.. versionadded:: Luminous

The Ceph Object Gateway supports a subset of the Amazon S3 policy
language applied to buckets.
Bucket policies are managed through standard S3 operations rather than

For example, one may use s3cmd to set or delete a policy thus::

  $ cat > examplepol
  {
    "Version": "2012-10-17",
    "Statement": [{
      "Effect": "Allow",
      "Principal": {"AWS": ["arn:aws:iam::usfolks:user/fred"]},
      "Action": "s3:PutObjectAcl",
      "Resource": [
        "arn:aws:s3:::happybucket/*"
      ]
    }]
  }

  $ s3cmd setpolicy examplepol s3://happybucket
  $ s3cmd delpolicy s3://happybucket
Currently, we support only the following actions:

- s3:AbortMultipartUpload
- s3:DeleteBucketPolicy
- s3:DeleteBucketWebsite
- s3:DeleteObjectVersion
- s3:DeleteReplicationConfiguration
- s3:GetAccelerateConfiguration
- s3:GetBucketLocation
- s3:GetBucketNotification
- s3:GetBucketRequestPayment
- s3:GetBucketVersioning
- s3:GetLifecycleConfiguration
- s3:GetObjectVersionAcl
- s3:GetObjectVersionTorrent
- s3:GetReplicationConfiguration
- s3:ListBucketMultiPartUploads
- s3:ListBucketVersions
- s3:ListMultipartUploadParts
- s3:PutAccelerateConfiguration
- s3:PutBucketNotification
- s3:PutBucketRequestPayment
- s3:PutBucketVersioning
- s3:PutLifecycleConfiguration
- s3:PutObjectVersionAcl
- s3:PutReplicationConfiguration
We do not yet support setting policies on users, groups, or roles.

We use the RGW ‘tenant’ identifier in place of the Amazon twelve-digit
account ID. In the future we may allow you to assign an account ID to
a tenant, but for now if you want to use policies between AWS S3 and
RGW S3 you will have to use the Amazon account ID as the tenant ID when
Under AWS, all tenants share a single namespace. RGW gives every
tenant its own namespace of buckets. There may be an option to enable
an AWS-like 'flat' bucket namespace in future versions. At present, to
access a bucket belonging to another tenant, address it as
"tenant:bucket" in the S3 request.
In AWS, a bucket policy can grant access to another account, and that
account owner can then grant access to individual users with user
permissions. Since we do not yet support user, role, and group
permissions, account owners will currently need to grant access
directly to individual users, and granting an entire account access to
a bucket grants access to all users in that account.

Bucket policies do not yet support string interpolation.
Currently, the only condition keys we support are:

- aws:SecureTransport

More may be supported soon as we integrate with the recently rewritten
Authentication/Authorization subsystem.
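The restrictions above (the supported action subset, the tenant name in place of an account ID, no string interpolation, and aws:SecureTransport as the only condition key) are easy to violate silently in a hand-written policy document. The following is an added example, not code from the Ceph project: it lints a policy document against those restrictions before it is handed to ``s3cmd setpolicy``, and builds a policy that lets a tenant user set object ACLs only over TLS, using the one supported condition key. The action set is taken from this page's list plus ``s3:PutObjectAcl`` from the page's own example, and is assumed to be incomplete; the tenant, user and bucket names are constructed placeholders.

```python
"""Lint an RGW bucket policy against this page's documented limits, and build
a TLS-only policy using the aws:SecureTransport condition key.

Added example, not Ceph project code. The supported-action set below is the
subset this page lists (plus s3:PutObjectAcl from the page's example) and is
assumed to be partial; extend it from the current Ceph documentation.
"""
import json

SUPPORTED_ACTIONS = {
    "s3:AbortMultipartUpload", "s3:DeleteBucketPolicy", "s3:DeleteBucketWebsite",
    "s3:DeleteObjectVersion", "s3:DeleteReplicationConfiguration",
    "s3:GetAccelerateConfiguration", "s3:GetBucketLocation",
    "s3:GetBucketNotification", "s3:GetBucketRequestPayment",
    "s3:GetBucketVersioning", "s3:GetLifecycleConfiguration",
    "s3:GetObjectVersionAcl", "s3:GetObjectVersionTorrent",
    "s3:GetReplicationConfiguration", "s3:ListBucketMultiPartUploads",
    "s3:ListBucketVersions", "s3:ListMultipartUploadParts",
    "s3:PutAccelerateConfiguration", "s3:PutBucketNotification",
    "s3:PutBucketRequestPayment", "s3:PutBucketVersioning",
    "s3:PutLifecycleConfiguration", "s3:PutObjectAcl",
    "s3:PutObjectVersionAcl", "s3:PutReplicationConfiguration",
}
# The only condition key the page documents as supported.
SUPPORTED_CONDITION_KEYS = {"aws:SecureTransport"}


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def lint_policy(policy):
    """Return a list of human-readable problems; an empty list means the policy passes."""
    problems = []
    if policy.get("Version") != "2012-10-17":
        problems.append("Version must be 2012-10-17")
    for i, stmt in enumerate(policy.get("Statement", [])):
        for action in _as_list(stmt.get("Action", [])):
            if not action.startswith("s3:"):
                problems.append(f"statement {i}: action {action!r} lacks the 's3:' prefix")
            elif action not in SUPPORTED_ACTIONS:
                problems.append(f"statement {i}: action {action!r} is not in RGW's supported subset")
        principal = stmt.get("Principal", {})
        if principal != "*":
            for arn in _as_list(principal.get("AWS", [])):
                parts = arn.split(":")
                # Expected shape on RGW: arn:aws:iam::<tenant>:user/<name>
                if len(parts) != 6 or parts[2] != "iam" or not parts[5].startswith("user/"):
                    problems.append(f"statement {i}: principal {arn!r} is not an IAM user ARN")
                elif len(parts[4]) == 12 and parts[4].isdigit():
                    problems.append(f"statement {i}: principal {arn!r} uses a twelve-digit "
                                    "AWS account ID; RGW expects the tenant name there")
        for keys in stmt.get("Condition", {}).values():
            for key in keys:
                if key not in SUPPORTED_CONDITION_KEYS:
                    problems.append(f"statement {i}: condition key {key!r} is not supported")
        for resource in _as_list(stmt.get("Resource", [])):
            if "${" in resource:
                problems.append(f"statement {i}: resource {resource!r} uses string "
                                "interpolation, which is not supported")
    return problems


def tls_only_acl_policy(tenant, user, bucket):
    """Allow <tenant>'s <user> to set object ACLs on <bucket>, and explicitly
    deny the same action when the request did not arrive over TLS."""
    principal = {"AWS": [f"arn:aws:iam::{tenant}:user/{user}"]}
    resource = [f"arn:aws:s3:::{bucket}/*"]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Principal": principal,
             "Action": "s3:PutObjectAcl", "Resource": resource},
            {"Effect": "Deny", "Principal": principal,
             "Action": "s3:PutObjectAcl", "Resource": resource,
             "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        ],
    }


if __name__ == "__main__":
    # Constructed names; on a real gateway substitute your tenant, user and bucket.
    policy = tls_only_acl_policy("usfolks", "fred", "happybucket")
    problems = lint_policy(policy)
    if problems:
        raise SystemExit("\n".join(problems))
    # Output is suitable for saving as examplepol and applying with
    # `s3cmd setpolicy examplepol s3://happybucket`.
    print(json.dumps(policy, indent=2))
```

Run the linter over any policy before applying it; a missing ``s3:`` prefix (as in ``s3PutObjectAcl``) or a twelve-digit account ID copied from an AWS policy is reported instead of being accepted by the gateway and then matching nothing at request time.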
There is no way to set bucket policies under Swift, but bucket
policies that have been set govern Swift as well as S3 operations.

Swift credentials are matched against Principals specified in a policy
in a way specific to whatever backend is being used.