Closed anrao19 closed 1 year ago
@anrao19 , please check in the debug rgw 20 logs the reason for access denied.
@viduship BZ updated with rgw logs
RGW logs updated in BZ
@anrao19 , I found bucket policy in this log: http://magna002.ceph.redhat.com/ceph-qe-logs/get_object_and_its_version.console.log bucket_policy:{'Version': '2012-10-17', 'Statement': [{'Action': ['s3:GetObject', 's3:GetObjectVersion'], 'Principal': {'AWS': ['arn:aws:iam::tenant_f:user/josephk.901']}, 'Resource': ['arn:aws:s3:::danielt.3-bucky-3216-0'], 'Effect': 'Allow', 'Sid': 'statement'}]}
For getobject permission, the resource should be like below, I think: 'Resource': ['arn:aws:s3:::danielt.3-bucky-3216-0/*']. Please try with this also once.
Hi @hmaheswa, we have tested list objects before this; for that there is no need of /* after the bucket name, so I don't think that is required. But to be sure, I will try this once.
As expected with "/" after bucket name does not work from bucket owner itself:
Failed to perform get object with: An error occurred (NoSuchBucket) when calling the GetObject operation: Unknown
bucket_policy_generated :{"Version": "2012-10-17", "Statement": [{"Action": ["s3:GetObject", "s3:GetObjectVersion"], "Principal": {"AWS": ["arn:aws:iam::tenant_q:user/deniseh.861", "arn:aws:iam::tenant_q:user/tonyag.747", "arn:aws:iam::tenant_O:user/javierc.760", "arn:aws:iam::tenant_O:user/jenniferd.572", "arn:aws:iam::tenant_O:user/angelai.595"]}, "Resource": ["arn:aws:s3:::gwendolynb.432-bucky-2057-0/"], "Effect": "Allow", "Sid": "statement"}]}
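An added example, not part of the PR or of any comment above: a simplified model of how the `Resource` element is matched for the three forms discussed in this thread (bare bucket ARN, trailing `/`, and `/*`). It follows the documented AWS S3 resource model, where object actions are evaluated against `bucket/key` ARNs and bucket actions against the bucket ARN; it is not RGW's evaluator, `Deny` is not modelled, and the object key `obj1` is constructed.

```python
import re

# Standard S3 resource model (subset): object actions are checked against
# bucket/key ARNs, bucket actions against the bare bucket ARN.
OBJECT_ACTIONS = {"s3:GetObject", "s3:GetObjectVersion"}
BUCKET_ACTIONS = {"s3:ListBucket", "s3:ListBucketVersions"}

def request_arn(action, bucket, key=None):
    """ARN a request is evaluated against for the given action."""
    if action in OBJECT_ACTIONS:
        return f"arn:aws:s3:::{bucket}/{key}"
    if action in BUCKET_ACTIONS:
        return f"arn:aws:s3:::{bucket}"
    raise ValueError(f"action not modelled: {action}")

def wildcard_match(pattern, value):
    """Policy-style match: '*' is any run of characters, '?' is one."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value, re.S) is not None

def allows(policy, principal, action, bucket, key=None):
    """True if an Allow statement covers the request (Deny is not modelled)."""
    arn = request_arn(action, bucket, key)
    for st in policy["Statement"]:
        if (st["Effect"] == "Allow"
                and principal in st["Principal"]["AWS"]
                and any(wildcard_match(a, action) for a in st["Action"])
                and any(wildcard_match(r, arn) for r in st["Resource"])):
            return True
    return False

def make_policy(actions, principal, resource):
    """Policy in the shape the test script generates."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "statement", "Effect": "Allow", "Action": actions,
        "Principal": {"AWS": [principal]}, "Resource": [resource]}]}

# Names taken from the policy quoted in the thread; the key is constructed.
USER = "arn:aws:iam::tenant_f:user/josephk.901"
BUCKET = "danielt.3-bucky-3216-0"
GET = ["s3:GetObject", "s3:GetObjectVersion"]

if __name__ == "__main__":
    for res in (BUCKET, BUCKET + "/", BUCKET + "/*"):
        pol = make_policy(GET, USER, "arn:aws:s3:::" + res)
        print(res, allows(pol, USER, "s3:GetObject", BUCKET, "obj1"))
    pol = make_policy(["s3:ListBucket"], USER, "arn:aws:s3:::" + BUCKET)
    print("ListBucket", allows(pol, USER, "s3:ListBucket", BUCKET))
```

Under this model only the `/*` form matches an object request, while the bare bucket ARN is what a `s3:ListBucket` statement needs.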
[APPROVALNOTIFIER] This PR is NOT APPROVED
This pull-request has been approved by: anrao19, ckulal, hmaheswa
log: http://magna002.ceph.redhat.com/ceph-qe-logs/Anuchaithra/get_object_and_its_versions_tenat_user.console.log
Perform Get object and its version from all users of same and different tenants