(rook-ceph/konkong) add s3 policy for s3-butler and README.md #627

Oct 9, 2024
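--- a/konkong/rook-ceph/s3/README.md
+++ b/konkong/rook-ceph/s3/README.md
@@ -0,0 +1,44 @@
+# This Policies need to be applied in the corresponding buckets for the users to grab permissions
+
+## Create the Users
+
+```bash
+radosgw-admin user create --uid=latiss --display-name="latiss account" --rgw-zone=s3-butler --rgw-zonegroup=s3-butler --rgw-realm=s3-butler --access-key= --secret-key=
+radosgw-admin user create --uid=lsstcam --display-name="lsstcam account" --rgw-zone=s3-butler --rgw-zonegroup=s3-butler --rgw-realm=s3-butler --access-key= --secret-key=
+radosgw-admin user create --uid=butler --display-name="butler account" --rgw-zone=s3-butler --rgw-zonegroup=s3-butler --rgw-realm=s3-butler --access-key= --secret-key=
+radosgw-admin user create --uid=oods-latiss --display-name="oods latiss account" --rgw-zone=s3-butler --rgw-zonegroup=s3-butler --rgw-realm=s3-butler --access-key= --secret-key=
+radosgw-admin user create --uid=oods-lsstcam --display-name="oods lsstcam account" --rgw-zone=s3-butler --rgw-zonegroup=s3-butler --rgw-realm=s3-butler --access-key= --secret-key=
+```
+
+## Create the Buckets and set the Quotas
+
+```bash
+aws s3 --profile s3-bts-latiss mb s3://rubinobs-raw-latiss --endpoint-url https://s3-butler.ls.lsst.org --region s3-butler
+radosgw-admin quota set --bucket=rubinobs-raw-latiss --rgw-zone=s3-butler --rgw-zonegroup=s3-butler --rgw-realm=s3-butler --quota-scope=bucket --max-size=1T
+radosgw-admin quota enable --bucket=rubinobs-raw-latiss --rgw-zone=s3-butler --rgw-zonegroup=s3-butler --rgw-realm=s3-butler
+radosgw-admin bucket stats --bucket=rubinobs-raw-latiss --rgw-realm=s3-butler
+
+aws s3 --profile s3-bts-latiss mb s3://rubinobs-butler-latiss --endpoint-url https://s3-butler.ls.lsst.org --region s3-butler
+radosgw-admin quota set --bucket=rubinobs-butler-latiss --rgw-zone=s3-butler --rgw-zonegroup=s3-butler --rgw-realm=s3-butler --quota-scope=bucket --max-size=1T
+radosgw-admin quota enable --bucket=rubinobs-butler-latiss --rgw-zone=s3-butler --rgw-zonegroup=s3-butler --rgw-realm=s3-butler
+radosgw-admin bucket stats --bucket=rubinobs-butler-latiss --rgw-realm=s3-butler
+
+aws s3 --profile s3-bts-lsstcam mb s3://rubinobs-raw-lsstcam --endpoint-url https://s3-butler.ls.lsst.org --region s3-butler
+radosgw-admin quota set --bucket=rubinobs-raw-lsstcam --rgw-zone=s3-butler --rgw-zonegroup=s3-butler --rgw-realm=s3-butler --quota-scope=bucket --max-size=6T
+radosgw-admin quota enable --bucket=rubinobs-raw-lsstcam --rgw-zone=s3-butler --rgw-zonegroup=s3-butler --rgw-realm=s3-butler
+radosgw-admin bucket stats --bucket=rubinobs-raw-lsstcam --rgw-realm=s3-butler
+
+aws s3 --profile s3-bts-lsstcam mb s3://rubinobs-butler-lsstcam --endpoint-url https://s3-butler.ls.lsst.org --region s3-butler
+radosgw-admin quota set --bucket=rubinobs-butler-lsstcam --rgw-zone=s3-butler --rgw-zonegroup=s3-butler --rgw-realm=s3-butler --quota-scope=bucket --max-size=34T
+radosgw-admin quota enable --bucket=rubinobs-butler-lsstcam --rgw-zone=s3-butler --rgw-zonegroup=s3-butler --rgw-realm=s3-butler
+radosgw-admin bucket stats --bucket=rubinobs-butler-lsstcam --rgw-realm=s3-butler
+```
+
+## Apply these policies into the buckets
+
+```bash
+aws s3api --profile s3-bts-latiss put-bucket-policy --bucket rubinobs-raw-latiss --policy file://users-rubinobs-raw-latiss-policy.json --endpoint-url https://s3-butler.ls.lsst.org --region s3-butler
+aws s3api --profile s3-bts-latiss put-bucket-policy --bucket rubinobs-butler-latiss --policy file://users-rubinobs-butler-latiss-policy.json --endpoint-url https://s3-butler.ls.lsst.org --region s3-butler
+aws s3api --profile s3-bts-lsstcam put-bucket-policy --bucket rubinobs-raw-lsstcam --policy file://users-rubinobs-raw-lsstcam-policy.json --endpoint-url https://s3-butler.ls.lsst.org --region s3-butler
+aws s3api --profile s3-bts-lsstcam put-bucket-policy --bucket rubinobs-butler-lsstcam --policy file://users-rubinobs-butler-lsstcam-policy.json --endpoint-url https://s3-butler.ls.lsst.org --region s3-butler
+```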
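--- a/konkong/rook-ceph/s3/users-rubinobs-butler-latiss-policy.json
+++ b/konkong/rook-ceph/s3/users-rubinobs-butler-latiss-policy.json
@@ -0,0 +1,40 @@
+{
+"Version": "2012-10-17",
+"Statement": [
+{
+"Effect": "Allow",
+"Principal": {
+"AWS": "arn:aws:iam:::user/butler"
+},
+"Action": [
+"s3:GetObject",
+"s3:PutObject",
+"s3:DeleteObject",
+"s3:ListBucket",
+"s3:GetBucketLocation"
+],
+"Resource": [
+"arn:aws:s3:::rubinobs-butler-latiss",
+"arn:aws:s3:::rubinobs-butler-latiss/*"
+]
+},
+{
+"Effect": "Allow",
+"Principal": {
+"AWS": "arn:aws:iam:::user/oods-latiss"
+},
+"Action": [
+"s3:GetObject",
+"s3:PutObject",
+"s3:DeleteObject",
+"s3:ListBucket",
+"s3:GetBucketLocation"
+],
+"Resource": [
+"arn:aws:s3:::rubinobs-butler-latiss",
+"arn:aws:s3:::rubinobs-butler-latiss/*"
+]
+}
+]
+}
+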
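Review bot: The two statements in this policy are identical apart from the principal, so the butler and oods-latiss grants could be collapsed into one statement with `"AWS": ["arn:aws:iam:::user/butler", "arn:aws:iam:::user/oods-latiss"]`, which keeps the two users' permissions from drifting apart on later edits. The same duplicated shape appears in users-rubinobs-butler-lsstcam-policy.json. Both principals receive s3:DeleteObject with no Condition element, so any holder of either user's keys can remove every object in the bucket; if the butler datastore is not expected to be rewritten in place, enabling bucket versioning would make such deletions recoverable. A short header comment is not possible in strict JSON, so the README is the place to record which service each principal belongs to.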
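--- a/konkong/rook-ceph/s3/users-rubinobs-butler-lsstcam-policy.json
+++ b/konkong/rook-ceph/s3/users-rubinobs-butler-lsstcam-policy.json
@@ -0,0 +1,40 @@
+{
+"Version": "2012-10-17",
+"Statement": [
+{
+"Effect": "Allow",
+"Principal": {
+"AWS": "arn:aws:iam:::user/butler"
+},
+"Action": [
+"s3:GetObject",
+"s3:PutObject",
+"s3:DeleteObject",
+"s3:ListBucket",
+"s3:GetBucketLocation"
+],
+"Resource": [
+"arn:aws:s3:::rubinobs-butler-lsstcam",
+"arn:aws:s3:::rubinobs-butler-lsstcam/*"
+]
+},
+{
+"Effect": "Allow",
+"Principal": {
+"AWS": "arn:aws:iam:::user/oods-lsstcam"
+},
+"Action": [
+"s3:GetObject",
+"s3:PutObject",
+"s3:DeleteObject",
+"s3:ListBucket",
+"s3:GetBucketLocation"
+],
+"Resource": [
+"arn:aws:s3:::rubinobs-butler-lsstcam",
+"arn:aws:s3:::rubinobs-butler-lsstcam/*"
+]
+}
+]
+}
+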
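--- a/konkong/rook-ceph/s3/users-rubinobs-raw-latiss-policy.json
+++ b/konkong/rook-ceph/s3/users-rubinobs-raw-latiss-policy.json
@@ -0,0 +1,38 @@
+{
+"Version": "2012-10-17",
+"Statement": [
+{
+"Effect": "Allow",
+"Principal": {
+"AWS": "arn:aws:iam:::user/butler"
+},
+"Action": [
+"s3:GetObject",
+"s3:ListBucket",
+"s3:GetBucketLocation"
+],
+"Resource": [
+"arn:aws:s3:::rubinobs-raw-latiss",
+"arn:aws:s3:::rubinobs-raw-latiss/*"
+]
+},
+{
+"Effect": "Allow",
+"Principal": {
+"AWS": "arn:aws:iam:::user/oods-latiss"
+},
+"Action": [
+"s3:GetObject",
+"s3:ListBucket",
+"s3:DeleteObject",
+"s3:GetBucketLocation",
+"s3:PutObject"
+],
+"Resource": [
+"arn:aws:s3:::rubinobs-raw-latiss",
+"arn:aws:s3:::rubinobs-raw-latiss/*"
+]
+}
+]
+}
+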
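Review bot: The oods-latiss principal is granted s3:DeleteObject alongside s3:PutObject on the raw bucket while butler is deliberately read-only, so the integrity of the raw archive rests entirely on the oods-latiss credentials. If the OODS service only needs to ingest files, dropping `"s3:DeleteObject"` from its Action list follows least privilege; if deletes are genuinely required, enabling bucket versioning limits what a leaked key can destroy irreversibly. The same grant appears in users-rubinobs-raw-lsstcam-policy.json. As a style point, the oods-latiss Action list here is ordered differently from the otherwise identical list in the lsstcam policy; using the same order (`"s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket", "s3:GetBucketLocation"`) makes a diff between the two files show real differences only.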
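--- a/konkong/rook-ceph/s3/users-rubinobs-raw-lsstcam-policy.json
+++ b/konkong/rook-ceph/s3/users-rubinobs-raw-lsstcam-policy.json
@@ -0,0 +1,38 @@
+{
+"Version": "2012-10-17",
+"Statement": [
+{
+"Effect": "Allow",
+"Principal": {
+"AWS": "arn:aws:iam:::user/butler"
+},
+"Action": [
+"s3:GetObject",
+"s3:ListBucket",
+"s3:GetBucketLocation"
+],
+"Resource": [
+"arn:aws:s3:::rubinobs-raw-lsstcam",
+"arn:aws:s3:::rubinobs-raw-lsstcam/*"
+]
+},
+{
+"Effect": "Allow",
+"Principal": {
+"AWS": "arn:aws:iam:::user/oods-lsstcam"
+},
+"Action": [
+"s3:GetObject",
+"s3:PutObject",
+"s3:DeleteObject",
+"s3:ListBucket",
+"s3:GetBucketLocation"
+],
+"Resource": [
+"arn:aws:s3:::rubinobs-raw-lsstcam",
+"arn:aws:s3:::rubinobs-raw-lsstcam/*"
+]
+}
+]
+}
+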