A bucket policy is the gateway to sharing S3 data. The policy is attached to a bucket through the S3 API and lets the bucket grant selected users certain permissions, or deny selected users certain permissions.
Environment
- Ceph cluster version: mimic
- RGW version: nautilus
- One realm containing one master zonegroup
- The master zonegroup contains two zones: exter (the master zone) and backup
- The master zonegroup contains two placements, default-placement and cold-placement:
  default-placement stores data in exter.rgw.buckets.{data, index, non-ec}
  cold-placement stores data in exter.rgw.cold.{data, index, non-ec}
- Four users were created in zone exter, split between the ours tenant and the default tenant:
  default tenant: colder and admin
  ours tenant: ourone and ourtwo
- colder uses cold-placement; every other user uses default-placement
Usage
Policy JSON example:

```json
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": ["*"]},
    "Action": "s3:*",
    "Resource": [
      "arn:aws:s3:::my-cold-bucket",
      "arn:aws:s3:::my-cold-bucket/*"
    ]
  }]
}
```
Field descriptions:
- Version: either 2008-10-17 or 2012-10-17. That is simply how AWS defines it; there is no deeper reason behind the dates.
- Effect: Allow or Deny.
- Principal: who performs the operation, e.g. "arn:aws:iam:::user/" followed by the uid (this example still needs verification at this point; the tests below confirm arn:aws:iam:::user/admin for a default-tenant user and arn:aws:iam::ours:user/two for a user in tenant ours, i.e. the tenant goes into the account field of the ARN and stays empty for the default tenant).
- Action: the operations being allowed or denied.
- Resource: the objects the operations apply to.
- Condition: conditions under which the statement applies.
For the full set of supported keywords see src/rgw/rgw_iam_policy_keywords.gperf in the Ceph source tree.
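As an added example (my own code, not code from the original post or from Ceph), the following Python builds a policy of the shape described above from RGW-style user ids, so that a tenant user such as ours$two ends up with the tenant in the account field of its ARN and a default-tenant user such as admin with an empty one, and then writes the document with boto 2, the client the post falls back to later. The helper names (principal_arn, build_policy, tenant_bucket), the RGW endpoint, the access keys and the owner connection in the __main__ section are assumptions for illustration, not values from the post.

```python
import json


def principal_arn(uid):
    """Turn an RGW uid into the Principal ARN form the post's tests confirm.

    RGW writes a tenant user as 'tenant$uid'; the tenant becomes the account
    field of the ARN (arn:aws:iam::ours:user/two).  A user of the default
    tenant has an empty account field (arn:aws:iam:::user/admin).
    """
    if uid == "*":
        return "*"
    tenant, _, name = uid.rpartition("$")
    return "arn:aws:iam::%s:user/%s" % (tenant, name)


def bucket_resources(bucket):
    """Both ARNs a statement needs: the bucket itself and every key in it."""
    return ["arn:aws:s3:::%s" % bucket, "arn:aws:s3:::%s/*" % bucket]


def build_policy(bucket, statements):
    """Build a policy document for one bucket.

    statements: list of (effect, principals, actions) tuples, e.g.
      ("Allow", ["ours$two", "admin"], "s3:*")
    actions may be a single action string or a list of them.
    """
    doc = {"Version": "2012-10-17", "Statement": []}
    for effect, principals, actions in statements:
        if effect not in ("Allow", "Deny"):
            raise ValueError("Effect must be Allow or Deny, got %r" % (effect,))
        doc["Statement"].append({
            "Effect": effect,
            "Principal": {"AWS": [principal_arn(p) for p in principals]},
            "Action": actions,
            "Resource": bucket_resources(bucket),
        })
    return doc


def tenant_bucket(tenant, bucket):
    """Name a bucket from outside its tenant: 'tenant:bucket', or ':bucket'
    for a bucket in the default tenant (the form the post's boto script uses)."""
    return "%s:%s" % (tenant, bucket)


if __name__ == "__main__":
    # Apply the policy with boto 2 as the bucket owner.  Endpoint and keys are
    # placeholders (assumptions), not values from the post.
    import boto
    import boto.s3.connection

    policy = build_policy("ouronebucket", [
        ("Allow", ["admin"], "s3:*"),                               # full access for admin
        ("Allow", ["ours$two"], ["s3:GetObject", "s3:ListBucket"]),  # read-only for ours$two
    ])
    print(json.dumps(policy, indent=2))

    conn = boto.connect_s3(
        aws_access_key_id="OURONE_ACCESS_KEY",       # placeholder
        aws_secret_access_key="OURONE_SECRET_KEY",   # placeholder
        host="rgw.example.internal", port=7480, is_secure=False,
        # path-style addressing, so a tenant:bucket name can go into the URL path
        calling_format=boto.s3.connection.OrdinaryCallingFormat())
    # the owner addresses its own bucket without a tenant prefix
    bkt = conn.get_bucket("ouronebucket")
    bkt.set_policy(json.dumps(policy))
    print(bkt.get_policy())
```

Keeping the ARN construction in one place avoids the easy mistake of putting the tenant into the path part of the ARN (user/ours$two) instead of the account field. When another tenant's user opens the bucket, pass tenant_bucket("ours", "ouronebucket") to get_bucket instead of the bare name.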
Tests
Purpose
Work out how to configure access within a tenant and access across tenants.
Method
User ours$ourone creates a bucket named ouronebucket and sets this policy on it:

```json
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": ["arn:aws:iam::ours:user/ourtwo", "arn:aws:iam:::user/admin"]},
    "Action": "s3:*",
    "Resource": [
      "arn:aws:s3:::ouronebucket",
      "arn:aws:s3:::ouronebucket/*"
    ]
  }]
}
```

Write the policy to the bucket with s3cmd:

```shell
s3cmd setpolicy policy.json s3://ouronebucket
```
User colder creates a bucket named my-cold-bucket and sets this policy on it:

```json
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": ["*"]},
    "Action": "s3:*",
    "Resource": [
      "arn:aws:s3:::my-cold-bucket",
      "arn:aws:s3:::my-cold-bucket/*"
    ]
  }]
}
```

Write the policy to the bucket with s3cmd:

```shell
s3cmd setpolicy policy.json s3://my-cold-bucket
```
Accessing my-cold-bucket as admin

```
$ s3cmd -c ./admin.cfg ls s3://my-cold-bucket
2019-10-17 09:06       207   s3://my-cold-bucket/admin.cfg
2019-10-16 08:40   8478720   s3://my-cold-bucket/tgt.tar
```

Access within the same tenant works as expected.
Accessing ouronebucket as admin

```
$ s3cmd -c ./admin.cfg ls s3://ouronebucket
ERROR: Bucket 'ouronebucket' does not exist
ERROR: S3 error: 404 (NoSuchBucket)
$ s3cmd -c ./admin.cfg ls s3://ours:ouronebucket
ERROR: S3 error: 403 (SignatureDoesNotMatch)
```

The unqualified name is looked up in admin's own (default) tenant, where no such bucket exists, hence the 404. The tenant-qualified form ours:ouronebucket fails before the policy is consulted at all: the request signature does not verify, which points at the client's handling of the tenant:bucket name rather than at the policy.
Accessing my-cold-bucket as ourtwo

```
$ s3cmd -c ./ours_two.cfg ls s3://my-cold-bucket
ERROR: Bucket 'my-cold-bucket' does not exist
ERROR: S3 error: 404 (NoSuchBucket)
$ s3cmd -c ./ours_two.cfg ls s3://:my-cold-bucket
ERROR: S3 error: 403 (SignatureDoesNotMatch)
```

The same pattern in the other direction: my-cold-bucket does not exist in tenant ours (404), and the default-tenant form :my-cold-bucket again fails at the signature check.
Accessing ouronebucket as ourtwo

```
$ s3cmd -c ./ours_two.cfg ls s3://ouronebucket
ERROR: Access to bucket 'ouronebucket' was denied
ERROR: S3 error: 403 (AccessDenied)
$ s3cmd -c ./ours_two.cfg ls s3://ours:ouronebucket
ERROR: S3 error: 403 (SignatureDoesNotMatch)
```

Here the unqualified name does resolve, because ourtwo is in tenant ours, but the request is rejected with AccessDenied: unlike SignatureDoesNotMatch, this is a genuine authorization decision, and the policy as written (Principal arn:aws:iam::ours:user/ourtwo) did not grant this user access.
Modification
Change the Principal in ouronebucket's policy to {"AWS": ["*"]} and try again:

```
$ s3cmd -c ./ours_two.cfg put ./ours_two.cfg s3://ouronebucket
WARNING: Module python-magic is not available. Guessing MIME types based on file extensions.
upload: './ours_two.cfg' -> 's3://ouronebucket/ours_two.cfg'  [1 of 1]
 207 of 207   100% in    0s   356.83 B/s  done
$ s3cmd -c ./ours_two.cfg ls s3://ouronebucket
2019-10-17 12:01       207   s3://ouronebucket/ours_two.cfg
```

With a wildcard Principal, ourtwo can both upload to and list ouronebucket, so the policy mechanism itself works within the tenant; what remains open is addressing a bucket from another tenant.
An article found online, "Rgw bucket policy权限设置", mentions that boto3 does not support tenants. Suspecting that s3cmd might not support them either, I wrote a small Python script with boto (the boto 2 API) to check:

```python
import boto
import boto.s3.connection

# One access/secret key pair per test user, each paired with a bucket in the
# other tenant.  (boto 2 API; boto3 is reported not to handle tenants.)
access_list = ["1CXO01UCDSR1182IUYPL", "8I4K2USDV5SK3UFLQUB0"]
secret_list = ["Ww0Io3b6fF7dXHQiO9gLo99DZbZAKqfvNO2N7g48", "A4JuvB468tmnDpmkZMfwesb2zmGZeSiCJlzJMALc"]
# Buckets are addressed as tenant:bucket; an empty tenant means the default tenant.
bucket_list = [":my-cold-bucket", "ours:ouronebucket"]

for access, secret, bucket in zip(access_list, secret_list, bucket_list):
    conn = boto.connect_s3(aws_access_key_id=access,
                           aws_secret_access_key=secret,
                           host='172.30.12.137', port=7480, is_secure=False,
                           # path-style addressing, so the tenant:bucket name goes
                           # into the URL path instead of a DNS label
                           calling_format=boto.s3.connection.OrdinaryCallingFormat())
    bkt = conn.get_bucket(bucket)   # HEAD on the bucket; raises on 403/404
    print(bkt.get_all_keys())
```
Run it:

```
# python bkt-policy.py
[<Key: :my-cold-bucket,admin.cfg>, <Key: :my-cold-bucket,tgt.tar>]
[<Key: ours:ouronebucket,ours_two.cfg>]
```

Cross-tenant access works once the client can address the bucket as tenant:bucket.
Now change the Principal of ouronebucket's policy to {"AWS": ["arn:aws:iam::ours:user/two", "arn:aws:iam:::user/admin"]}, so that only ours$two and admin are allowed in. Note that the ARN names the tenant user as two, whereas the environment list calls the user ourtwo: the Principal has to carry the uid exactly as RGW has it, with the tenant in the account field and an empty account field for default-tenant users. Run the same Python script again:

```
# python bkt-policy.py
[<Key: :my-cold-bucket,admin.cfg>, <Key: :my-cold-bucket,tgt.tar>]
[<Key: ours:ouronebucket,ours_two.cfg>]
```
Then add colder's access and secret key to the script, paired with ours:ouronebucket, and run it once more:

```
# python bkt-policy.py
[<Key: :my-cold-bucket,admin.cfg>, <Key: :my-cold-bucket,tgt.tar>]
[<Key: ours:ouronebucket,ours_two.cfg>]
Traceback (most recent call last):
  File "bkt-policy.py", line 22, in <module>
    bkt = conn.get_bucket(bucket)
  File "/usr/local/lib/python2.7/site-packages/boto/s3/connection.py", line 509, in get_bucket
    return self.head_bucket(bucket_name, headers=headers)
  File "/usr/local/lib/python2.7/site-packages/boto/s3/connection.py", line 542, in head_bucket
    raise err
boto.exception.S3ResponseError: S3ResponseError: 403 Forbidden
```
Because colder is not listed in the Principal, its request to ouronebucket is rejected with 403: a user the policy does not name gets no grant from it at all, which is the behaviour to rely on when opening a bucket to users of another tenant.
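To make the decisions seen in these tests reproducible without a cluster, here is an added example (my own code, not the post's and not RGW's evaluator): a small model of the evaluation order bucket policies follow, a matching Deny wins, a matching Allow grants, and no match at all is an implicit deny, applied to the post's two policies. The two policy documents are constructed from the post; the user list and the extra Deny statement on my-cold-bucket are assumptions added for illustration. It models only the policy step: RGW falls back to the bucket ACL when no statement matches, which is how the owner keeps access to its own bucket even though the policy never names it, so the model says "Deny" for the owner where the real gateway would consult the ACL.

```python
import fnmatch


def principal_arn(uid):
    """'tenant$uid' -> arn:aws:iam::tenant:user/uid; a default-tenant uid -> arn:aws:iam:::user/uid."""
    tenant, _, name = uid.rpartition("$")
    return "arn:aws:iam::%s:user/%s" % (tenant, name)


def _listify(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _glob(pattern, value):
    """IAM-style wildcard match: '*' is any run of characters, '?' a single one."""
    return fnmatch.fnmatchcase(value, pattern)


def _principal_matches(principal, uid):
    # "*" (or {"AWS": "*"}) means anyone; otherwise the caller's ARN must be listed.
    if principal == "*":
        return True
    arns = _listify(principal.get("AWS", []))
    return any(p == "*" or p == principal_arn(uid) for p in arns)


def evaluate(policy, uid, action, resource):
    """Decide 'Allow' or 'Deny' for uid performing action on the resource ARN.

    A statement applies only if principal, action and resource all match.
    A matching Deny is final; a matching Allow grants unless a later Deny
    matches; nothing matching is the implicit deny behind colder's 403.
    """
    decision = "Deny"
    for st in policy["Statement"]:
        if not _principal_matches(st["Principal"], uid):
            continue
        if not any(_glob(a, action) for a in _listify(st["Action"])):
            continue
        if not any(_glob(r, resource) for r in _listify(st["Resource"])):
            continue
        if st["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def access_matrix(policy, uids, bucket, action="s3:ListBucket"):
    """Map each uid to its decision for one action on the bucket ARN."""
    arn = "arn:aws:s3:::%s" % bucket
    return dict((uid, evaluate(policy, uid, action, arn)) for uid in uids)


# Constructed from the post's final ouronebucket policy: only ours$two and admin.
OURONE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": ["arn:aws:iam::ours:user/two", "arn:aws:iam:::user/admin"]},
        "Action": "s3:*",
        "Resource": ["arn:aws:s3:::ouronebucket", "arn:aws:s3:::ouronebucket/*"],
    }],
}

# The post's my-cold-bucket policy: a wildcard Principal opens it to everyone.
COLD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": ["*"]},
        "Action": "s3:*",
        "Resource": ["arn:aws:s3:::my-cold-bucket", "arn:aws:s3:::my-cold-bucket/*"],
    }],
}

# Assumed variant: the same open policy plus a Deny on deletes, to show Deny overriding Allow.
COLD_NO_DELETE = {
    "Version": "2012-10-17",
    "Statement": COLD_POLICY["Statement"] + [{
        "Effect": "Deny",
        "Principal": {"AWS": ["*"]},
        "Action": "s3:DeleteObject",
        "Resource": "arn:aws:s3:::my-cold-bucket/*",
    }],
}

if __name__ == "__main__":
    users = ["admin", "colder", "ours$two"]   # assumed test set
    print(access_matrix(OURONE_POLICY, users, "ouronebucket"))
    print(access_matrix(COLD_POLICY, users, "my-cold-bucket"))
    print(evaluate(COLD_NO_DELETE, "admin", "s3:DeleteObject", "arn:aws:s3:::my-cold-bucket/tgt.tar"))
```

Run against the post's policies the matrix reproduces the test results: admin and ours$two are allowed on ouronebucket and colder is not, while everyone is allowed on my-cold-bucket. The wildcard Deny in COLD_NO_DELETE also hits the bucket owner, which is the usual trap with Principal "*" in a Deny statement: remove the policy first if the owner ever needs the denied action back.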
References & acknowledgements