- Notes, cautions, and warnings
- S3
- Amazon S3 API support in ECS
- S3 API supported and unsupported features
- Bucket policy support
- Object Tagging
- S3 Object Lock
- Object lifecycle management
- S3 Extensions
- Metadata Search
- S3 and Swift Interoperability
- Create and manage secret keys
- Authenticating with the S3 service
- Using s3curl with ECS
- Use SDKs to access the S3 service
- ECS S3 error codes
- Hadoop S3A for ECS
- Enabling data2 IP in ECS S3
- Cloud DVR
- ECS IAM for S3
- OpenStack Swift
- EMC Atmos
- CAS
- Setting up CAS support in ECS
- Cold Storage
- Compliance
- CAS retention in ECS
- Advanced retention for CAS applications: event-based retention, litigation hold, and the min/max governor
- Set up namespace retention policies
- Create and set up a bucket for a CAS user
- Set up a CAS object user
- Set up bucket ACLs for CAS
- ECS Management APIs that support CAS users
- Content Addressable Storage (CAS) SDK API support
- ECS CAS error codes
- Enabling data2 IP in CAS
- ECS Management REST API
- ECS HDFS
- ECS HDFS Introduction
- Configuring Hadoop to use ECS HDFS
- Hadoop authentication modes
- Migration from a simple to a Kerberos Hadoop cluster
- File system interaction
- Supported Hadoop applications
- Integrate a simple Hadoop cluster with ECS HDFS
- Install Hortonworks HDP using Ambari
- Create a bucket for HDFS using the ECS Portal
- Plan the ECS HDFS and Hadoop integration
- Obtain the ECS HDFS installation and support package
- Deploy the ECS HDFS Client Library
- Configure ECS client properties
- Set up Hive
- Verify Hadoop access to ECS
- Secure the bucket
- Relocate the default file system from HDFS to an ECS bucket
- Integrate a secure Hadoop cluster with ECS HDFS
- Verify that AD/LDAP is correctly configured with a secure Hadoop cluster
- Pig test fails: unable to obtain Kerberos principal
- Permission denied for AD user
- Permissions errors
- Failed to process request
- Enable Kerberos client-side logging and debugging
- Debug Kerberos on the KDC
- Eliminate clock skew
- Configure one or more new ECS nodes with the ECS service principal
- Workaround for Yarn directory does not exist error
- Set up the Kerberos KDC
- Configure AD user authentication for Kerberos
- Secure bucket metadata
- Hadoop core-site.xml properties for ECS HDFS
- Hadoop core-site.xml properties for ECS S3
- External key management
- Document feedback
ECS 3.6.2 Data Access Guide
S3 object operation authorization
The below diagram describes how the system evaluates the authorization request for an S3 object operation process:
In the S3 object operation authorization process, at first the system evaluates whether the requester is an ECS IAM user. If yes, then the request is evaluated against the user, bucket, and object contexts. If these three contexts verifications are authorized, the access is granted. Else, it is denied.
The below table describes the summary of access details for the same and cross account bucket operation:
| Bucket owner (account) | Object owner (account) | Requestor | Comments |
|---|---|---|---|
| A1 | A1 | U1 | Access is determined by the user and/or by the bucket policy. No object ACL check |
| A1 | A1 | U2 | U2 needs IAM policy from A2 and if A1 bucket policy does not a make a determination, then the system checks the object ACL |
| A1 | A1 | R1 | IAM policy not relevant for R1. If A1 bucket policy does not a make a determination, then the system checks the object ACL |
| A1 | A1 | R2 | IAM policy not relevant for R2. If A1 bucket policy does not a make a determination, then the system checks the object ACL |
| A1 | A2 | U1 | U1 needs IAM policy or bucket policy allow. Object ACL must allow A1 access. |
| A1 | A2 | U2 | U2 needs IAM policy allow. Bucket policy should not deny.
NOTE: Bucket policy cannot allow access.
|
| A1 | A2 | U3 | U3 needs IAM policy allow. Bucket policy should not deny. Object ACL must allow A3 access.
NOTE: Bucket policy cannot allow access.
|
| A1 | A2 | R1 | IAM policy not relevant. Bucket policy should not be deny. Object ACL needs to allow A1 access.
NOTE: Bucket policy cannot allow access.
|
| A1 | A2 | R2 | IAM policy not relevant. Bucket policy should not be deny. Object ACL must allow A2 access.
NOTE: Bucket policy cannot allow access.
|
| A1 | A2 | R3 | IAM policy not relevant. Bucket policy should not be deny. Object ACL must allow A3 access.
NOTE: Bucket policy cannot allow access.
|
NOTE: In this table, the following legends are used:
A1 = first account, A2 = second account, A3 = third account, U1 = user from the first account, U2 = user from the second account, U3 = user from the third account, R1 = root user from the first account, R2 = root user from the second account, and R3 = root user from the third account. | |||
Please provide ratings (1-5 stars).
Please provide ratings (1-5 stars).
Please provide ratings (1-5 stars).
Please select whether the article was helpful or not.
Comments cannot contain these special characters: <>()\