Score:0

Cannot delete objects on S3 Ceph bucket


I have a Ceph cluster and am running a few S3 buckets on it. The 'gitlab-s3-api' user has full permission on everything ( users=;buckets=;metadata=;usage=;zone=* ) but, very oddly, it cannot delete any file in its own bucket.

{
"user_id": "gitlab-s3-api",
"display_name": "Gitlab s3 bucket",
"email": "",
"suspended": 0,
"max_buckets": 1000,
"subusers": [],
"keys": [
    {
        "user": "gitlab-s3-api",
        "access_key": "xxxx",
        "secret_key": "xxxx"
    }
],
"swift_keys": [],
"caps": [
    {
        "type": "buckets",
        "perm": "*"
    },
    {
        "type": "metadata",
        "perm": "*"
    },
    {
        "type": "usage",
        "perm": "*"
    },
    {
        "type": "users",
        "perm": "*"
    },
    {
        "type": "zone",
        "perm": "*"
    }
],
"op_mask": "read, write, delete",
"default_placement": "",
"default_storage_class": "",
"placement_tags": [],
"bucket_quota": {
    "enabled": true,
    "check_on_raw": false,
    "max_size": 32212254720,
    "max_size_kb": 31457280,
    "max_objects": -1
},
"user_quota": {
    "enabled": false,
    "check_on_raw": false,
    "max_size": -1,
    "max_size_kb": 0,
    "max_objects": -1
},
"temp_url_keys": [],
"type": "rgw",
"mfa_ids": []

}

I also added a DeleteObject policy to the user, but it does not work.

s3cmd info s3://gitlab
s3://gitlab/ (bucket):
   Location:  default
   Payer:     BucketOwner
   Expiration Rule: none
   Policy:    {
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": ["arn:aws:iam:::user/gitlab-s3-api"]},
    "Action": "s3:DeleteObject",
    "Resource": [
      "arn:aws:s3:::gitlab/*"
    ]
  }]
}

   CORS:      none
   ACL:       Gitlab s3 bucket: FULL_CONTROL

Here you can see that I cannot delete the object.

s3cmd rm s3://gitlab/ansible.cfg
ERROR: Error parsing xml: Malformed error XML returned from remote server..  ErrorXML: <html><body><h1>403 Forbidden</h1>
Request forbidden by administrative rules.
</body></html>

ERROR: S3 error: 403 (Forbidden)
Score:1

Is it possible that you have the Object Lock (WORM) feature enabled? That would block delete operations.

AliReza NaSRi
I don't know how I can verify that, but I can delete all the files when I run the following command: "s3cmd rm s3://gitlab/ --recursive --force"
AliReza NaSRi
The problem was in fact with HAProxy, which was blocking the HTTP DELETE method.
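
The 403 body in the question is HTML, not the XML error document an S3-compatible gateway returns, which points at something in front of RGW answering the request. The following is an added example, not part of the original thread, that makes that distinction; the function name and the gateway sample body are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

MAX_BODY = 64 * 1024  # do not parse oversized error bodies

# Body copied from the s3cmd error shown in the question.
PROXY_403 = ("<html><body><h1>403 Forbidden</h1>\n"
             "Request forbidden by administrative rules.\n</body></html>")
# Constructed sample of an S3-style XML error document (not from the thread).
GATEWAY_403 = ('<?xml version="1.0" encoding="UTF-8"?><Error>'
               "<Code>AccessDenied</Code><BucketName>gitlab</BucketName>"
               "<RequestId>tx-constructed</RequestId></Error>")


def classify_error_body(body: str) -> dict:
    """Say whether an error body looks like it came from the S3 gateway or
    from something in front of it (reverse proxy, load balancer, WAF)."""
    text = body.strip()
    root = None
    if len(text) <= MAX_BODY:
        try:
            root = ET.fromstring(text.encode("utf-8"))
        except ET.ParseError:
            pass  # not XML at all, so it cannot be an S3 error document
    # S3-compatible services answer with <Error><Code>...</Code></Error>.
    if root is not None and root.tag == "Error" and root.findtext("Code"):
        return {"origin": "gateway", "code": root.findtext("Code"),
                "check": "bucket policy, ACLs and user caps on the gateway"}
    # Anything else is not an S3 error document: suspect an intermediary.
    detail = " ".join(re.sub(r"<[^>]+>", " ", text).split())[:200]
    return {"origin": "intermediary", "code": None, "detail": detail,
            "check": "method and path rules on the proxy in front of the gateway"}


if __name__ == "__main__":
    for name, sample in (("proxy", PROXY_403), ("gateway", GATEWAY_403)):
        print(name, classify_error_body(sample))
```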