Versions Compared

Old Version 7

changes.mady.by.user Milton Suen

Saved on

compared with

New Version 8

changes.mady.by.user Milton Suen

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Cluster administrators inevitably need to cut off some or all access to the hosted domains within a cluster when Gateway is deployed by a managed service provider. This can be due to non-payment or if a client uses too much storage and is required to clean-up space before writing new content.

All access to a domain can be controlled from the root Policy configuration file and from the domain's policy attribute. Updating the policy attribute is often desirable because, unlike an update to the root Policy file, it does not require a Gateway server restart. These examples use the policy attribute of a domain for controlling access. Recall the statements in an access Policy have an optional Sid field that can be used in whatever way an application wants. Administrators can use the Sid field to keep track of the statements they added and to identify them for future removal when injecting statements into an existing Policy.

...

In this example, a domain that had allowed access to the domain administrator (one of the end-users) now completely cuts off access to all end-users by adding the deny statements. The new statements use the Sid field to identify them for easy removal in the future. Notice the statement denies authenticated users as well as anonymous users.

...

In this example, a domain is changed to read-only mode to prevent writing, updating, or deleting content by the end-users. The new policy statement makes use of the Sid field to identify it for future removal. This example also makes use of NotAction to specify the deny pertains to any action not listed thus allowing the ones that are listed.

Code Block
languagexml
{
   "Statement": [
      {
         "Resource": "/*",
         "Action": [
            "*"
         ],
         "Principal": {
            "user": [
               "domainadmin"
            ]
         },
         "Effect": "Allow"
      },
      {
         "Resource": "/*",
         "NotAction": [
            "GetObject",
            "GetBucket",
            "GetDomain",
            "ListBucket",
            "ListDomain",
            "GetDomainPolicy",
            "GetPolicy",
            "PutPolicy"
         ],
         "Principal": {
            "user": [
               ""
            ],
            "anonymous": [
               ""
            ]
         },
         "Effect": "Deny",
         "Sid": "temp-cutoff-ro"
      }
   ]
}

Read-Only and Delete-Only Access

A cluster administrator can set the access control policy on a domain for read and delete only if a tenant exceeds the quota. By letting the end-users continue to read and delete content, they can use the content they have already written and clean-up content to reduce storage usage. As with the previous example, NotAction is used to specify the deny pertains to any action not listed.

...