Access Policies

Describes access policies and provides example policies. Also describes how Object Store evaluates access requests based on settings in access policies.

About Access Policies

Access policies stipulate which Object Store resources users can access. You can create access policies and apply them to accounts, buckets, and users.

Policies applied to accounts and buckets are referred to as resource-based policies; those applied to users are referred to as user policies. Object Store accepts access policies in JSON format. Typically, an account administrator applies policies; however, given the proper permissions, domain and IAM users can also apply policies.
Bucket Policy
You can specify a bucket policy when you create a bucket, or update it later by passing a policy JSON file to the mc policy set-json command, for example:
/opt/mapr/bin/mc policy set-json bucketpolicy.json alias/bucket

When you create or modify a bucket, you can apply a bucket policy. A bucket policy specifies domain users and the operations they can perform on buckets. Bucket policies override the default policy inherited from the account. You create a bucket policy in a JSON file and then associate the file with a bucket.

The following example bucket policy grants anonymous read permission on all objects in a bucket. It has one statement, which allows the s3:GetObject action (read permission) on every object in the bucket named awssales. Because the Principal is the wildcard (*), the policy grants access to anyone, authenticated or not, and makes the objects publicly readable; apply a wildcard principal with care.
{
    "Version":"2012-10-17",
    "Statement": [
        {
            "Sid":"GrantAnonymousReadPermissions",
            "Effect":"Allow",
            "Principal": "*",
            "Action":["s3:GetObject"],
            "Resource":["arn:aws:s3:::awssales/*"]
        }
    ]
}

The following policy allows all users in group1 to get, put, and delete objects, and list the bucket contents. The ${bucket} keyword is a placeholder that the system automatically replaces with the bucket name.

{
    "Version": "2012-10-17",
    "Id": "PolicyContent1",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "arn:primary:default:group:group1",
            "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
            "Resource": "arn:aws:s3:::${bucket}/*"
        },
        {
            "Effect": "Allow",
            "Principal": "arn:primary:default:group:group1",
            "Action": ["s3:ListBucket"],
            "Resource": "arn:aws:s3:::${bucket}"
        }
    ]
}
The following policy allows all users in group1 to get, put, and delete objects, and list the bucket contents while also denying user1 and user2 in qagroup1 permission to perform get, put, and delete operations.
{
    "Version": "2012-10-17",
    "Id": "PolicyContent1",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "arn:primary:default:group:group1",
            "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
            "Resource": "arn:aws:s3:::${bucket}/*"
        },
        {
            "Effect": "Deny",
            "Principal": {
                "AWS": [
                    "arn:primary:default:user:user1",
                    "arn:primary:default:user:user2"
                ]
            },
            "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
            "Resource": "arn:aws:s3:::${bucket}/*"
        },
        {
            "Effect": "Allow",
            "Principal": "arn:primary:default:group:group1",
            "Action": ["s3:ListBucket"],
            "Resource": "arn:aws:s3:::${bucket}"
        }
    ]
}
The following policy allows user1 to perform all the specified operations:
{
  "ID": "PolicyContent1",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "arn:primary:default:user:user1",
      "Action": [
        "s3:GetObjectRetention",
        "s3:GetObjectTagging",
        "s3:DeleteObjectTagging",
        "s3:DeleteObjectVersionTagging",
        "s3:GetObject",
        "s3:GetObjectLegalHold",
        "s3:PutObject",
        "s3:PutObjectLegalHold",
        "s3:PutObjectRetention",
        "s3:PutObjectTagging",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::${bucket}/*"
    },
    {
      "Effect": "Allow",
      "Principal": "arn:primary:default:user:user1",
      "Action": [
        "s3:DeleteBucket",
        "s3:DeleteBucketPolicy",
        "s3:GetBucketPolicy",
        "s3:GetBucketTagging",
        "s3:ListBucket",
        "s3:PutBucketPolicy",
        "s3:PutBucketTagging"
      ],
      "Resource": "arn:aws:s3:::${bucket}"
    }
  ]
}
User Policy

When you create or modify a user, you can apply a user policy. A user policy specifies which operations users can perform on buckets. You can create a user policy in a JSON file and attach the file to IAM users/groups or domain users. You can attach multiple policies to users and groups. You cannot grant anonymous permissions in a user policy.

The following example user policy allows the associated user to perform six Object Store operations on the awssales bucket and the objects in it.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowUserActions",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:ListBucket",
                "s3:DeleteObject",
                "s3:GetBucketLocation"
            ],
            "Resource": [
                 "arn:aws:s3:::awssales/*",
                 "arn:aws:s3:::awssales"
            ]
        },
        {
            "Sid": "AllowListingBuckets",
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "*"
        }
    ]
}
IAM Policy

Identity and Access Management (IAM) securely controls access to Object Store resources. IAM controls who is authenticated (signed-in) and authorized (has permissions) to use resources through policies.

Create policies using the mc admin policy add command. To attach policies, use either the mc admin policy set command, or attach the policy from the UI.

The following IAM policy allows users to get, put, and delete objects from bucket bk1, as well as list the contents of bk1.
{
  "Version": "2012-10-17",
  "Id": "PolicyContent1",
  "Statement": [
      {
          "Effect": "Allow",
          "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
          "Resource": "arn:aws:s3:::bk1/*"
      },
      {
          "Effect": "Allow",
          "Action": ["s3:ListBucket"],
          "Resource": "arn:aws:s3:::bk1"
      }
  ]
}
The following IAM policy allows users to get, put, and delete objects from any bucket in the account where this policy exists.
{
  "Version": "2012-10-17",
  "Id": "PolicyContent1",
  "Statement": [
      {
          "Effect": "Allow",
          "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
          "Resource": "arn:aws:s3:::*/*"
      },
      {
          "Effect": "Allow",
          "Action": ["s3:ListBucket"],
          "Resource": "arn:aws:s3:::*"
      }
  ]
}
The following IAM policy allows users to create, delete, and list any bucket in the account where this policy exists.
{
  "Version": "2012-10-17",
  "Id": "PolicyContent1",
  "Statement": [
      {
          "Effect": "Allow",
          "Action": ["s3:CreateBucket", "s3:DeleteBucket", "s3:ListAllMyBuckets"],
          "Resource": "arn:aws:s3:::*"
      }
  ]
}
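Bucket, user, and IAM policies above all share one statement grammar, and two mistakes are easy to make in it: an Allow statement whose Principal is the wildcard (*), which opens the resource to anonymous requests, and an action paired with the wrong kind of ARN (object actions such as s3:GetObject need bucket/key, while s3:ListBucket and the other bucket-level actions need the bare bucket ARN), which silently produces a statement that never matches. The following linter is an added example, not product code: it checks a policy document for both problems before you hand the file to mc policy set-json. The action sets are drawn from the actions this page uses, the ANONYMOUS_READ document is the page's own example copied inline, and SWAPPED_IAM is a constructed variant with its resources deliberately swapped.

```python
"""Static checks for Object Store access-policy JSON: anonymous principals and
actions paired with the wrong kind of ARN. Added example; not product code."""
import json

# Both Id spellings appear in this page's examples, so accept either.
TOP_KEYS = {"Version", "Id", "ID", "Statement"}
STMT_KEYS = {"Sid", "Effect", "Principal", "Action", "Resource"}
# Bucket-level actions need a bucket ARN (arn:aws:s3:::name); object-level actions
# need an object ARN (arn:aws:s3:::name/key). Limited to the actions this page uses.
BUCKET_ACTIONS = {"s3:ListBucket", "s3:GetBucketLocation", "s3:DeleteBucket",
                  "s3:GetBucketPolicy", "s3:PutBucketPolicy", "s3:DeleteBucketPolicy",
                  "s3:GetBucketTagging", "s3:PutBucketTagging"}
OBJECT_ACTIONS = {"s3:GetObject", "s3:PutObject", "s3:DeleteObject",
                  "s3:GetObjectTagging", "s3:PutObjectTagging", "s3:DeleteObjectTagging",
                  "s3:DeleteObjectVersionTagging", "s3:GetObjectRetention",
                  "s3:PutObjectRetention", "s3:GetObjectLegalHold", "s3:PutObjectLegalHold"}


def as_list(value):
    """Action, Resource and Principal may each be a single string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principals(stmt):
    """Flatten Principal ("*", one ARN, a list, or {"AWS": [...]}) into a list."""
    value = stmt.get("Principal")
    if isinstance(value, dict):
        return [p for v in value.values() for p in as_list(v)]
    return as_list(value)


def is_object_arn(arn):
    """'arn:aws:s3:::sales/*' is object-level; 'arn:aws:s3:::sales' or '*' is bucket-level."""
    return "/" in arn.split(":::", 1)[-1]


def lint_policy(doc):
    """Return a list of human-readable findings; an empty list means the policy is clean."""
    findings = []
    for key in doc:
        if key not in TOP_KEYS:
            findings.append(f"unknown top-level key {key!r}")
    if doc.get("Version") != "2012-10-17":
        findings.append("Version must be '2012-10-17'")
    for i, stmt in enumerate(as_list(doc.get("Statement"))):
        sid = stmt.get("Sid", f"statement[{i}]")
        for key in stmt:
            if key not in STMT_KEYS:
                findings.append(f"{sid}: unknown key {key!r}")
        if stmt.get("Effect") not in ("Allow", "Deny"):
            findings.append(f"{sid}: Effect must be Allow or Deny")
        resources = as_list(stmt.get("Resource"))
        if stmt.get("Effect") == "Allow" and "*" in principals(stmt):
            findings.append(f"{sid}: Principal '*' grants anonymous access to {', '.join(resources)}")
        has_bucket_arn = any(not is_object_arn(r) for r in resources)
        has_object_arn = any(is_object_arn(r) for r in resources)
        for action in as_list(stmt.get("Action")):
            if action in BUCKET_ACTIONS and not has_bucket_arn:
                findings.append(f"{sid}: {action} needs a bucket ARN, but only object ARNs are listed")
            if action in OBJECT_ACTIONS and not has_object_arn:
                findings.append(f"{sid}: {action} needs an object ARN (bucket/key), but only bucket ARNs are listed")
    return findings


def lint_file(path):
    """Lint a policy file such as the bucketpolicy.json passed to mc policy set-json."""
    with open(path) as fh:
        return lint_policy(json.load(fh))


# The page's anonymous-read bucket policy, copied inline for the check below.
ANONYMOUS_READ = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "GrantAnonymousReadPermissions", "Effect": "Allow",
                   "Principal": "*", "Action": ["s3:GetObject"],
                   "Resource": ["arn:aws:s3:::awssales/*"]}]}

# Constructed IAM policy with its resources swapped: object actions on the bucket ARN
# and s3:ListBucket on the object ARN, so none of its statements can ever match.
SWAPPED_IAM = {
    "Version": "2012-10-17",
    "Id": "PolicyContent1",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
         "Resource": "arn:aws:s3:::bk1"},
        {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": "arn:aws:s3:::bk1/*"}]}

if __name__ == "__main__":
    for name, doc in ("ANONYMOUS_READ", ANONYMOUS_READ), ("SWAPPED_IAM", SWAPPED_IAM):
        print(name, *lint_policy(doc) or ["clean"], sep="\n  ")
```

Run it as a script to see the findings for the two embedded documents, or call lint_file on a policy file in a pre-commit hook. An anonymous-principal finding is a judgement call (the page's example is intentionally public), but the ARN-kind findings always indicate a statement that will not do what its author intended.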

How Object Store Evaluates Access Requests

When HPE Ezmeral Object Store receives a request for a bucket or object operation, it first verifies that the requester is permitted to perform the operation. To do so, it evaluates all the relevant access policies, both user policies and resource-based policies, and decides whether to authorize or deny the request.

Authorization includes:

  1. Converting all the relevant access policies (at runtime) into a set of policies for evaluation.
  2. Evaluating the resulting set of policies in the following order:
    1. User context – In the user context, the parent account to which the user belongs is the context authority.

      Object Store evaluates a subset of policies owned by the parent account. This subset includes the user policy that the parent attaches to the user. If the parent also owns the resource in the request (bucket/object), Object Store also evaluates the corresponding resource policies at the same time.

      A user must have permission from the parent account to perform the operation.

    2. Bucket context – In the bucket context, Object Store evaluates policies owned by the Object Store account that owns the bucket.

      If the request is for a bucket operation, the requester must have permission from the bucket owner. If the request is for an object, Object Store evaluates all the policies owned by the bucket owner to check whether the bucket owner has explicitly denied access to the object. If there is an explicit deny, Object Store does not authorize the request.

    3. Object context – If the request is for an object, HPE Ezmeral Object Store evaluates the subset of policies owned by the object owner.
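The evaluation order above, as an added example that is not product code: a small evaluator that applies the user context and then the bucket context to one request, using the page's group1 / deny-user1 bucket policy (attached here to a constructed bucket named sales) together with a constructed user policy. It assumes the object owner is the bucket owner, so the third (object) context adds nothing beyond the bucket context; the identity_of helper, the policies_by_bucket lookup and the parent_owns_bucket flag are modelling assumptions, not product APIs. Explicit deny ends the evaluation, the ${bucket} placeholder is expanded with the name of the bucket the policy is attached to, and a statement without a Principal (a user policy) applies to whoever it is attached to.

```python
"""Evaluate one request against user and bucket policies in the order the page
describes: user context first, then bucket context. Added example; not product code."""
import fnmatch


def as_list(value):
    """Action, Resource and Principal may each be a single string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principals(stmt):
    """Flatten Principal ("*", one ARN, a list, or {"AWS": [...]}) into a list."""
    value = stmt.get("Principal")
    if isinstance(value, dict):
        return [p for v in value.values() for p in as_list(v)]
    return as_list(value)


def identity_of(user, groups):
    """ARNs a requester carries, in the page's arn:primary:default:* form (assumed)."""
    return {f"arn:primary:default:user:{user}"} | {
        f"arn:primary:default:group:{g}" for g in groups}


def statement_matches(stmt, identity, action, resource, bucket):
    princs = principals(stmt)
    # A user policy carries no Principal: it applies to whoever it is attached to.
    if princs and "*" not in princs and not identity.intersection(princs):
        return False
    if not any(fnmatch.fnmatchcase(action, a) for a in as_list(stmt.get("Action"))):
        return False
    # Expand the ${bucket} placeholder with the bucket the policy is attached to.
    patterns = [r.replace("${bucket}", bucket) for r in as_list(stmt.get("Resource"))]
    return any(fnmatch.fnmatchcase(resource, p) for p in patterns)


def decide(policies, identity, action, resource, bucket):
    """'deny' if any matching statement denies, 'allow' if one allows, else None."""
    verdict = None
    for doc in policies:
        for stmt in doc.get("Statement", []):
            if statement_matches(stmt, identity, action, resource, bucket):
                if stmt.get("Effect") == "Deny":
                    return "deny"  # an explicit deny ends the evaluation
                verdict = "allow"
    return verdict


def authorize(identity, action, resource, user_policies, policies_by_bucket, parent_owns_bucket):
    """True only if both contexts pass (object owner assumed to be the bucket owner)."""
    path = resource.split(":::", 1)[1]
    bucket, object_request = path.split("/", 1)[0], "/" in path
    bucket_policies = policies_by_bucket.get(bucket, [])
    # 1. User context: policies owned by the parent account, i.e. the user policies
    #    plus the bucket's resource policies when the parent account owns the bucket.
    parent_policies = list(user_policies) + (bucket_policies if parent_owns_bucket else [])
    if decide(parent_policies, identity, action, resource, bucket) != "allow":
        return False
    # 2. Bucket context: policies owned by the bucket owner (these include the user
    #    policies when the bucket owner is the parent account).
    owner_policies = bucket_policies + (list(user_policies) if parent_owns_bucket else [])
    verdict = decide(owner_policies, identity, action, resource, bucket)
    if object_request:
        return verdict != "deny"  # object: the bucket owner must not have explicitly denied it
    return verdict == "allow"     # bucket operation: the bucket owner must grant it


# Constructed sample data: the page's group1 / deny-user1 bucket policy attached to
# a bucket named "sales", and a user policy granting the same actions on that bucket.
GROUP1 = "arn:primary:default:group:group1"
OBJECT_ACTIONS = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"]
POLICIES_BY_BUCKET = {"sales": [{
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": GROUP1, "Action": OBJECT_ACTIONS,
         "Resource": "arn:aws:s3:::${bucket}/*"},
        {"Effect": "Deny", "Principal": {"AWS": ["arn:primary:default:user:user1",
                                                 "arn:primary:default:user:user2"]},
         "Action": OBJECT_ACTIONS, "Resource": "arn:aws:s3:::${bucket}/*"},
        {"Effect": "Allow", "Principal": GROUP1, "Action": ["s3:ListBucket"],
         "Resource": "arn:aws:s3:::${bucket}"}]}]}
USER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": OBJECT_ACTIONS, "Resource": "arn:aws:s3:::sales/*"},
        {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::sales"}]}

if __name__ == "__main__":
    for user in ("user1", "user3"):
        ok = authorize(identity_of(user, ["group1"]), "s3:GetObject",
                       "arn:aws:s3:::sales/report.csv", [USER_POLICY], POLICIES_BY_BUCKET, True)
        print(user, "GetObject sales/report.csv ->", "allow" if ok else "deny")
```

Running the script shows user3 (in group1) reading the object and user1 (also in group1, but named in the Deny statement) being refused, even though user1's own user policy allows the read. The same Deny does not touch s3:ListBucket, because its Resource is ${bucket}/* and a bucket operation is matched against the bare bucket ARN; and when the bucket belongs to a different account, a bucket operation succeeds only if the bucket owner's policy names the requester.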
