
Group and bucket access policies

The StorageGRID Webscale system implements a subset of the S3 API policy language that you can use to control access to buckets and objects within those buckets.

Overview

StorageGRID Webscale bucket and group policies contain statements. Statements contain the following elements, which you need to define:

The following example policy shows a complete bucket policy that allows the admin and finance groups s3:ListBucket and s3:GetObject permissions for the mybucket bucket:

{
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "SGWS": [
          "urn:sgws:identity::27233906934684427525:group/admin",
          "urn:sgws:identity::27233906934684427525:group/finance"
        ]
      },
      "Action": ["s3:ListBucket", "s3:GetObject"],
      "Resource": ["urn:sgws:s3:::mybucket", "urn:sgws:s3:::mybucket/*"]
    }
  ]
}

The bucket policy has a size limit of 20,480 bytes, and the group policy has a size limit of 5,120 bytes.

Due to caching, changes to group and bucket policies may take up to 15 minutes to take effect across all grid nodes.

Specify resources in a policy

You use the common uniform resource name (URN) format to identify any S3 resources or identity resources in the StorageGRID Webscale system:

urn:sgws:s3:::bucket_name
urn:sgws:s3:::bucket_name/key_name
urn:sgws:identity::27233906934684427525:root
urn:sgws:identity::27233906934684427525:user/Bob

Specify a principal in a policy

Account-based identities must be specified in one of the following formats:

You can specify an account using its ID. This example uses the ID 27233906934684427525, which includes the account root and all users in the account:

 "Principal": { "SGWS": "27233906934684427525" }

You can specify just the account root:

"Principal": { "SGWS": "urn:sgws:identity::27233906934684427525:root" }

You can specify a specific federated user ("Bob"):

"Principal": { "SGWS": "urn:sgws:identity::27233906934684427525:federated-user/Bob" }

You can specify a specific federated group ("Managers"):

"Principal": { "SGWS": "urn:sgws:identity::27233906934684427525:federated-group/Managers" }

You can specify an anonymous principal:

"Principal": "*"

The Canonical User ID is not supported.

Specifying permissions in a policy

The following permission keywords can be specified in a policy. Each keyword maps to specific S3 REST API operations.

Permissions applicable to buckets:

Permission                        S3 REST API operations
s3:CreateBucket                   PUT Bucket
s3:DeleteBucket                   DELETE Bucket
s3:DeleteBucketPolicy             DELETE Bucket policy
s3:GetBucketAcl                   GET Bucket acl
s3:GetBucketPolicy                GET Bucket policy
s3:GetBucketVersioning            GET Bucket versioning
s3:ListAllMyBuckets               GET Service, GET Storage Usage
s3:ListBucket                     GET Bucket (List Objects)
s3:ListBucketMultipartUploads     List Multipart Uploads
s3:PutBucketPolicy                PUT Bucket policy

Permissions applicable to objects:

Permission                        S3 REST API operations
s3:AbortMultipartUpload           Abort Multipart Upload
s3:DeleteObject                   DELETE Object
s3:GetObject                      GET Object
s3:GetObjectAcl                   GET Object ACL
s3:ListMultipartUploadParts       List Parts
s3:PutObject                      PUT Object

Policies requiring special handling

A policy can grant or deny permissions in ways that are dangerous for security or for continued operations, for example by locking out the root user of the account. The StorageGRID Webscale S3 API implementation is less restrictive than Amazon during policy validation, but equally strict during policy evaluation.

Deny self any permissions to the root account
  Policy type: Bucket
  Special handling: Valid and enforced, but the root user account retains permission for all S3 bucket policy operations.

Deny self any permissions to user/group
  Policy type: User/Group
  Special handling: Valid and enforced.

Allow a foreign account group any permission
  Policy type: Bucket
  Special handling: Valid, but all S3 bucket policy operations return a 405 Method Not Allowed error when allowed by a policy.

Allow a foreign account root or user any permission
  Policy type: Bucket
  Special handling: Valid, but all S3 bucket policy operations return a 405 Method Not Allowed error when allowed by a policy.

Allow everyone permissions to all actions
  Policy type: Bucket
  Special handling: Valid, but all S3 bucket policy operations return a 405 Method Not Allowed error for the foreign account root and users.

Deny everyone permissions to all actions
  Policy type: Bucket
  Special handling: Valid and enforced, but the root user account retains permission for all S3 bucket policy operations.

Principal is a non-existent user or group
  Policy type: Bucket
  Special handling: Valid. Differs from Amazon behavior, which is to treat this as an invalid principal.

Resource is a non-existent S3 bucket
  Policy type: User/Group
  Special handling: Valid.

Principal is a local group
  Policy type: Bucket
  Special handling: Valid. Differs from Amazon behavior, which is to treat this as an invalid principal.
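The following pre-deployment linter is an added example, not StorageGRID code: it checks a policy document against the rules on this page (size limits, SGWS principal formats, the permission keywords above) and flags the special-handling cases before the policy is applied. The `s3:*` wildcard, the `lint_policy` helper and the sample account IDs are assumptions for the example.

```python
import json
import re

# Limits and permission keywords as stated on this page.
SIZE_LIMIT = {"Bucket": 20480, "Group": 5120}
KNOWN_ACTIONS = {
    "s3:CreateBucket", "s3:DeleteBucket", "s3:DeleteBucketPolicy", "s3:GetBucketAcl",
    "s3:GetBucketPolicy", "s3:GetBucketVersioning", "s3:ListAllMyBuckets", "s3:ListBucket",
    "s3:ListBucketMultipartUploads", "s3:PutBucketPolicy", "s3:AbortMultipartUpload",
    "s3:DeleteObject", "s3:GetObject", "s3:GetObjectAcl", "s3:ListMultipartUploadParts", "s3:PutObject"}
# Accepted SGWS principal forms: bare account ID, or an identity URN for root/user/group/federated-*.
PRINCIPAL_RE = re.compile(
    r"^(?:(\d+)|urn:sgws:identity::(\d+):(root|(?:federated-)?(?:user|group)/[^/]+))$")

def lint_policy(policy_json, policy_type, own_account):
    """Return findings for a Bucket or Group policy; own_account is the tenant's account ID."""
    findings, size = [], len(policy_json.encode("utf-8"))
    if size > SIZE_LIMIT[policy_type]:
        findings.append(f"size {size} exceeds {policy_type} limit {SIZE_LIMIT[policy_type]}")
    for i, st in enumerate(json.loads(policy_json)["Statement"]):
        effect, actions = st["Effect"], st["Action"]
        actions = actions if isinstance(actions, list) else [actions]
        for a in actions:
            if a != "s3:*" and a not in KNOWN_ACTIONS:  # "s3:*" wildcard is assumed, not on this page
                findings.append(f"statement {i}: unknown permission {a}")
        principal = st.get("Principal")
        if principal is None or principal == "*":  # group policies carry no Principal; "*" is anonymous
            if principal == "*" and "s3:*" in actions:  # the "everyone, all actions" special-handling rows
                findings.append(f"statement {i}: {effect} everyone all actions")
            continue
        if "CanonicalUser" in principal:
            findings.append(f"statement {i}: Canonical User ID is not supported")
        sgws = principal.get("SGWS", [])
        for p in (sgws if isinstance(sgws, list) else [sgws]):
            m = PRINCIPAL_RE.match(p)
            if not m:
                findings.append(f"statement {i}: malformed principal {p}")
            elif (m.group(1) or m.group(2)) != own_account and effect == "Allow":
                findings.append(f"statement {i}: foreign account principal (bucket policy ops -> 405)")
            elif m.group(3) == "root" and effect == "Deny":
                findings.append(f"statement {i}: denies root (root keeps bucket policy ops)")
    return findings

# Constructed sample: denies root everything, then allows a foreign group an unknown action.
SAMPLE = json.dumps({"Statement": [
    {"Effect": "Deny", "Principal": {"SGWS": "urn:sgws:identity::27233906934684427525:root"},
     "Action": "s3:*", "Resource": "urn:sgws:s3:::mybucket"},
    {"Effect": "Allow", "Principal": {"SGWS": ["urn:sgws:identity::11111111111111111111:group/finance"]},
     "Action": ["s3:GetObject", "s3:PutBucketAcl"], "Resource": "urn:sgws:s3:::mybucket/*"}]})
```

Run `lint_policy(SAMPLE, "Bucket", "27233906934684427525")` to see the three findings for the sample; an empty list means the policy raised none of the conditions above.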