Grant access control to an object storage container¶
Make containers public or private¶
When you create a new storage container using the Rumble Cloud console, you have the option to keep the container private (accessible only to you) or to make it public. A public container can be read, without authentication, by anyone who knows the location (URL) of the container, and can be edited by members of the project to which the container belongs. Treat "public" as meaning "world-readable", and check that nothing sensitive is uploaded to such a container.
To learn how to create a storage container, read Create a storage container.
Apply S3 policies to a container¶
Before you start¶
Amazon Simple Storage Service (S3) is a widely-used object storage service provided by AWS. S3 policies are JSON-based access control policies that define who can access what resources and what actions they can perform on those resources. These policies can be attached to S3 buckets (containers) or objects to control permissions.
Rumble Cloud Object Storage can be configured to support the S3 API, which means you can use S3-compatible clients and tools to interact with Object Storage. This compatibility allows you to leverage S3 policies for access control within an OpenStack environment.
To work with S3 policies in Rumble Cloud, you'll need to generate application credentials and use a command line tool such as s3cmd or any other widely available tool used to interact with S3 buckets.
To get started, read Create S3 credentials to understand how to generate credentials.
How Rumble Cloud works with object storage¶
Rumble Cloud uses a combination of OpenStack Swift service and Ceph to work with and manage object storage resources. Both Ceph and Swift operate seamlessly behind the scenes in Rumble Cloud.
Swift is native to OpenStack and provides most of the functionality exposed through the Rumble Cloud console, which includes the following capabilities:
- Create containers
- Set containers to be public or private
- Create folders for containers
- Upload files to containers
- Provide URL for access to public containers and files
Ceph provides additional capabilities when dealing with object storage resources. For a complete list of available commands, see Ceph bucket policies.
How S3 policies work¶
The S3 policy JSON file is a document that defines access permissions for S3 resources such as containers and files in Rumble Cloud. The file contains one or more statements, each specifying a particular permission rule.
By defining such policies, you can control who can perform what actions on which S3 resources, providing fine-grained access control to your storage.
A typical S3 policy JSON file includes the following components:
Version:
- Specifies the version of the policy language. The most commonly used version is `"2012-10-17"`.
- Example: `"Version": "2012-10-17"`
ID:
- Unique identifier for the policy.
- Example: `"Id": "S3RWPolicy"`
Statement:
- An array of individual statements, where each statement defines a specific permission.
- Example: the `Statement` array in the policy further down this page holds two statements, `UserRW` and `UserRO`.
Components of a Statement¶
Each statement within the "Statement" array includes several key elements:
Effect:
- Specifies whether the statement allows or denies access. The value can be `"Allow"` or `"Deny"`.
- Example: `"Effect": "Allow"`
Principal:
- Identifies the user, account, service, or other entity that is allowed or denied access to a resource. This is often an AWS account ID or a user ARN.
- Example: `"Principal": { "AWS": ["arn:aws:iam::SomeTenant:user/SecondUser"] }`
Action:
- Lists the actions that are allowed or denied. For S3, this could include actions like `s3:GetObject`, `s3:PutObject`, `s3:ListBucket`, etc.
- Example: `"Action": ["s3:ListBucket", "s3:GetObject"]`
Resource:
- Specifies the S3 resources (buckets and objects) to which the actions apply. This is typically the ARN (Amazon Resource Name) of the bucket or objects. Bucket-level actions such as `s3:ListBucket` need the bucket ARN; object-level actions such as `s3:GetObject` need the `bucket/*` ARN, so a statement that covers both kinds of action lists both.
- Example: `"Resource": ["arn:aws:s3::SomeTenant:mybucket", "arn:aws:s3::SomeTenant:mybucket/*"]`
Condition (Optional):
- Adds conditions under which the statement is in effect. Conditions can include aspects like IP address, date/time, or other attributes.
Here's what to know when using S3 policies in Rumble Cloud:
- You'll see the terms `buckets` and `objects` referenced in S3 policies. These terms correspond to `storage containers` and `uploaded files` in Rumble Cloud. Buckets (containers) are where you store objects (files) in the S3 object storage model.
- You'll see the term `ARN` (Amazon Resource Name), the unique identifier S3 uses for resources. On AWS, the account field of an ARN is typically a numeric account ID, whereas in Rumble Cloud that field holds the `project name` (also known as the `tenant`), which is defined by your admin and can be found listed in the Projects menu in the Rumble Cloud console. For example, in `arn:aws:s3::SomeTenant:mybucket` the tenant is `SomeTenant`. A misspelled tenant name makes the statement apply to nothing, so check it carefully before you apply the policy.
Here's an example S3 policy. This policy defines two sets of permissions for two different users on a specific S3 bucket and its objects.
The policy grants one user read / write access (statement `UserRW`) and another user read-only access (statement `UserRO`).
```json
{
  "Version": "2012-10-17",
  "Id": "S3RWPolicy",
  "Statement": [
    {
      "Sid": "UserRW",
      "Effect": "Allow",
      "Principal": {
        "AWS": ["arn:aws:iam::SomeTenant:user/SecondUser"]
      },
      "Action": [
        "s3:ListBucket",
        "s3:ListBucketMultipartUploads",
        "s3:ListBucketVersions",
        "s3:ListMultipartUploadParts",
        "s3:PutObject",
        "s3:GetObject",
        "s3:GetObjectVersion",
        "s3:AbortMultipartUpload",
        "s3:DeleteObject"
      ],
      "Resource": [
        "arn:aws:s3::SomeTenant:mybucket",
        "arn:aws:s3::SomeTenant:mybucket/*"
      ]
    },
    {
      "Sid": "UserRO",
      "Effect": "Allow",
      "Principal": {
        "AWS": ["arn:aws:iam::SomeTenant:user/ThirdUser"]
      },
      "Action": [
        "s3:ListBucket",
        "s3:ListBucketVersions",
        "s3:GetObject",
        "s3:GetObjectVersion"
      ],
      "Resource": [
        "arn:aws:s3::SomeTenant:mybucket",
        "arn:aws:s3::SomeTenant:mybucket/*"
      ]
    }
  ]
}
```
Here's a breakdown of the example.
Version
- Specifies the version of the policy language being used.
Policy ID
- An identifier for the policy.
Statement Array
The `Statement` array contains two statements.
Statement 1: UserRW
- Grants the user `arn:aws:iam::SomeTenant:user/SecondUser` read and write permissions on the `mybucket` bucket and its objects.
- This user can list, upload, retrieve, and delete objects, manage multipart uploads, and access different versions of objects.
- Sid `"UserRW"`: a unique identifier for this statement.
- Effect `"Allow"`: grants permissions.
- Principal: specifies the user `arn:aws:iam::SomeTenant:user/SecondUser`.
- Action: lists the actions the user is allowed to perform:
  - `s3:ListBucket`: list objects in the bucket.
  - `s3:ListBucketMultipartUploads`: list multipart uploads in progress.
  - `s3:ListBucketVersions`: list all versions of objects in the bucket.
  - `s3:ListMultipartUploadParts`: list parts of a multipart upload.
  - `s3:PutObject`: upload objects to the bucket.
  - `s3:GetObject`: retrieve objects from the bucket.
  - `s3:GetObjectVersion`: retrieve a specific version of an object.
  - `s3:AbortMultipartUpload`: abort a multipart upload.
  - `s3:DeleteObject`: delete objects from the bucket.
- Resource: specifies the resources to which the actions apply:
  - `arn:aws:s3::SomeTenant:mybucket`: the bucket itself.
  - `arn:aws:s3::SomeTenant:mybucket/*`: all objects within the bucket.
Statement 2: UserRO
- Grants the user `arn:aws:iam::SomeTenant:user/ThirdUser` read-only permissions on the `mybucket` bucket and its objects.
- This user can list objects and versions, and retrieve objects and their versions, but cannot upload, delete, or modify objects.
- Sid `"UserRO"`: a unique identifier for this statement.
- Effect `"Allow"`: grants permissions.
- Principal: specifies the user `arn:aws:iam::SomeTenant:user/ThirdUser`.
- Action: lists the actions the user is allowed to perform:
  - `s3:ListBucket`: list objects in the bucket.
  - `s3:ListBucketVersions`: list all versions of objects in the bucket.
  - `s3:GetObject`: retrieve objects from the bucket.
  - `s3:GetObjectVersion`: retrieve a specific version of an object.
- Resource: specifies the resources to which the actions apply:
  - `arn:aws:s3::SomeTenant:mybucket`: the bucket itself.
  - `arn:aws:s3::SomeTenant:mybucket/*`: all objects within the bucket.
Apply the policy¶
Use a tool such as `s3cmd`, configured with the S3 credentials you generated earlier, to apply the policy. For example, save the policy JSON to a file and use `s3cmd setpolicy` to attach it to the bucket.