prod
s3://simulation-platform-prod/: Policy updated
- Switch to the zl-ro user:
➜ /root/go/src/smd ☞ git:(main) ✗ s3cmd ls
🍺 /root/go/src/smd ☞ git:(main) ✗ s3cmd ls s3://simulation-platform-staging/
ERROR: Access to bucket 'simulation-platform-staging' was denied
ERROR: S3 error: 403 (AccessDenied)
➜ /root/go/src/smd ☞ git:(main) ✗ s3cmd ls s3://simulation-platform-dev
ERROR: Access to bucket 'simulation-platform-dev' was denied
ERROR: S3 error: 403 (AccessDenied)
➜ /root/go/src/smd ☞ git:(main) ✗ s3cmd ls s3://simulation-platform-prod
DIR s3://simulation-platform-prod/batch-2tj29/
DIR s3://simulation-platform-prod/batch-j7vzw/
DIR s3://simulation-platform-prod/batch-j9k5f/
DIR s3://simulation-platform-prod/batch-mwk4q/
DIR s3://simulation-platform-prod/batch-mxgvq/
DIR s3://simulation-platform-prod/batch-qg7v8/
DIR s3://simulation-platform-prod/batch-tn6ng/
Write operations are denied:
🍺 /root/go/src/smd ☞ git:(main) ✗ s3cmd put policy_ro.json s3://simulation-platform-prod
upload: 'policy_ro.json' -> 's3://simulation-platform-prod/policy_ro.json' [1 of 1]
426 of 426 100% in 0s 126.56 KB/s done
ERROR: S3 error: 403 (AccessDenied)
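As an added example, not code from the original post: the following Python builds a policy with the same layout as policy_ro.json from lists of read-only and read-write users, and evaluates requests against it with a simplified offline model of S3 policy logic, so the behaviour observed above (zl-ro can list and read simulation-platform-prod, but cannot write to it or list the other buckets, and an unlisted second writer gets nothing) can be checked before running s3cmd setpolicy. The user and bucket names are the ones on this page; any other user name is hypothetical.

```python
# Added example (not from the original post): build the bucket policy shown
# above from a list of users and reason about it offline. The evaluator is a
# simplified model of S3 policy logic (explicit Deny wins over Allow, no match
# means denied); for the real decision, test against RGW as the post does.
import fnmatch

RO_ACTIONS = ["s3:ListBucket", "s3:GetObject"]


def user_arn(name, tenant=""):
    # Ceph RGW principal: arn:aws:iam::<tenant>:user/<name>. Users created
    # without a tenant get an empty tenant field, hence "arn:aws:iam:::user/".
    return f"arn:aws:iam::{tenant}:user/{name}"


def build_policy(bucket, ro_users, rw_users):
    """Read-only users get ListBucket/GetObject; every writer must be listed
    in rw_users, otherwise objects one writer uploads are invisible to others."""
    # ListBucket applies to the bucket ARN, GetObject/PutObject to bucket/*
    resources = [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]
    statements = []
    if ro_users:
        statements.append({"Sid": "read-any", "Effect": "Allow",
                           "Principal": {"AWS": [user_arn(u) for u in ro_users]},
                           "Action": RO_ACTIONS, "Resource": resources})
    if rw_users:
        statements.append({"Sid": "readwrite-any", "Effect": "Allow",
                           "Principal": {"AWS": [user_arn(u) for u in rw_users]},
                           "Action": ["s3:*"], "Resource": resources})
    return {"Version": "2012-10-17", "Id": "policy-read-any", "Statement": statements}


def is_allowed(policy, user, action, resource):
    """Simplified evaluation: a matching Deny ends it; else any matching Allow."""
    allowed = False
    for st in policy["Statement"]:
        principals = st["Principal"]["AWS"]
        if "*" not in principals and user_arn(user) not in principals:
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in st["Action"]):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in st["Resource"]):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed
```

json.dumps(build_policy(...), indent=2) written to a file gives the document that s3cmd setpolicy takes.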