diff --git a/konkong/rook-ceph/s3/README.md b/konkong/rook-ceph/s3/README.md
new file mode 100644
index 000000000..448221be4
--- /dev/null
+++ b/konkong/rook-ceph/s3/README.md
@@ -0,0 +1,44 @@
+# This Policies need to be applied in the corresponding buckets for the users to grab permissions
+
+## Create the Users
+
+```bash
+radosgw-admin user create --uid=latiss --display-name="latiss account" --rgw-zone=s3-butler --rgw-zonegroup=s3-butler --rgw-realm=s3-butler --access-key= --secret-key=
+radosgw-admin user create --uid=lsstcam --display-name="lsstcam account" --rgw-zone=s3-butler --rgw-zonegroup=s3-butler --rgw-realm=s3-butler --access-key= --secret-key=
+radosgw-admin user create --uid=butler --display-name="butler account" --rgw-zone=s3-butler --rgw-zonegroup=s3-butler --rgw-realm=s3-butler --access-key= --secret-key=
+radosgw-admin user create --uid=oods-latiss --display-name="oods latiss account" --rgw-zone=s3-butler --rgw-zonegroup=s3-butler --rgw-realm=s3-butler --access-key= --secret-key=
+radosgw-admin user create --uid=oods-lsstcam --display-name="oods lsstcam account" --rgw-zone=s3-butler --rgw-zonegroup=s3-butler --rgw-realm=s3-butler --access-key= --secret-key=
+```
+
+## Create the Buckets and set the Quotas
+
+```bash
+aws s3 --profile s3-bts-latiss mb s3://rubinobs-raw-latiss --endpoint-url https://s3-butler.ls.lsst.org --region s3-butler
+radosgw-admin quota set --bucket=rubinobs-raw-latiss --rgw-zone=s3-butler --rgw-zonegroup=s3-butler --rgw-realm=s3-butler --quota-scope=bucket --max-size=1T
+radosgw-admin quota enable --bucket=rubinobs-raw-latiss --rgw-zone=s3-butler --rgw-zonegroup=s3-butler --rgw-realm=s3-butler
+radosgw-admin bucket stats --bucket=rubinobs-raw-latiss --rgw-realm=s3-butler
+
+aws s3 --profile s3-bts-latiss mb s3://rubinobs-butler-latiss --endpoint-url https://s3-butler.ls.lsst.org --region s3-butler
+radosgw-admin quota set --bucket=rubinobs-butler-latiss --rgw-zone=s3-butler --rgw-zonegroup=s3-butler --rgw-realm=s3-butler --quota-scope=bucket --max-size=1T
+radosgw-admin quota enable --bucket=rubinobs-butler-latiss --rgw-zone=s3-butler --rgw-zonegroup=s3-butler --rgw-realm=s3-butler
+radosgw-admin 
bucket stats --bucket=rubinobs-butler-latiss --rgw-realm=s3-butler
+
+aws s3 --profile s3-bts-lsstcam mb s3://rubinobs-raw-lsstcam --endpoint-url https://s3-butler.ls.lsst.org --region s3-butler
+radosgw-admin quota set --bucket=rubinobs-raw-lsstcam --rgw-zone=s3-butler --rgw-zonegroup=s3-butler --rgw-realm=s3-butler --quota-scope=bucket --max-size=6T
+radosgw-admin quota enable --bucket=rubinobs-raw-lsstcam --rgw-zone=s3-butler --rgw-zonegroup=s3-butler --rgw-realm=s3-butler
+radosgw-admin bucket stats --bucket=rubinobs-raw-lsstcam --rgw-realm=s3-butler
+
+aws s3 --profile s3-bts-lsstcam mb s3://rubinobs-butler-lsstcam --endpoint-url https://s3-butler.ls.lsst.org --region s3-butler
+radosgw-admin quota set --bucket=rubinobs-butler-lsstcam --rgw-zone=s3-butler --rgw-zonegroup=s3-butler --rgw-realm=s3-butler --quota-scope=bucket --max-size=34T
+radosgw-admin quota enable --bucket=rubinobs-butler-lsstcam --rgw-zone=s3-butler --rgw-zonegroup=s3-butler --rgw-realm=s3-butler
+radosgw-admin bucket stats --bucket=rubinobs-butler-lsstcam --rgw-realm=s3-butler
+```
+
+## Apply these policies into the buckets
+
+```bash
+aws s3api --profile s3-bts-latiss put-bucket-policy --bucket rubinobs-raw-latiss --policy file://users-rubinobs-raw-latiss-policy.json --endpoint-url https://s3-butler.ls.lsst.org --region s3-butler
+aws s3api --profile s3-bts-latiss put-bucket-policy --bucket rubinobs-butler-latiss --policy file://users-rubinobs-butler-latiss-policy.json --endpoint-url https://s3-butler.ls.lsst.org --region s3-butler
+aws s3api --profile s3-bts-lsstcam put-bucket-policy --bucket rubinobs-raw-lsstcam --policy file://users-rubinobs-raw-lsstcam-policy.json --endpoint-url https://s3-butler.ls.lsst.org --region s3-butler
+aws s3api --profile s3-bts-lsstcam put-bucket-policy --bucket rubinobs-butler-lsstcam --policy file://users-rubinobs-butler-lsstcam-policy.json --endpoint-url https://s3-butler.ls.lsst.org --region s3-butler
+```
diff --git a/konkong/rook-ceph/s3/users-rubinobs-butler-latiss-policy.json b/konkong/rook-ceph/s3/users-rubinobs-butler-latiss-policy.json
new file mode 100644
index 000000000..80c62abaa
--- /dev/null
+++ b/konkong/rook-ceph/s3/users-rubinobs-butler-latiss-policy.json
@@ -0,0 +1,40 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Principal": {
+ "AWS": "arn:aws:iam:::user/butler"
+ },
+ "Action": [
+ "s3:GetObject",
+ "s3:PutObject",
+ "s3:DeleteObject",
+ "s3:ListBucket",
+ "s3:GetBucketLocation"
+ ],
+ "Resource": [
+ "arn:aws:s3:::rubinobs-butler-latiss",
+ "arn:aws:s3:::rubinobs-butler-latiss/*"
+ ]
+ },
+ {
+ "Effect": "Allow",
+ "Principal": {
+ "AWS": "arn:aws:iam:::user/oods-latiss"
+ },
+ "Action": [
+ "s3:GetObject",
+ "s3:PutObject",
+ "s3:DeleteObject",
+ "s3:ListBucket",
+ "s3:GetBucketLocation"
+ ],
+ "Resource": [
+ "arn:aws:s3:::rubinobs-butler-latiss",
+ "arn:aws:s3:::rubinobs-butler-latiss/*"
+ ]
+ }
+ ]
+}
+
diff --git a/konkong/rook-ceph/s3/users-rubinobs-butler-lsstcam-policy.json b/konkong/rook-ceph/s3/users-rubinobs-butler-lsstcam-policy.json
new file mode 100644
index 000000000..a4fbaf0ee
--- /dev/null
+++ b/konkong/rook-ceph/s3/users-rubinobs-butler-lsstcam-policy.json
@@ -0,0 +1,40 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Principal": {
+ "AWS": "arn:aws:iam:::user/butler"
+ },
+ "Action": [
+ "s3:GetObject",
+ "s3:PutObject",
+ "s3:DeleteObject",
+ "s3:ListBucket",
+ "s3:GetBucketLocation"
+ ],
+ "Resource": [
+ "arn:aws:s3:::rubinobs-butler-lsstcam",
+ "arn:aws:s3:::rubinobs-butler-lsstcam/*"
+ ]
+ },
+ {
+ "Effect": "Allow",
+ "Principal": {
+ "AWS": "arn:aws:iam:::user/oods-lsstcam"
+ },
+ "Action": [
+ "s3:GetObject",
+ "s3:PutObject",
+ "s3:DeleteObject",
+ "s3:ListBucket",
+ "s3:GetBucketLocation"
+ ],
+ "Resource": [
+ "arn:aws:s3:::rubinobs-butler-lsstcam",
+ "arn:aws:s3:::rubinobs-butler-lsstcam/*"
+ ]
+ }
+ ]
+}
+
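Review bot: The second Statement in users-rubinobs-butler-latiss-policy.json is a verbatim copy of the first with only the principal changed (same five actions, same two Resource ARNs), and users-rubinobs-butler-lsstcam-policy.json repeats the same pattern for butler and oods-lsstcam. If the RGW policy parser accepts a principal list, as the AWS policy grammar does, the two blocks collapse into one statement with `"AWS": ["arn:aws:iam:::user/butler", "arn:aws:iam:::user/oods-latiss"]`, so a later edit to the action list cannot leave the two users with different grants. That is worth confirming against the deployed Ceph release before merging, since an unaccepted policy is rejected at put-bucket-policy time.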
diff --git a/konkong/rook-ceph/s3/users-rubinobs-raw-latiss-policy.json b/konkong/rook-ceph/s3/users-rubinobs-raw-latiss-policy.json
new file mode 100644
index 000000000..3ceeaa8fa
--- /dev/null
+++ b/konkong/rook-ceph/s3/users-rubinobs-raw-latiss-policy.json
@@ -0,0 +1,38 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Principal": {
+ "AWS": "arn:aws:iam:::user/butler"
+ },
+ "Action": [
+ "s3:GetObject",
+ "s3:ListBucket",
+ "s3:GetBucketLocation"
+ ],
+ "Resource": [
+ "arn:aws:s3:::rubinobs-raw-latiss",
+ "arn:aws:s3:::rubinobs-raw-latiss/*"
+ ]
+ },
+ {
+ "Effect": "Allow",
+ "Principal": {
+ "AWS": "arn:aws:iam:::user/oods-latiss"
+ },
+ "Action": [
+ "s3:GetObject",
+ "s3:ListBucket",
+ "s3:DeleteObject",
+ "s3:GetBucketLocation",
+ "s3:PutObject"
+ ],
+ "Resource": [
+ "arn:aws:s3:::rubinobs-raw-latiss",
+ "arn:aws:s3:::rubinobs-raw-latiss/*"
+ ]
+ }
+ ]
+}
+
diff --git a/konkong/rook-ceph/s3/users-rubinobs-raw-lsstcam-policy.json b/konkong/rook-ceph/s3/users-rubinobs-raw-lsstcam-policy.json
new file mode 100644
index 000000000..6042675be
--- /dev/null
+++ b/konkong/rook-ceph/s3/users-rubinobs-raw-lsstcam-policy.json
@@ -0,0 +1,38 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Principal": {
+ "AWS": "arn:aws:iam:::user/butler"
+ },
+ "Action": [
+ "s3:GetObject",
+ "s3:ListBucket",
+ "s3:GetBucketLocation"
+ ],
+ "Resource": [
+ "arn:aws:s3:::rubinobs-raw-lsstcam",
+ "arn:aws:s3:::rubinobs-raw-lsstcam/*"
+ ]
+ },
+ {
+ "Effect": "Allow",
+ "Principal": {
+ "AWS": "arn:aws:iam:::user/oods-lsstcam"
+ },
+ "Action": [
+ "s3:GetObject",
+ "s3:PutObject",
+ "s3:DeleteObject",
+ "s3:ListBucket",
+ "s3:GetBucketLocation"
+ ],
+ "Resource": [
+ "arn:aws:s3:::rubinobs-raw-lsstcam",
+ "arn:aws:s3:::rubinobs-raw-lsstcam/*"
+ ]
+ }
+ ]
+}
+
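Review bot: In users-rubinobs-raw-latiss-policy.json the oods-latiss statement grants `s3:DeleteObject` together with `s3:PutObject` on rubinobs-raw-latiss, while the butler principal on the same bucket is limited to GetObject, ListBucket and GetBucketLocation; users-rubinobs-raw-lsstcam-policy.json does the same for oods-lsstcam. If these raw buckets are meant to hold immutable observation data, the ingest account only needs to write, and a misbehaving or compromised ingest process would otherwise be able to remove the originals, so dropping the `"s3:DeleteObject",` line from both oods statements (or enabling bucket versioning if deletes must remain possible) would keep the writer at least privilege. Separately, the oods action list in the latiss file is ordered differently from the lsstcam one (`"s3:ListBucket"`, `"s3:DeleteObject"`, `"s3:GetBucketLocation"`, `"s3:PutObject"`), which is harmless but makes a side-by-side comparison of the two policies noisier than it needs to be.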