Read only users - list all the buckets I have read rights to

Question

We are using ceph and have several buckets.

We are using one read-only user to make backups of these buckets.

If I know the list, I can backup all my bucket.

I don't understand why, but I can't list all buckets.

Is it at all possible in ceph radosgw? I suspect not.

The policy looks like this:

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": ["arn:aws:iam:::user/read-only"]},
    "Action": [
       "s3:ListBucket",
       "s3:ListAllMyBuckets",
       "s3:GetObject"
     ],
    "Resource": [
      "arn:aws:s3:::bucket",
      "arn:aws:s3:::bucket/*"
    ]
  }]
}

And I don't have anything special at the user level.

But when I try to list, I get the following:

export AWS_SECRET_ACCESS_KEY=xx
export AWS_ACCESS_KEY_ID=
export MC_HOST_ceph=https://${AWS_ACCESS_KEY_ID}:${AWS_SECRET_ACCESS_KEY}@radosgwdns
mc ls ceph
mc ls ceph/
mc ls ceph/bucket

Only the last command is listing things.

In this link it is said that it is basically not possible: https://help.switch.ch/engines/documentation/s3-like-object-storage/s3_policy/

Only S3 bucket policy is available, S3 user policy is not implemented in Ceph S3.

On this release page, they maybe speak about it: https://ceph.io/releases/v16-2-0-pacific-released/

RGW: Improved configuration of S3 tenanted users.

Thanks for your help!

Answer 1

When you get access to a bucket with a bucket policy to a user it will not appear in the user's bucket listing. If you want it to be you can create a subuser with none permission and again give access to it using bucket policy. Now when the subuser lists buckets it will see the bucket and because of none permission, it has only access to the bucket you specified. The principal for the subuser would be like this:

"Principal": {"AWS": ["arn:aws:iam:::user/MAIN_USER:SUBUSER"]},