151
edits
Bucket policy: Difference between revisions
Jump to navigation
Jump to search
no edit summary
(Created page with "Bucket policies can be used to make buckets partially or completely public, they can also be used to limit access to public buckets. They can be used as some kind of firewall on your data. Our Object store S3 API is provided by Ceph's Rados Gateway. Its [https://docs.ceph.com/en/latest/radosgw/bucketpolicy/ supported policies] are a subset of the [https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-policies.html AWS bucket policies]. == Making a bucket public...") |
No edit summary |
||
| Line 41: | Line 41: | ||
Get the local IP, this is the floating IP of a VM I have deployed on my project, but it could be any public IP or range. | Get the local IP, this is the floating IP of a VM I have deployed on my project, but it could be any public IP or range. | ||
<syntaxhighlight | <syntaxhighlight> | ||
$curl -4 ifconfig.co | $curl -4 ifconfig.co | ||
198.168.189.175 | 198.168.189.175 | ||
| Line 47: | Line 47: | ||
Check that the bucket is private, it returns AccessDenied in a xml file. | Check that the bucket is private, it returns AccessDenied in a xml file. | ||
<syntaxhighlight | <syntaxhighlight> | ||
$curl https://objets.juno.calculquebec.ca/ad99d6c3087041bcb6c0fe5f2da54df9:truite/ | $curl https://objets.juno.calculquebec.ca/ad99d6c3087041bcb6c0fe5f2da54df9:truite/ | ||
<?xml version="1.0" encoding="UTF-8"?><Error><Code>AccessDenied</Code><Message></Message><BucketName>truite</BucketName><RequestId>tx00000a0656342bf1c6a6f-0069862e7e-122190171-default</RequestId><HostId>122190171-default-default</HostId></Error> | <?xml version="1.0" encoding="UTF-8"?><Error><Code>AccessDenied</Code><Message></Message><BucketName>truite</BucketName><RequestId>tx00000a0656342bf1c6a6f-0069862e7e-122190171-default</RequestId><HostId>122190171-default-default</HostId></Error> | ||
| Line 54: | Line 54: | ||
The xml formal is a pain we all have to deal with from time to time. You can install the [https://github.com/kislyuk/yq/ yq] cli to you environement to make them readable. The cli comes with yq a yaml parser but also with xq, an xml parser. | The xml formal is a pain we all have to deal with from time to time. You can install the [https://github.com/kislyuk/yq/ yq] cli to you environement to make them readable. The cli comes with yq a yaml parser but also with xq, an xml parser. | ||
<syntaxhighlight | <syntaxhighlight> | ||
$pip install yq | $pip install yq | ||
$curl -s https://objets.juno.calculquebec.ca/ad99d6c3087041bcb6c0fe5f2da54df9:truite | xq | $curl -s https://objets.juno.calculquebec.ca/ad99d6c3087041bcb6c0fe5f2da54df9:truite | xq | ||
| Line 70: | Line 70: | ||
Now, lets apply the policy and see if we can list the bucket and get the data | Now, lets apply the policy and see if we can list the bucket and get the data | ||
<syntaxhighlight | <syntaxhighlight> | ||
$aws --profile po-test s3api put-bucket-policy --policy file://policy.json --bucket truite | $aws --profile po-test s3api put-bucket-policy --policy file://policy.json --bucket truite | ||
$curl -s https://objets.juno.calculquebec.ca/ad99d6c3087041bcb6c0fe5f2da54df9:truite | xq .ListBucketResult.Contents.[].Key | $curl -s https://objets.juno.calculquebec.ca/ad99d6c3087041bcb6c0fe5f2da54df9:truite | xq .ListBucketResult.Contents.[].Key | ||
| Line 81: | Line 81: | ||
For good mesure we go on another machine to make sure that the data is not available form there: | For good mesure we go on another machine to make sure that the data is not available form there: | ||
<syntaxhighlight | <syntaxhighlight > | ||
$curl -4 ifconfig.co | $curl -4 ifconfig.co | ||
132.219.138.77 | 132.219.138.77 | ||