- Notes, cautions, and warnings
- S3
- Amazon S3 API support in ECS
- S3 API supported and unsupported features
- Bucket policy support
- Object Tagging
- S3 Object Lock
- Object lifecycle management
- S3 Extensions
- Metadata Search
- S3 and Swift Interoperability
- Create and manage secret keys
- Authenticating with the S3 service
- Using s3curl with ECS
- Use SDKs to access the S3 service
- ECS S3 error codes
- Hadoop S3A for ECS
- Enabling data2 IP in ECS S3
- Cloud DVR
- ECS IAM for S3
- OpenStack Swift
- EMC Atmos
- CAS
- Setting up CAS support in ECS
- Cold Storage
- Compliance
- CAS retention in ECS
- Advanced retention for CAS applications: event-based retention, litigation hold, and the min/max governor
- Set up namespace retention policies
- Create and set up a bucket for a CAS user
- Set up a CAS object user
- Set up bucket ACLs for CAS
- ECS Management APIs that support CAS users
- Content Addressable Storage (CAS) SDK API support
- ECS CAS error codes
- Enabling data2 IP in CAS
- ECS Management REST API
- ECS HDFS
- ECS HDFS Introduction
- Configuring Hadoop to use ECS HDFS
- Hadoop authentication modes
- Migration from a simple to a Kerberos Hadoop cluster
- File system interaction
- Supported Hadoop applications
- Integrate a simple Hadoop cluster with ECS HDFS
- Install Hortonworks HDP using Ambari
- Create a bucket for HDFS using the ECS Portal
- Plan the ECS HDFS and Hadoop integration
- Obtain the ECS HDFS installation and support package
- Deploy the ECS HDFS Client Library
- Configure ECS client properties
- Set up Hive
- Verify Hadoop access to ECS
- Secure the bucket
- Relocate the default file system from HDFS to an ECS bucket
- Integrate a secure Hadoop cluster with ECS HDFS
- Verify that AD/LDAP is correctly configured with a secure Hadoop cluster
- Pig test fails: unable to obtain Kerberos principal
- Permission denied for AD user
- Permissions errors
- Failed to process request
- Enable Kerberos client-side logging and debugging
- Debug Kerberos on the KDC
- Eliminate clock skew
- Configure one or more new ECS nodes with the ECS service principal
- Workaround for Yarn directory does not exist error
- Set up the Kerberos KDC
- Configure AD user authentication for Kerberos
- Secure bucket metadata
- Hadoop core-site.xml properties for ECS HDFS
- Hadoop core-site.xml properties for ECS S3
- External key management
- Document feedback
ECS 3.6.2 Data Access Guide
Supported bucket policy conditions
The condition element is used to specify conditions that determine when a policy is in effect.
The following tables show the condition keys that are supported by ECS and that can be used in condition expressions.
| Key name | Description | Applicable operators |
|---|---|---|
| aws:CurrentTime | Used to check for date/time conditions | Date operator |
| aws:EpochTime | Used to check for date/time conditions using a date in epoch or UNIX time (see Date Condition Operators). | Date operator |
| aws:principalType | Used to check the type of principal (user, account, federated user, etc.) for the current request. | String operator |
| aws:SourceIp | Used to check the requester's IP address. | String operator |
| aws:UserAgent | Used to check the requester's client application. | String operator |
| aws:username | Used to check the requester's user name. | String operator |
| Key name | Description | Applicable permissions |
|---|---|---|
| s3:x-amz-acl | Sets a condition to require specific access permissions when the user uploads an object. | s3:PutObject, s3:PutObjectAcl, s3:PutObjectVersionAcl |
| s3:x-amz-grant-permission (for explicit permissions), where permission can be:read, write, read-acp, write-acp, full-control | Bucket owner can add conditions using these keys to require certain permissions. | s3:PutObject, s3:PutObjectAcl, s3:PutObjectVersionAcl |
| s3:x-amz-server-side-encryption | Requires the user to specify this header in the request. | s3:PutObject, s3:PutObjectAcl |
| s3:VersionId | Restrict the user to accessing data only for a specific version of the object | s3:PutObject, s3:PutObjectAcl, s3:DeleteObjectVersion |
| Key name | Description | Applicable permissions |
|---|---|---|
| s3:x-amz-acl | Set a condition to require specific access permissions when the user uploads an object | s3:CreateBucket, s3:PutBucketAcl |
| s3:x-amz-grant-permission (for explicit permissions), where permission can be:read, write, read-acp, write-acp, full-control | Bucket owner can add conditions using these keys to require certain permissions | s3:CreateBucket, s3:PutBucketAcl |
| s3:prefix | Retrieve only the object keys with a specific prefix. | s3:ListBucket, s3:ListBucketVersions |
| s3:delimiter | Require the user to specify the delimiter parameter in the Get Bucket (List Objects) request. | s3:ListBucket, s3:ListBucketVersions |
| s3:max-keys | Limit the number of keys ECS returns in response to the Get Bucket (List Objects) request by requiring the user to specify the max-keys parameter.
NOTE: In EXF900 systems, you can set the
max-keys parameter value up to 20000 per list request.
|
s3:ListBucket, s3:ListBucketVersions |
Please provide ratings (1-5 stars).
Please provide ratings (1-5 stars).
Please provide ratings (1-5 stars).
Please select whether the article was helpful or not.
Comments cannot contain these special characters: <>()\