To grant client users S3 access:
- Provide each client user with an S3 key pair for authenticating to the VAST Cluster S3 service. Key pairs can be created, removed, enabled and disabled via the VMS. A user can have up to two key pairs at any time. Alternatively, you can enable AD/LDAP users to create and manage their own S3 access key pairs.
- Attach identity policies to users for the most precise control over their S3 permissions. Identity policies cover all permissions, including permission to create and delete buckets, which cannot be controlled via ACLs.
- Another way of granting special permissions to individual users is through per-user permission settings. These can grant permission to create buckets, permission to delete buckets, and S3 superuser permission to override ACLs in a bucket.
Note
These permission settings are overridden by any conflicting statements in any S3 user policies that are attached to the user or to a group to which the user belongs.
To grant these permissions through the VAST Web UI, see Managing S3 User Access from the VAST Web UI.
To grant these permissions through the VAST CLI, see Managing S3 Access from the VAST CLI.
1. In the Users tab of the User Management page, display the user for which you want to generate a key pair:
   - You can query VMS for an existing user. This can be any user whose attributes were already retrieved from external authorization providers through NFS or SMB RPCs, or an existing local user.
   - You can create a new user on the local provider.
2. In the Actions column, click the button for the user and then select Edit.
3. In the Update User dialog, click Create new key.
   An access key is displayed with its status (enabled by default). The secret key is displayed below it with a Copy key button.
4. Click Copy key to copy the secret key to your clipboard.
   Important
   The secret key for this pair will not be shown again, so store it carefully so that you can pass it on to the user.
5. Attach identity policies to control the user's S3 permissions:
   - From the S3 Policies dropdown, select an identity policy that you want to attach to the user. The policy name is entered into the S3 Policies field.
     Note
     If the policy that you select covers permission to create and/or delete buckets, the policy overrides the Allow Create Bucket and Allow Delete Bucket per-user permission settings.
   - If you want to attach another policy to the user, open the dropdown again and select another policy. The first policy that you already attached appears checked in the dropdown list. The second policy is also added to the S3 Policies field.
   - Repeat as needed to attach additional policies to the user. To remove policies, open the dropdown and deselect each policy that you want to remove.
6. Alternatively to the previous step, grant the user any of the special S3 permissions.
7. Click Update to update the user definition.
   You can now provide the user with the access key and the secret key.
Note
Access key pairs that are replicated to the cluster from an async replication peer are disabled by default.
1. Display the user on the Users tab of the User Management page (see Querying Users).
2. In the Actions column, click the button for the user and select Edit.
   In the Update User dialog, the status of each of the user's key pairs is shown (enabled or disabled).
3. To enable a key pair, click the enable button. To disable a key pair, click the disable button.
1. Display the user on the Users tab of the User Management page (see Querying Users).
2. In the Actions column, click the button for the user and select Edit.
   In the Update User dialog, the access key of the key pair is listed.
3. Click the delete button for the access key.
4. Click Yes to confirm the removal.
   The key pair is removed.
To generate an S3 access key pair for a user, use the user generate-key command.
To attach or remove S3 user policies for a user on any provider, use user query.
To grant or remove a user's specific permission to create buckets, permission to delete buckets, and permission to override ACLs (S3 superuser permission), use one of the following commands:
- For a user that resides on an external provider, use user query.
- For a user on the local provider, use user modify.
Note
The create bucket, delete bucket and S3 superuser permissions are overridden by any conflicting permission statements in attached S3 user policies.
The VMS REST API provides an endpoint that creates and deletes S3 access key pairs for the requesting user. This endpoint is accessible to users on an AD/LDAP server that is connected to the cluster. Users can also retrieve the access key of a given access key pair and the status of the key pair.
- Ensure that the relevant users belong to an AD or other LDAP-based directory server that is connected to the VAST Cluster. This enables valid login to the S3 keys API endpoint for client users on the AD/LDAP server.
  A user may now authenticate to the VMS REST API using their AD/LDAP credentials and send POST, GET and DELETE requests to the <vms_vip>/api/s3keys/ endpoint to create and delete their own S3 access key pair(s) and view the enabled/disabled status of such a key pair.
- You can optionally provide the same users with broader VMS access by mapping AD/LDAP group(s) to VMS RBAC roles (see VMS manager role).
To create an access key pair, send a POST request to the https://<VMS_VIP>/api/s3keys/ endpoint. In this example, the user sends their AD or LDAP username and password for basic authentication:
Note
This feature supports AD users on the joined domain only.
vastdata@v112lg1:/home/vastdata $ curl -u "vms_ad_user:vastdata" -X POST https://10.71.200.112/api/s3keys/ -k
A new pair is created. The access key and secret key are returned in the response:
{"access_key":"4XACULB2SLCZ80ZQPVMX","secret_key":"KgZYAI4E66+CWhYiUM5dvyICBjXzfwg/HWoxL9Et"}
Note
The operation requires basic authentication. You can either authenticate each request as done in the examples, or you can use secure authentication by JSON Web Tokens (JWTs) over HTTPS. For information about how to authenticate with JWTs, see Authenticating to the VMS REST API in the VMS REST API documentation, which is available on your cluster's management network at https://<VMS_VIP>/docs/index.html.
Sending a GET request to the https://<VMS_VIP>/api/s3keys endpoint returns details of previously created key pairs:
vastdata@v112lg1:/home/vastdata $ curl -u "vms_ad_user:vastdata" -X GET https://10.71.200.112/api/s3keys/ -k
The response includes the access key, and the status of the key (whether enabled or not):
{"4XACULB2SLCZ80ZQPVMX":{"enabled":true,"identifier":"sid"}}
Note
It also includes an identifier, which indicates whether the key was associated with the user's SID or UID, if both are present on the AD/LDAP server. This can be relevant in case of later administrative changes where a UID can be associated with a different user, in which case the S3 access remains linked to the original identifier.
To delete an S3 access key pair, send a DELETE request to the same endpoint, providing the access key only as the access_key property in the body parameter. For example:
vastdata@v112lg1:/home/vastdata $ curl -u "vms_ad_user:vastdata" -X DELETE https://10.71.200.112/api/s3keys/ -d '{"access_key":"4XACULB2SLCZ80ZQPVMX"}' -k -H "accept: application/json" -H "Content-Type: application/json"
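The three curl calls above, wrapped in a small client as an added example (this is not VAST's own code or SDK). It assumes only what the page states: basic authentication, the /api/s3keys/ path, the response shapes shown, and the two-key-pair limit per user. The transport is injectable so the example runs offline against a constructed in-memory stand-in; the real transport uses urllib with a CA bundle instead of disabling certificate verification, which is what the -k flag in the curl examples does. The VMS address, usernames and key values in the code are placeholders.

```python
import base64
import json
import ssl
import urllib.request
from typing import Callable, Dict, Optional

S3KEYS_PATH = "/api/s3keys/"  # endpoint path as given on the page

# A transport takes (method, url, headers, body) and returns the response body.
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], bytes]


def urllib_transport(cafile: Optional[str] = None) -> Transport:
    """Real HTTPS transport. Supply the cluster's CA bundle rather than
    skipping verification (the curl examples use -k, which skips it)."""
    ctx = ssl.create_default_context(cafile=cafile)

    def send(method, url, headers, body):
        req = urllib.request.Request(url, data=body, method=method, headers=headers)
        with urllib.request.urlopen(req, context=ctx) as resp:
            return resp.read()

    return send


class S3KeysClient:
    """Per-user client for the /api/s3keys/ endpoint (hypothetical helper)."""

    def __init__(self, vms_vip: str, username: str, password: str, transport: Transport):
        self.base = f"https://{vms_vip}{S3KEYS_PATH}"
        token = base64.b64encode(f"{username}:{password}".encode()).decode()
        # Basic authentication, as in the page's curl -u examples; JWT is the alternative.
        self.headers = {
            "Authorization": f"Basic {token}",
            "Accept": "application/json",
            "Content-Type": "application/json",
        }
        self.transport = transport

    def create_key(self) -> Dict[str, str]:
        """POST: returns {"access_key": ..., "secret_key": ...}. The secret is
        returned only here and never again, so the caller must store it now."""
        raw = self.transport("POST", self.base, self.headers, None)
        pair = json.loads(raw)
        if not set(pair) >= {"access_key", "secret_key"}:
            raise ValueError(f"unexpected response: {raw!r}")
        return pair

    def list_keys(self) -> Dict[str, Dict]:
        """GET: returns {access_key: {"enabled": bool, "identifier": "sid"|"uid"}}."""
        return json.loads(self.transport("GET", self.base, self.headers, None))

    def delete_key(self, access_key: str) -> None:
        """DELETE: body carries only the access_key property."""
        body = json.dumps({"access_key": access_key}).encode()
        self.transport("DELETE", self.base, self.headers, body)

    def enabled_keys(self):
        """Access keys currently usable for S3 (enabled flag set)."""
        return sorted(k for k, v in self.list_keys().items() if v.get("enabled"))


class FakeS3KeysService:
    """Constructed in-memory stand-in so the example runs offline. It mirrors
    the response shapes on the page and the two-key-pair limit per user."""

    def __init__(self):
        self.keys = {}
        self.n = 0

    def __call__(self, method, url, headers, body):
        assert headers["Authorization"].startswith("Basic ")
        if method == "POST":
            if len(self.keys) >= 2:
                raise RuntimeError("a user can have at most two key pairs")
            self.n += 1
            ak = f"CONSTRUCTEDACCESSKEY{self.n:02d}"  # constructed sample value
            self.keys[ak] = {"enabled": True, "identifier": "sid"}
            return json.dumps({"access_key": ak, "secret_key": f"constructed-secret-{self.n}"}).encode()
        if method == "GET":
            return json.dumps(self.keys).encode()
        if method == "DELETE":
            self.keys.pop(json.loads(body)["access_key"])
            return b""
        raise ValueError(method)


def rotate_demo(client: S3KeysClient):
    """Create a key, confirm it is listed as enabled, delete it, return the
    deleted access key and the listing afterwards."""
    pair = client.create_key()
    assert client.list_keys()[pair["access_key"]]["enabled"] is True
    client.delete_key(pair["access_key"])
    return pair["access_key"], client.list_keys()


if __name__ == "__main__":
    # Swap FakeS3KeysService() for urllib_transport("/path/to/ca.pem") against a real VMS.
    client = S3KeysClient("vms.example.invalid", "ad_user", "password", FakeS3KeysService())
    print(rotate_demo(client))
```

Because the secret key appears only in the POST response, a practitioner would hand it straight to a secrets store from create_key rather than logging it; the GET listing is what to check later, since it reports only the access key, its enabled status and the sid/uid identifier.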