mirror of
https://github.com/ceph/ceph
synced 2025-03-11 02:39:05 +00:00
rgw: Write documentation for bucket policies
Signed-off-by: Adam C. Emerson <aemerson@redhat.com>
This commit is contained in:
parent b7d0b740c0
commit 80b285d329
133
doc/radosgw/bucketpolicy.rst
Normal file
@ -0,0 +1,133 @@
===============
Bucket Policies
===============

.. versionadded:: Luminous

The Ceph Object Gateway supports a subset of the Amazon S3 policy
language applied to buckets.


Creation and Removal
====================

Bucket policies are managed through standard S3 operations rather than
radosgw-admin.

For example, one may use s3cmd to set or delete a policy thus::

$ cat > examplepol
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Principal": {"AWS": ["arn:aws:iam::usfolks:user/fred"]},
"Action": "s3PutObjectAcl",
"Resource": [
"arn:aws:s3:::happybucket/*"
]
}]
}

$ s3cmd setpolicy examplepol s3://happybucket
$ s3cmd delpolicy s3://happybucket


Limitations
===========

Currently, we support only the following actions:

- s3:AbortMultipartUpload
- s3:CreateBucket
- s3:DeleteBucketPolicy
- s3:DeleteBucket
- s3:DeleteBucketWebsite
- s3:DeleteObject
- s3:DeleteObjectVersion
- s3:DeleteReplicationConfiguration
- s3:GetAccelerateConfiguration
- s3:GetBucketAcl
- s3:GetBucketCORS
- s3:GetBucketLocation
- s3:GetBucketLogging
- s3:GetBucketNotification
- s3:GetBucketPolicy
- s3:GetBucketRequestPayment
- s3:GetBucketTagging
- s3:GetBucketVersioning
- s3:GetBucketWebsite
- s3:GetLifecycleConfiguration
- s3:GetObjectAcl
- s3:GetObject
- s3:GetObjectTorrent
- s3:GetObjectVersionAcl
- s3:GetObjectVersion
- s3:GetObjectVersionTorrent
- s3:GetReplicationConfiguration
- s3:ListAllMyBuckets
- s3:ListBucketMultiPartUploads
- s3:ListBucket
- s3:ListBucketVersions
- s3:ListMultipartUploadParts
- s3:PutAccelerateConfiguration
- s3:PutBucketAcl
- s3:PutBucketCORS
- s3:PutBucketLogging
- s3:PutBucketNotification
- s3:PutBucketPolicy
- s3:PutBucketRequestPayment
- s3:PutBucketTagging
- s3:PutBucketVersioning
- s3:PutBucketWebsite
- s3:PutLifecycleConfiguration
- s3:PutObjectAcl
- s3:PutObject
- s3:PutObjectVersionAcl
- s3:PutReplicationConfiguration
- s3:RestoreObject

We do not yet support setting policies on users, groups, or roles.

We use the RGW ‘tenant’ identifier in place of the Amazon twelve-digit
account ID. In the future we may allow you to assign an account ID to
a tenant, but for now if you want to use policies between AWS S3 and
RGW S3 you will have to use the Amazon account ID as the tenant ID when
creating users.

Under AWS, all tenants share a single namespace. RGW gives every
tenant its own namespace of buckets. There may be an option to enable
an AWS-like 'flat' bucket namespace in future versions. At present, to
access a bucket belonging to another tenant, address it as
"tenant:bucket" in the S3 request.

In AWS, a bucket policy can grant access to another account, and that
account owner can then grant access to individual users with user
permissions. Since we do not yet support user, role, and group
permissions, account owners will currently need to grant access
directly to individual users, and granting an entire account access to
a bucket grants access to all users in that account.

Bucket policies do not yet support string interpolation.

Currently, the only condition keys we support are:
- aws:CurrentTime
- aws:EpochTime
- aws:PrincipalType
- aws:Referer
- aws:SecureTransport
- aws:SourceIp
- aws:UserAgent
- aws:username

More may be supported soon as we integrate with the recently rewritten
Authentication/Authorization subsystem.

Swift
=====

There is no way to set bucket policies under Swift, but bucket
policies that have been set govern Swift as well as S3 operations.

Swift credentials are matched against Principals specified in a policy
in a way specific to whatever backend is being used.
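Review bot: the sample policy's action is written `"Action": "s3PutObjectAcl"`, which is missing the `s3:` prefix; every action in the Limitations list below is spelled `s3:...` (including `s3:PutObjectAcl`), so anyone who copies this example gets a policy whose statement never matches. Change it to `"Action": "s3:PutObjectAcl"`. Two smaller points in the same file: the line `Currently, the only condition keys we support are:` is followed directly by `- aws:CurrentTime` with no blank line, so reStructuredText will fold those bullets into the paragraph rather than render a list (the actions list above gets the blank line right); and the closing Swift sentence, that credentials are matched against Principals "in a way specific to whatever backend is being used", leaves an operator unable to tell which identity a Swift caller is matched as, so a sentence per supported backend would make the grant semantics checkable.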
@ -51,6 +51,7 @@ you may write data with one API and retrieve it with the other.
Multi-tenancy <multitenancy>
Compression <compression>
Server-Side Encryption <encryption>
Bucket Policy <bucketpolicy>
Data Layout in RADOS <layout>
Upgrade to Older Versions of Jewel <upgrade_to_jewel>
troubleshooting
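Review bot: the toctree caption `Bucket Policy <bucketpolicy>` does not match the new page's own title, `Bucket Policies`; pick one form so the navigation entry and the page heading read the same. Placement between Server-Side Encryption and Data Layout in RADOS is fine.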