
Cluster administrators inevitably need to cut off some or all access to the hosted domains within a cluster when a managed service provider deploys Gateway. This can be due to non-payment or because a client uses too much storage and must clean up space before writing new content.

Access to a domain is controlled from the root Policy configuration file and from the domain's policy attribute. Updating the policy attribute is often desirable because, unlike an update to the root Policy file, it does not require a Gateway server restart. These examples use the policy attribute of a domain for controlling access. Recall that the statements in an access Policy have an optional Sid field that can be used in whatever way an application wants. When injecting statements into an existing Policy, administrators use the Sid field to keep track of the statements they added and to identify them for future removal.


No Access

In this example, a domain that has “Allow” access for the domain administrator (one of the end-users) now completely cuts off access to all end-users by adding the deny statements. The new statements use the Sid field to identify them for easy removal in the future.

Note

The statement denies authenticated users as well as anonymous users.

{
   "Statement": [
      {
         "Resource": "/*",
         "Action": [
            "*"
         ],
         "Principal": {
            "user": [
               "domainadmin"
            ]
         },
         "Effect": "Allow"
      },
      {
         "Resource": "/*",
         "Action": [
            "*"
         ],
         "Principal": {
            "user": [
               ""
            ],
            "anonymous": [
               ""
            ]
         },
         "Effect": "Deny",
         "Sid": "temp-cutoff-noaccess"
      }
   ]
}

...

In this example, a domain is changed to read-only mode to prevent writing, updating, or deleting content by the end users. The new policy statement uses the Sid field to identify it for future removal. This example also uses “NotAction” to specify that the deny pertains to any action not listed, thus allowing the actions that are listed.

{
   "Statement": [
      {
         "Resource": "/*",
         "Action": [
            "*"
         ],
         "Principal": {
            "user": [
               "domainadmin"
            ]
         },
         "Effect": "Allow"
      },
      {
         "Resource": "/*",
         "NotAction": [
            "GetObject",
            "GetBucket",
            "GetDomain",
            "ListBucket",
            "ListDomain",
            "GetDomainPolicy",
            "GetPolicy",
            "PutPolicy"
         ],
         "Principal": {
            "user": [
               ""
            ],
            "anonymous": [
               ""
            ]
         },
         "Effect": "Deny",
         "Sid": "temp-cutoff-ro"
      }
   ]
}
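The inject-and-remove-by-Sid workflow described above, as an added example that is not Gateway's own tooling: the helper names `inject_cutoff` and `remove_cutoffs` are hypothetical, the statements and Sid values are copied from the two policies shown on this page, and reading or writing the domain's policy attribute is left out.

```python
import copy
import json

# Principal and Sid values are copied from the policies shown on this page.
EVERYONE = {"user": [""], "anonymous": [""]}
READ_AND_POLICY_ACTIONS = ["GetObject", "GetBucket", "GetDomain", "ListBucket",
                           "ListDomain", "GetDomainPolicy", "GetPolicy", "PutPolicy"]

CUTOFFS = {
    "temp-cutoff-noaccess": {"Resource": "/*", "Action": ["*"],
                             "Principal": EVERYONE, "Effect": "Deny"},
    "temp-cutoff-ro": {"Resource": "/*", "NotAction": READ_AND_POLICY_ACTIONS,
                       "Principal": EVERYONE, "Effect": "Deny"},
}


def inject_cutoff(policy, sid):
    """Return a copy of policy with the cutoff statement for sid appended once."""
    if sid not in CUTOFFS:
        raise ValueError(f"unknown cutoff Sid: {sid}")
    updated = copy.deepcopy(policy)
    statements = updated.setdefault("Statement", [])
    # Idempotent: re-running must not stack duplicate deny statements.
    if not any(s.get("Sid") == sid for s in statements):
        statements.append({**copy.deepcopy(CUTOFFS[sid]), "Sid": sid})
    return updated


def remove_cutoffs(policy, prefix="temp-cutoff-"):
    """Return a copy of policy without statements whose Sid starts with prefix."""
    updated = copy.deepcopy(policy)
    # Statements without a Sid (the tenant's own) are always kept.
    updated["Statement"] = [s for s in updated.get("Statement", [])
                            if not str(s.get("Sid", "")).startswith(prefix)]
    return updated


if __name__ == "__main__":
    # Constructed sample: the domain administrator's Allow statement from above.
    original = {"Statement": [{"Resource": "/*", "Action": ["*"],
                               "Principal": {"user": ["domainadmin"]},
                               "Effect": "Allow"}]}
    read_only = inject_cutoff(original, "temp-cutoff-ro")
    print(json.dumps(read_only, indent=3))
    assert remove_cutoffs(read_only) == original
```

Because removal matches only on the Sid prefix, the tenant's own statements survive the round trip unchanged.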

Read-Only and Delete-Only Access

A cluster administrator can set the access control policy on a domain to read and delete only if a tenant exceeds the quota. By letting the end-users continue to read and delete their content, they can use the content they have already written and clean up content to reduce their storage usage. As with the previous example, NotAction is used to specify that the deny pertains to any action not listed.

...