Set a bucket policy for OpenStack users¶
The following procedure illustrates the process of setting a bucket policy for a bucket between two OpenStack users.
Due to specifics of the Ceph integration with OpenStack projects, you should configure the bucket policy for OpenStack users indirectly through setting permissions for corresponding OpenStack projects.
For illustration purposes, we use the following names in the procedure:
test01
for the bucketuser-a
,user-t
for the OpenStack usersproject-a
,project-t
for the OpenStack projects
To configure an Amazon S3 bucket policy for OpenStack users:
Specify the
rookConfig
parameter in thecephClusterSpec
section of theKaaSCephCluster
custom resource:spec: cephClusterSpec: rookConfig: rgw keystone implicit tenants: "swift"
Prepare the Ceph Object Storage similarly to the procedure described in Create Ceph Object Storage users.
Create two OpenStack projects:
openstack project create project-a openstack project create project-t
Example of system response:
+-------------+----------------------------------+ | Field | Value | +-------------+----------------------------------+ | description | | | domain_id | default | | enabled | True | | id | faf957b776874a2e80384cb882ebf6ab | | is_domain | False | | name | project-a | | options | {} | | parent_id | default | | tags | [] | +-------------+----------------------------------+
You can also use existing projects. Save the ID of each project for the bucket policy specification.
Note
For details how to access OpenStack CLI, refer Access your OpenStack environment.
Create an OpenStack user for each project:
openstack user create user-a --project project-a openstack user create user-t --project project-t
Example of system response:
+---------------------+----------------------------------+ | Field | Value | +---------------------+----------------------------------+ | default_project_id | faf957b776874a2e80384cb882ebf6ab | | domain_id | default | | enabled | True | | id | cc2607dc383e4494948d68eeb556f03b | | name | user-a | | options | {} | | password_expires_at | None | +---------------------+----------------------------------+
You can also use existing project users.
Assign the
member
role to the OpenStack users:openstack role add member --user user-a --project project-a openstack role add member --user user-t --project project-t
Verify that the OpenStack users have obtained the
member
roles paying attention to the role IDs:openstack role show member
Example of system response:
+-------------+----------------------------------+ | Field | Value | +-------------+----------------------------------+ | description | None | | domain_id | None | | id | 8f0ce4f6cd61499c809d6169b2b5bd93 | | name | member | | options | {'immutable': True} | +-------------+----------------------------------+
List the role assignments for the
user-a
anduser-t
:openstack role assignment list --user user-a --project project-a openstack role assignment list --user user-t --project project-t
Example of system response:
+----------------------------------+----------------------------------+-------+----------------------------------+--------+--------+-----------+ | Role | User | Group | Project | Domain | System | Inherited | +----------------------------------+----------------------------------+-------+----------------------------------+--------+--------+-----------+ | 8f0ce4f6cd61499c809d6169b2b5bd93 | cc2607dc383e4494948d68eeb556f03b | | faf957b776874a2e80384cb882ebf6ab | | | False | +----------------------------------+----------------------------------+-------+----------------------------------+--------+--------+-----------+
Create Amazon EC2 credentials for
user-a
anduser-t
:openstack ec2 credentials create --user user-a --project project-a openstack ec2 credentials create --user user-t --project project-t
Example of system response:
+------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------+ | Field | Value | +------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------+ | access | d03971aedc2442dd9a79b3b409c32046 | | links | {'self': 'http://keystone-api.openstack.svc.cluster.local:5000/v3/users/cc2607dc383e4494948d68eeb556f03b/credentials/OS-EC2/d03971aedc2442dd9a79b3b409c32046'} | | project_id | faf957b776874a2e80384cb882ebf6ab | | secret | 0a9fd8d9e0d24aecacd6e75951154d0f | | trust_id | None | | user_id | cc2607dc383e4494948d68eeb556f03b | +------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------+
Obtain the values from the
access
andsecret
fields to connect with Ceph Object Storage trough the s3cmd tool.Note
The s3cmd is a free command-line tool for uploading, retrieving, and managing data in Amazon S3 and other cloud storage service providers that use the S3 protocol. You can download the s3cmd tool from Amazon S3 tools: Download s3cmd.
Create bucket users and configure a bucket policy for the
project-t
OpenStack project similarly to the procedure described in Set a bucket policy for a Ceph Object Storage user. Ceph integration does not allow providing permissions for OpenStack users directly. Therefore, you need to set permissions for the project that corresponds to the user:{ "Version": "2012-10-17", "Id": "S3Policy1", "Statement": [ { "Sid": "BucketAllow", "Effect": "Allow", "Principal": { "AWS": ["arn:aws:iam::<PROJECT-T_ID>:root"] }, "Action": [ "s3:ListBucket", "s3:PutObject", "s3:GetObject" ], "Resource": [ "arn:aws:s3:::test01", "arn:aws:s3:::test01/*" ] } ] }
Ceph Object Storage bucket policy examples¶
You can configure different bucket policies for various situations. See examples below.
Provide access to a bucket from one OpenStack project to another
{
"Version": "2012-10-17",
"Id": "S3Policy1",
"Statement": [
{
"Sid": "BucketAllow",
"Effect": "Allow",
"Principal": {
"AWS": ["arn:aws:iam::<osProjectId>:root"]
},
"Action": [
"s3:ListBucket",
"s3:PutObject",
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::<bucketName>",
"arn:aws:s3:::<bucketName>/*"
]
}
]
}
Substitute the following parameters:
<osProjectId>
- the target OpenStack project ID<bucketName>
- the target bucket name where the policy will be set
Provide access to a bucket from a Ceph Object Storage user to an OpenStack project
{
"Version": "2012-10-17",
"Id": "S3Policy1",
"Statement": [
{
"Sid": "BucketAllow",
"Effect": "Allow",
"Principal": {
"AWS": ["arn:aws:iam::<osProjectId>:root"]
},
"Action": [
"s3:ListBucket",
"s3:PutObject",
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::<bucketName>",
"arn:aws:s3:::<bucketName>/*"
]
}
]
}
Substitute the following parameters:
<osProjectId>
- the target OpenStack project ID<bucketName>
- the target bucket name where policy will be set
Provide access to a bucket from an OpenStack user to a Ceph Object Storage user
{
"Version": "2012-10-17",
"Id": "S3Policy1",
"Statement": [
{
"Sid": "BucketAllow",
"Effect": "Allow",
"Principal": {
"AWS": ["arn:aws:iam:::user/<userName>"]
},
"Action": [
"s3:ListBucket",
"s3:PutObject",
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::<bucketName>",
"arn:aws:s3:::<bucketName>/*"
]
}
]
}
Substitute the following parameters:
<userName>
- the target Ceph Object Storage user name<bucketName>
- the target bucket name where policy will be set
Provide access to a bucket from one Ceph Object Storage user to another
{
"Version": "2012-10-17",
"Id": "S3Policy1",
"Statement": [
{
"Sid": "BucketAllow",
"Effect": "Allow",
"Principal": {
"AWS": ["arn:aws:iam:::user/<userName>"]
},
"Action": [
"s3:ListBucket",
"s3:PutObject",
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::<bucketName>",
"arn:aws:s3:::<bucketName>/*"
]
}
]
}
Substitute the following parameters:
<userName>
- the target Ceph Object Storage user name<bucketName>
- the target bucket name where policy will be set