我有一个 ceph 集群并在其上运行几个 s3 存储桶,'gitlab-s3-api' 用户对所有内容拥有完全权限(用户=;桶=;元数据=;用法=;zone=* ) 但奇怪的是它无法删除其自身存储桶上的任何文件。
{
"user_id": "gitlab-s3-api",
"display_name": "Gitlab s3 bucket",
"email": "",
"suspended": 0,
"max_buckets": 1000,
"subusers": [],
"keys": [
{
"user": "gitlab-s3-api",
"access_key": "xxxx",
"secret_key": "xxxx"
}
],
"swift_keys": [],
"caps": [
{
"type": "buckets",
"perm": "*"
},
{
"type": "metadata",
"perm": "*"
},
{
"type": "usage",
"perm": "*"
},
{
"type": "users",
"perm": "*"
},
{
"type": "zone",
"perm": "*"
}
],
"op_mask": "read, write, delete",
"default_placement": "",
"default_storage_class": "",
"placement_tags": [],
"bucket_quota": {
"enabled": true,
"check_on_raw": false,
"max_size": 32212254720,
"max_size_kb": 31457280,
"max_objects": -1
},
"user_quota": {
"enabled": false,
"check_on_raw": false,
"max_size": -1,
"max_size_kb": 0,
"max_objects": -1
},
"temp_url_keys": [],
"type": "rgw",
"mfa_ids": []
}
我还向用户添加了 DeleteObject 策略,但它不起作用。
s3cmd info s3://gitlab
s3://gitlab/ (bucket):
Location: default
Payer: BucketOwner
Expiration Rule: none
Policy: {
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Principal": {"AWS": ["arn:aws:iam:::user/gitlab-s3-api"]},
"Action": "s3:DeleteObject",
"Resource": [
"arn:aws:s3:::gitlab/*"
]
}]
}
CORS: none
ACL: Gitlab s3 bucket: FULL_CONTROL
这里您可以看到我无法删除该对象。
s3cmd rm s3://gitlab/ansible.cfg
ERROR: Error parsing xml: Malformed error XML returned from remote server.. ErrorXML: <html><body><h1>403 Forbidden</h1>
Request forbidden by administrative rules.
</body></html>
ERROR: S3 error: 403 (Forbidden)
答案1
您是否启用了对象锁定 (WORM) 功能?这将阻止删除操作。