red-hat-storage / ceph-qe-scripts

Various QE scripts written by QE for Ceph Testing
MIT License

Perform Get object and its version from all users of same and different tenants #500

Closed anrao19 closed 1 year ago

anrao19 commented 1 year ago

log: http://magna002.ceph.redhat.com/ceph-qe-logs/Anuchaithra/get_object_and_its_versions_tenat_user.console.log

Perform Get object and its version from all users of same and different tenants

anrao19 commented 1 year ago

> @anrao19, please check in the debug rgw 20 logs the reason for access denied.

@viduship BZ updated with rgw logs

> @anrao19, please check in the debug rgw 20 logs the reason for access denied.

RGW logs updated in BZ

anrao19 commented 1 year ago

> @anrao19, I found bucket policy in this log: http://magna002.ceph.redhat.com/ceph-qe-logs/get_object_and_its_version.console.log
>
> ```
> bucket_policy:{'Version': '2012-10-17', 'Statement': [{'Action': ['s3:GetObject', 's3:GetObjectVersion'], 'Principal': {'AWS': ['arn:aws:iam::tenant_f:user/josephk.901']}, 'Resource': ['arn:aws:s3:::danielt.3-bucky-3216-0'], 'Effect': 'Allow', 'Sid': 'statement'}]}
> ```
>
> For getobject permission, resource should be like below I think: `'Resource': ['arn:aws:s3:::danielt.3-bucky-3216-0/*']`. Please try with this also once.

Hi @hmaheswa, we have tested list objects before this; for that, no need of `/*` after bucket name, so I don't think that is required. But to be sure, will try this once.

anrao19 commented 1 year ago

> @anrao19, I found bucket policy in this log: http://magna002.ceph.redhat.com/ceph-qe-logs/get_object_and_its_version.console.log
>
> ```
> bucket_policy:{'Version': '2012-10-17', 'Statement': [{'Action': ['s3:GetObject', 's3:GetObjectVersion'], 'Principal': {'AWS': ['arn:aws:iam::tenant_f:user/josephk.901']}, 'Resource': ['arn:aws:s3:::danielt.3-bucky-3216-0'], 'Effect': 'Allow', 'Sid': 'statement'}]}
> ```
>
> For getobject permission, resource should be like below I think: `'Resource': ['arn:aws:s3:::danielt.3-bucky-3216-0/*']`. Please try with this also once.

> Hi @hmaheswa, we have tested list objects before this; for that, no need of `/*` after bucket name, so I don't think that is required. But to be sure, will try this once.

As expected, with "/" after bucket name it does not work from bucket owner itself:

```
Failed to perform get object with: An error occurred (NoSuchBucket) when calling the GetObject operation: Unknown
bucket_policy_generated :{"Version": "2012-10-17", "Statement": [{"Action": ["s3:GetObject", "s3:GetObjectVersion"], "Principal": {"AWS": ["arn:aws:iam::tenant_q:user/deniseh.861", "arn:aws:iam::tenant_q:user/tonyag.747", "arn:aws:iam::tenant_O:user/javierc.760", "arn:aws:iam::tenant_O:user/jenniferd.572", "arn:aws:iam::tenant_O:user/angelai.595"]}, "Resource": ["arn:aws:s3:::gwendolynb.432-bucky-2057-0/"], "Effect": "Allow", "Sid": "statement"}]}
```
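The policies quoted in this thread differ only in the `Resource` ARN (bare bucket, trailing `/`, and `/*`). The following is an added example, not code from this repository or from any commenter: a small Python lint that applies AWS S3's documented split between object-level actions (resource `arn:aws:s3:::bucket/key`) and bucket-level actions (resource `arn:aws:s3:::bucket`). That RGW evaluates policies the same way is an assumption here, and the names `lint_policy`, `can_match_object` and `policy_for` as well as the partial action lists are made up for this example.

```python
S3_PREFIX = "arn:aws:s3:::"
# Partial action lists, chosen for this example (not exhaustive).
OBJECT_ACTIONS = {"s3:GetObject", "s3:GetObjectVersion", "s3:PutObject", "s3:DeleteObject"}
BUCKET_ACTIONS = {"s3:ListBucket", "s3:ListBucketVersions"}


def as_list(value):
    """Policy fields may be a single value or a list."""
    return list(value) if isinstance(value, (list, tuple)) else [value]


def can_match_object(pattern):
    """True if the pattern can match 'bucket/key' with a non-empty key ('?' is not modelled)."""
    bucket, _, key = pattern.partition("/")
    # A '*' before the first '/' can absorb '/key'; otherwise a key part must be present.
    return "*" in bucket or key != ""


def lint_policy(policy):
    """Return (action, resource, reason) for action/resource pairs that can never match."""
    findings = []
    for stmt in as_list(policy["Statement"]):
        for action in as_list(stmt.get("Action", [])):
            for res in as_list(stmt.get("Resource", [])):
                if not res.startswith(S3_PREFIX):
                    continue
                pattern = res[len(S3_PREFIX):]
                if action in OBJECT_ACTIONS and not can_match_object(pattern):
                    findings.append((action, res, "object action needs a bucket/key resource"))
                elif action in BUCKET_ACTIONS and "/" in pattern:
                    findings.append((action, res, "bucket action needs the bare bucket ARN"))
    return findings


def policy_for(resource, actions=("s3:GetObject", "s3:GetObjectVersion")):
    """Build a one-statement policy shaped like the ones quoted in the thread."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "statement", "Effect": "Allow", "Action": list(actions),
        "Principal": {"AWS": ["arn:aws:iam::tenant_f:user/josephk.901"]},
        "Resource": [resource]}]}


if __name__ == "__main__":
    bucket = "arn:aws:s3:::danielt.3-bucky-3216-0"  # bucket name taken from the thread
    for res in (bucket, bucket + "/", bucket + "/*"):
        print(res, "->", lint_policy(policy_for(res)) or "ok")
```

Running such a lint on generated policies before they are applied separates a policy that can never grant the intended access from a server-side evaluation problem.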

openshift-ci[bot] commented 1 year ago

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: anrao19, ckulal, hmaheswa

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

- **[OWNERS](https://github.com/red-hat-storage/ceph-qe-scripts/blob/master/OWNERS)**

Approvers can indicate their approval by writing `/approve` in a comment

Approvers can cancel approval by writing `/approve cancel` in a comment