Set a bucket policy for a Ceph Object Storage user¶
Available since 2.23.1 (Cluster release 12.7.0)
Amazon S3 is an object storage service with different access policies. A bucket policy is a resource-based policy that grants permissions to a bucket and objects in it. For more details, see Amazon S3 documentation: Using bucket policies .
The following procedure illustrates the process of setting a bucket policy for
a bucket (test01
) stored in a Ceph Object Storage. The bucket policy
requires at least two users: a bucket owner (user-a
) and a bucket user
(user-t
). The bucket owner creates the bucket and sets the policy that
regulates access for the bucket user.
Caution
For user name
, apply the UUID format with no capital letters.
To configure an Amazon S3 bucket policy:
Note
The s3cmd is a free command-line tool and client for uploading, retrieving, and managing data in Amazon S3 and other cloud storage service providers that use the S3 protocol. You can download the s3cmd CLI tool from Amazon S3 tools: Download s3cmd.
Configure the s3cmd client with the
user-a
credentials:s3cmd --configure --ca-certs=ca.crt
Specify the bucket access parameters as required:
¶ Parameter
Description
Comment
Access Key
Public part of access credentials.
Specify a user access key.
Secret Key
Secret part of access credentials.
Specify a user secret key.
Default Region
Region of AWS servers where requests are sent by default.
Use the default value.
S3 Endpoint
Connection point to the Ceph Object Storage.
Specify the Ceph Object Storage public endpoint.
DNS-style bucket+hostname:port template for accessing a bucket
Bucket location.
Specify the Ceph Object Storage public endpoint.
Path to GPG program
Path to the GNU Privacy Guard encryption suite.
Use the default value.
Use HTTPS protocol
HTTPS protocol switch.
Specify
Yes
.HTTP Proxy server name
HTTP Proxy server name.
Skip this parameter.
When configured correctly, the s3cmd tool connects to the Ceph Object Storage. Save new settings when prompted by the system.
As
user-a
, create a new buckettest01
:s3cmd mb s3://test01
Example of a positive system response:
Bucket 's3://test01/' created
Upload an object to the bucket:
touch test.txt s3cmd put test.txt s3://test01
Example of a positive system response:
upload: 'test.txt' -> 's3://test01/test.txt' [1 of 1] 0 of 0 0% in 0s 0.00 B/s done
Verify that the object is in the
test01
bucket:s3cmd ls s3://test01
Example of a positive system response:
2022-09-02 13:06 0 s3://test01/test.txt
Create the bucket policy file and add bucket CRUD permissions for
user-t
:{ "Version": "2012-10-17", "Id": "S3Policy1", "Statement": [ { "Sid": "BucketAllow", "Effect": "Allow", "Principal": { "AWS": ["arn:aws:iam:::user/user-t"] }, "Action": [ "s3:ListBucket", "s3:PutObject", "s3:GetObject" ], "Resource": [ "arn:aws:s3:::test01", "arn:aws:s3:::test01/*" ] } ] }
Set the bucket policy for the
test01
bucket:s3cmd setpolicy policy.json s3://test01
Example of a positive system response:
s3://test01/: Policy updated
Verify that the
user-t
has access for thetest01
bucket by reconfiguring the s3cmd client with theuser-t
credentials:s3cmd --ca-certs=ca.crt --configure
Specify the bucket access parameters in a similar to the step 1 manner.
When configured correctly, the s3cmd tool connects to the Ceph Object Storage. Save new settings when prompted by the system.
Verify that the
user-t
can read the buckettest01
content:s3cmd ls s3://test01
Example of a positive system response:
2022-09-02 13:06 0 s3://test01/test.txt
Download the object from the
test01
bucket:s3cmd get s3://test01/test.txt check.txt
Example of a positive system response:
download: 's3://test01/test.txt' -> 'check.txt' [1 of 1] 0 of 0 0% in 0s 0.00 B/s done
Upload a new object to the
test01
bucket:s3cmd put check.txt s3://test01
Example of a positive system response:
upload: 'check.txt' -> 's3://test01/check.txt' [1 of 1] 0 of 0 0% in 0s 0.00 B/s done
Verify that the object is in the
test01
bucket:s3cmd ls s3://test01
Example of a positive system response:
2022-09-02 14:41 0 s3://test01/check.txt 2022-09-02 13:06 0 s3://test01/test.txt
Verify the new object by reconfiguring the s3cmd client with the
user-a
credentials:s3cmd --configure --ca-certs=ca.crt
List
test01
bucket objects:s3cmd ls s3://test01
Example of a positive system response:
2022-09-02 14:41 0 s3://test01/check.txt 2022-09-02 13:06 0 s3://test01/test.txt