Bug #22984
Closed
RGWs crash when I try to set a policy
Description
I am trying to set a policy to a bucket in order to have users that can only read (for debugging purposes). I do it in the following way:
s3cmd --host=ceph-rgw setpolicy policy s3://bucket
The policy is:
{
  "Version": "2012-10-17",
  "Id": "01",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "d.ruiz" },
      "Action": [ "s3:GetObject", "s3:ListBucket" ],
      "Resource": [ "arn:aws:s3:::bucket/*", ]
    }
  ]
}
At the moment I run the setpolicy command, the gateway crashes and logs the following error:
2018-02-12 13:40:43.979192 I | rgw: radosgw: /usr/include/boost/optional/optional.hpp:878: boost::optional<T>::pointer_type boost::optional<T>::operator->() [with T = rgw::IAM::ARN; boost::optional<T>::pointer_type = rgw::IAM::ARN*]: Assertion `this->is_initialized()' failed. failed to run rgw. failed to start rgw: Failed to complete rgw: signal: aborted (core dumped)
This makes the service unavailable for some seconds until the service is restarted. Can anybody provide insights on this? I am running:
ceph version af31b0aa0 (5af31b0aa028c6a69306c890f8d91fb9463a28f7) luminous (stable)
Thank you!
Updated by David González Ruiz about 6 years ago
The way AWS identifier is specified does not seem to be the source of issues; switching to this notation does not work either:
"Principal": {"AWS": ["arn:aws:iam::d.ruiz"]},
The uid does exist.
Updated by David González Ruiz about 6 years ago
It seems that using the following user arn made the setpolicy operation work, but the policy is still not functional.
arn:aws:iam::${RGW DNS SETTING HERE}:user/d.ruiz
Updated by Matt Benjamin about 6 years ago
- Status changed from New to In Progress
- Assignee set to Adam Emerson
@Adam DC949, could you have a look at this?
Matt
Updated by Adam Emerson about 6 years ago
Could you try against master or upstream luminous? I believe this bug is fixed in both and simply hadn't percolated its way into the last stable luminous release yet.
(We have another luminous coming out soon so the fix should be in that.)
Updated by Adam Emerson about 6 years ago
It shouldn't be an RGW DNS setting. The thing to put there should be the tenant name, or nothing if you're using the default tenant.
Updated by Adam Emerson almost 6 years ago
- Status changed from In Progress to Duplicate
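
A pre-flight check for the principal forms tried in this thread, as an added example (not code from the Ceph project or from the reporter): it verifies that each `Principal` is `*` or an ARN shaped like `arn:aws:iam::<tenant>:user/<uid>` before the policy is sent with `s3cmd setpolicy`. The function names, the accepted resource forms and the sample policies are assumptions of this example; it checks syntax only, not whether the tenant or uid exists.

```python
import json

def check_principal(p):
    """Return None if p is '*' or a well-formed IAM ARN, else a reason string."""
    if p == "*":
        return None
    parts = p.split(":", 5)
    if len(parts) != 6:
        return f"{p!r}: expected 6 colon-separated ARN fields, got {len(parts)}"
    scheme, partition, service, region, _tenant, resource = parts
    if (scheme, partition, service) != ("arn", "aws", "iam"):
        return f"{p!r}: must start with arn:aws:iam"
    if region:
        return f"{p!r}: region field must be empty for IAM ARNs"
    # Accepted resource forms are an assumption of this example.
    if resource != "root" and not (resource.startswith("user/") and resource[5:]):
        return f"{p!r}: resource must be user/<uid> or root"
    return None

def lint_policy(text):
    """Return a list of problems found in a bucket policy document."""
    try:
        policy = json.loads(text)
    except json.JSONDecodeError as e:
        return [f"not strict JSON: {e.msg} (char {e.pos})"]
    stmts = policy.get("Statement", [])
    problems = []
    for i, st in enumerate(stmts if isinstance(stmts, list) else [stmts]):
        principal = st.get("Principal", {})
        aws = [principal] if isinstance(principal, str) else principal.get("AWS", [])
        for p in ([aws] if isinstance(aws, str) else aws):
            reason = check_principal(p)
            if reason:
                problems.append(f"Statement[{i}].Principal: {reason}")
    return problems

def make_policy(principal):
    """Constructed sample: the thread's policy with a chosen principal."""
    stmt = {"Effect": "Allow", "Principal": {"AWS": principal},
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::bucket/*"]}
    return json.dumps({"Version": "2012-10-17", "Id": "01", "Statement": [stmt]})

if __name__ == "__main__":
    for principal in ("d.ruiz", ["arn:aws:iam::d.ruiz"], "arn:aws:iam:::user/d.ruiz"):
        print(principal, "->", lint_policy(make_policy(principal)) or "ok")
    # Trailing comma as in the posted policy: rejected before any principal check.
    print(lint_policy('{"Statement": [{"Resource": ["arn:aws:s3:::bucket/*", ]}]}'))
```

The empty tenant field in `arn:aws:iam:::user/d.ruiz` corresponds to the default tenant mentioned in the thread.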