Policy Document
Best Practice
Each Action domain administrators are allowed to perform can be listed to create a policy for them having broad permissions. It is easier and less error-prone to list the few actions they cannot perform (such as DeleteDomain and CopyDomain) by replacing the entire Action statement with the NotAction statement:
{
"Version": "2016-10-17",
"Statement": [
{
"Sid": "Grant all except excluded domain operations to admins2",
"Resource": "/*",
"Effect": "Allow",
"Principal": {
"group": [
"admins2"
]
},
"NotAction": [
"CopyDomain",
"DeleteDomain"
]
}
]
}
Policy Document Fields
Policy documents are JSON-formatted objects.
Field | Sub-field | Description |
---|---|---|
Version | optional; if used must be "2012-10-17" or "2008-10-17" to match S3 | |
Id | optional name to describe the policy | |
Statement | a list of rules | |
Sid | unique identifier for each statement | |
Effect | whether the rule allows or denies an operation | |
Principals | defines users and groups to which the rule applies | |
Action | content operation (request) | |
NotAction | logical inverse of Action; supports all Action values | |
Resource | path for which the rule applies; "/" prefix is optional | |
Condition | conditional requirements for the request |
Policy Example
{
"Version": "2008-10-17",
"Id": "Comics-and-Superheros",
"Statement": [
{
"Effect": "Allow",
"Sid": "1",
"Principal": {
"group": [
"Development",
"QA",
"testers@partner.net"
],
"user": [
"jdoe",
"gcarlin@funny.com",
"tony+starkindustries"
]
},
"Action": [
"GetObject"
],
"Resource": "/*",
"Condition": {
"StringLike": {
"Referer": [
"*example.com"
]
}
}
}
]
}
Policy Format
The format of Gateway's Policy document is modeled after Amazon S3 bucket policies. There is one policy document per tenant, per storage domain, and per bucket. Updating a policy document completely replaces any existing document. The root Policy plus the relevant tenant, storage domain, and bucket policies are all first merged together when evaluating a request.
The policy is a set of rules specifying the conditions under which a request is allowed or denied within the storage API or the management API (such as create a domain, bucket, or object). Each statement in a policy specifies the principals allowed or denied the ability to perform an action on a resource. These are examples of each of these elements of a policy specification.
Principals: user "jdoe", group "Development"
Action: GetObject, DeleteObject
NotAction: CopyDomain, DeleteDomain
Resource: "mybucket/private/*", "mybucket/photos/picture01.jpg"
Condition: "StringLike" : { "Referer" : ["*example.com"]} }
Effect: "Allow", "Deny"
Best Practice
Make the Policy documents as small as reasonable for best performance. Performance is affected because the statements need to be evaluated for each request to check if the resource matches. Choose the most efficient definitions; NotAction lists may be shorter than Action lists.
The Id
field is provided for end-user use only and is ignored by the policy evaluation. The Version
field is optional and the sole valid value is "2008-10-17" if defined.
Caution
Do not prefix resources with "arn:aws:s3:::
" and actions with "s3:
" strings. These are ignored by the policy evaluation and negatively impact performance.
Principals
Principals are users or groups to whom the access control statement applies. This includes the specification of an anonymous user that has not authenticated. The format is:
Specifying Authenticated Users
"{user|group}":[{list- of- principals}]
These notation formats are recognized for anonymous principals:
Anonymous Principals
This is an example that includes users and groups from other storage domains and tenants.
Including Users and Groups
See Cross-tenant Access Control below for the meaning of the @domain
and +tenant
suffixes for users and groups.
The following table explains the meaning of the different forms of the principal specifications.
Principal | Description |
---|---|
"anonymous":["*"] | An anonymous, unauthenticated user |
"user":["*"] | Any authenticated user from the context’s IDSYS scope |
"user":["*@austin"] | Any authenticated user in the ‘austin’ domain’s idsys (or inherited IDSYS if applicable). |
"user":["*+texas"] | Any authenticated user in the ‘texas’ tenant’s idsys (or inherited IDSYS if applicable). |
"user":["gcarlin"] | A user named 'gcarlin' from this scope's IDSYS (or inherited IDSYS if applicable). This is a non-qualified user name since no domain, tenant, or root scope is specified. |
"user":["gcarlin@cars"] | A user named 'gcarlin' from the 'cars' storage domain's IDSYS (or its inherited IDSYS if applicable) |
"user":["gcarlin+movies"] | A user named 'gcarlin' from the 'movies' tenant's IDSYS (or its inherited IDSYS if applicable) |
"user":["gcarlin@"] | A user named 'gcarlin' only from the root IDSYS |
"group":["admins"] | Any member of the group named 'admins' from this scope's IDSYS (or inherited IDSYS if applicable). This is a non-qualified group name since no domain, tenant, or root scope is specified. |
"group":["admins@hockey"] | Any member of the group named 'admins' from the 'hockey' storage domain's IDSYS (or its inherited IDSYS if applicable) |
"group":["admins+sports"] | Any member of the group named 'admins' from the 'sports' tenant's IDSYS (or its inherited IDSYS if applicable) |
"group":["admins@"] | Any member of the group named 'admins' only from the root IDSYS |
In many cases it is unnecessary to explicitly grant permissions to the user named by the X-Owner-Meta
header, of a tenant, storage domain, or bucket because they are granted permission for all operations by default. This default permission means that careful consideration should be given when assigning ownership to another user — especially for tenants or storage domains.
User and group principals can be written as fully-qualified or non-qualified within Policy documents. A fully-qualified principal is one that defines the domain, tenant, or root scope (example: "gcarlin@cars"). A non-qualified principal does not include the scope for the principal (example: "gcarlin"). The scope of a principal defined the starting point for looking for the first available IDSYS definition with which to look for the principal. The starting point for the IDSYS search starts from the point of the resource being requested if the principal is non-qualified.
The IDSYS precedence model allows the root scope to be overridden by the tenant and the domain scopes. The search order when looking for the first available IDSYS is to search backwards from domain to tenant to root. The Gateway looks for the first IDSYS that is defined at the domain, then the tenant, then at the root if a group is specified as "admins@hockey" for requests within the "hockey" storage domain. The group "admins" from only that IDSYS are used upon finding the first IDSYS definition.
Request Actions
Policy documents are used to control actions with both the Management API and the Storage API. The policy actions that apply to a given request depends upon the API being used, management or storage. The list of Policy documents that are merged together for policy evaluation is determined by the path in the API hierarchy being accessed.
Request actions are included in the Effect field result when listed within an Action field. The listed actions are explicitly denied if the effect is "Deny". Request actions are excluded from the Effect field results when listed within a NotAction
field. All actions other than those listed are explicitly denied if the effect is "Deny".
Policy Actions for Administration (Management API)
These are the Management API actions that can be controlled within a Policy document and the applicable scope where the actions are used. If an action is granted or denied within a scope where not applicable, it has no effect.
Scope indicates where the policy action is applicable: (R) root, (T) tenant, (D) domain, (B) bucket.
Manage | Action | Scope | Description |
---|---|---|---|
Global | * | R,T,D,B | all actions |
Tenants | ListTenants | R | List all tenants |
CreateTenant | R | Create a new or change an existing tenant | |
GetTenant | R,T | Retrieve tenant properties | |
DeleteTenant | R,T | Permanently remove tenant properties | |
ListEtc | R,T | List documents associated with a tenant | |
Domains | ListDomains | R,T | List the domains owned by the _system tenant |
CreateDomain | R,T | Create a domain for the _system tenant | |
GetDomain | R,T,D | GET a domain | |
DeleteDomain | R,T,D | Delete a domain | |
Policies | ListEtc | R,T,D | List documents associated with a tenant or a storage domain |
PutPolicy | R,T,D | Create or update an access control policy JSON document | |
GetPolicy | R,T,D | Read an access control policy JSON document | |
DeletePolicy | R,T,D | Permanently remove an access control policy JSON document | |
Authentication | TokenAdmin | R,T,D | Create and list authorization tokens for other users in the same scope |
CreateToken | R,T,D | Create an authentication token | |
ListTokens | R,T,D | List user authentication tokens | |
ValidateToken | R,T,D | Read an authentication token | |
DeleteToken | R,T,D | Delete an authentication token |
Policy Actions for Content (Storage API)
This table defines the Storage SCSP API actions that can be controlled within a Policy document and the applicable scope where the actions are used. An action has no effect if granted or denied within a scope where not applicable.
See How Amazon S3 works with IAM - Amazon Simple Storage Service in the AWS documentation for Amazon S3 operation permissions.
Scope indicates where the policy action is applicable: (R) root, (T) tenant, (D) domain, (B) bucket.
Storage | Action | Scope | Description |
---|---|---|---|
Global | * | R,T,D,B | all actions |
Quotas | PutQuota | R,T,D,B | Create or update quota configuration settings on a tenant, domain, or bucket. This is not granted by "*"; it must be granted explicitly. |
GetQuota | R,T,D,B | Retrieve quota configuration settings on a tenant, domain, or bucket. This is not granted by "*"; it must be granted explicitly. | |
Objects | GetObject | R,T,D,B | Retrieve an object and its metadata |
GetObjectAcl | R,T,D,B | Retrieve the Access Control List (ACL) settings on an object | |
CreateObject | R,T,D,B | Add a new object and metadata to a domain (unnamed) or bucket (named). There is no S3 equivalent, and it is permissioned separately here because Swarm distinguishes POST and PUT. | |
AppendObject | R,T,D,B | Append to an object | |
CopyObject | R,T,D,B | Update metadata on an object while keeping the same object name | |
PutObject | R,T,D,B | Update an object PutObject, unlike S3, is for overwriting an existing object, not creating new one (CreateObject). | |
PutObjectAcl | R,T,D,B | Set an object's access control list | |
DeleteObject | R,T,D,B | Permanently remove an object and its metadata | |
Buckets | CreateBucket | R,T,D | Create a bucket |
PutBucket | R,T,D | Synonym for CreateBucket | |
PutBucketAcl | R,T,D | Set bucket access control list | |
PutBucketCORS | R,T,D,B | Set CORS configuration on a bucket | |
GetBucket | R,T,D,B | GET or HEAD a bucket | |
GetBucketAcl | R,T,D,B | Get bucket access control list | |
GetBucketCORS | R,T,D,B | Get CORS configuration on a bucket | |
CopyBucket | R,T,D,B | Update the metadata on a bucket while keeping the same bucket name | |
DeleteBucket | R,T,D,B | Delete a bucket | |
ListBucket | R,T,D,B | List and search the objects contained in a bucket | |
Bucket | PutPolicy | R,T,D,B | Create or update a policy, xform, sub-resource for a bucket. While an owner of bucket can always overwrite the policy, this allows a group to be granted this permission. |
GetPolicy | R,T,D,B | GET or HEAD the policy, xform, sub-resource for a bucket | |
DeletePolicy | R,T,D,B | Permanently remove a policy, xform, sub-resource for a bucket | |
Domains | CreateDomain | R * | Create a domain |
GetDomain | R,T,D | GET or HEAD a domain | |
CopyDomain | R,T,D | Update the metadata on a domain while keeping the same domain name | |
DeleteDomain | R,T,D | Permanently remove a domain | |
ListDomain | R,T,D | List and search all objects (buckets and unnamed objects) within the domain | |
ListDomains | R * | List all domains that exist in the cluster | |
Domain | PutPolicy | R,T,D | Create or update a policy, xform, idsys, sub-resource for a domain |
GetPolicy | R,T,D | GET or HEAD policy, xform, idsys, sub-resource for a domain | |
DeletePolicy | R,T,D | Permanently remove a policy, xform, idsys, sub-resource from a domain | |
Authentication | CreateToken | R,T,D | Add a new authentication token |
ListTokens | R,T,D | Search for and list authentication tokens | |
ValidateToken | R,T,D | Read and verify an authentication token | |
DeleteToken | R,T,D | Permanently remove an authentication token |
Policy Conditions
The Condition field of the Policy document allows for conditions other than user and action to be placed upon the request.
Conditionals in a Policy document allow for the value matching functions:
StringEqualsIgnoreCase
matching is an exact match ignoring letter case.StringLike
matching allows for glob-style pattern matching for the values and ignores letter case.
All matching conditionals are evaluated on each request similar to the way paths are matched to resources.
Referral Condition
Gateway supports conditional requirements on the value of the HTTP/1.1 Referer
header.
The Referer
header is commonly provided by web browsers when retrieving content referenced by an HTML document. While the browser, or HTTP client library, is free to provide any value they wish for this header, it is commonly used to detect the source reference for a resource request. The following logical evaluation takes place for the referral matching condition:
Policy statements without
Referer
conditions are considered for authorization if there is noReferer
header in the request.Policy statements without
Referer
conditions are considered for authorization if there is aReferer
header in the request.The policy statement is considered for authorization if the values match if there is a
Referer
header in the request and there are policy statements withReferer
conditions. Values are matched as follows:The condition matches if any value matches for the condition-key if there are multiple values in a conditional value list. It is a logical OR match.
All conditions must match if there are multiple condition-types in a condition-block. It is a logical AND match.
Rules that match a request are chosen from available rules according to Resource, Action, referral Conditions as described. Among those rules, further filtering is performed by Principal and lastly according to deny/apply semantics. Note: referral conditions are processed in all actions.
This example shows a conditional restriction that the Referer
value must be example.com
or another.com.
This example shows a conditional restriction that uses the StringLike
match to restrict the Referer
value to any subdomain within a parent domain.
While Referer
header restrictions are commonly used to prevent bandwidth stealing due to cross-linking by unaffiliated web sites, the requesting client is being trusted to accurately populate this header. Referer
header restrictions work well to prevent unauthorized cross-linking, this is not a mechanism to be relied upon to provide site security.
Prefix Condition
Gateway supports conditional requirements on the prefix match. This can be used to require object searching be constrained to a set of prefix patterns.
This is an example of a policy that only allows the listing of objects if a prefix query argument is specified.
Allowed: GET /usersbucket?format=json&prefix=home/Shared/
Denied: GET /usersbucket?format=json&prefix=home/Shared
© DataCore Software Corporation. · https://www.datacore.com · All rights reserved.