Ceph S3 用户和子用户权限如何协同工作?
How do Ceph S3 user and subuser permissions work together?
我有以下用户配置:
namespace: s3test
user: s3test
subuser: backup (set up with s3 credentials instead of swift)
我想定义一个存储桶策略,明确阻止备份用户将数据放入名为 hedgehogs
的存储桶,该存储桶由 s3test
用户创建:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DenyPutToHedgehogsForBackup",
"Effect": "Deny",
"Principal": {
"CanonicalUser": "s3test:backup"
},
"Action": ["s3:PutObject"],
"Resource": [
"arn:aws:s3:::hedgehogs/*"
]
}
]
}
但是,这似乎阻止了 s3test
和 s3test:backup
放入 hedgehogs
。
我的策略语法有问题吗?这是否意味着配置了 s3 凭据的子用户只是使用主用户权限访问 s3 的另一种方式?
您的存储桶策略应该是这样的:
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Deny",
"Principal": {"AWS": ["arn:aws:iam:::user/s3test:backup"]},
"Action": "s3:PutObject",
"Resource": [
"arn:aws:s3:::hedgehogs/*"
]
}]
}
我有以下用户配置:
namespace: s3test
user: s3test
subuser: backup (set up with s3 credentials instead of swift)
我想定义一个存储桶策略,明确阻止备份用户将数据放入名为 hedgehogs
的存储桶,该存储桶由 s3test
用户创建:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DenyPutToHedgehogsForBackup",
"Effect": "Deny",
"Principal": {
"CanonicalUser": "s3test:backup"
},
"Action": ["s3:PutObject"],
"Resource": [
"arn:aws:s3:::hedgehogs/*"
]
}
]
}
但是,这似乎阻止了 s3test
和 s3test:backup
放入 hedgehogs
。
我的策略语法有问题吗?这是否意味着配置了 s3 凭据的子用户只是使用主用户权限访问 s3 的另一种方式?
您的存储桶策略应该是这样的:
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Deny",
"Principal": {"AWS": ["arn:aws:iam:::user/s3test:backup"]},
"Action": "s3:PutObject",
"Resource": [
"arn:aws:s3:::hedgehogs/*"
]
}]
}