Articles in this section

Managing User S3 Permissions

Sara Levy
  • Updated
Follow

To enable S3 access:

  • Provide each client user with an S3 key pair for authenticating to the VAST Cluster S3 service. Key pairs can be created, removed, enabled and disabled via the VMS. A user can have up to two key pairs at any time.

  • Attach S3 user policies to users to best control their S3 permissions. This includes all permissions, including permission to create and delete buckets which cannot be controlled via ACLs.

  • Another way of granting special permissions to individual users is through specific permission settings per user. These can give permission to create buckets, permission to delete buckets and S3 super user permissions to override ACLs in a bucket.

    Note

    These permission settings are overridden by any conflicting statements in any S3 user policies that are attached to the user or to a group to which the user belongs.

You can grant these permissions through the VAST Web UI or through the VAST CLI:

Managing S3 User Access from the VAST Web UI

Granting Access and Permissions

  1. In the Users tab of the User Management page, display the user for which you want to generate a key pair:

    • You can query VMS for an existing user. This can be either any user whose attributes were already retrieved from external authorization providers through NFS or SMB RPCs. It can also be an existing local user.

    • You can create a new user on the local provider.

  2. In the Actions column, click the ActionsButtonGUI2.png button for the user and then select Edit.

  3. In the Update User dialog, click Create new key.

    An access key is displayed with its status (enabled by default).

    The secret key is displayed below it with a Copy key button: 

  4. Click Copy key to copy the secret key to your clipboard.

    Important

    The secret key for this pair will not be shown again, so keep the key carefully to pass it onto the user.

  5. Attach S3 user policies to control the user's S3 permissions:

    1. From the S3 Policies dropdown, select a policy that you want to attach to the user.

      The policy name is entered into the S3 Policies field.

      Note

      If the policy that you select covers permission to create and/or delete buckets, the policy will override the Allow Create Bucket and Allow Delete Bucket permission settings per user.

    2. If you want to attach another policy to the user, open the dropdown again and select another policy. The first policy that you already attached appears checked in the dropdown list.

      The second policy is also added to the S3 Policies field.

    3. Repeat as needed to attach additional policies to the user. To remove policies, open the dropdown and deselect each policy that you want to remove.

  6. Alternatively to the previous step, grant the user any of the special S3 permissions:

    • Allow create bucket. Allows the user to create S3 buckets.

    • Allow delete bucket. Allows the user to delete S3 buckets.

    • S3 Superuser. Allows the user full read and write access to data and metadata, overriding ACLs.

  7. Click Update to update the user definition.

    You can now provide the user with the access key and the secret key. 

Enabling and Disabling a Key Pair

  1. Display the user on the Users tab of the User Management page (see Querying Users).

  2. In the Actions column, click the ActionsButtonGUI2.png button for the user and select Edit.

    In the Update User dialog, the status of each of the user's key pairs is shown (enabled or disabled).

  3. To enable a key pair, click enable_key_button.png. To disable a key pair, click disable_button.png.

Removing a Key Pair

  1. Display the user on the Users tab of the User Management page (see Querying Users).

  2. In the Actions column, click the ActionsButtonGUI2.png button for the user and select Edit.

    In the Update User dialog, the access key of the key pair is listed.

  3. Click the delete button (delete_button.png) for the access key.

  4. Click Yes to confirm the removal.

    The key pair is removed.

Managing S3 Access from the VAST CLI

Generating an S3 Access Key Pair

To generate an S3 access key pair for a user, use the user generate-key command.

Granting S3 Permissions

To attach or remove S3 user policies for a user on any provider, use user query.

To grant or remove from users specific permission to create buckets, permission to delete buckets, and permission to override ACLs (S3 superuser permission) use one of the following commands:

  • For a user that resides on an external provider, use user query.

  • For a user on the local provider, use user modify.

Note

These create bucket, delete bucket and S3 super user permissions are overridden by any conflicting permission statements in attached S3 user policies.

Enabling and Disabling a Key Pair

To enable or disable an S3 access key pair, use user modify-key.

Removing a Key Pair

To remove a user's S3 access key pair, use user remove-key.

Related articles

Comments

0 comments

Article is closed for comments.