vserver object-store-server bucket policy statement create
Create a bucket policy statement
Availability: This command is available to cluster and Vserver administrators at the admin privilege level.
Description
The vserver object-store-server bucket policy statement create command creates a bucket policy statement for the object store server bucket.
Parameters
-vserver <Vserver Name>
- Vserver Name -
This parameter specifies the name of the Vserver on which the bucket policy statement needs to be created for the object store server bucket.
-bucket <TextNoCase>
- Object Store Server Bucket Name -
This parameter specifies the name of the object store server bucket for which the policy statement needs to be created. The object store bucket must already exist.
[-index <integer>]
- Statement Index -
This parameter specifies the index of the object store server bucket policy statement. The allowed range is 1-10. This is an optional parameter.
-effect {deny|allow}
- Allow or Deny Access -
Use this parameter to specify whether access is allowed or denied when a user requests the specific action.
[-action <Action>,…]
- Bucket Policy Action Allowed or Denied -
Use this parameter to specify resource operations. The resource operations that the object store server supports are GetObject, PutObject, DeleteObject, ListBucket, GetBucketAcl, GetObjectAcl, ListBucketMultipartUploads, ListMultipartUploadParts, GetObjectTagging, PutObjectTagging, DeleteObjectTagging, PutBucketPolicy, GetBucketPolicy, DeleteBucketPolicy, GetBucketLocation, GetBucketVersioning, PutBucketVersioning, and ListBucketVersions. Wildcards are accepted for this parameter.
[-principal <Objectstore Principal>,…]
- List of Users to Be Allowed or Denied Access -
The user requesting access is validated against the object store server users, object store server groups, or NAS groups specified in this parameter. To gain access, the user in the request context must either match one of the users or belong to one of the groups specified in this principal parameter. An object store server group is specified by adding the prefix "group/" to the group name. A NAS group is specified by adding the prefix "nasgroup/" to the group name.
[-resource <text>,…]
- Bucket or Objects to Be Allowed or Denied Access -
Use this parameter to specify the bucket, folder, or object for which allow or deny permissions are set. The user name policy variable '${aws:username}' can be specified here; it serves as a placeholder that is dynamically replaced with the actual user name at run time based on the request context.
[-sid <SID>]
- Statement Identifier -
This optional parameter specifies a text comment for the object store server bucket policy statement. Alphanumeric characters are allowed as values for this parameter.
Examples
The following example creates an object store server bucket policy statement for storage virtual machine (SVM) vs1 and bucket1 that allows the object store server user user1, the object store server group group1, and the NAS group group2 to read, write, delete, and list objects under the readme folder.
cluster1::> vserver object-store-server bucket policy statement create -vserver vs1 -bucket bucket1 -effect allow -action GetObject,PutObject,DeleteObject,ListBucket -principal user1,group/group1,nasgroup/group2 -resource bucket1/readme/* -sid "fullAccessToReadmeForUser1"
The following example creates an object store server bucket policy statement for storage virtual machine (SVM) vs1 and bucket1 that allows each user access to their own home directory, by specifying the user name policy variable in the resource field.
cluster1::> vserver object-store-server bucket policy statement create -vserver vs1 -bucket bucket1 -effect allow -action * -principal * -resource bucket1,bucket1/${aws:username}/* -sid "fullAccessToUsersHomeDirectory"
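The statement parameters above (effect, action, principal with its "group/" and "nasgroup/" prefixes, resource with '${aws:username}' expansion and wildcards) can be checked offline before a policy is pushed to a cluster. The following Python model is an added example written for this page, not NetApp code; it does not talk to ONTAP. It encodes the two statements from the Examples section and evaluates sample requests against them. The request context (user name and group memberships) is constructed here, and the resolution order it applies (an explicit deny wins, otherwise any matching allow grants, otherwise the request is implicitly denied) is an assumption in the style of S3/IAM policies; this page does not state how conflicting statements are resolved.

```python
# Offline model of ONTAP object-store-server bucket policy statements.
# Added example for this reference page; not NetApp code. The evaluation
# order in evaluate() is an assumption (S3/IAM style), not stated on the page.
import fnmatch
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Resource operations listed under the -action parameter on the page.
SUPPORTED_ACTIONS = frozenset({
    "GetObject", "PutObject", "DeleteObject", "ListBucket", "GetBucketAcl",
    "GetObjectAcl", "ListBucketMultipartUploads", "ListMultipartUploadParts",
    "GetObjectTagging", "PutObjectTagging", "DeleteObjectTagging",
    "PutBucketPolicy", "GetBucketPolicy", "DeleteBucketPolicy",
    "GetBucketLocation", "GetBucketVersioning", "PutBucketVersioning",
    "ListBucketVersions",
})


def unknown_actions(actions: List[str]) -> Set[str]:
    """Action names that are neither supported nor wildcard patterns."""
    return {a for a in actions if "*" not in a and a not in SUPPORTED_ACTIONS}


@dataclass
class Statement:
    """One -effect / -action / -principal / -resource / -sid statement."""
    effect: str
    actions: List[str]
    principals: List[str]
    resources: List[str]
    sid: str = ""
    index: Optional[int] = None

    def __post_init__(self) -> None:
        if self.effect not in ("allow", "deny"):
            raise ValueError(f"effect must be allow or deny: {self.effect}")
        bad = unknown_actions(self.actions)
        if bad:
            raise ValueError(f"unsupported actions: {sorted(bad)}")
        if self.index is not None and not 1 <= self.index <= 10:
            raise ValueError("index must be in the range 1-10")


@dataclass
class Request:
    """Constructed request context: caller, group memberships, action, path."""
    user: str
    action: str
    resource: str
    groups: Set[str] = field(default_factory=set)      # object store server groups
    nas_groups: Set[str] = field(default_factory=set)  # NAS groups


def principal_matches(principal: str, req: Request) -> bool:
    """'*' matches anyone; 'group/' and 'nasgroup/' prefixes select groups."""
    if principal == "*":
        return True
    if principal.startswith("group/"):
        return principal[len("group/"):] in req.groups
    if principal.startswith("nasgroup/"):
        return principal[len("nasgroup/"):] in req.nas_groups
    return principal == req.user


def resource_matches(pattern: str, req: Request) -> bool:
    """Expand ${aws:username} from the request context, then wildcard-match."""
    expanded = pattern.replace("${aws:username}", req.user)
    return fnmatch.fnmatchcase(req.resource, expanded)


def statement_applies(stmt: Statement, req: Request) -> bool:
    """A statement applies only if action, principal and resource all match."""
    return (any(fnmatch.fnmatchcase(req.action, a) for a in stmt.actions)
            and any(principal_matches(p, req) for p in stmt.principals)
            and any(resource_matches(r, req) for r in stmt.resources))


def evaluate(policy: List[Statement], req: Request) -> str:
    """Assumed resolution: explicit deny > any allow > implicit deny."""
    applicable = [s for s in policy if statement_applies(s, req)]
    if any(s.effect == "deny" for s in applicable):
        return "deny"
    if any(s.effect == "allow" for s in applicable):
        return "allow"
    return "deny"


# The two statements from the Examples section, as this model sees them.
EXAMPLE_POLICY = [
    Statement("allow", ["GetObject", "PutObject", "DeleteObject", "ListBucket"],
              ["user1", "group/group1", "nasgroup/group2"],
              ["bucket1/readme/*"], sid="fullAccessToReadmeForUser1", index=1),
    Statement("allow", ["*"], ["*"], ["bucket1", "bucket1/${aws:username}/*"],
              sid="fullAccessToUsersHomeDirectory", index=2),
]

if __name__ == "__main__":
    for r in [Request("user1", "GetObject", "bucket1/readme/notes.txt"),
              Request("bob", "GetObject", "bucket1/readme/notes.txt"),
              Request("bob", "PutObject", "bucket1/bob/photo.jpg"),
              Request("bob", "GetObject", "bucket1/user1/private.txt"),
              Request("bob", "PutBucketPolicy", "bucket1")]:
        print(f"{r.user:6} {r.action:16} {r.resource:26} -> {evaluate(EXAMPLE_POLICY, r)}")
```

Running the model over the page's second example shows why such a check is worth doing before `bucket policy statement create`: because that statement lists `bucket1` itself as a resource with `-action *` and `-principal *`, every user is granted bucket-level operations such as PutBucketPolicy and DeleteBucketPolicy, not only access to their own home directory. Narrowing `-action` to the object operations the users need, or adding a separate deny statement for the policy-management actions, keeps the home-directory statement within least privilege.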