Create or modify an ONTAP S3 object store server policy
You can create policies that can apply to one or more buckets in an object store. Object store server policies can be attached to groups of users, thereby simplifying the management of resource access across multiple buckets.
An S3-enabled SVM containing an S3 server and a bucket must already exist.
You can enable access policies at the SVM level by specifying a default or custom policy in an object storage server group. The policies do not take effect until they are specified in the group definition.
When you use object storage server policies, you specify principals (that is, users and groups) in the group definition, not in the policy itself. |
There are three read-only default policies for access to ONTAP S3 resources:
-
FullAccess
-
NoS3Access
-
ReadOnlyAccess
You can also create new custom policies, then add new statements for new users and groups, or you can modify the attributes of existing statements. Learn more about the vserver object-store-server policy
command in the ONTAP command reference.
Beginning with ONTAP 9.9.1, if you plan to support AWS client object tagging functionality with the ONTAP S3 server, the actions GetObjectTagging
, PutObjectTagging
, and DeleteObjectTagging
need to be allowed using the bucket or group policies.
The procedure you follow depends on the interface that you use—System Manager or the CLI:
Use System Manager to create or modify an object store server policy
-
Edit the storage VM: click Storage > storage VMs, click the storage VM, click Settings and then click under S3.
-
Add a user: click Policies, then click Add.
-
Enter a policy name and select from a list of groups.
-
Select an existing default policy or add a new one.
When adding or modifying a group policy, you can specify the following parameters:
-
Group: the groups to whom access is granted.
-
Effect: allows or denies access to one or more groups.
-
Actions: permissible actions in one or more buckets for a given group.
-
Resources: paths and names of objects within one or more buckets for which access is granted or denied. For example:
-
* grants access to all buckets in the storage VM.
-
bucketname and bucketname/* grant access to all objects in a specific bucket.
-
bucketname/readme.txt grants access to an object in a specific bucket.
-
-
-
If desired, add statements to existing policies.
-
Use the CLI to create or modify an object store server policy
-
Create an object storage server policy:
vserver object-store-server policy create -vserver svm_name -policy policy_name [-comment text]
-
Create a statement for the policy:
vserver object-store-server policy statement create -vserver svm_name -policy policy_name -effect {allow|deny} -action object_store_actions -resource object_store_resources [-sid text]
The following parameters define access permissions:
-effect
The statement may allow or deny access
-action
You can specify
*
to mean all actions, or a list of one or more of the following:GetObject, PutObject, DeleteObject, ListBucket,GetBucketAcl, GetObjectAcl, ListAllMyBuckets, ListBucketMultipartUploads,
andListMultipartUploadParts
.-resource
The bucket and any object it contains. The wildcard characters
*
and?
can be used to form a regular expression for specifying a resource.You can optionally specify a text string as comment with the
-sid
option.By default, new statements are added to the end of the list of statements, which are processed in order. When you add or modify statements later, you have the option to modify the statement's
-index
setting to change the processing order.
Learn more about the commands described in this procedure in the ONTAP command reference.