Multiple-Tiered Authorization Example
The example shows a multi-tiered configuration where a bucket policy and MapR ACEs are both used for authorization.
NOTICE The S3 gateway is included in EEP 6.0.0 - EEP 8.0.0 repositories.
Tenant A creates bucket B1. The system applies the default bucket policy to the bucket: read/write/execute permission for the owner only and no access for other tenants. These permissions are the UNIX permissions 0700.
Tenant A calls the bucket policy REST API, resulting in the following policy on bucket B1:
{
  "Version": "2012-10-17",
  "Id": "ExamplePolicy01",
  "Statement": [
    {
      "Sid": "ExampleStatement01",
      "Effect": "Allow",
      "Principal": {
        "AWS": "B"
      },
      "Action": [
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::B1/*"
      ]
    }
  ]
}
The S3 gateway processes this policy and grants access to tenant B. The policy results in the Access Control Expression (ACE) -readdir u:B | u:A being applied to the bucket directory, while the ACE -readfile u:B | u:A is applied to all existing files. In mixed mode, tenant B therefore has access to the objects in B1.
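The translation described above, worked through as an added illustration (this is not S3 gateway or MapR code): the bucket policy is parsed, each Allow statement for the bucket is turned into the readdir ACE on the bucket directory and the readfile ACE on its files, the owner is appended so the 0700 permission is preserved, and a mixed-mode read check is evaluated for tenants A, B and an unrelated tenant. The mapping of s3:GetObject to readdir/readfile and the helper names are assumptions for the example.

```python
import json
# Constructed sample input: the bucket policy from the text; bucket B1 is owned by tenant A.
BUCKET_OWNER = "A"
POLICY_JSON = """{
  "Version": "2012-10-17", "Id": "ExamplePolicy01",
  "Statement": [{"Sid": "ExampleStatement01", "Effect": "Allow",
                 "Principal": {"AWS": "B"}, "Action": ["s3:GetObject"],
                 "Resource": ["arn:aws:s3:::B1/*"]}]
}"""
# Assumed mapping: s3:GetObject is served by readdir on the bucket directory and
# readfile on the files below it (the two ACE names the page gives); other
# S3 actions are not modelled here.
ACTION_TO_ACES = {"s3:GetObject": [("dir", "readdir"), ("file", "readfile")]}


def policy_to_aces(policy_text, owner, bucket):
    """Return {target: {ace_name: ace_string}}, e.g. "-readdir u:B | u:A".
    Grantees come first and the owner is always appended, so applying the ACE
    never takes away the access the owner already holds via UNIX mode 0700."""
    policy = json.loads(policy_text)
    users = {"dir": {}, "file": {}}  # target -> ace name -> ordered principals
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements are outside what the page describes
        if f"arn:aws:s3:::{bucket}/*" not in stmt["Resource"]:
            continue  # statement is about another bucket
        principals = stmt["Principal"]["AWS"]
        principals = [principals] if isinstance(principals, str) else principals
        for action in stmt["Action"]:
            for target, ace in ACTION_TO_ACES[action]:
                grantees = users[target].setdefault(ace, [])
                grantees.extend(p for p in principals if p not in grantees)
    result = {}
    for target, aces in users.items():
        result[target] = {}
        for ace, grantees in aces.items():
            terms = [f"u:{u}" for u in grantees if u != owner] + [f"u:{owner}"]
            result[target][ace] = f"-{ace} " + " | ".join(terms)
    return result


def can_read_object(aces, tenant, owner):
    """Mixed-mode check: the owner reads via UNIX mode 0700; any other tenant
    must be listed in the readfile ACE that the policy produced."""
    if tenant == owner:
        return True
    ace = aces["file"].get("readfile", "")
    return f"u:{tenant}" in ace.split(" ", 1)[-1].split(" | ")
```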