您好,登錄后才能下訂單哦!
這篇文章主要講解了“怎么禁止S3用戶刪除Object”,文中的講解內容簡單清晰,易于學習與理解,下面請大家跟著小編的思路慢慢深入,一起來研究和學習“怎么禁止S3用戶刪除Object”吧!
需求描述:需要關閉某些S3賬號的刪除權限,但是默認DELETE操作是由bucket WIRTE權限進行控制的,無法單獨拆分DELETE操作。
解決思路:
1. 過濾前端HTTP請求的DELETE操作(需要寫點代碼)
2. 修改S3內置用戶的metadata信息,本文用的就是這個方法。
root@demo# radosgw-admin metadata get user:s3user { "key": "user:s3user", "ver": { "tag": "_HUtHU_6yBqHTSzDLb9y8tjX", "ver": 2 }, "mtime": 1493110079, "data": { "user_id": "s3user", "display_name": "s3user", "email": "", "suspended": 0, "max_buckets": 1000, "auid": 0, "subusers": [], "keys": [ { "user": "s3user", "access_key": "xxx", "secret_key": "xxx" } ], "swift_keys": [], "caps": [], "op_mask": "read, write,delete", #這里有delete權限 "default_placement": "", "placement_tags": [], "bucket_quota": { "enabled": false, "max_size_kb": -1, "max_objects": -1 }, "user_quota": { "enabled": false, "max_size_kb": -1, "max_objects": -1 }, "temp_url_keys": [] } }
root@demo# radosgw-admin metadata get user:s3user > s3user.json
修改生成的s3user.json文件,修改"op_mask",刪除“delete”字段
"op_mask": "read, write",
root@demo6# radosgw-admin metadata put user:s3user < s3user.json
root@demo# radosgw-admin metadata get user:s3user { "key": "user:s3user", "ver": { "tag": "_HUtHU_6yBqHTSzDLb9y8tjX", "ver": 2 }, "mtime": 1493110079, "data": { "user_id": "s3user", "display_name": "s3user", "email": "", "suspended": 0, "max_buckets": 1000, "auid": 0, "subusers": [], "keys": [ { "user": "s3user", "access_key": "xxx", "secret_key": "xxx" } ], "swift_keys": [], "caps": [], "op_mask": "read, write", #delete權限沒了 "default_placement": "", "placement_tags": [], "bucket_quota": { "enabled": false, "max_size_kb": -1, "max_objects": -1 }, "user_quota": { "enabled": false, "max_size_kb": -1, "max_objects": -1 }, "temp_url_keys": [] } }
from boto.s3.connection import S3Connectionimport boto endpoint = 's3.ceph.work'bucket_name = 'test1'access_key = 'xx'secret_key = 'xx'local_file = '/tmp/ct.shutdown'key_name = 'new_file'conn = boto.connect_s3( aws_access_key_id=access_key, aws_secret_access_key=secret_key, host=endpoint, is_secure=False, calling_format=boto.s3.connection.SubdomainCallingFormat(), validate_certs=True, ) bucket = conn.create_bucket(bucket_name) key_ = bucket.new_key(key_name) key_.set_contents_from_filename(local_file)#方法1bucket.delete_keys([key_name])#方法2# key_.delete()#方法3# bucket.delete_key(key_name)
上面3種方式都會提示403錯誤
Traceback (most recent call last): ..... boto.exception.S3ResponseError: S3ResponseError: 403 Forbidden <?xml version="1.0" encoding="UTF-8"?><Error><Code>AccessDenied</Code></Error>
感謝各位的閱讀,以上就是“怎么禁止S3用戶刪除Object”的內容了,經過本文的學習后,相信大家對怎么禁止S3用戶刪除Object這一問題有了更深刻的體會,具體使用情況還需要大家實踐驗證。這里是億速云,小編將為大家推送更多相關知識點的文章,歡迎關注!
免責聲明:本站發布的內容(圖片、視頻和文字)以原創、轉載和分享為主,文章觀點不代表本網站立場,如果涉及侵權請聯系站長郵箱:is@yisu.com進行舉報,并提供相關證據,一經查實,將立刻刪除涉嫌侵權內容。