Adds special case for pad s3 policy.

60550818 · Pierre Ozoux · 45b94b3f · 60550818
Commit 60550818 authored 3 years ago by Pierre Ozoux
--- a/scripts/makeBucketsReadOnly.sh
+++ b/scripts/makeBucketsReadOnly.sh
@@ -33,7 +33,48 @@ do
  export MC_HOST_ceph=https://${AWS_ACCESS_KEY_ID}:${AWS_SECRET_ACCESS_KEY}@s3.standard.indie.host
  BUCKET=`echo $BUCKET_SECRET | rev | cut -d"-" -f2- | rev` # removes -s3 at the end of the secret name
  echo mc ls ${NS}/${BUCKET}
+  if echo $BUCKET | grep pad; then
+  cat  << EOF > /tmp/readonly.json
+{
+ "Version": "2012-10-17",
+ "Statement": [
+  {
+    "Sid":"Readonly user for offsite backups.",
+    "Effect": "Allow",
+    "Principal": {"AWS": ["arn:aws:iam:::user/read-only"]},
+    "Action": [
+       "s3:ListBucket",
+       "s3:ListAllMyBuckets",
+       "s3:GetObject"
+     ],
+    "Resource": [
+      "arn:aws:s3:::$BUCKET",
+      "arn:aws:s3:::$BUCKET/*"
+    ]
+  }, {
+    "Sid":"PublicRead",
+    "Effect":"Allow",
+    "Principal": "*",
+    "Action":["s3:GetObject","s3:GetObjectVersion"],
+    "Resource":["arn:aws:s3:::$BUCKET/uploads/*"]
+  },{
+   "Sid":"PrivateReadOnlyBackup",
+   "Effect": "Allow",
+   "Principal": {"AWS": ["arn:aws:iam:::user/${NS}"]},
+   "Action": [
+      "s3:ListBucket",
+      "s3:ListAllMyBuckets",
+      "s3:GetObject"
+    ],
+   "Resource": [
+     "arn:aws:s3:::$BUCKET",
+     "arn:aws:s3:::$BUCKET/*"
+   ]
+ }]
+}
+EOF
+  else
 cat  << EOF > /tmp/readonly.json
 {
 "Version": "2012-10-17",
@@ -52,6 +93,7 @@ cat  << EOF > /tmp/readonly.json
 }]
 }
 EOF
+  fi
  mc policy set-json /tmp/readonly.json ceph/$BUCKET || true
 done