Bug #52379
closed
cannot Delete objects on s3 ceph bucket
Description
I have a Ceph cluster and am running a few S3 buckets on it. The 'gitlab-s3-api' user has full permission on everything ( users=;buckets=;metadata=;usage=;zone=* ), but very oddly it cannot delete any file in its own bucket.
{
    "user_id": "gitlab-s3-api",
    "display_name": "Gitlab s3 bucket",
    "email": "",
    "suspended": 0,
    "max_buckets": 1000,
    "subusers": [],
    "keys": [
        {
            "user": "gitlab-s3-api",
            "access_key": "xxxx",
            "secret_key": "xxxx"
        }
    ],
    "swift_keys": [],
    "caps": [
        {
            "type": "buckets",
            "perm": "*"
        },
        {
            "type": "metadata",
            "perm": "*"
        },
        {
            "type": "usage",
            "perm": "*"
        },
        {
            "type": "users",
            "perm": "*"
        },
        {
            "type": "zone",
            "perm": "*"
        }
    ],
    "op_mask": "read, write, delete",
    "default_placement": "",
    "default_storage_class": "",
    "placement_tags": [],
    "bucket_quota": {
        "enabled": true,
        "check_on_raw": false,
        "max_size": 32212254720,
        "max_size_kb": 31457280,
        "max_objects": -1
    },
    "user_quota": {
        "enabled": false,
        "check_on_raw": false,
        "max_size": -1,
        "max_size_kb": 0,
        "max_objects": -1
    },
    "temp_url_keys": [],
    "type": "rgw",
    "mfa_ids": []
}
I also added DeleteObject policy to the user but it does not work.
[root@cephcon01 ceph-ansible]# s3cmd info s3://elk
s3://elk/ (bucket):
   Location: default
   Payer: BucketOwner
   Expiration Rule: none
   Policy: {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::USER_SID:user/elk"
            },
            "Action": [
                "s3:ListBucket",
                "s3:DeleteObject",
                "s3:GetObject",
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Resource": [
                "arn:aws:s3:::elk/*",
                "arn:aws:s3:::elk"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "arn:aws:s3:::*"
        }
    ]
}
   CORS: none
   ACL: *anon*: READ
   ACL: elastic backup: FULL_CONTROL
   URL: http://s3.vaslapp.com/elk/
Here you can see that I cannot delete the object.
s3cmd rm s3://elk/ansible.cfg
ERROR: Error parsing xml: Malformed error XML returned from remote server.. ErrorXML: <html><body><h1>403 Forbidden</h1>
Request forbidden by administrative rules.
</body></html>
ERROR: S3 error: 403 (Forbidden)
Updated by Neha Ojha over 2 years ago
- Project changed from Ceph to rgw
- Category deleted (cephx)
Updated by Casey Bodley over 2 years ago
- Assignee set to Pritha Srivastava
- Tags set to policy
@Pritha can you please review the bucket policy?
Updated by AliReza Nasri over 2 years ago
Would you please close this issue? It was something with haproxy.
Updated by Pritha Srivastava over 2 years ago
This looks like a bucket policy attached to bucket 'elk'. The Principal ARN needs to be that of the user gitlab-s3-api, which based on user info is arn:aws:iam:::user/gitlab-s3-api. The one in the policy looks incorrect. Also, for the s3:ListAllMyBuckets section, a Principal needs to be added (although ListAllMyBuckets doesn't apply here).
Updated by AliReza Nasri over 2 years ago
The haproxy that was in use was blocking HTTP DELETE requests. Nothing was wrong with Ceph.
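
Added example (not part of the original report, and not Ceph or s3cmd code): a triage helper that separates a 403 answered by the S3 endpoint, which replies with an XML `<Error>` document, from one answered by something in front of it, as with the HTML body in the s3cmd output above. The function name `classify_403` and the AccessDenied sample are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Body copied from the s3cmd error output in this report.
PROXY_403 = ("<html><body><h1>403 Forbidden</h1>\n"
             "Request forbidden by administrative rules.\n"
             "</body></html>")

# Constructed sample of an S3-style XML error, for comparison only.
S3_403 = ('<?xml version="1.0" encoding="UTF-8"?>'
          "<Error><Code>AccessDenied</Code>"
          "<BucketName>elk</BucketName>"
          "<RequestId>tx-constructed-0001</RequestId></Error>")


def _local(tag):
    """Element name without any XML namespace, lower-cased."""
    return tag.rsplit("}", 1)[-1].lower()


def classify_403(body, max_len=65536):
    """Return (origin, detail); origin is 's3', 'intermediary' or 'unknown'."""
    data = body.encode("utf-8") if isinstance(body, str) else body
    data = data.strip()
    # Error bodies are small; refuse to parse anything oversized.
    if not data or len(data) > max_len:
        return ("unknown", "")
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        # HTML error pages are often not well-formed XML.
        if b"<html" in data[:512].lower():
            return ("intermediary", "")
        return ("unknown", "")
    name = _local(root.tag)
    if name == "error":
        # The storage service evaluated the request: look at policy, ACLs, keys.
        code = next((c.text or "" for c in root if _local(c.tag) == "code"), "")
        return ("s3", code)
    if name == "html":
        # A proxy, load balancer or WAF answered before the request reached S3.
        return ("intermediary", " ".join("".join(root.itertext()).split()))
    return ("unknown", name)


if __name__ == "__main__":
    for sample in (PROXY_403, S3_403):
        print(classify_403(sample))
```

An `intermediary` result points the investigation at the proxy's method and ACL rules before any bucket policy is changed.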