Access Policies
Describes access policies and provides example policies. Also describes how Object Store evaluates access requests based on settings in access policies.
About Access Policies
Access policies stipulate which Object Store resources users can access. You can create access policies and apply them to accounts, buckets, and users.
- Bucket Policy
  You can specify a bucket policy when you create a bucket, or you can update the bucket policy later with the mc policy set-json command, for example:
  ```
  /opt/mapr/bin/mc policy set-json bucketpolicy.json alias/bucket
  ```
- User Policy
  When you create or modify a user, you can apply a user policy. A user policy specifies which operations users can perform on buckets. You can create a user policy in a JSON file and attach the file to IAM users/groups or domain users. You can attach multiple policies to users and groups. You cannot grant anonymous permissions in a user policy.
  The following example user policy allows the associated user to perform six different Object Store operations on a bucket and the objects in it (the object actions are granted on the bucket's objects, `awssales/*`, while ListBucket and GetBucketLocation are granted on the bucket ARN itself):
  ```json
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "AllowUserActions",
        "Effect": "Allow",
        "Action": [
          "s3:PutObject",
          "s3:GetObject",
          "s3:ListBucket",
          "s3:DeleteObject",
          "s3:GetBucketLocation"
        ],
        "Resource": [
          "arn:aws:s3:::awssales/*",
          "arn:aws:s3:::awssales"
        ]
      },
      {
        "Sid": "AllowListingBuckets",
        "Effect": "Allow",
        "Action": "s3:ListAllMyBuckets",
        "Resource": "*"
      }
    ]
  }
  ```
- IAM Policy
  Identity and Access Management (IAM) securely controls access to Object Store resources. IAM controls who is authenticated (signed in) and authorized (has permissions) to use resources through policies.
  Create policies using the mc admin policy add command. To attach policies, use either the mc admin policy set command, or attach the policy from the UI.
  The following IAM policy allows users to get, put, and delete objects from bucket bk1, as well as list the contents of bk1. Note that the object actions apply to the objects (`bk1/*`) while s3:ListBucket applies to the bucket ARN itself (`bk1`); a policy that swaps the two grants neither permission:
  ```json
  {
    "Version": "2012-10-17",
    "Id": "PolicyContent1",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
        "Resource": "arn:aws:s3:::bk1/*"
      },
      {
        "Effect": "Allow",
        "Action": ["s3:ListBucket"],
        "Resource": "arn:aws:s3:::bk1"
      }
    ]
  }
  ```
  The following IAM policy allows users to get, put, and delete objects from any bucket in the account where this policy exists:
  ```json
  {
    "Version": "2012-10-17",
    "Id": "PolicyContent1",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
        "Resource": "arn:aws:s3:::*/*"
      },
      {
        "Effect": "Allow",
        "Action": ["s3:ListBucket"],
        "Resource": "arn:aws:s3:::*"
      }
    ]
  }
  ```
  The following IAM policy allows users to create, delete, and list any bucket in the account where this policy exists:
  ```json
  {
    "Version": "2012-10-17",
    "Id": "PolicyContent1",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": ["s3:CreateBucket", "s3:DeleteBucket", "s3:ListAllMyBuckets"],
        "Resource": "arn:aws:s3:::*"
      }
    ]
  }
  ```
How Object Store Evaluates Access Requests
When HPE Ezmeral Object Store receives a request for a bucket or an object operation, it first verifies that the requester is permitted to perform the operation. To do so, Object Store evaluates all the relevant access policies, user policies, and resource-based policies during authorization and uses the result to authorize or deny the request.
Authorization includes:
- Converting all the relevant access policies (at runtime) into a set of policies for evaluation.
- Evaluating the resulting set of policies in the following order:
  - User context – In the user context, the parent account to which the user belongs is the context authority.
    Object Store evaluates a subset of policies owned by the parent account. This subset includes the user policy that the parent attaches to the user. If the parent also owns the resource in the request (bucket/object), Object Store also evaluates the corresponding resource policies at the same time.
    A user must have permission from the parent account to perform the operation.
  - Bucket context – In the bucket context, Object Store evaluates policies owned by the Object Store account that owns the bucket.
    If the request is for a bucket operation, the requester must have permission from the bucket owner. If the request is for an object, Object Store evaluates all the policies owned by the bucket owner to check whether the bucket owner has explicitly denied access to the object. If there is an explicit deny, Object Store does not authorize the request.
  - Object context – If the request is for an object, HPE Ezmeral Object Store evaluates the subset of policies owned by the object owner.
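The rule described above (a request is authorized only if some policy allows it and no policy from the owning account explicitly denies it) can be checked against the page's bk1 policy with a small evaluator. This is an added example written for this page, not Object Store's own authorization code: it models only Effect/Action/Resource matching with S3-style wildcards, ignores conditions and principals, and the `DENY_DELETE` policy is a constructed extra policy added to show that an explicit Deny wins over an Allow.

```python
import fnmatch
import json

# The bk1 IAM policy from this page: object actions on bk1/*, ListBucket on the bucket ARN.
BK1_POLICY = json.loads("""
{ "Version": "2012-10-17", "Id": "PolicyContent1", "Statement": [
  { "Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
    "Resource": "arn:aws:s3:::bk1/*" },
  { "Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": "arn:aws:s3:::bk1" } ] }
""")

# Constructed for this example: an explicit Deny the bucket owner attaches to protect bk1/audit/.
DENY_DELETE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "arn:aws:s3:::bk1/audit/*"}]}


def _as_list(value):
    # Action and Resource may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # S3 policy wildcards ("*" and "?") behave like shell globs for this purpose.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def evaluate(policies, action, resource):
    """Return "Allow" only if a statement allows the request and no statement denies it.

    Walks every statement of every policy in the evaluation context; the first
    matching Deny short-circuits to "Deny", and a request nothing matches is
    implicitly denied, mirroring the evaluation rule described on this page.
    """
    allowed = False
    for policy in policies:
        for stmt in policy.get("Statement", []):
            if not (_matches(stmt["Action"], action) and _matches(stmt["Resource"], resource)):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"          # explicit deny wins regardless of any Allow
            allowed = True
    return "Allow" if allowed else "Deny"   # implicit deny when nothing matched


if __name__ == "__main__":
    context = [BK1_POLICY, DENY_DELETE]
    for act, res in [("s3:GetObject", "arn:aws:s3:::bk1/report.csv"),
                     ("s3:ListBucket", "arn:aws:s3:::bk1"),
                     ("s3:DeleteObject", "arn:aws:s3:::bk1/audit/log.txt"),
                     ("s3:DeleteBucket", "arn:aws:s3:::bk1")]:
        print(f"{act:16} {res:38} -> {evaluate(context, act, res)}")
```

Requesting s3:GetObject on the bare bucket ARN `arn:aws:s3:::bk1` is denied by this evaluator, which is why the object actions and s3:ListBucket must be attached to different resource forms.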