
Create or modify an ONTAP S3 object store server policy

Contributors netapp-ahibbard netapp-aaron-holt netapp-dbagwell netapp-thomi netapp-aherbin

You can create policies that can apply to one or more buckets in an object store. Object store server policies can be attached to groups of users, thereby simplifying the management of resource access across multiple buckets.

Before you begin

An S3-enabled SVM containing an S3 server and a bucket must already exist.

About this task

You can enable access policies at the SVM level by specifying a default or custom policy in an object storage server group. The policies do not take effect until they are specified in the group definition.

Note: When you use object storage server policies, you specify principals (that is, users and groups) in the group definition, not in the policy itself.

There are three read-only default policies for access to ONTAP S3 resources:

  • FullAccess

  • NoS3Access

  • ReadOnlyAccess

You can also create new custom policies, then add new statements for new users and groups, or you can modify the attributes of existing statements. Learn more about the vserver object-store-server policy command in the ONTAP command reference.

Beginning with ONTAP 9.9.1, if you plan to support AWS client object tagging functionality with the ONTAP S3 server, the actions GetObjectTagging, PutObjectTagging, and DeleteObjectTagging need to be allowed using the bucket or group policies.

The procedure you follow depends on the interface that you use, System Manager or the CLI:

System Manager

Use System Manager to create or modify an object store server policy

Steps
  1. Edit the storage VM: click Storage > storage VMs, click the storage VM, click Settings and then click the Edit icon under S3.

  2. Add a user: click Policies, then click Add.

    1. Enter a policy name and select from a list of groups.

    2. Select an existing default policy or add a new one.

      When adding or modifying a group policy, you can specify the following parameters:

      • Group: the groups to whom access is granted.

      • Effect: allows or denies access to one or more groups.

      • Actions: permissible actions in one or more buckets for a given group.

      • Resources: paths and names of objects within one or more buckets for which access is granted or denied. For example:

        • * grants access to all buckets in the storage VM.

        • bucketname and bucketname/* grant access to all objects in a specific bucket.

        • bucketname/readme.txt grants access to an object in a specific bucket.

    3. If desired, add statements to existing policies.

CLI

Use the CLI to create or modify an object store server policy

Steps
  1. Create an object storage server policy:

    vserver object-store-server policy create -vserver svm_name -policy policy_name [-comment text]

  2. Create a statement for the policy:

    vserver object-store-server policy statement create -vserver svm_name -policy policy_name -effect {allow|deny} -action object_store_actions -resource object_store_resources [-sid text]

    The following parameters define access permissions:

    -effect

    The statement may allow or deny access.

    -action

    You can specify * to mean all actions, or a list of one or more of the following: GetObject, PutObject, DeleteObject, ListBucket, GetBucketAcl, GetObjectAcl, ListAllMyBuckets, ListBucketMultipartUploads, and ListMultipartUploadParts.

    -resource

    The bucket and any object it contains. The wildcard characters * and ? can be used to form a regular expression for specifying a resource.

    You can optionally specify a text string as a comment with the -sid option.

    By default, new statements are added to the end of the list of statements, which are processed in order. When you add or modify statements later, you have the option to modify the statement's -index setting to change the processing order.
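To review a planned policy before typing the CLI lines above, here is an added Python example (not NetApp's code and not an ONTAP API): it validates each statement's -effect and -action values against the list on this page, flags allow statements that grant write or all actions on every bucket, renders the step 1 and step 2 commands in processing order, and models the -resource patterns from the page. Comma-separated list values for -action and -resource, and shell-style matching of * and ?, are assumptions.

```python
# Added example, not NetApp's code: lint a planned ONTAP S3 policy and render the CLI
# lines from the steps above. Comma-separated -action/-resource values are an assumption.
import fnmatch

# Actions named on this page (the -action list plus the ONTAP 9.9.1 tagging actions).
KNOWN_ACTIONS = {"GetObject", "PutObject", "DeleteObject", "ListBucket", "GetBucketAcl",
                 "GetObjectAcl", "ListAllMyBuckets", "ListBucketMultipartUploads",
                 "ListMultipartUploadParts", "GetObjectTagging", "PutObjectTagging",
                 "DeleteObjectTagging"}
WRITE_ACTIONS = {"PutObject", "DeleteObject", "PutObjectTagging", "DeleteObjectTagging"}

def resource_matches(pattern, resource):
    """Does a -resource pattern cover a 'bucket/key' string? Follows the page's examples:
    '*' is every bucket, 'bucket' and 'bucket/*' every object in it, 'bucket/readme.txt'
    one object; '*' and '?' are treated as shell-style wildcards (assumption)."""
    if "/" not in pattern and pattern != "*":  # bare bucket name covers the whole bucket
        return resource == pattern or resource.startswith(pattern + "/")
    return fnmatch.fnmatchcase(resource, pattern)

def lint_statement(effect, actions, resources):
    """Return findings for one statement; an empty list means nothing to flag."""
    findings = []
    if effect not in ("allow", "deny"):
        findings.append(f"effect must be allow or deny, got {effect!r}")
    findings += [f"unknown action {a!r}" for a in actions if a != "*" and a not in KNOWN_ACTIONS]
    broad = "*" in resources and ("*" in actions or bool(WRITE_ACTIONS & set(actions)))
    if effect == "allow" and broad:
        findings.append("allow grants write or all actions on every bucket; scope -resource")
    return findings

def statement_command(svm, policy, effect, actions, resources, sid=None):
    """Render the 'policy statement create' line from step 2."""
    cmd = (f"vserver object-store-server policy statement create -vserver {svm} "
           f"-policy {policy} -effect {effect} -action {','.join(actions)} "
           f"-resource {','.join(resources)}")
    return cmd + (f' -sid "{sid}"' if sid else "")

def build_policy(svm, policy, statements):
    """Lint each (effect, actions, resources, sid) tuple; return (commands, findings)."""
    commands = [f"vserver object-store-server policy create -vserver {svm} -policy {policy}"]
    findings = []
    for i, (effect, actions, resources, sid) in enumerate(statements, start=1):
        findings += [f"statement {i}: {f}" for f in lint_statement(effect, actions, resources)]
        commands.append(statement_command(svm, policy, effect, actions, resources, sid))
    return commands, findings

# Constructed sample: read-only access to the 'reports' bucket plus an explicit deny on deletes.
READ_ONLY_REPORTS = [("allow", ["GetObject", "GetObjectAcl", "ListBucket", "GetObjectTagging"],
                      ["reports", "reports/*"], "ro-reports"),
                     ("deny", ["DeleteObject", "DeleteObjectTagging"], ["reports/*"], "no-delete")]
```

Run `build_policy("svm1", "ro_reports", READ_ONLY_REPORTS)` to get the three CLI lines to paste and an empty findings list; a statement such as `("allow", ["*"], ["*"], None)` is reported instead.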

Learn more about the commands described in this procedure in the ONTAP command reference.