The Ceph Object Gateway supports a subset of the Amazon S3 policy language applied to buckets.
Creation and Removal
Bucket policies are managed through standard S3 operations rather than radosgw-admin.
For example, one may use s3cmd to set or delete a policy, thus:
```
$ cat > examplepol
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": ["arn:aws:iam::usfolks:user/fred:subuser"]},
    "Action": "s3:PutObjectAcl",
    "Resource": [
      "arn:aws:s3:::happybucket/*"
    ]
  }]
}
$ s3cmd setpolicy examplepol s3://happybucket
$ s3cmd delpolicy s3://happybucket
```
Limitations
Currently, we support only the following actions:
- s3:AbortMultipartUpload
- s3:CreateBucket
- s3:DeleteBucketPolicy
- s3:DeleteBucket
- s3:DeleteBucketWebsite
- s3:DeleteObject
- s3:DeleteObjectVersion
- s3:DeleteReplicationConfiguration
- s3:GetAccelerateConfiguration
- s3:GetBucketAcl
- s3:GetBucketCORS
- s3:GetBucketLocation
- s3:GetBucketLogging
- s3:GetBucketNotification
- s3:GetBucketPolicy
- s3:GetBucketRequestPayment
- s3:GetBucketTagging
- s3:GetBucketVersioning
- s3:GetBucketWebsite
- s3:GetLifecycleConfiguration
- s3:GetObjectAcl
- s3:GetObject
- s3:GetObjectTorrent
- s3:GetObjectVersionAcl
- s3:GetObjectVersion
- s3:GetObjectVersionTorrent
- s3:GetReplicationConfiguration
- s3:ListAllMyBuckets
- s3:ListBucketMultipartUploads
- s3:ListBucket
- s3:ListBucketVersions
- s3:ListMultipartUploadParts
- s3:PutAccelerateConfiguration
- s3:PutBucketAcl
- s3:PutBucketCORS
- s3:PutBucketLogging
- s3:PutBucketNotification
- s3:PutBucketPolicy
- s3:PutBucketRequestPayment
- s3:PutBucketTagging
- s3:PutBucketVersioning
- s3:PutBucketWebsite
- s3:PutLifecycleConfiguration
- s3:PutObjectAcl
- s3:PutObject
- s3:PutObjectVersionAcl
- s3:PutReplicationConfiguration
- s3:RestoreObject
We do not yet support setting policies on users, groups, or roles.

We use the RGW "tenant" identifier in place of Amazon's twelve-digit account ID. In the future we may allow you to assign an account ID to a tenant, but for now, if you want to use policies between AWS S3 and RGW S3, you will have to use the Amazon account ID as the tenant ID when creating users.

Under AWS, all tenants share a single namespace. RGW gives every tenant its own bucket namespace. A future version may offer an option to enable an AWS-like "flat" bucket namespace. At present, to access a bucket belonging to another tenant, address it as "tenant:bucket" in the S3 request.

In AWS, a bucket policy can grant access to another account, and that account's owner can then grant access to individual users with user permissions. Since we do not yet support user, role, and group permissions, account owners currently need to grant access directly to individual users, and granting an entire account access to a bucket grants access to all users in that account.

Bucket policies do not yet support string interpolation.

For all requests, the condition keys we support are:
- aws:CurrentTime
- aws:EpochTime
- aws:PrincipalType
- aws:Referer
- aws:SecureTransport
- aws:SourceIp
- aws:UserAgent
- aws:username

For bucket and object requests, we support certain S3 condition keys.
Bucket-related operations

| Permission | Condition keys | Comments |
|---|---|---|
| s3:createBucket | s3:x-amz-acl, `s3:x-amz-grant-<perm>` | where perm is one of read/write/read-acp/write-acp/full-control |
| s3:ListBucket & s3:ListBucketVersions | s3:prefix, s3:delimiter, s3:max-keys | |
| s3:PutBucketAcl | s3:x-amz-acl, `s3:x-amz-grant-<perm>` | |
Object-related operations

| Permission | Condition keys | Comments |
|---|---|---|
| s3:PutObject | s3:x-amz-acl & `s3:x-amz-grant-<perm>`, s3:x-amz-copy-source, s3:x-amz-server-side-encryption, s3:x-amz-server-side-encryption-aws-kms-key-id, s3:x-amz-metadata-directive, `s3:RequestObjectTag/<tag-key>` | PUT & COPY; overwrite/preserve metadata in COPY requests |
| s3:PutObjectAcl & s3:PutObjectVersionAcl | s3:x-amz-acl & `s3:x-amz-grant-<perm>`, `s3:ExistingObjectTag/<tag-key>` | |
| s3:PutObjectTagging & s3:PutObjectVersionTagging | `s3:RequestObjectTag/<tag-key>`, `s3:ExistingObjectTag/<tag-key>` | |
| s3:GetObject & s3:GetObjectVersion | `s3:ExistingObjectTag/<tag-key>` | |
| s3:GetObjectAcl & s3:GetObjectVersionAcl | `s3:ExistingObjectTag/<tag-key>` | |
| s3:GetObjectTagging & s3:GetObjectVersionTagging | `s3:ExistingObjectTag/<tag-key>` | |
| s3:DeleteObjectTagging & s3:DeleteObjectVersionTagging | `s3:ExistingObjectTag/<tag-key>` | |
More may be supported soon, once we integrate with the recently rewritten authentication/authorization subsystem.
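Because RGW evaluates only the subset listed above, a policy copied from an AWS deployment can silently depend on an action, principal form or condition key that RGW never checks. The following is an added example, not Ceph project code: a small linter that checks a policy document against exactly the lists on this page (the Version, the supported actions, the `arn:aws:iam::<tenant>:user/<name>` principal form, S3 resource ARNs, the absence of `${...}` interpolation, and the condition keys from the lists and tables). Anything outside those lists, including wildcard actions and the `*` principal, is reported for review rather than accepted. Both sample policies are constructed here, the first being the page's own s3cmd example.

```python
"""Lint an RGW bucket policy against the subset documented on this page.
Added example, not Ceph code. The sets below mirror the page's lists; the
two sample policies at the bottom are constructed for the demonstration."""
import json
import re

# Every action on the page's "Limitations" list.
SUPPORTED_ACTIONS = set("""
s3:AbortMultipartUpload s3:CreateBucket s3:DeleteBucketPolicy s3:DeleteBucket
s3:DeleteBucketWebsite s3:DeleteObject s3:DeleteObjectVersion
s3:DeleteReplicationConfiguration s3:GetAccelerateConfiguration s3:GetBucketAcl
s3:GetBucketCORS s3:GetBucketLocation s3:GetBucketLogging s3:GetBucketNotification
s3:GetBucketPolicy s3:GetBucketRequestPayment s3:GetBucketTagging
s3:GetBucketVersioning s3:GetBucketWebsite s3:GetLifecycleConfiguration
s3:GetObjectAcl s3:GetObject s3:GetObjectTorrent s3:GetObjectVersionAcl
s3:GetObjectVersion s3:GetObjectVersionTorrent s3:GetReplicationConfiguration
s3:ListAllMyBuckets s3:ListBucketMultipartUploads s3:ListBucket
s3:ListBucketVersions s3:ListMultipartUploadParts s3:PutAccelerateConfiguration
s3:PutBucketAcl s3:PutBucketCORS s3:PutBucketLogging s3:PutBucketNotification
s3:PutBucketPolicy s3:PutBucketRequestPayment s3:PutBucketTagging
s3:PutBucketVersioning s3:PutBucketWebsite s3:PutLifecycleConfiguration
s3:PutObjectAcl s3:PutObject s3:PutObjectVersionAcl s3:PutReplicationConfiguration
s3:RestoreObject
""".split())

# Condition keys the page lists for all requests plus the fixed s3:* keys from
# its two tables; the <perm> and <tag-key> families are matched by regex.
CONDITION_KEYS = {
    "aws:CurrentTime", "aws:EpochTime", "aws:PrincipalType", "aws:Referer",
    "aws:SecureTransport", "aws:SourceIp", "aws:UserAgent", "aws:username",
    "s3:x-amz-acl", "s3:prefix", "s3:delimiter", "s3:max-keys",
    "s3:x-amz-copy-source", "s3:x-amz-server-side-encryption",
    "s3:x-amz-server-side-encryption-aws-kms-key-id", "s3:x-amz-metadata-directive",
}
CONDITION_KEY_FAMILIES = re.compile(
    r"^s3:(x-amz-grant-(read|write|read-acp|write-acp|full-control)"
    r"|(Request|Existing)ObjectTag/.+)$")
# RGW principals are arn:aws:iam::<tenant>:user/<name>; the tenant may be empty.
USER_ARN = re.compile(r"^arn:aws:iam::[^:]*:user/[^/]+$")
S3_ARN = re.compile(r"^arn:aws:s3:::.+$")
INTERPOLATION = re.compile(r"\$\{[^}]*\}")  # ${aws:username} and friends


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_policy(policy_text):
    """Return a list of findings; an empty list means the policy stays within
    the subset this page documents."""
    findings = []
    policy = json.loads(policy_text)
    if policy.get("Version") != "2012-10-17":
        findings.append("Version must be 2012-10-17")
    if INTERPOLATION.search(policy_text):
        findings.append("string interpolation (${...}) is not supported")
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        where = f"Statement[{i}]"
        if stmt.get("Effect") not in ("Allow", "Deny"):
            findings.append(f"{where}: Effect must be Allow or Deny")
        for action in _as_list(stmt.get("Action", [])):
            if action not in SUPPORTED_ACTIONS:  # wildcards land here too, for review
                findings.append(f"{where}: action {action} is not on the supported list")
        for res in _as_list(stmt.get("Resource", [])):
            if not S3_ARN.match(res):
                findings.append(f"{where}: resource {res} is not an S3 ARN")
        principal = stmt.get("Principal")
        principals = (principal.get("AWS", []) if isinstance(principal, dict)
                      else principal or [])
        for p in _as_list(principals):
            if p == "*":
                findings.append(f"{where}: principal '*' grants everyone, review carefully")
            elif not USER_ARN.match(p):
                findings.append(f"{where}: principal {p} is not an RGW user ARN")
        for keys in stmt.get("Condition", {}).values():
            for key in keys:
                if key not in CONDITION_KEYS and not CONDITION_KEY_FAMILIES.match(key):
                    findings.append(f"{where}: condition key {key} is not supported")
    return findings


# Constructed samples: the page's own s3cmd example, and an AWS-style policy
# that leans on features RGW does not evaluate.
PAGE_EXAMPLE = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": ["arn:aws:iam::usfolks:user/fred:subuser"]},
    "Action": "s3:PutObjectAcl",
    "Resource": ["arn:aws:s3:::happybucket/*"]
  }]
}"""
AWS_STYLE = """{
  "Version": "2008-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": "*",
    "Action": ["s3:GetObject", "s3:PutBucketOwnershipControls"],
    "Resource": "arn:aws:s3:::happybucket/home/${aws:username}/*",
    "Condition": {"StringEquals": {"aws:SourceVpc": "vpc-0"}}
  }]
}"""
```

Running `lint_policy(PAGE_EXAMPLE)` returns an empty list, while `lint_policy(AWS_STYLE)` returns five findings: the old Version, the `${aws:username}` interpolation, the action absent from RGW's list, the `*` principal, and the unsupported `aws:SourceVpc` key. Run it over a policy before `s3cmd setpolicy` to catch statements RGW would ignore or reject.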
Practice
The stored form of a bucket policy lives in the XXX.rgw.meta pool under the name user.rgw.iam-policy (an attribute of the bucket's metadata rados object, as the rados commands further down show), and its content is the policy text itself.
The text format of a bucket policy is:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam:::user/user2"
        ]
      },
      "Action": "s3:ListBucket",
      "Resource": [
        "arn:aws:s3:::bucket01"
      ]
    }
  ]
}
```
- Version: the policy version; in current testing only "2012-10-17" can be set.
- Effect: allow or deny; possible values: 1. Allow 2. Deny
- Principal: whom the rule applies to; the format is `"Principal": {"AWS": "arn:aws:iam::[tenant]:user/[username]"}`
- Action: the operation; see Limitations for the actions that can currently be set.
- Resource: the resource being restricted, generally the bucket.
Assume users user1 and user2 exist, and that bucket01 has been created with user1 as its owner.
Set a bucket policy like the one in the example.
View the bucket details and note the bucket id:
```
# radosgw-admin bucket stats --bucket=bucket01
{
    "bucket": "bucket01",
    "num_shards": 0,
    "tenant": "",
    "zonegroup": "6c60018f-7d68-4633-a76d-1d323f21ddae",
    "placement_rule": "default-placement",
    "explicit_placement": {
        "data_pool": "",
        "data_extra_pool": "",
        "index_pool": ""
    },
    "id": "63b9264a-b4f8-47db-9efa-a3d570b82308.811240.1",
    "marker": "63b9264a-b4f8-47db-9efa-a3d570b82308.811240.1",
    "index_type": "Normal",
    "owner": "user1",
    "ver": "0#8",
    "master_ver": "0#0",
    "mtime": "2020-10-07 03:31:15.565362Z",
    "max_marker": "0#",
    "usage": {
        "rgw.main": {
            "size": 12535710,
            "size_actual": 12537856,
            "size_utilized": 12535710,
            "size_kb": 12242,
            "size_kb_actual": 12244,
            "size_kb_utilized": 12242,
            "num_objects": 3
        },
        "rgw.multimeta": {
            "size": 0,
            "size_actual": 0,
            "size_utilized": 0,
            "size_kb": 0,
            "size_kb_actual": 0,
            "size_kb_utilized": 0,
            "num_objects": 0
        }
    },
    "bucket_quota": {
        "enabled": true,
        "check_on_raw": false,
        "max_size": -1,
        "max_size_kb": 0,
        "max_objects": -1
    }
}
```
View the attributes of the bucket metadata object:
```
# rados -p datacenter.rgw.meta --namespace root listxattr .bucket.meta.bucket01:63b9264a-b4f8-47db-9efa-a3d570b82308.811240.1
ceph.objclass.version
user.rgw.acl
user.rgw.iam-policy
```
View the value of the user.rgw.iam-policy attribute:
```
# rados -p datacenter.rgw.meta --namespace root getxattr .bucket.meta.bucket01:63b9264a-b4f8-47db-9efa-a3d570b82308.811240.1 user.rgw.iam-policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam:::user/user2"
        ]
      },
      "Action": "s3:ListBucket",
      "Resource": [
        "arn:aws:s3:::bucket01"
      ]
    }
  ]
}
```