Ceph S3 用户和子用户权限如何协同工作?

How do Ceph S3 user and subuser permissions work together?

我有以下用户配置:

namespace: s3test
user:      s3test
  subuser:   backup (set up with s3 credentials instead of swift)

我想定义一个存储桶策略,明确阻止备份用户将数据放入名为 hedgehogs 的存储桶,该存储桶由 s3test 用户创建:

{
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyPutToHedgehogsForBackup",
                "Effect": "Deny",
                "Principal": {
                    "CanonicalUser": "s3test:backup"
                },
                "Action": ["s3:PutObject"],
                "Resource": [
                    "arn:aws:s3:::hedgehogs/*"
                ]
            }
        ]
}

但是,这似乎阻止了 s3tests3test:backup 放入 hedgehogs

我的策略语法有问题吗?这是否意味着配置了 s3 凭据的子用户只是使用主用户权限访问 s3 的另一种方式?

您的存储桶策略应该是这样的:

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Deny",
    "Principal": {"AWS": ["arn:aws:iam:::user/s3test:backup"]},
    "Action": "s3:PutObject",
    "Resource": [
      "arn:aws:s3:::hedgehogs/*"
    ]
  }]
}