Mirantis Container Cloud (MCC) becomes part of Mirantis OpenStack for Kubernetes (MOSK)!
Starting with MOSK 25.2, the MOSK documentation set covers all product layers, including MOSK management (formerly Container Cloud). This means everything you need is in one place. Some legacy names may remain in the code and documentation and will be updated in future releases. The separate Container Cloud documentation site will be retired, so please update your bookmarks for continued easy access to the latest content.
Set a bucket policy for a Ceph Object Storage user
Warning

This procedure is valid for MOSK clusters that use the MiraCeph custom resource (CR), which is available since MOSK 25.2 to replace the deprecated KaaSCephCluster. For the equivalent procedure with the KaaSCephCluster CR, refer to the corresponding KaaSCephCluster section of the documentation.
Amazon S3 is an object storage service with different access policies. A bucket policy is a resource-based policy that grants permissions on a bucket and the objects in it. For more details, see Amazon S3 documentation: Using bucket policies.
The following procedure illustrates the process of setting a bucket policy for a bucket (test01) stored in a Ceph Object Storage. The bucket policy requires at least two users: a bucket owner (user-a) and a bucket user (user-t). The bucket owner creates the bucket and sets the policy that regulates access for the bucket user. Without the policy, user-t has no access to test01; the bucket owner keeps full access through the bucket ACL, and the policy only adds the permissions explicitly granted to user-t.
Caution

For user names, use the UUID format with no capital letters.
To configure an Amazon S3 bucket policy:
Note

s3cmd is a free command-line tool and client for uploading, retrieving, and managing data in Amazon S3 and other cloud storage service providers that use the S3 protocol. You can download the s3cmd CLI tool from Amazon S3 tools: Download s3cmd.
Configure the s3cmd client with the user-a credentials:

    s3cmd --configure --ca-certs=ca.crt
Specify the bucket access parameters as required:

Bucket access parameters

Access Key
    Public part of the access credentials. Specify the user access key.
Secret Key
    Secret part of the access credentials. Specify the user secret key.
Default Region
    Region of AWS servers where requests are sent by default. Use the default value.
S3 Endpoint
    Connection point to the Ceph Object Storage. Specify the Ceph Object Storage public endpoint.
DNS-style bucket+hostname:port template for accessing a bucket
    Bucket location template. Specify the Ceph Object Storage public endpoint.
Path to GPG program
    Path to the GNU Privacy Guard encryption suite. Use the default value.
Use HTTPS protocol
    HTTPS protocol switch. Specify Yes.
HTTP Proxy server name
    HTTP proxy server name. Skip this parameter.

When configured correctly, the s3cmd tool connects to the Ceph Object Storage and verifies the endpoint certificate against ca.crt; do not disable certificate checking to work around a connection failure. Save the new settings when prompted by the system.
As user-a, create a new bucket test01:

    s3cmd mb s3://test01

Example of a positive system response:

    Bucket 's3://test01/' created
Upload an object to the bucket:

    touch test.txt
    s3cmd put test.txt s3://test01

Example of a positive system response:

    upload: 'test.txt' -> 's3://test01/test.txt'  [1 of 1]
     0 of 0     0% in    0s     0.00 B/s  done
Verify that the object is in the test01 bucket:

    s3cmd ls s3://test01

Example of a positive system response:

    2022-09-02 13:06            0   s3://test01/test.txt
Create the bucket policy file policy.json and add list, read, and write permissions on test01 for user-t. The principal is the Ceph Object Storage user in the arn:aws:iam:::user/<user> format (the tenant field between the colons is empty). The s3:ListBucket action is evaluated against the bucket ARN, while s3:GetObject and s3:PutObject are evaluated against the object ARN, so Resource must list both. The policy deliberately grants no s3:DeleteObject, so user-t can add and read objects but cannot delete them:

    {
      "Version": "2012-10-17",
      "Id": "S3Policy1",
      "Statement": [
        {
          "Sid": "BucketAllow",
          "Effect": "Allow",
          "Principal": {
            "AWS": ["arn:aws:iam:::user/user-t"]
          },
          "Action": [
            "s3:ListBucket",
            "s3:PutObject",
            "s3:GetObject"
          ],
          "Resource": [
            "arn:aws:s3:::test01",
            "arn:aws:s3:::test01/*"
          ]
        }
      ]
    }
Set the bucket policy for the test01 bucket:

    s3cmd setpolicy policy.json s3://test01

Example of a positive system response:

    s3://test01/: Policy updated
Verify that user-t has access to the test01 bucket by reconfiguring the s3cmd client with the user-t credentials:

    s3cmd --ca-certs=ca.crt --configure

Specify the bucket access parameters as in step 1. When configured correctly, the s3cmd tool connects to the Ceph Object Storage. Save the new settings when prompted by the system.
Verify that user-t can read the test01 bucket content:

    s3cmd ls s3://test01

Example of a positive system response:

    2022-09-02 13:06            0   s3://test01/test.txt
Download the object from the test01 bucket:

    s3cmd get s3://test01/test.txt check.txt

Example of a positive system response:

    download: 's3://test01/test.txt' -> 'check.txt'  [1 of 1]
     0 of 0     0% in    0s     0.00 B/s  done
Upload a new object to the test01 bucket:

    s3cmd put check.txt s3://test01

Example of a positive system response:

    upload: 'check.txt' -> 's3://test01/check.txt'  [1 of 1]
     0 of 0     0% in    0s     0.00 B/s  done
Verify that the object is in the test01 bucket:

    s3cmd ls s3://test01

Example of a positive system response:

    2022-09-02 14:41            0   s3://test01/check.txt
    2022-09-02 13:06            0   s3://test01/test.txt
Verify the new object by reconfiguring the s3cmd client with the user-a credentials:

    s3cmd --configure --ca-certs=ca.crt
List the test01 bucket objects:

    s3cmd ls s3://test01

Example of a positive system response:

    2022-09-02 14:41            0   s3://test01/check.txt
    2022-09-02 13:06            0   s3://test01/test.txt
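The following Python script is an added example for this page; it is not part of the MOSK documentation or of Ceph. It rebuilds the policy.json used above for test01 and user-t from the bucket name, the list of users, and the required actions, and lints the result before it is passed to s3cmd setpolicy: it flags an anonymous Principal (*), wildcard actions, principal ARNs that do not follow the lower-case arn:aws:iam:::user/<uid> format, and actions whose resource ARN type is missing (s3:ListBucket is evaluated against the bucket ARN, s3:GetObject and s3:PutObject against arn:aws:s3:::<bucket>/*). The action sets and the over-broad counter-example policy are constructed for the demonstration and are not taken from the page.

```python
"""Build and lint a least-privilege bucket policy for the Ceph Object Storage.

Added example for this page, not code from the MOSK documentation or from Ceph.
Assumes the Ceph RGW principal format arn:aws:iam::<tenant>:user/<uid> with an
empty tenant, as in policy.json above; the action sets below are a constructed
subset of the S3 actions RGW evaluates.
"""
import json
import re

# Actions evaluated against the bucket ARN (arn:aws:s3:::<bucket>) ...
BUCKET_ACTIONS = {"s3:ListBucket", "s3:GetBucketLocation", "s3:ListBucketMultipartUploads"}
# ... and actions evaluated against object ARNs (arn:aws:s3:::<bucket>/*).
OBJECT_ACTIONS = {"s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:AbortMultipartUpload"}

# RGW user principal with a lower-case uid (the Caution above asks for lower-case names).
RGW_USER_ARN = re.compile(r"^arn:aws:iam::[a-z0-9-]*:user/[a-z0-9-]+$")


def rgw_user_arn(uid, tenant=""):
    """Principal ARN of an RGW user; the tenant field stays empty for non-tenanted users."""
    return f"arn:aws:iam::{tenant}:user/{uid}"


def _as_list(value):
    """IAM accepts a string or a list in Principal, Action and Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def build_bucket_policy(bucket, users, actions, sid="BucketAllow", policy_id="S3Policy1"):
    """Return a single-statement Allow policy granting `actions` on `bucket` to `users`.

    Only the resource types the requested actions need are emitted, and nothing
    beyond the listed actions (no s3:DeleteObject unless asked for explicitly).
    """
    wanted = set(actions)
    unknown = wanted - BUCKET_ACTIONS - OBJECT_ACTIONS
    if unknown:
        raise ValueError(f"unsupported or wildcard actions: {sorted(unknown)}")
    resources = []
    if wanted & BUCKET_ACTIONS:
        resources.append(f"arn:aws:s3:::{bucket}")
    if wanted & OBJECT_ACTIONS:
        resources.append(f"arn:aws:s3:::{bucket}/*")
    return {
        "Version": "2012-10-17",
        "Id": policy_id,
        "Statement": [{
            "Sid": sid,
            "Effect": "Allow",
            "Principal": {"AWS": [rgw_user_arn(u) for u in users]},
            "Action": sorted(wanted),
            "Resource": resources,
        }],
    }


def lint_bucket_policy(policy):
    """Return findings for the Allow statements; an empty list means the policy passed.

    Checks: anonymous principal, malformed RGW principal ARNs, wildcard actions,
    and actions whose resource type (bucket vs object ARN) is missing.
    """
    findings = []
    for st in policy.get("Statement", []):
        sid = st.get("Sid", "<no Sid>")
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal")
        # Principal is either {"AWS": ...} or a bare string such as "*".
        aws = _as_list(principal.get("AWS")) if isinstance(principal, dict) else _as_list(principal)
        if "*" in aws:
            findings.append(f"{sid}: Principal '*' grants anonymous (public) access")
        for arn in aws:
            if arn != "*" and not RGW_USER_ARN.match(arn):
                findings.append(f"{sid}: principal {arn!r} is not a lower-case RGW user ARN")
        actions = set(_as_list(st.get("Action")))
        if any(a.endswith("*") for a in actions):
            findings.append(f"{sid}: wildcard action grants more than list/read/write")
        resources = set(_as_list(st.get("Resource")))
        wild = "*" in resources
        has_bucket = wild or any(re.fullmatch(r"arn:aws:s3:::[^/]+", r) for r in resources)
        has_object = wild or any(re.fullmatch(r"arn:aws:s3:::[^/]+/.*", r) for r in resources)
        if actions & BUCKET_ACTIONS and not has_bucket:
            findings.append(f"{sid}: bucket-level actions need the bucket ARN arn:aws:s3:::<bucket>")
        if actions & OBJECT_ACTIONS and not has_object:
            findings.append(f"{sid}: object-level actions need arn:aws:s3:::<bucket>/*")
    return findings


if __name__ == "__main__":
    # The policy.json of the procedure above: list, read and write for user-t on test01.
    policy = build_bucket_policy("test01", ["user-t"], ["s3:ListBucket", "s3:PutObject", "s3:GetObject"])
    print(json.dumps(policy, indent=2))
    print("findings:", lint_bucket_policy(policy) or "none")
    # Constructed counter-example: anonymous principal and s3:* on the same bucket.
    public = {"Version": "2012-10-17", "Statement": [{"Sid": "Open", "Effect": "Allow",
              "Principal": "*", "Action": "s3:*", "Resource": "arn:aws:s3:::test01/*"}]}
    for finding in lint_bucket_policy(public):
        print("finding:", finding)
```

Write the output of build_bucket_policy to policy.json and run the linter on any policy before s3cmd setpolicy; a non-empty findings list means the policy grants more than the list, read, and write access the procedure intends, or is missing the resource ARN that one of its actions needs and will not work as expected.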