Two users can't seem to see each other's buckets on Ceph Reef.
First, I create the users on a ceph admin vm:
radosgw-admin user create --tenant=homelab --uid=user1 --display-name="First User" --email="user1@user1.com"
radosgw-admin user create --tenant=homelab --uid=user2 --display-name="Second User" --email="user2@user2.com"
Then, from my machine using minio's mc client (at RELEASE.2024-02-09T22-18-24Z, rgw ingress at 192.168.56.50:4443), I set each user's alias:
mc --insecure alias set ceph-test-user1 https://192.168.56.50:4443 <user1 access key> <user1 secret key>
mc --insecure alias set ceph-test-user2 https://192.168.56.50:4443 <user2 access key> <user2 secret key>
Then, I created a bucket for each user:
mc --insecure mb ceph-test-user1/user1-test
mc --insecure mb ceph-test-user2/user2-test
Each user could see their own bucket, no problem:
mc --insecure ls ceph-test-user1
mc --insecure ls ceph-test-user2
Then, I set up a policy to allow user2 to see user1's bucket like so:
mc --insecure anonymous set-json policy.json ceph-test-user1/user1-test
And I get a success message, but no matter how much I tweak the policy, user2 can't seem to see user1's bucket listed:
mc --insecure ls ceph-test-user2
My last iteration of the policy file looks like this (I tried putting every read permission I could find in the doc):
{
"Version": "2012-10-17",
"Id": "S3Policy1",
"Statement": [
{
"Sid": "BucketAllow",
"Effect": "Allow",
"Principal": {
"AWS": ["arn:aws:iam::homelab:user/user2"]
},
"Action": [
"s3:ListBucket",
"s3:ListBucketVersions",
"s3:ListAllMyBuckets",
"s3:ListBucketMultipartUploads",
"s3:ListMultipartUploadParts",
"s3:GetBucketAcl",
"s3:GetBucketCORS",
"s3:GetBucketLocation",
"s3:GetBucketLogging",
"s3:GetBucketNotification",
"s3:GetBucketPolicy",
"s3:GetBucketRequestPayment",
"s3:GetBucketTagging",
"s3:GetBucketVersioning",
"s3:GetBucketWebsite",
"s3:GetLifecycleConfiguration",
"s3:GetObjectAcl",
"s3:GetObject",
"s3:GetObjectTorrent",
"s3:GetObjectVersionAcl",
"s3:GetObjectVersion",
"s3:GetObjectVersionTorrent",
"s3:GetReplicationConfiguration"
],
"Resource": [
"arn:aws:s3:::user1-test",
"arn:aws:s3:::user1-test/*"
]
}
]
}
I also tried just putting the bucket in the policy without arn:aws:s3:::user1-test/* (and the reverse) and that didn't work.
Does anybody have any insight?
EDIT: Ok, actually, it almost works.
user2 can view user1's objects inside the shared bucket like so when the path to the bucket is explicitly passed:
mc --insecure ls ceph-test-user2/user1-test
However, user2 must know that the bucket already exists, as it doesn't seem to be discoverable by doing a root listing. Not sure if I'm missing something in the permissions for that or if it simply isn't supported.
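Added example, not code from the original post: a small Python 3 (standard library only) script that builds a least-privilege version of the bucket policy above for `mc anonymous set-json`, and flags the one action in the posted policy that a bucket policy cannot grant. The names used (tenant `homelab`, users `user1`/`user2`, bucket `user1-test`, the `ceph-test-*` aliases) are taken from the post; the `prefix` option and the `s3:prefix` condition it emits are my additions and assume RGW honours that condition key.

```python
"""Build a least-privilege RGW bucket policy that lets another user in the
same tenant list and read one bucket, and sanity-check it before applying
with `mc anonymous set-json`.

Added example for this thread, not code from the original post. Assumes
the tenant/user/bucket names used in the post and Python 3 stdlib only.
"""
import json
from pathlib import Path

# s3:ListAllMyBuckets (the ListBuckets call behind `mc ls <alias>`) is
# evaluated against the account, not a bucket, and the service returns
# only buckets the caller owns. A bucket policy therefore cannot make a
# foreign bucket show up in a root listing; the action is accepted on
# upload and then has no effect, which matches what the post observed.
ACCOUNT_LEVEL_ACTIONS = {"s3:ListAllMyBuckets"}


def build_share_policy(tenant, owner_bucket, grantee_uid,
                       prefix=None, allow_write=False):
    """Return a policy dict granting `grantee_uid` read (optionally write)
    access to `owner_bucket`. Principal uses the Ceph tenant ARN form
    arn:aws:iam::<tenant>:user/<uid>, as in the post."""
    bucket_arn = f"arn:aws:s3:::{owner_bucket}"
    object_arn = f"{bucket_arn}/{prefix}*" if prefix else f"{bucket_arn}/*"
    principal = {"AWS": [f"arn:aws:iam::{tenant}:user/{grantee_uid}"]}

    list_stmt = {
        "Sid": "ListSharedBucket",
        "Effect": "Allow",
        "Principal": principal,
        "Action": ["s3:ListBucket"],     # needed for `mc ls alias/bucket`
        "Resource": [bucket_arn],        # bucket-level action: bucket ARN only
    }
    if prefix:
        # Hypothetical refinement: limit listing to one prefix. Assumes RGW
        # honours the s3:prefix condition key.
        list_stmt["Condition"] = {"StringLike": {"s3:prefix": [f"{prefix}*"]}}

    object_actions = ["s3:GetObject"]
    if allow_write:
        object_actions += ["s3:PutObject", "s3:DeleteObject"]
    object_stmt = {
        "Sid": "AccessSharedObjects",
        "Effect": "Allow",
        "Principal": principal,
        "Action": object_actions,
        "Resource": [object_arn],        # object-level actions: bucket/* ARN
    }
    return {"Version": "2012-10-17", "Statement": [list_stmt, object_stmt]}


def ineffective_actions(policy):
    """Return account-level actions found in a bucket policy. They do not
    cause an error on upload, so flagging them avoids the false expectation
    that they make the bucket discoverable."""
    found = set()
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        found.update(a for a in actions if a in ACCOUNT_LEVEL_ACTIONS)
    return sorted(found)


def write_policy(policy, path="policy.json"):
    """Serialise the policy for `mc anonymous set-json <path> <alias>/<bucket>`."""
    Path(path).write_text(json.dumps(policy, indent=2) + "\n")
    return path


if __name__ == "__main__":
    policy = build_share_policy("homelab", "user1-test", "user2")
    out = write_policy(policy)
    print(f"wrote {out}; ineffective actions: {ineffective_actions(policy) or 'none'}")
    print(f"apply:  mc --insecure anonymous set-json {out} ceph-test-user1/user1-test")
    print("verify: mc --insecure ls ceph-test-user2/user1-test   (works)")
    print("        mc --insecure ls ceph-test-user2              (still only user2's buckets)")
```

Compared with the posted policy, this grants only `s3:ListBucket` on the bucket ARN and `s3:GetObject` on `bucket/*`, which is all `mc ls ceph-test-user2/user1-test` and object reads need; the bucket-metadata reads (`GetBucketAcl`, `GetBucketPolicy`, and so on) in the original leak configuration to user2 for no benefit. user2 still has to address the bucket by name, as the EDIT describes.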