Hi,
I have the following tenant:
apiVersion: rustfs.com/v1alpha1
kind: Tenant
metadata:
name: test
namespace: rustfs
spec:
buckets:
- name: shared-files
credsSecret:
name: rustfs
env:
- name: RUSTFS_IDENTITY_OPENID_ENABLE
value: "true"
- name: RUSTFS_IDENTITY_OPENID_CONFIG_URL
value: https://keycloak.example.com/realms/example/.well-known/openid-configuration
- name: RUSTFS_IDENTITY_OPENID_SCOPES
value: openid,profile,email,groups
- name: RUSTFS_IDENTITY_OPENID_GROUPS_CLAIM
value: groups
- name: RUSTFS_IDENTITY_OPENID_USERNAME_CLAIM
value: preferred_username
- name: RUSTFS_IDENTITY_OPENID_ROLE_POLICY
value: consoleAdmin
- name: RUSTFS_IDENTITY_OPENID_DISPLAY_NAME
value: Keycloak
- name: RUSTFS_IDENTITY_OPENID_REDIRECT_URI
value: https://rustfs.example.com/rustfs/admin/v3/oidc/callback/keycloak
- name: RUSTFS_IDENTITY_OPENID_CLIENT_ID
valueFrom:
secretKeyRef:
key: client-id
name: rustfs-oidc
- name: RUSTFS_IDENTITY_OPENID_CLIENT_SECRET
valueFrom:
secretKeyRef:
key: client-secret
name: rustfs-oidc
image: REDACTED.dkr.ecr.eu-west-1.amazonaws.com/docker.io/rustfs/rustfs
imagePullSecret:
name: aws-ecr-pull-secrets
mountPath: /data
policies:
- document:
configMapKeyRef:
key: policy-administrators.json
name: rustfs-policies
name: administrators
- document:
configMapKeyRef:
key: policy-maintainers.json
name: rustfs-policies
name: maintainers
- document:
configMapKeyRef:
key: policy-developers.json
name: rustfs-policies
name: developers
- document:
configMapKeyRef:
key: policy-shared-readwrite.json
name: rustfs-policies
name: shared-readwrite
pools:
- name: primary
persistence:
volumeClaimTemplate:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 64Gi
storageClassName: nfs-client
volumesPerServer: 1
servers: 1
users:
- name: shared
policies:
- shared-readwrite
status:
provisioning:
users:
- desiredHash: sha256:cc76eeab87ad3727c40d72dfae3025939eeff56f470e6319db9cdde86c4b28b3
lastTransitionTime: "2026-07-10T20:13:58Z"
message: 'failed to apply RustFS policy ''maintainers'': upstream returned 400
Bad Request'
name: maintainers
reason: PolicyApplyFailed
state: Failed
This is my configmap:
apiVersion: v1
data:
policy-administrators.json: '{"Statement":[{"Action":["s3:*"],"Condition":{"ForAnyValue:StringEquals":{"jwt:groups":["administrators"]}},"Effect":"Allow","Resource":"*"}],"Version":"2012-10-17"}'
policy-developers.json: '{"Statement":[{"Action":["s3:GetBucketLocation","s3:ListBucket","s3:GetObject"[],"Condition":{"ForAnyValue:StringEquals":{"jwt:groups":["developers"]}},"Effect":"Allow","Resource":"*"}],"Version":"2012-10-17"}'
policy-maintainers.json: '{"Statement":[{"Action":["s3:*"],"Condition":{"ForAnyValue:StringEquals":{"jwt:groups":["maintainers"[]}},"Effect":"Allow","Resource":"*"},{"Action":["s3:PutBucketPolicy","s3:PutBucketAcl","s3:PutObjectAcl","s3:DeleteObject","s3:DeleteObjectVersion","s3:DeleteBucket"[],"Condition":{"ForAnyValue:StringEquals":{"jwt:groups":["maintainers"]}},"Effect":"Deny","Resource":"*"}],"Version":"2012-10-17"}'
policy-shared-readwrite.json: '{"Statement":[{"Action":["s3:*"],"Effect":"Allow","Resource":["arn:aws:s3:::shared-files","arn:aws:s3:::shared-files/**"]}],"Version":"2012-10-17"}'
kind: ConfigMap
metadata:
labels:
rustfs.tenant: test
name: rustfs-policies
namespace: rustfs
Is the condition supported? Judging from the error it is not. Can I achieve the same result with a different approach supported by rustfs? I would like to avoid manually configuring it from web ui.
Thanks!
Hi,
I have the following tenant:
This is my configmap:
Is the condition supported? Judging from the error it is not. Can I achieve the same result with a different approach supported by rustfs? I would like to avoid manually configuring it from web ui.
Thanks!