- Provide each client user with an S3 key pair for authenticating to the VAST Cluster S3 service. Key pairs can be created, removed, enabled and disabled via the VMS. A user can have up to two key pairs at any time.
- Attach S3 user policies to users to best control their S3 permissions. Policies cover all permissions, including permission to create and delete buckets, which cannot be controlled via ACLs.
- Another way of granting special permissions to individual users is through specific permission settings per user. These can give permission to create buckets, permission to delete buckets and S3 super user permissions to override ACLs in a bucket.
Note
These permission settings are overridden by any conflicting statements in any S3 user policies that are attached to the user or to a group to which the user belongs.
You can grant these permissions through the VAST Web UI or through the VAST CLI:
- In the Users tab of the User Management page, display the user for which you want to generate a key pair:
  - You can query VMS for an existing user. This can be any user whose attributes were already retrieved from external authorization providers through NFS or SMB RPCs, or an existing local user.
  - You can create a new user on the local provider.
- In the Actions column, click the button for the user and then select Edit.
- In the Update User dialog, click Create new key.
  An access key is displayed with its status (enabled by default).
  The secret key is displayed below it with a Copy key button.
- Click Copy key to copy the secret key to your clipboard.
Important
The secret key for this pair will not be shown again, so keep the key carefully so that you can pass it on to the user.
- Attach S3 user policies to control the user's S3 permissions:
  - From the S3 Policies dropdown, select a policy that you want to attach to the user.
    The policy name is entered into the S3 Policies field.
    Note
    If the policy that you select covers permission to create and/or delete buckets, the policy will override the Allow Create Bucket and Allow Delete Bucket permission settings per user.
  - If you want to attach another policy to the user, open the dropdown again and select another policy. The first policy that you already attached appears checked in the dropdown list.
    The second policy is also added to the S3 Policies field.
  - Repeat as needed to attach additional policies to the user. To remove policies, open the dropdown and deselect each policy that you want to remove.
- As an alternative to the previous step, grant the user any of the special S3 permissions:
- Click Update to update the user definition.
  You can now provide the user with the access key and the secret key.
- Display the user on the Users tab of the User Management page (see Querying Users).
- In the Actions column, click the button for the user and select Edit.
  In the Update User dialog, the status of each of the user's key pairs is shown (enabled or disabled).
-
To enable a key pair, click
. To disable a key pair, click
.
- Display the user on the Users tab of the User Management page (see Querying Users).
- In the Actions column, click the button for the user and select Edit.
  In the Update User dialog, the access key of the key pair is listed.
- Click the delete button for the access key.
- Click Yes to confirm the removal.
  The key pair is removed.
To generate an S3 access key pair for a user, use the user generate-key command.
To attach or remove S3 user policies for a user on any provider, use user query.
To grant users, or remove from them, specific permission to create buckets, permission to delete buckets, and permission to override ACLs (S3 superuser permission), use one of the following commands:
- For a user that resides on an external provider, use user query.
- For a user on the local provider, use user modify.
Note
These create bucket, delete bucket and S3 super user permissions are overridden by any conflicting permission statements in attached S3 user policies.
To enable or disable an S3 access key pair, use user modify-key.
To remove a user's S3 access key pair, use user remove-key.
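The override rule from the notes above, worked through for the create-bucket and delete-bucket settings as an added example (not VAST code or output). It assumes attached policies use AWS-style statements with Effect and Action, and that an explicit Deny wins over an Allow; the flag names, action names and sample data are constructed for illustration.

```python
from fnmatch import fnmatchcase

# Assumed mapping of the per-user settings to AWS-style action names.
FLAG_ACTIONS = {
    "allow_create_bucket": "s3:CreateBucket",
    "allow_delete_bucket": "s3:DeleteBucket",
}

def _as_list(value):
    return [value] if isinstance(value, (str, dict)) else list(value)

def policy_verdict(action, policies):
    """Return "Deny", "Allow", or None when no attached statement covers action."""
    verdict = None
    for policy in policies:
        for stmt in _as_list(policy.get("Statement", [])):
            patterns = _as_list(stmt.get("Action", []))
            if any(fnmatchcase(action.lower(), p.lower()) for p in patterns):
                if stmt.get("Effect") == "Deny":
                    return "Deny"  # assumption: explicit deny beats any allow
                if stmt.get("Effect") == "Allow":
                    verdict = "Allow"
    return verdict

def effective_bucket_permissions(user_flags, policies):
    """policies: every policy attached to the user or to one of the user's groups."""
    report = {}
    for flag, action in FLAG_ACTIONS.items():
        setting = bool(user_flags.get(flag, False))
        verdict = policy_verdict(action, policies)
        if verdict is None:  # no policy covers the action: the setting applies
            allowed, decided_by = setting, "user-setting"
        else:                # a policy covers it: the policy overrides the setting
            allowed, decided_by = verdict == "Allow", "policy"
        report[action] = {"allowed": allowed, "decided_by": decided_by,
                          "setting_overridden": allowed != setting}
    return report

# Constructed sample: create-bucket is switched off per user, yet a group policy allows it.
SAMPLE_FLAGS = {"allow_create_bucket": False, "allow_delete_bucket": True}
SAMPLE_POLICIES = [
    {"Statement": [{"Effect": "Allow", "Action": ["s3:CreateBucket", "s3:ListBucket"]}]},
    {"Statement": {"Effect": "Deny", "Action": "s3:Delete*"}},
]

if __name__ == "__main__":
    for action, result in effective_bucket_permissions(SAMPLE_FLAGS, SAMPLE_POLICIES).items():
        print(action, result)
```

An entry with setting_overridden set to True marks a per-user setting that no longer reflects what the user can actually do, which is the case to look for when reviewing who can create or delete buckets.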