- Notes, cautions, and warnings
- S3
- Amazon S3 API support in ECS
- S3 API supported and unsupported features
- Bucket policy support
- Object Tagging
- S3 Object Lock
- Object lifecycle management
- S3 Extensions
- Metadata Search
- S3 and Swift Interoperability
- Create and manage secret keys
- Authenticating with the S3 service
- Using s3curl with ECS
- Use SDKs to access the S3 service
- ECS S3 error codes
- Hadoop S3A for ECS
- Enabling data2 IP in ECS S3
- Cloud DVR
- ECS IAM for S3
- OpenStack Swift
- EMC Atmos
- CAS
- Setting up CAS support in ECS
- Cold Storage
- Compliance
- CAS retention in ECS
- Advanced retention for CAS applications: event-based retention, litigation hold, and the min/max governor
- Set up namespace retention policies
- Create and set up a bucket for a CAS user
- Set up a CAS object user
- Set up bucket ACLs for CAS
- ECS Management APIs that support CAS users
- Content Addressable Storage (CAS) SDK API support
- ECS CAS error codes
- Enabling data2 IP in CAS
- ECS Management REST API
- ECS HDFS
- ECS HDFS Introduction
- Configuring Hadoop to use ECS HDFS
- Hadoop authentication modes
- Migration from a simple to a Kerberos Hadoop cluster
- File system interaction
- Supported Hadoop applications
- Integrate a simple Hadoop cluster with ECS HDFS
- Install Hortonworks HDP using Ambari
- Create a bucket for HDFS using the ECS Portal
- Plan the ECS HDFS and Hadoop integration
- Obtain the ECS HDFS installation and support package
- Deploy the ECS HDFS Client Library
- Configure ECS client properties
- Set up Hive
- Verify Hadoop access to ECS
- Secure the bucket
- Relocate the default file system from HDFS to an ECS bucket
- Integrate a secure Hadoop cluster with ECS HDFS
- Verify that AD/LDAP is correctly configured with a secure Hadoop cluster
- Pig test fails: unable to obtain Kerberos principal
- Permission denied for AD user
- Permissions errors
- Failed to process request
- Enable Kerberos client-side logging and debugging
- Debug Kerberos on the KDC
- Eliminate clock skew
- Configure one or more new ECS nodes with the ECS service principal
- Workaround for Yarn directory does not exist error
- Set up the Kerberos KDC
- Configure AD user authentication for Kerberos
- Secure bucket metadata
- Hadoop core-site.xml properties for ECS HDFS
- Hadoop core-site.xml properties for ECS S3
- External key management
- Document feedback
ECS 3.6.2 Data Access Guide
User-specific access using SAML keys
It is recommended to specify permissions based on the users identity when creating access policies in ECS IAM.
As to create policies that contain user-specific information, the user identity should be available in SAML keys. The following SAML keys can be used in policy conditions to create unique user identifiers.
| SAML keys | Description |
|---|---|
| saml:namequalifier |
A hash value based on the concatenation of the Issuer response value (saml:iss) and a string with the ECS namespace (account ID) and the friendly name (the last part of the ARN) of the SAML provider in IAM. The namespace (account ID) and provider name must be separated by a '/' as in "123456789012/provider_name". The combination of NameQualifier and Subject can be used to uniquely identify a federated user. The following pseudocode shows how this value is calculated. In this pseudocode, "+" indicates concatenation, SHA1 represents a function that produces a message digest using SHA-1, and Base64 represents a function that produces Base-64 encoded version of the hash output. Base64 = ( SHA1 ( "https://example.com/saml" + "ECSNamespace" + "/SamlProvider" ) ) |
| saml:sub | This is the subject of the claim, which includes a value that uniquely identifies an individual user within an organization. For example, _3e52ef03414f3464d2461c00ebae0152c25fb88bbc. |
| saml:sub_type | This key can be persistent, transient, or the full Format URI from the Subject and NameID elements used in your SAML assertion. A value of persistent indicates that the value in saml:sub is the same for a user across all sessions. If the value is transient, the user has a different saml:sub value for each session. |
IAM Policy
The following example shows a permission policy that uses the preceding keys to grant permissions to a user-specific folder in Amazon S3. The policy assumes that the Amazon S3 objects are identified using a prefix that includes both
saml:namequalifier and
saml:sub. Notice that the
Condition element includes a test to be sure that
saml:sub_type is set to persistent. If it is set to transient, the
saml:sub value for the user can be different for each session, and the combination of values should not be used to identify user-specific folders.
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject"
],
"Resource": [
"arn:aws:s3:::exampleECSBucket/backup/${saml:namequalifier}/${saml:sub}",
"arn:aws:s3:::exampleECSBucket/backup/${saml:namequalifier}/${saml:sub}/*"
],
"Condition": {"StringEquals": {"saml:sub_type": "persistent"}}
}
}
Example with sample values
- Create a role using AssumeRoleWithSAML. See AssumeRoleWithSAML for more information.
- Attach an IAM policy to this role as below.
{ "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": [ "s3:GetObject", "s3:PutObject", "s3:DeleteObject" ], "Resource": [ "arn:aws:s3:::exampleECSBucket/backup/${saml:namequalifier}/${saml:sub}", "arn:aws:s3:::exampleECSBucket/backup/${saml:namequalifier}/${saml:sub}/*" ], "Condition": {"StringEquals": {"saml:sub_type": "persistent"}} } }
The values in the above example are as follows:
- saml:iss = http://AD.adfs.emc.com/adfs/services/trust. See ECS IAM supported condition keys for the list of SAML condition keys.
- account = s3
- providername = provider1
- saml:sub = ADFS\Bob
- Base64 = SHA1 ("http://AD.adfs.emc.com/adfs/services/trust " + "s3" + "/provider1")
- SHA1 = BB9445BB2D9C57D519ACEBD08EFD428076522D5B
- Base64 of BB9445BB2D9C57D519ACEBD08EFD428076522D5B is u5RFuy2cV9UZrOvQjv1CgHZSLVs=.
Please provide ratings (1-5 stars).
Please provide ratings (1-5 stars).
Please provide ratings (1-5 stars).
Please select whether the article was helpful or not.
Comments cannot contain these special characters: <>()\