Entities and Resources
Describes HPE Ezmeral Data Fabric Object Store entities, including domain, accounts, and resources (buckets, users, and access policies).
An Object Store cluster has a domain, accounts, buckets, users, and access policies associated with it. Installing Object Store in a cluster provides a primary domain and a default account.
The following image shows the hierarchy of entities in an Object Store cluster.
The following sections describe the entities in an Object Store cluster and provide links to additional information.
- Primary Domain
  - Management entity for accounts and users.
  - Tracks the number of users in the domain, the amount of disk space used by the domain, the number of buckets in each account, the total number of accounts in the domain, and the number of disabled accounts.
  - Currently, Object Store supports only the primary domain; you cannot create additional domains.
- Accounts
  - An account is a unique administrative unit that owns buckets, policies, and users. Administrators control access to resources through access policies.
  - Default Account:
    - Exists by default when Object Store is installed.
    - Account for domain users and groups only.
    - You cannot create IAM users and groups in the default account.
    - You can add AD/LDAP users/groups (domain users) to the account.
    - Applications can access buckets in the default account if they are granted permission.
  - Account Creation:
    - Any user with FC permission can create accounts. The account administrator is configured at the time of account creation by indicating the LDAP username to be designated as the account root. Otherwise, the account administrator defaults to the cluster administrator.
    - Note: If you do not specify an account administrator, the mapr user becomes the administrator for that account.
    - Account administrators can create resources in that account. Users in a non-default account are called IAM users (or service accounts). Applications can use these service account credentials to access objects in specific buckets.
- Buckets
  - Buckets are cloud storage resources that store objects. Objects are unstructured data, such as video and audio files, web pages, and photos. Objects include metadata and a globally unique identifier used to quickly locate an object regardless of where the object is stored in Object Store.
- Domain Users/Groups
  - Cluster security principals are authenticated through AD/LDAP. This can be a corporate-wide AD/LDAP; there is no requirement that AD/LDAP be co-located on Data Fabric servers. The only requirement is that the AD/LDAP service be reachable from Data Fabric.
  - Add domain users to the domain AD/LDAP.
  - Only domain users can log in to the Object Store UI with their domain username and password. Other users and applications (IAM users/groups) must use S3 access keys (accessKey and secretKey) to access the cluster through REST calls.
- IAM Users/Groups
  - Identity and Access Management (IAM) users are entities that represent users and applications that interact with Object Store.
  - IAM groups are collections of IAM users. User groups let you specify permissions for multiple users at once, simplifying user management.
  - An IAM group can contain many IAM users.
  - An IAM user can belong to multiple IAM groups.
  - You cannot nest IAM groups. An IAM group can only contain users; it cannot contain other groups.
  - There is no default IAM group that automatically includes all users in an Object Store account. You can create one and add each new user to it.
  - By default, only account administrators can create IAM users and groups. Domain users and IAM users local to an account can also create them if they have been granted permission to do so.
  - IAM users need access keys (an accessKey and a secretKey) to make programmatic calls to Object Store.
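The access keys mentioned above (for IAM users making programmatic calls, and for any non-domain principal using REST) are not sent as a password. The client uses the secretKey to compute an AWS Signature Version 4 (SigV4) signature over the request, and the server recomputes it from its own copy of the secret. The following is an added example written for this page; it is not code from the HPE Ezmeral Data Fabric Object Store product or documentation. The endpoint `objectstore.example.com:9000`, the bucket and object names, the region string `us-east-1` and the key pair in the usage section are constructed placeholders; the signing scheme itself is the standard S3 SigV4 algorithm that S3 client libraries implement.

```python
"""Sign an S3 GET request with SigV4 using an Object Store accessKey/secretKey
pair, then verify it the way the server side does.  Added example, not code
from the HPE Ezmeral Data Fabric Object Store product or documentation; the
endpoint, bucket, object key, region and key pair below are placeholders."""
import hashlib
import hmac
from datetime import datetime
from urllib.parse import quote

EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()  # payload hash of a body-less GET
MAX_SKEW_SECONDS = 15 * 60  # S3 servers reject requests timestamped outside +/-15 min
AMZ_FMT = "%Y%m%dT%H%M%SZ"


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret_key: str, date: str, region: str, service: str = "s3") -> bytes:
    """Derive the scoped signing key. The raw secretKey never signs a request
    directly and never crosses the wire; only this derived key is used."""
    k_date = _hmac(("AWS4" + secret_key).encode("utf-8"), date)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")


def canonical_request(method: str, path: str, headers: dict, signed: list, payload_hash: str) -> str:
    """Canonical form of the request: exactly what the signature covers."""
    canonical_headers = "".join(f"{h}:{headers[h].strip()}\n" for h in signed)
    # The empty element is the (empty) canonical query string of this plain GET.
    return "\n".join([method, quote(path, safe="/~"), "", canonical_headers,
                      ";".join(signed), payload_hash])


def compute_signature(secret_key: str, method: str, path: str, headers: dict,
                      signed: list, amz_date: str, region: str) -> str:
    date = amz_date[:8]
    scope = f"{date}/{region}/s3/aws4_request"
    creq = canonical_request(method, path, headers, signed, headers["x-amz-content-sha256"])
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(creq.encode("utf-8")).hexdigest()])
    return hmac.new(signing_key(secret_key, date, region),
                    string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()


def sign_get_object(access_key: str, secret_key: str, host: str, bucket: str, key: str,
                    amz_date: str, region: str = "us-east-1") -> dict:
    """Client side: build a path-style GET /bucket/key carrying an Authorization header."""
    headers = {"host": host, "x-amz-content-sha256": EMPTY_SHA256, "x-amz-date": amz_date}
    signed = sorted(headers)  # host;x-amz-content-sha256;x-amz-date
    path = f"/{bucket}/{key}"
    sig = compute_signature(secret_key, "GET", path, headers, signed, amz_date, region)
    headers["authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={access_key}/{amz_date[:8]}/{region}/s3/aws4_request, "
        f"SignedHeaders={';'.join(signed)}, Signature={sig}")
    return {"method": "GET", "path": path, "headers": headers}


def verify_request(req: dict, key_store: dict, now_amz: str) -> bool:
    """Server side: look up the secret for the presented accessKey, recompute the
    signature over the request as received, and compare in constant time.
    key_store maps accessKey -> secretKey; now_amz is the server clock in
    x-amz-date format. The skew window bounds replay of a captured request."""
    headers = req["headers"]
    try:
        scheme, rest = headers["authorization"].split(" ", 1)
        parts = dict(p.strip().split("=", 1) for p in rest.split(","))
        access_key, date, region, service, terminator = parts["Credential"].split("/")
        signed = parts["SignedHeaders"].split(";")
        presented = parts["Signature"]
    except (KeyError, ValueError):
        return False
    if (scheme != "AWS4-HMAC-SHA256" or service != "s3" or terminator != "aws4_request"
            or "host" not in signed or "x-amz-date" not in signed
            or any(h not in headers for h in signed + ["x-amz-content-sha256"])):
        return False  # malformed, or host/date left unsigned (replayable elsewhere or later)
    amz_date = headers["x-amz-date"]
    if not amz_date.startswith(date):
        return False
    try:
        skew = datetime.strptime(now_amz, AMZ_FMT) - datetime.strptime(amz_date, AMZ_FMT)
    except ValueError:
        return False
    if abs(skew.total_seconds()) > MAX_SKEW_SECONDS:
        return False
    secret = key_store.get(access_key)
    if secret is None:
        return False  # unknown accessKey: fail closed
    expected = compute_signature(secret, req["method"], req["path"], headers, signed, amz_date, region)
    return hmac.compare_digest(expected, presented)


if __name__ == "__main__":
    # Constructed credentials and endpoint, for illustration only.
    keys = {"AKIAEXAMPLEKEY": "EXAMPLESECRETKEY"}
    req = sign_get_object("AKIAEXAMPLEKEY", keys["AKIAEXAMPLEKEY"],
                          "objectstore.example.com:9000", "app-logs",
                          "2024/01/01/app.log", "20240101T120000Z")
    print(req["headers"]["authorization"])
    print("valid:", verify_request(req, keys, "20240101T120500Z"))
    print("replayed an hour later:", verify_request(req, keys, "20240101T130500Z"))
```

Two points of the design matter operationally. The secretKey is only ever an HMAC input, so an attacker who captures traffic sees the accessKey and a signature but not the secret; what they capture is still replayable within the clock-skew window against the same host and path, which is why `host` and `x-amz-date` must be among the signed headers. On the server side the comparison uses `hmac.compare_digest`, and an unknown accessKey fails in the same way as a bad signature, so the response does not reveal which half of the credential was wrong.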