Red Hat SummitEste conteúdo não está disponível no idioma selecionado.
Chapter 7. Bucket policies in the Multicloud Object Gateway
OpenShift Data Foundation supports AWS S3 bucket policies. Bucket policies allow you to grant users access permissions for buckets and the objects in them.
7.1. Introduction to bucket policies
Bucket policies are an access policy option available for you to grant permission to your AWS S3 buckets and objects. Bucket policies use JSON-based access policy language. For more information about access policy language, see AWS Access Policy Language Overview.
7.2. Using bucket policies in Multicloud Object Gateway
Prerequisites
- A running OpenShift Data Foundation Platform.
- Access to the Multicloud Object Gateway (MCG), see Chapter 2, Accessing the Multicloud Object Gateway with your applications.
- A valid Multicloud Object Gateway user account. See Creating a user in the Multicloud Object Gatewayfor instructions to create a user account.
Procedure
To use bucket policies in the MCG:
Create the bucket policy in JSON format.
For example:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow Replace
john.doe@example.comwith a valid Multicloud Object Gateway user account.Using AWS S3 client, use the
put-bucket-policycommand to apply the bucket policy to your S3 bucket:aws --endpoint ENDPOINT --no-verify-ssl s3api put-bucket-policy --bucket MyBucket --policy file://BucketPolicy
# aws --endpoint ENDPOINT --no-verify-ssl s3api put-bucket-policy --bucket MyBucket --policy file://BucketPolicyCopy to Clipboard Copied! Toggle word wrap Toggle overflow -
Replace
ENDPOINTwith the S3 endpoint. -
Replace
MyBucketwith the bucket to set the policy on. -
Replace
BucketPolicywith the bucket policy JSON file. Add
--no-verify-sslif you are using the default self signed certificates.For example:
aws --endpoint https://s3-openshift-storage.apps.gogo44.noobaa.org --no-verify-ssl s3api put-bucket-policy -bucket MyBucket --policy file://BucketPolicy
# aws --endpoint https://s3-openshift-storage.apps.gogo44.noobaa.org --no-verify-ssl s3api put-bucket-policy -bucket MyBucket --policy file://BucketPolicyCopy to Clipboard Copied! Toggle word wrap Toggle overflow For more information on the
put-bucket-policycommand, see the AWS CLI Command Reference for put-bucket-policy.NoteThe principal element specifies the user that is allowed or denied access to a resource, such as a bucket. Currently, Only NooBaa accounts can be used as principals. In the case of object bucket claims, NooBaa automatically create an account
obc-account.<generated bucket name>@noobaa.io.NoteBucket policy conditions are not supported.
-
Replace
Additional resources
- There are many available elements for bucket policies with regard to access permissions.
- For details on these elements and examples of how they can be used to control the access permissions, see AWS Access Policy Language Overview.
- For more examples of bucket policies, see AWS Bucket Policy Examples.
7.3. Creating a user in the Multicloud Object Gateway
Prerequisites
- A running OpenShift Data Foundation Platform.
Download the MCG command-line interface for easier management.
subscription-manager repos --enable=rh-odf-4-for-rhel-8-x86_64-rpms yum install mcg
# subscription-manager repos --enable=rh-odf-4-for-rhel-8-x86_64-rpms # yum install mcgCopy to Clipboard Copied! Toggle word wrap Toggle overflow NoteSpecify the appropriate architecture for enabling the repositories using the subscription manager.
- For IBM Power, use the following command:
subscription-manager repos --enable=rh-odf-4-for-rhel-8-ppc64le-rpms
# subscription-manager repos --enable=rh-odf-4-for-rhel-8-ppc64le-rpmsCopy to Clipboard Copied! Toggle word wrap Toggle overflow - For IBM Z, use the following command:
subscription-manager repos --enable=rh-odf-4-for-rhel-8-s390x-rpms
# subscription-manager repos --enable=rh-odf-4-for-rhel-8-s390x-rpmsCopy to Clipboard Copied! Toggle word wrap Toggle overflow Alternatively, you can install the MCG package from the OpenShift Data Foundation RPMs found at Download RedHat OpenShift Data Foundation page.
NoteChoose the correct Product Variant according to your architecture.
Procedure
Execute the following command to create an MCG user account:
noobaa account create <noobaa-account-name> [--allow_bucket_create=true] [--default_resource='']
noobaa account create <noobaa-account-name> [--allow_bucket_create=true] [--default_resource='']<noobaa-account-name>- Specify the name of the new MCG user account.
--allow_bucket_create- Allows the user to create new buckets.
--default_resource- Sets the default resource.The new buckets are created on this default resource (including the future ones).
To give access to certain buckets of MCG accounts, use AWS S3 bucket policies. For more information, see Using bucket policies in AWS documentation.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}