Bug #48926

rgw: apparent failure to honor glob actions in bucket policy

Added by Matt Benjamin about 1 month ago. Updated about 1 month ago.

Status: New
Priority: Normal
Assignee:
Target version: -
% Done: 0%
Source:
Tags:
Backport:
Regression: No
Severity: 3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:
Crash signature:

Description

Policy with Action of 's3:*' parses, but Kyle Bader found he had to expand the full list to get correct behavior:

'Principal': '*',
'Action': ['s3:*'],
#'Action': ['s3:*', 's3:GetObject', 's3:PutObject', 's3:PutObjectAcl', 's3:ListBucket', 's3:DeleteObject'],
'Resource': f'arn:aws:s3:::{bucket_name}/*'

History

#1 Updated by Kyle Bader about 1 month ago

Upon further investigation, this policy seems to be the ticket for me:

bucket_policy = {
    'Version': '2012-10-17',
    'Statement': [{
        'Sid': 'AllAccess',
        'Effect': 'Allow',
        'Principal': '*',
        'Action': ['s3:*'],
        #'Action': ['s3:*', 's3:GetObject', 's3:PutObject', 's3:PutObjectAcl', 's3:ListBucket', 's3:DeleteObject'],
        #'Resource': f'arn:aws:s3:::{bucket_name}/*'
        'Resource': '*'
    }]
}
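
An added illustration, not part of the ticket and not RGW's code: a simplified matcher following general S3 policy semantics, in which bucket-level actions such as s3:ListBucket are evaluated against the bucket ARN and object-level actions against the object ARN. It compares the Resource values used in the policies above under 'Action': ['s3:*']; the bucket name, object key and helper names are constructed, and Principal, Deny and Condition handling are omitted.

```python
from fnmatch import fnmatchcase


def _as_list(value):
    """Policy fields may be a single string or a list of strings."""
    return value if isinstance(value, list) else [value]


def statement_allows(stmt, action, resource_arn):
    """True if an Allow statement matches both the action and the ARN."""
    if stmt.get('Effect') != 'Allow':
        return False
    # Action names are compared case-insensitively; '*' is a glob.
    action_ok = any(fnmatchcase(action.lower(), pat.lower())
                    for pat in _as_list(stmt['Action']))
    resource_ok = any(fnmatchcase(resource_arn, pat)
                      for pat in _as_list(stmt['Resource']))
    return action_ok and resource_ok


def policy_allows(policy, action, resource_arn):
    return any(statement_allows(s, action, resource_arn)
               for s in policy['Statement'])


def make_policy(resource):
    """Same shape as the policy in the comment above, Resource varied."""
    return {'Version': '2012-10-17',
            'Statement': [{'Sid': 'AllAccess', 'Effect': 'Allow',
                           'Principal': '*', 'Action': ['s3:*'],
                           'Resource': resource}]}


bucket_name = 'example-bucket'                      # constructed sample
BUCKET_ARN = f'arn:aws:s3:::{bucket_name}'          # bucket-level target
OBJECT_ARN = f'arn:aws:s3:::{bucket_name}/key.txt'  # object-level target

# (action, ARN the request is evaluated against)
REQUESTS = [('s3:GetObject', OBJECT_ARN),
            ('s3:PutObject', OBJECT_ARN),
            ('s3:ListBucket', BUCKET_ARN)]


def evaluate(resource):
    """Map each sample action to whether the policy matches it."""
    policy = make_policy(resource)
    return {action: policy_allows(policy, action, arn)
            for action, arn in REQUESTS}


if __name__ == '__main__':
    for res in (f'{BUCKET_ARN}/*', '*', [BUCKET_ARN, f'{BUCKET_ARN}/*']):
        print(res, evaluate(res))
```

Under these semantics, the object-only Resource does not match the s3:ListBucket request, while '*' and the two-ARN list match all three sample requests.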
