Using bucket policies to control bucket reads and writes

Starting with the L (Luminous) release, RGW supports bucket policies, but not every feature yet matches what AWS S3 offers. This post summarizes a few common scenarios with python-boto3 code examples; the server side runs ceph version 12.2.11. RGW evaluates the bucket policy alongside the bucket and object ACLs: an explicit Deny in the policy always wins, an Allow grants the request, and a request the policy does not mention falls through to the ACLs. That is why the examples below grant a second user access without touching any ACL.

Use case 1

mybucket1 belongs to user test-1. Allow user test-2 read-only access to every object in the bucket. The principal uses RGW's ARN format, arn:aws:iam:::user/<uid>; for a tenanted user the tenant name goes between the middle colons, e.g. arn:aws:iam::usfolks:user/fred.

import boto3
from botocore.client import Config
import json

endpoint = 'http://test.s3.local'
bucket_name = 'mybucket1'
access_key = ''  # credentials of test-1, the bucket owner
secret_key = ''

s3client = boto3.client(
    's3',
    region_name='cn-test-1',
    use_ssl=False,
    endpoint_url=endpoint,
    aws_access_key_id=access_key,
    aws_secret_access_key=secret_key,
    config=Config(signature_version='s3v4', s3={'addressing_style': 'path'}),
)

p = {
  'Version': '2012-10-17',
  'Statement': [{
    'Effect': 'Allow',
    # RGW principal for an untenanted user: arn:aws:iam:::user/<uid>
    'Principal': {'AWS': ['arn:aws:iam:::user/test-2']},
    # ListBucket/GetBucketAcl apply to the bucket ARN, the Get*Object actions to the object ARN
    'Action': ['s3:ListBucket', 's3:GetBucketAcl', 's3:GetObject', 's3:GetObjectAcl'],
    'Resource': [
      'arn:aws:s3:::mybucket1',
      'arn:aws:s3:::mybucket1/*'
    ]
  }]
}

bucket_policy = json.dumps(p)
s3client.put_bucket_policy(Bucket=bucket_name, Policy=bucket_policy)  # set the policy

result = s3client.get_bucket_policy(Bucket=bucket_name)
print(result['Policy'])  # read the policy back

  

Use case 2

mybucket1 belongs to user test-1. Allow user test-2 to read and write every object in the bucket, but not to delete objects. Note that the policy only withholds s3:DeleteObject: with s3:PutObject, test-2 can still overwrite an existing object (including with an empty body), which destroys the previous content unless versioning is enabled on the bucket. s3:PutObjectAcl also lets test-2 change an object's ACL, for example to public-read, so leave it out if the grantee must not be able to widen access.

import boto3
from botocore.client import Config
import json

endpoint = 'http://test.s3.local'
bucket_name = 'mybucket1'
access_key = ''  # credentials of test-1, the bucket owner
secret_key = ''

s3client = boto3.client(
    's3',
    region_name='cn-test-1',
    use_ssl=False,
    endpoint_url=endpoint,
    aws_access_key_id=access_key,
    aws_secret_access_key=secret_key,
    config=Config(signature_version='s3v4', s3={'addressing_style': 'path'}),
)

p = {
  'Version': '2012-10-17',
  'Statement': [{
    'Effect': 'Allow',
    'Principal': {'AWS': ['arn:aws:iam:::user/test-2']},
    # read plus PutObject/PutObjectAcl; s3:DeleteObject is deliberately absent
    'Action': ['s3:ListBucket', 's3:GetBucketAcl', 's3:GetObject', 's3:GetObjectAcl',
               's3:PutObject', 's3:PutObjectAcl'],
    'Resource': [
      'arn:aws:s3:::mybucket1',
      'arn:aws:s3:::mybucket1/*'
    ]
  }]
}

bucket_policy = json.dumps(p)
s3client.put_bucket_policy(Bucket=bucket_name, Policy=bucket_policy)  # set the policy

result = s3client.get_bucket_policy(Bucket=bucket_name)
print(result['Policy'])  # read the policy back
 

Use case 3

mybucket1 belongs to user test-1. Allow user test-2 to read, write and delete every object in the bucket. Bucket-level settings still stay with test-1, because the policy grants no bucket management actions such as s3:PutBucketPolicy or s3:PutBucketAcl.

import boto3
from botocore.client import Config
import json

endpoint = 'http://test.s3.local'
bucket_name = 'mybucket1'
access_key = ''  # credentials of test-1, the bucket owner
secret_key = ''

s3client = boto3.client(
    's3',
    region_name='cn-test-1',
    use_ssl=False,
    endpoint_url=endpoint,
    aws_access_key_id=access_key,
    aws_secret_access_key=secret_key,
    config=Config(signature_version='s3v4', s3={'addressing_style': 'path'}),
)

p = {
  'Version': '2012-10-17',
  'Statement': [{
    'Effect': 'Allow',
    'Principal': {'AWS': ['arn:aws:iam:::user/test-2']},
    # full object-level access: read, write and delete
    'Action': ['s3:ListBucket', 's3:GetBucketAcl', 's3:GetObject', 's3:GetObjectAcl',
               's3:PutObject', 's3:PutObjectAcl', 's3:DeleteObject'],
    'Resource': [
      'arn:aws:s3:::mybucket1',
      'arn:aws:s3:::mybucket1/*'
    ]
  }]
}

bucket_policy = json.dumps(p)
s3client.put_bucket_policy(Bucket=bucket_name, Policy=bucket_policy)  # set the policy

result = s3client.get_bucket_policy(Bucket=bucket_name)
print(result['Policy'])  # read the policy back
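The three use cases above differ only in the action list, so the following added example (my code, not from the original post) folds them into one script: it builds the policy for a chosen access level with bucket-level and object-level actions split onto the matching Resource ARN, lints the document for the mistakes a reviewer looks for (wildcard Principal, a Resource that points at a different bucket, a "no delete" grant that still allows overwriting), applies it as test-1, and then probes the bucket with test-2's credentials to confirm which operations RGW actually allows. The bucket name, user names and endpoint come from the post; the function names, the access-level labels, the probe key name and the placeholder credentials are assumptions of this example.

```python
import json

# Bucket-level versus object-level actions.  Keeping each on the matching
# Resource ARN makes a policy easier to review than listing every action
# against both ARNs as the post does.
BUCKET_ACTIONS = {"s3:ListBucket", "s3:GetBucketAcl"}
OBJECT_ACTIONS = {"s3:GetObject", "s3:GetObjectAcl", "s3:PutObject",
                  "s3:PutObjectAcl", "s3:DeleteObject"}

# The three access levels from the post (labels are this example's own).
ACCESS_LEVELS = {
    "read": ["s3:ListBucket", "s3:GetBucketAcl", "s3:GetObject", "s3:GetObjectAcl"],
    "readwrite-nodelete": ["s3:ListBucket", "s3:GetBucketAcl", "s3:GetObject",
                           "s3:GetObjectAcl", "s3:PutObject", "s3:PutObjectAcl"],
    "readwrite": ["s3:ListBucket", "s3:GetBucketAcl", "s3:GetObject", "s3:GetObjectAcl",
                  "s3:PutObject", "s3:PutObjectAcl", "s3:DeleteObject"],
}


def rgw_user_arn(uid, tenant=""):
    """Principal ARN for an RGW user; the tenant field is empty for untenanted users."""
    return f"arn:aws:iam::{tenant}:user/{uid}"


def build_policy(bucket, uids, level):
    """Return a policy document granting `level` on `bucket` to the RGW users in `uids`."""
    actions = ACCESS_LEVELS[level]
    principal = {"AWS": [rgw_user_arn(u) for u in uids]}
    statements = []
    for sid, acts, resource in (
        ("bucket", sorted(a for a in actions if a in BUCKET_ACTIONS), f"arn:aws:s3:::{bucket}"),
        ("object", sorted(a for a in actions if a in OBJECT_ACTIONS), f"arn:aws:s3:::{bucket}/*"),
    ):
        if acts:
            statements.append({"Sid": f"{level}-{sid}", "Effect": "Allow",
                               "Principal": principal, "Action": acts,
                               "Resource": [resource]})
    return {"Version": "2012-10-17", "Statement": statements}


def lint_policy(policy, bucket):
    """Checks to run before put_bucket_policy; returns a list of 'error:'/'warn:' findings."""
    findings = []
    if policy.get("Version") != "2012-10-17":
        findings.append("error: Version must be 2012-10-17")
    for st in policy.get("Statement", []):
        sid = st.get("Sid", "<no Sid>")
        principal = st.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        aws = aws if isinstance(aws, list) else [aws]
        if "*" in aws:
            findings.append(f"error: {sid}: wildcard Principal grants anonymous access")
        for res in st.get("Resource", []):
            if res != f"arn:aws:s3:::{bucket}" and not res.startswith(f"arn:aws:s3:::{bucket}/"):
                findings.append(f"error: {sid}: Resource {res} is not in bucket {bucket}")
        acts = set(st.get("Action", []))
        if st.get("Effect") == "Allow" and "s3:PutObject" in acts and "s3:DeleteObject" not in acts:
            findings.append(f"warn: {sid}: PutObject without DeleteObject still allows "
                            "overwriting objects; enable versioning if data must survive")
    return findings


def apply_policy(client, bucket, policy):
    """Put the policy as the bucket owner and return what RGW stored, for comparison."""
    client.put_bucket_policy(Bucket=bucket, Policy=json.dumps(policy))
    return json.loads(client.get_bucket_policy(Bucket=bucket)["Policy"])


def probe_as_grantee(client, bucket, key="policy-probe.txt"):
    """Try list/put/get/delete with the grantee's client; map each to 'allowed' or the S3 error code."""
    from botocore.exceptions import ClientError
    probes = {
        "list": lambda: client.list_objects_v2(Bucket=bucket, MaxKeys=1),
        "put": lambda: client.put_object(Bucket=bucket, Key=key, Body=b"probe"),
        "get": lambda: client.get_object(Bucket=bucket, Key=key),
        "delete": lambda: client.delete_object(Bucket=bucket, Key=key),
    }
    outcome = {}
    for name, call in probes.items():
        try:
            call()
            outcome[name] = "allowed"
        except ClientError as exc:
            outcome[name] = exc.response["Error"]["Code"]  # e.g. AccessDenied
    return outcome


if __name__ == "__main__":
    import boto3
    from botocore.client import Config

    def make_client(access_key, secret_key):
        return boto3.client("s3", endpoint_url="http://test.s3.local", region_name="cn-test-1",
                            use_ssl=False, aws_access_key_id=access_key,
                            aws_secret_access_key=secret_key,
                            config=Config(signature_version="s3v4",
                                          s3={"addressing_style": "path"}))

    owner = make_client("TEST1_ACCESS_KEY", "TEST1_SECRET_KEY")    # placeholders for test-1
    grantee = make_client("TEST2_ACCESS_KEY", "TEST2_SECRET_KEY")  # placeholders for test-2
    policy = build_policy("mybucket1", ["test-2"], "readwrite-nodelete")
    for finding in lint_policy(policy, "mybucket1"):
        print(finding)
    apply_policy(owner, "mybucket1", policy)
    # With the "no delete" level, RGW should refuse only the delete probe.
    print(probe_as_grantee(grantee, "mybucket1"))
```

The probe is the part worth keeping around: a policy that parses and is accepted by put_bucket_policy is not proof that it does what you meant, and running the grantee's own credentials against the bucket is the only check that exercises RGW's evaluation rather than your reading of the JSON.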

  

  • Reference 1: https://docs.aws.amazon.com/AmazonS3/latest/dev/using-with-s3-actions.html#using-with-s3-actions-related-to-buckets

  • Reference 2: https://docs.ceph.com/docs/master/radosgw/bucketpolicy/

Posted 2019-11-25 10:51 by EdenLong