怎么禁止S3用户删除Object
这篇文章主要讲解了“怎么禁止S3用户删除Object”,文中的讲解内容简单清晰,易于学习与理解,下面请大家跟着小编的思路慢慢深入,一起来研究和学习“怎么禁止S3用户删除Object”吧!
成都创新互联公司专业为企业提供大化网站建设、大化做网站、大化网站设计、大化网站制作等企业网站建设、网页设计与制作、大化企业网站模板建站服务,10年大化做网站经验,不只是建网站,更提供有价值的思路和整体网络服务。
需求描述:需要关闭某些S3账号的删除权限,但是默认DELETE操作是由bucket WIRTE权限进行控制的,无法单独拆分DELETE操作。
解决思路:
1. 过滤前端HTTP请求的DELETE操作(需要写点代码)
2. 修改S3内置用户的metadata信息,本文用的就是这个方法。
1. 确认用户metadata信息
root@demo# radosgw-admin metadata get user:s3user { "key": "user:s3user", "ver": { "tag": "_HUtHU_6yBqHTSzDLb9y8tjX", "ver": 2 }, "mtime": 1493110079, "data": { "user_id": "s3user", "display_name": "s3user", "email": "", "suspended": 0, "max_buckets": 1000, "auid": 0, "subusers": [], "keys": [ { "user": "s3user", "access_key": "xxx", "secret_key": "xxx" } ], "swift_keys": [], "caps": [], "op_mask": "read, write,delete", #这里有delete权限 "default_placement": "", "placement_tags": [], "bucket_quota": { "enabled": false, "max_size_kb": -1, "max_objects": -1 }, "user_quota": { "enabled": false, "max_size_kb": -1, "max_objects": -1 }, "temp_url_keys": [] } }
2. 修改用户metadata信息
导出用户metadata
root@demo# radosgw-admin metadata get user:s3user > s3user.json
修改用户metadata
修改生成的s3user.json文件,修改"op_mask",删除“delete”字段
"op_mask": "read, write",
导入用户metadata
root@demo6# radosgw-admin metadata put user:s3user < s3user.json
确认配置是否生效
root@demo# radosgw-admin metadata get user:s3user { "key": "user:s3user", "ver": { "tag": "_HUtHU_6yBqHTSzDLb9y8tjX", "ver": 2 }, "mtime": 1493110079, "data": { "user_id": "s3user", "display_name": "s3user", "email": "", "suspended": 0, "max_buckets": 1000, "auid": 0, "subusers": [], "keys": [ { "user": "s3user", "access_key": "xxx", "secret_key": "xxx" } ], "swift_keys": [], "caps": [], "op_mask": "read, write", #delete权限没了 "default_placement": "", "placement_tags": [], "bucket_quota": { "enabled": false, "max_size_kb": -1, "max_objects": -1 }, "user_quota": { "enabled": false, "max_size_kb": -1, "max_objects": -1 }, "temp_url_keys": [] } }
3. 验证
from boto.s3.connection import S3Connectionimport boto endpoint = 's3.ceph.work'bucket_name = 'test1'access_key = 'xx'secret_key = 'xx'local_file = '/tmp/ct.shutdown'key_name = 'new_file'conn = boto.connect_s3( aws_access_key_id=access_key, aws_secret_access_key=secret_key, host=endpoint, is_secure=False, calling_format=boto.s3.connection.SubdomainCallingFormat(), validate_certs=True, ) bucket = conn.create_bucket(bucket_name) key_ = bucket.new_key(key_name) key_.set_contents_from_filename(local_file)#方法1bucket.delete_keys([key_name])#方法2# key_.delete()#方法3# bucket.delete_key(key_name)
上面3种方式都会提示403错误
Traceback (most recent call last): ..... boto.exception.S3ResponseError: S3ResponseError: 403 ForbiddenAccessDenied
感谢各位的阅读,以上就是“怎么禁止S3用户删除Object”的内容了,经过本文的学习后,相信大家对怎么禁止S3用户删除Object这一问题有了更深刻的体会,具体使用情况还需要大家实践验证。这里是创新互联,小编将为大家推送更多相关知识点的文章,欢迎关注!
本文标题:怎么禁止S3用户删除Object
文章源于:http://myzitong.com/article/jeigsp.html