...

Type and Administrator Role

CLUSTER

Define who can create tenants and non-tenanted domains

Analogous to the Swarm administrator except they are defined in an external identity management system. This user or group is specified in the policy.json root Policy configuration file.

This policy.json file defines and grants full permissions to the cluster administrators group called ClusterAdmins. The members of the ClusterAdmins group are the cluster administrator users and are often the same people who maintain the physical infrastructure.

{
  "Version": "2008-10-17",
  "Id": "ClusterAdminsPolicy",
  "Statement": [
    {
      "Sid": "1",
      "Effect": "Allow",
      "Principal": {
        "group": [
          "ClusterAdmins"
        ]
      },
      "Action": [
        "*"
      ],
      "Resource": "/*"
    }
  ]
}

TENANT

Define who can create domains for the tenant

Owner of the tenant object as specified by the X-Owner-Meta metadata header. It is common for the tenant administrator to create a Policy document for the tenant that grants a group of users permission to act with the same authority as the tenant administrator.

This tenant Policy document grants full access to a group called TenantAdmins whose members come from users within the acme tenant.

PUT /_admin/manage/tenants/acme/etc/policy.json
{
  "Version": "2008-10-17",
  "Id": "TenantAdminsPolicy",
  "Statement": [
    {
      "Effect": "Allow",
      "Sid": "1",
      "Principal": {
        "group": [
          "TenantAdmins"
        ]
      },
      "Action": [
        "*"
      ],
      "Resource": "/*"
    }
  ]
}

DOMAIN

Define who can create buckets and unnamed objects

Owner of the storage domain as specified by the X-Owner-Meta metadata header. It is common for the domain administrator, owner of the storage domain, to create a Policy document for the domain that grants a group of users permission to act with the same authority as the domain administrator.

This domain Policy document grants full access to a group called DomainAdmins whose members come from users within the domain.

PUT http://DOMAIN/?policy
{
  "Version": "2008-10-17",
  "Id": "DomainAdminsPolicy",
  "Statement": [
    {
      "Effect": "Allow",
      "Sid": "1",
      "Principal": {
        "group": [
          "DomainAdmins"
        ]
      },
      "Action": [
        "*"
      ],
      "Resource": "/*"
    }
  ]
}

BUCKET

Define who can create named objects within the bucket

Owner of the bucket as specified by the X-Owner-Meta header. The bucket administrator, owner of the bucket, can attach a Policy document to the bucket that defines the access control policy for the bucket and its contents.

This bucket policy grants any authenticated user full access under http://DOMAIN/mybucket/incoming/* and grants users in the Finance group full access under http://DOMAIN/mybucket/reports/*.

PUT http://DOMAIN/mybucket?policy
{
  "Version": "2008-10-17",
  "Id": "MyBucketPolicy",
  "Statement": [
    {
      "Sid": "1",
      "Effect": "Allow",
      "Principal": {
        "user": [
          "*"
        ]
      },
      "Action": [
        "*"
      ],
      "Resource": "/mybucket/incoming"
    },
    {
      "Sid": "2",
      "Effect": "Allow",
      "Principal": {
        "group": [
          "Finance"
        ]
      },
      "Action": [
        "*"
      ],
      "Resource": "/mybucket/reports"
    }
  ]
}

Here, all of the objects are contained within the bucket context mybucket. The access control policy matches named objects with the prefixes incoming/ and reports/ within that bucket.

Note: the bucket name is included when specifying resources in the bucket policy.
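As an added illustration (not DataCore Swarm's own code), here is a small Python evaluator for policy documents shaped like the examples above. The matching rules it applies are assumptions drawn from those examples rather than Swarm's published semantics: a "user" entry of "*" means any authenticated user, "group" entries match the caller's group memberships, an "Action" of "*" matches every action, and "Resource" is a path prefix that must include the bucket name, which is why a resource written as "/incoming" instead of "/mybucket/incoming" grants nothing.

```python
"""Simplified evaluator for Swarm-style policy documents (added example).

Assumed rules: only "Allow" statements exist (as on this page), a principal
matches by user name, user "*", or group membership, Action "*" matches any
action, and Resource is a path prefix such as "/mybucket/reports" or "/*".
"""
from dataclasses import dataclass, field


@dataclass
class Caller:
    user: str                          # authenticated user name
    groups: set = field(default_factory=set)


# Constructed sample: the MyBucketPolicy document shown above, as a Python dict.
BUCKET_POLICY = {
    "Version": "2008-10-17", "Id": "MyBucketPolicy",
    "Statement": [
        {"Sid": "1", "Effect": "Allow", "Principal": {"user": ["*"]},
         "Action": ["*"], "Resource": "/mybucket/incoming"},
        {"Sid": "2", "Effect": "Allow", "Principal": {"group": ["Finance"]},
         "Action": ["*"], "Resource": "/mybucket/reports"},
    ],
}


def _principal_matches(principal, caller):
    users = principal.get("user", [])
    if "*" in users or caller.user in users:
        return True
    return bool(set(principal.get("group", [])) & caller.groups)


def _resource_matches(pattern, resource):
    # Treat the pattern as a prefix: "/mybucket/reports" or "/mybucket/reports/*"
    # covers "/mybucket/reports/q1.csv" but not "/mybucket/reports2/x".
    prefix = pattern.rstrip("*").rstrip("/")
    return resource == prefix or resource.startswith(prefix + "/")


def is_allowed(policy, caller, action, resource):
    """Return True if some Allow statement covers caller, action and resource."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_matches(stmt.get("Principal", {}), caller):
            continue
        actions = stmt.get("Action", [])
        if "*" not in actions and action not in actions:
            continue
        if _resource_matches(stmt.get("Resource", ""), resource):
            return True
    return False
```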

...