Entities and Resources

Describes HPE Ezmeral Data Fabric Object Store entities, including domain, accounts, and resources (buckets, users, and access policies).

An Object Store cluster has a domain, accounts, buckets, users, and access policies associated with it. Installing Object Store in a cluster provides a primary domain and a default account.

The following image shows the hierarchy of entities in an Object Store cluster.

The following sections describe the entities in an Object Store cluster and provide links to additional information.
Primary Domain
  • Management entity for accounts and users.
  • Tracks the number of users in the domain, the amount of disk space used by the domain, number of buckets in each of the accounts, total number of accounts in the domain, and the number of disabled accounts.
  • Currently, Object Store only supports the primary domain. You cannot create additional domains.
Related information:
Accounts
A unique administrative unit that owns buckets, policies, and users. Administrators control access to resources through access policies.
  • Default Account:
    • Exists by default when Object Store is installed.
    • Account for domain users and groups only.
    • You cannot create IAM users and groups in the default account.
    • You can add AD/LDAP users/groups (domain users) to the account.
    • Applications can access buckets in the default account if they are granted permission.
  • Account Creation:
    • Any user with FC permission can create accounts. The account administrator is configured at the time of account creation by indicating the LDAP username to be designated as the account root. Otherwise, defaults to the cluster administrator.
    • Account administrators can create resources in that account. Users in the non-default account are called as IAM users or service account. Applications can use these service accounts credentials to access objects in specific buckets.
      NOTE
      If you do not specify an account administrator, then the mapr user becomes the administrator for that account.
Related information:
Buckets
Buckets are cloud storage resources that store objects. Objects are unstructured data, such as video and audio files, web pages, and photos. Objects include metadata and a globally unique identifier used to quickly locate an object regardless of where the object is stored in Object Store.
To control access to buckets and objects, you apply an access policy on a bucket. The access policy defines who can access the bucket and the objects in it. Enable versioning on a bucket to provides the ability to restore buckets. If you enable the Object Lock feature for a bucket, versioning is automatically enabled. When the Object Lock feature is enabled, write operations that would normally overwrite an existing object result in the creation of a new version of that object in the same bucket. Enable Object Lock from the CLI or Object Store UI.
Related information:
Domain Users/Groups
  • Cluster security principals are authenticated through AD/LDAP. This authentication can be a corporate-wide AD/LDAP. No requirement exists for the co-location of AD/LDAP on Data Fabric servers. The only requirement is that the AD/LDAP service must be accessible from Data Fabric.
  • Add domain users to the domain AD/LDAP.
  • Only domain users can log in to the Object Store UI with their domain username and password​. Other users and applications (IAM users/groups) must have S3 access keys (accessKey and secretKey) to access the cluster from REST calls.
IAM Users/Groups
  • Identity and Access Management (IAM) users are entities that represent users and applications that interact with Object Store.
  • IAM groups are collections of IAM users. User groups let you specify permissions for multiple users, simplifying user management.
    • An IAM group can contain many IAM users.
    • An IAM user can belong to multiple IAM groups.
    • You cannot nest IAM groups. An IAM group can only contain users. IAM groups cannot contain other user groups.
    • No default IAM group that automatically includes all users in the Object Store account exists. You can create one and assign each new user to it.
  • Only account administrators can create IAM users/groups. Domain users and IAM users (local to an account) can create IAM users and groups if permitted to do so.
  • IAM users need access keys (accessKey and a secretKey) to make programmatic calls to Object Store.
Related information: