Using bucket policy to control bucket read/write access
Sorry for the long silence! I've been really busy lately, juggling several projects at once and travelling to Shanghai and Hong Kong.... I'll share some project experience with you when I have time.
RGW introduced bucket policy starting with the L (Luminous) release, but in practice some of its features do not fully match those of AWS S3. Here I briefly summarize a few common scenarios, with python-boto3 code examples below. The server side runs ceph version 12.2.11.
Use case 1
mybucket1 belongs to user test-1; allow user-2 read-only access to all objects in the bucket.
```python
import boto3
from botocore.client import Config
import json

endpoint = 'http://test.s3.local'
bucket_name = 'mybucket1'
access_key = ''  # credentials of the bucket owner (test-1); fill in before running
secret_key = ''
s3client = boto3.client('s3', region_name='cn-test-1', use_ssl=False, endpoint_url=endpoint,
                        aws_access_key_id=access_key, aws_secret_access_key=secret_key,
                        config=Config(signature_version='s3v4', s3={'addressing_style': 'path'}))  # type: BaseClient
p = {
    'Version': '2012-10-17',
    'Statement': [{
        'Effect': 'Allow',
        'Principal': {'AWS': ['arn:aws:iam:::user/test-2']},
        'Action': ['s3:ListBucket', 's3:GetBucketAcl', 's3:GetObject', 's3:GetObjectAcl'],
        'Resource': ['arn:aws:s3:::mybucket1', 'arn:aws:s3:::mybucket1/*']
    }]
}
bucket_policy = json.dumps(p)
s3client.put_bucket_policy(Bucket=bucket_name, Policy=bucket_policy)  # set the policy
result = s3client.get_bucket_policy(Bucket=bucket_name)
print(result['Policy'])  # read the policy back
```
Use case 2
mybucket1 belongs to user test-1; allow user-2 to read and write all objects in the bucket, but not to delete objects.
```python
import boto3
from botocore.client import Config
import json

endpoint = 'http://test.s3.local'
bucket_name = 'mybucket1'
access_key = ''  # credentials of the bucket owner (test-1); fill in before running
secret_key = ''
s3client = boto3.client('s3', region_name='cn-test-1', use_ssl=False, endpoint_url=endpoint,
                        aws_access_key_id=access_key, aws_secret_access_key=secret_key,
                        config=Config(signature_version='s3v4', s3={'addressing_style': 'path'}))  # type: BaseClient
p = {
    'Version': '2012-10-17',
    'Statement': [{
        'Effect': 'Allow',
        'Principal': {'AWS': ['arn:aws:iam:::user/test-2']},
        'Action': ['s3:ListBucket', 's3:GetBucketAcl', 's3:GetObject', 's3:GetObjectAcl',
                   's3:PutObject', 's3:PutObjectAcl'],
        'Resource': ['arn:aws:s3:::mybucket1', 'arn:aws:s3:::mybucket1/*']
    }]
}
bucket_policy = json.dumps(p)
s3client.put_bucket_policy(Bucket=bucket_name, Policy=bucket_policy)  # set the policy
result = s3client.get_bucket_policy(Bucket=bucket_name)
print(result['Policy'])  # read the policy back
```
Use case 3
mybucket1 belongs to user test-1; allow user-2 to read and write all objects in the bucket, and also to delete objects.
```python
import boto3
from botocore.client import Config
import json

endpoint = 'http://test.s3.local'
bucket_name = 'mybucket1'
access_key = ''  # credentials of the bucket owner (test-1); fill in before running
secret_key = ''
s3client = boto3.client('s3', region_name='cn-test-1', use_ssl=False, endpoint_url=endpoint,
                        aws_access_key_id=access_key, aws_secret_access_key=secret_key,
                        config=Config(signature_version='s3v4', s3={'addressing_style': 'path'}))  # type: BaseClient
p = {
    'Version': '2012-10-17',
    'Statement': [{
        'Effect': 'Allow',
        'Principal': {'AWS': ['arn:aws:iam:::user/test-2']},
        'Action': ['s3:ListBucket', 's3:GetBucketAcl', 's3:GetObject', 's3:GetObjectAcl',
                   's3:PutObject', 's3:PutObjectAcl', 's3:DeleteObject'],
        'Resource': ['arn:aws:s3:::mybucket1', 'arn:aws:s3:::mybucket1/*']
    }]
}
bucket_policy = json.dumps(p)
s3client.put_bucket_policy(Bucket=bucket_name, Policy=bucket_policy)  # set the policy
result = s3client.get_bucket_policy(Bucket=bucket_name)
print(result['Policy'])  # read the policy back
```
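As an added example (not code from the original post), the three policies above can be generated from one helper and checked offline with a small evaluator that follows the S3 policy semantics the post relies on: every request is denied unless a statement allows it for that principal, action and resource, and an explicit Deny overrides any Allow. The object key `report.txt` and the user `test-3` are constructed for the check; the evaluator is a local model, not RGW's own engine.

```python
import fnmatch

# Constructed example: build the three policies from this post and check offline
# which requests each one admits. The evaluator follows S3 policy semantics:
# default deny, and an explicit Deny always overrides an Allow.
READ = ['s3:ListBucket', 's3:GetBucketAcl', 's3:GetObject', 's3:GetObjectAcl']
WRITE = ['s3:PutObject', 's3:PutObjectAcl']
DELETE = ['s3:DeleteObject']

def build_policy(bucket, user, actions):
    """Single Allow statement for one RGW user on one bucket and all its objects."""
    return {
        'Version': '2012-10-17',
        'Statement': [{
            'Effect': 'Allow',
            'Principal': {'AWS': ['arn:aws:iam:::user/%s' % user]},
            'Action': list(actions),
            'Resource': ['arn:aws:s3:::%s' % bucket, 'arn:aws:s3:::%s/*' % bucket],
        }],
    }

def _as_list(v):
    return v if isinstance(v, list) else [v]

def is_allowed(policy, user, action, resource):
    """True if policy lets user perform action on resource (default deny, Deny wins)."""
    principal = 'arn:aws:iam:::user/%s' % user
    allowed = False
    for st in policy['Statement']:
        princ = st['Principal']
        princ = _as_list(princ.get('AWS', []) if isinstance(princ, dict) else princ)
        if '*' not in princ and principal not in princ:
            continue  # statement does not name this user
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(st['Action'])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st['Resource'])):
            continue
        if st['Effect'] == 'Deny':
            return False  # explicit Deny wins over any Allow
        allowed = True
    return allowed

if __name__ == '__main__':
    no_delete = build_policy('mybucket1', 'test-2', READ + WRITE)  # use case 2
    obj = 'arn:aws:s3:::mybucket1/report.txt'  # constructed object ARN
    print(is_allowed(no_delete, 'test-2', 's3:PutObject', obj))     # True
    print(is_allowed(no_delete, 'test-2', 's3:DeleteObject', obj))  # False
    print(is_allowed(no_delete, 'test-3', 's3:GetObject', obj))     # False
```

Note that use case 2 blocks deletion only by leaving `s3:DeleteObject` out of the Allow list (an implicit deny); if the user also holds some other grant, an explicit Deny statement is what actually guarantees it, as the last check in the evaluator shows.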
Reference 1: https://docs.aws.amazon.com/AmazonS3/latest/dev/using-with-s3-actions.html#using-with-s3-actions-related-to-buckets
Reference 2: https://docs.ceph.com/docs/master/radosgw/bucketpolicy/