ECS bucket access from another namespace

In this short post we will check how to get access to an S3 bucket using the access key and secret of an object user that belongs to another namespace.

  • Check if the objectuser1 belongs to the namespace ns1
# curl -ks https://10.0.0.1:4443/object/users/ns1 -b cookiefile |xmllint --format -
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<users>
  <blobuser>
    <namespace>ns1</namespace>
    <userid>objectuser1</userid>
  </blobuser>
</users> 
  • Create bucket1 in another namespace ns2
  • Assign objectuser1 as the owner of the bucket1
# curl -ks -b cookiefile 'https://10.0.0.1:4443/object/bucket?namespace=ns2&name=bucket*' | xmllint --format -
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<object_buckets>
  <Filter>namespace=ns2&amp;name=bucket*</Filter>
  <object_bucket>
    <name>bucket1</name>
    <api_type>S3</api_type>
    <block_size>-1</block_size>
    <owner>objectuser1</owner>
…
  </object_bucket>
</object_buckets>
  • The s3curl ID ecsid is configured for objectuser1
  • We can NOT access bucket1 with objectuser1 because that user belongs to the namespace ns1.
#  ./s3curl.pl --id=ecsid --  -s http://10.0.0.1:9020/bucket1
<Error><Code>NoSuchBucket</Code><Message>The specified bucket does not exist.</Message><Resource>bucket1</Resource><RequestId>0a91c714:15a3baee15c:39dc6:b9</RequestId></Error>
  • Let’s specify a namespace ns2 with x-emc-namespace header.
  • Now we can get access to the bucket and write files there.
#  ./s3curl.pl --id=ecsid --  -H "x-emc-namespace: ns2" -s http://10.0.0.1:9020/bucket1 | xmllint --format -
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Name>bucket1</Name>
  <Prefix/>
  <Marker/>
  <MaxKeys>1000</MaxKeys>
  <IsTruncated>false</IsTruncated>
  <ServerSideEncryptionEnabled>false</ServerSideEncryptionEnabled>
</ListBucketResult>

# ./s3curl.pl --id=ecsid --  -H "x-emc-namespace: ns2" -s -X PUT -T file http://10.0.0.1:9020/bucket1/file

# ./s3curl.pl --id=ecsid --  -H "x-emc-namespace: ns2" -s http://10.0.0.1:9020/bucket1 | xmllint --format -
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Name>bucket1</Name>
  <Prefix/>
  <Marker/>
  <MaxKeys>1000</MaxKeys>
  <IsTruncated>false</IsTruncated>
  <ServerSideEncryptionEnabled>false</ServerSideEncryptionEnabled>
  <Contents>
    <Key>file</Key>
    <LastModified>2017-04-06T13:28:11Z</LastModified>
    <ETag>"d36f8f9425c4a8000ad9c4a97185aca5"</ETag>
    <Size>3</Size>
    <StorageClass>STANDARD</StorageClass>
    <Owner>
      <ID>objectuser1</ID>
      <DisplayName>objectuser1</DisplayName>
    </Owner>
  </Contents>
</ListBucketResult>

Important! This method of accessing buckets in another namespace doesn’t work for many existing applications. Most modern apps just don’t support custom HTTP headers (x-emc-namespace in our case).

So you can access the bucket from the CLI, as I did with s3curl, but can’t do that from S3 browser or CloudPool. Please be careful with that feature.
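
An audit for the configuration described above, as an added example that is not part of the original post: it parses the two management API responses shown earlier and lists buckets whose owner is not an object user of the bucket's own namespace. The sample XML is constructed and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed samples in the shape of the responses shown above:
# GET /object/users/<namespace> and GET /object/bucket?namespace=<namespace>.
USERS_XML = {
    "ns1": "<users><blobuser><namespace>ns1</namespace>"
           "<userid>objectuser1</userid></blobuser></users>",
    "ns2": "<users><blobuser><namespace>ns2</namespace>"
           "<userid>objectuser2</userid></blobuser></users>",
}
BUCKETS_XML = {
    "ns2": "<object_buckets>"
           "<object_bucket><name>bucket1</name><owner>objectuser1</owner></object_bucket>"
           "<object_bucket><name>bucket2</name><owner>objectuser2</owner></object_bucket>"
           "</object_buckets>",
}


def users_by_namespace(users_xml):
    """Map each userid to the set of namespaces it is listed under."""
    owners = {}
    for queried_ns, doc in users_xml.items():
        for user in ET.fromstring(doc).iter("blobuser"):
            uid = (user.findtext("userid") or "").strip()
            # Prefer the <namespace> element; fall back to the queried namespace.
            user_ns = (user.findtext("namespace") or queried_ns).strip()
            if uid:
                owners.setdefault(uid, set()).add(user_ns)
    return owners


def cross_namespace_buckets(users_xml, buckets_xml):
    """List (bucket_ns, bucket, owner, owner_namespaces) where the owner
    is not an object user of the bucket's namespace (or is unknown)."""
    owners = users_by_namespace(users_xml)
    findings = []
    for bucket_ns, doc in buckets_xml.items():
        for bucket in ET.fromstring(doc).iter("object_bucket"):
            name = (bucket.findtext("name") or "").strip()
            owner = (bucket.findtext("owner") or "").strip()
            owner_ns = owners.get(owner, set())
            if bucket_ns not in owner_ns:
                findings.append((bucket_ns, name, owner, sorted(owner_ns)))
    return findings


if __name__ == "__main__":
    for ns, name, owner, owner_ns in cross_namespace_buckets(USERS_XML, BUCKETS_XML):
        print(f"{ns}/{name}: owner {owner} belongs to {owner_ns or 'no known namespace'}")
```

Feed it the saved output of the two curl calls for every namespace; each finding is a bucket reachable with another namespace's credentials through the x-emc-namespace header.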
