尝试删除 Ceph 存储桶中的多个文件时,通过 s3cmd cli 出现以下错误:
s3cmd rm --recursive --force s3://search-backup/
ERROR: S3 error: 403 (AccessDenied)
按预期删除单个文件,如下所示:
s3cmd rm s3://search-backup/tests-12-4O9i-QSKbAnNQARHCnA/data-gXYONdsDQ1-87v5vOqsL2g.dat
delete: 's3://search-backup/tests-12-4O9i-QSKbAnNQARHCnA/data-gXYONdsDQ1-87v5vOqsL2g.dat'
该存储桶具有以下策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam:::user/search_backup"
]
},
"Action": [
"s3:AbortMultipartUpload",
"s3:GetObject",
"s3:GetObjectAcl",
"s3:GetObjectVersion",
"s3:GetObjectVersionTagging",
"s3:GetObjectRetention",
"s3:GetObjectLegalHold",
"s3:GetObjectTagging",
"s3:PutObject",
"s3:PutObjectRetention",
"s3:PutObjectAcl",
"s3:PutObjectLegalHold",
"s3:DeleteObject",
"s3:DeleteObjectVersion",
"s3:DeleteObjectTagging",
"s3:PutObjectTagging",
"s3:RestoreObject",
"s3:PutBucketObjectLockConfiguration",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::search-backup/*"
]
},
{
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam:::user/search_backup"
]
},
"Action": [
"s3:GetBucketAcl",
"s3:GetBucketCORS",
"s3:GetBucketLocation",
"s3:GetBucketNotification",
"s3:PutBucketNotification",
"s3:GetBucketObjectLockConfiguration",
"s3:GetBucketPolicy",
"s3:GetBucketVersioning",
"s3:ListBucketVersions",
"s3:ListBucket",
"s3:ListBucketMultipartUploads",
"s3:GetLifecycleConfiguration",
"s3:GetReplicationConfiguration",
"s3:ListAllMyBuckets",
"s3:GetBucketTagging",
"s3:PutBucketTagging",
"s3:PutBucketCORS",
"s3:ListAllMyBuckets"
],
"Resource": [
"arn:aws:s3:::search-backup"
]
}
]
}
使用
del
代替 rm
会产生相同的行为。
是否有遗漏的权限或设置?
您的对象级语句中缺少 s3:GetObjectAttributes 这一权限（HeadObject 之类读取对象元数据的请求会检查它），即
需要注意的是：s3cmd 的 rm --recursive / del 先执行 ListBucket，再通过批量删除请求（multi-object delete，POST ?delete）删除对象，与单个对象的 DELETE 走的是不同的请求路径。如果补上该权限后仍返回 403，请确认你所用的 Ceph RGW 版本是否把该批量请求的 s3:DeleteObject 检查应用在存储桶 ARN（arn:aws:s3:::search-backup）上；若是，则需要在存储桶级语句中同样授予 s3:DeleteObject（版本化存储桶还需 s3:DeleteObjectVersion）。另外，较旧的 RGW 可能不识别 s3:GetObjectAttributes 这一操作名并拒绝整条策略，应用后请检查 PutBucketPolicy 是否成功。
{
"Effect": "Allow",
"Action": [
"s3:GetObjectAttributes",
...
],
"Resource": ["arn:aws:s3:::search-backup/*"],
...
},
尝试以下策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam:::user/search_backup"
]
},
"Action": [
"s3:AbortMultipartUpload",
"s3:GetObject",
"s3:GetObjectAcl",
"s3:GetObjectVersion",
"s3:GetObjectVersionTagging",
"s3:GetObjectRetention",
"s3:GetObjectLegalHold",
"s3:GetObjectTagging",
"s3:GetObjectAttributes",
"s3:PutObject",
"s3:PutObjectRetention",
"s3:PutObjectAcl",
"s3:PutObjectLegalHold",
"s3:PutObjectTagging",
"s3:DeleteObject",
"s3:DeleteObjectVersion",
"s3:DeleteObjectTagging",
"s3:RestoreObject"
],
"Resource": [
"arn:aws:s3:::search-backup/*"
]
},
{
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam:::user/search_backup"
]
},
"Action": [
"s3:GetBucketAcl",
"s3:GetBucketCORS",
"s3:GetBucketLocation",
"s3:GetBucketNotification",
"s3:GetBucketObjectLockConfiguration",
"s3:GetBucketPolicy",
"s3:GetBucketVersioning",
"s3:GetLifecycleConfiguration",
"s3:GetReplicationConfiguration",
"s3:GetBucketTagging",
"s3:PutBucketNotification",
"s3:PutBucketTagging",
"s3:PutBucketCORS",
"s3:ListBucketVersions",
"s3:ListBucket",
"s3:ListBucketMultipartUploads"
],
"Resource": [
"arn:aws:s3:::search-backup"
]
}
]
}
附注：我还清理了一些无效或重复的条目，例如重复出现的 s3:ListAllMyBuckets（它通常只在 Resource 为 "*" 的语句中才有意义，放在单个存储桶 ARN 上不起作用），以及把 s3:ListBucket / s3:PutBucketObjectLockConfiguration 这类存储桶级操作授予对象资源（search-backup/*）。
从最小权限的角度还建议复查：如果 search_backup 只是用于写入备份的凭据，s3:DeleteObjectVersion、s3:PutObjectRetention、s3:PutObjectLegalHold 以及 s3:PutBucketNotification / s3:PutBucketCORS / s3:PutBucketTagging 很可能都不是必需的——一旦该凭据泄露，这些权限允许攻击者删除历史版本或削弱 Object Lock 保留保护，恰好抵消了对备份数据的防护。