- Notes, cautions, and warnings
- Revision history
- About using this guide
- Overview
- Getting Started with ObjectScale
- IAM accounts and account entities
- Introduction to Identity and Access Management
- Accounts
- New Accounts
- View the summary of an account
- Edit Account
- Enable or Disable an Account
- Delete an account
- Users
- Groups
- Roles
- Policies
- Create a new customer-managed policy
- Edit a customer-managed policy
- Delete a customer-managed policy
- Attach a policy to an account entity
- Detach a policy from an account entity
- Attach a permission boundary to an account entity
- Detach a permission boundary from an account entity
- Actions in IAM Policy
- Principal types in IAM Policies
- Identity Provider
- Root Access Keys
- Notification Destinations
- Metrics
- Object stores
- About ObjectScale object stores
- Creating a new object store
- Edit the settings of an object store
- Delete an object store
- View the Summary of an object store
- View the Dashboard of an object store
- Set capacity alerts for an object store
- Add additional accounts to an object store
- Edit an account values for an object store
- Remove an account from an object store
- View the certificates for an object store
- Monitor and manage replication for an object store
- View the health of an object store
- Metrics
- Buckets
- Federate ObjectScale Systems
- ObjectScale Replication
- Management Users and Roles in ObjectScale Software Bundle
- Authentication Providers in ObjectScale Software Bundle
- Maintain ObjectScale
- ObjectScale Management REST API
- Accessing data with IAM and S3
- ObjectScale IAM overview
- Amazon S3 API support in ObjectScale
- Alerts
- About ObjectScale instance event and issue monitoring
- Monitoring Events, Audits, and Alerts
- CSI-01
- CSI-03
- CSI-05
- DECKS-HC-1000
- DECKS-LIC-1002
- DECKS-LIC-1005
- DECKS-LIC-1006
- DECKS-LIC-1008
- DECKS-LIC-1011
- DECKS-SA-1023
- DECKS-SA-1024
- KAHM-HC-1000
- NVMF-1389
- NVMF-1390
- NVMF-1393
- NVMF-1395
- OBJSC-FED-1001
- OBJSC-IAM-1004
- OBJSC-LIC-0004
- OBJSC-MGR-3000
- OBJSC-MGR-HC-1000
- OBJSC-MON-1111
- OBJSC-MON-1112
- OBJSC-MON-1113
- OBJSC-MON-3002
- OBJSC-MON-3003
- OBJSC-MON-4019
- OBJSC-MON-4020
- OBJSC-MON-4021
- OBJSC-MON-4022
- OBJSC-MON-4025
- OBJSC-MON-4028
- OBJSC-SP-0000
- OBJSC-SP-0001
- OBJSC-SP-0002
- OBJSC-SP-0003
- OBJSC-SP-0004
- OBJSC-TARGET-01
- OBJSOP-1000
- OBJSOP-1001
- OBJSOP-1002
- OBJSOP-1003
- OBJSOP-1004
- OBJSOP-1005
- OBJSOP-1006
- OBJSOP-2001
- OBJSOP-2002
- OBJST-1006
- OBJST-1008
- OBJST-12001
- OBJST-12003
- OBJST-12004
- OBJST-12005
- OBJST-12006
- OBJST-12007
- OBJST-12008
- OBJST-13000
- OBJST-13001
- OBJST-13002
- OBJST-13003
- OBJST-13004
- OBJST-13005
- OBJST-13006
- OBJST-13007
- OBJST-13008
- OBJST-13009
- OBJST-13010
- OBJST-13011
- OBJST-1320
- OBJST-1321
- OBJST-1324
- OBJST-1325
- OBJST-1328
- OBJST-1329
- OBJST-1332
- OBJST-1333
- OBJST-1336
- OBJST-1337
- OBJST-1340
- OBJST-1341
- OBJST-1344
- OBJST-1345
- OBJST-1352
- OBJST-1354
- OBJST-1364
- OBJST-1365
- OBJST-1366
- OBJST-1389
- OBJST-1390
- OBJST-1392
- OBJST-1600
- OBJST-1601
- OBJST-1602
- OBJST-1603
- OBJST-1604
- OBJST-1605
- OBJST-1700
- OBJST-1701
- OBJST-2100
- OBJST-2101
- OBJST-MON-4016
- OBJST-MON-4019
- OBJST-MON-4020
- OBJSTORE-HC-1000
- SNMPNOTI-1000
- TEST TRAP
- Metrics for ObjectScale and object stores
- Troubleshooting and service procedures
- About the ObjectScale service pod
- Collecting troubleshooting logs
- About ObjectScale service procedures
- About ObjectScale capacity expansion procedures
- About ObjectScale maintenance modes
- Maintenance mode in ObjectScale on OpenShift
- Place a node into temporary maintenance mode (ObjectScale on OpenShift)
- Remove a node from temporary maintenance mode (ObjectScale on OpenShift)
- Place a healthy node into permanent maintenance mode (ObjectScale on OpenShift)
- Place a failed node into permanent maintenance mode (ObjectScale on OpenShift)
- Temporary maintenance mode for ObjectScale Software Bundle
- Maintenance mode in ObjectScale on OpenShift
- Disk replacement service procedure
- Perform a node replacement service procedure (ObjectScale on OpenShift)
- Add a node (ObjectScale Software Bundle)
- Remove a node (ObjectScale Software Bundle)
- Prepare a failed node for node hardware or software maintenance (ObjectScale Software Bundle)
- Prepare a healthy node for node hardware or software maintenance (ObjectScale Software Bundle)
- Replace a healthy node within the ObjectScale Software Bundle
- Replace a failed node within the ObjectScale Software Bundle
- View service procedure status
Dell EMC ObjectScale 1.2.x Administration Guide
S3 request authorization
During the S3 request authorization process, ObjectScale evaluates permission using user, bucket, and object contexts as needed.
| Context | Description |
|---|---|
| User | In this context, if the requester is an ObjectScale IAM principal, the principal must have permission from the parent account to which it belongs. In this step, the subset of policies that are owned by the parent account (also referred as the context authority) is evaluated. This subset of policies includes the user policy that the parent attaches to the principal. If the parent also owns the resource in the request (bucket, object), then the corresponding resource policies (bucket policy, bucket ACL, and object ACL) are also evaluated at the same time. |
| Bucket | In this context, ObjectScale evaluates policies that are owned by the account that owns the bucket. If the account that owns the object in the request is not same as the bucket owner, in the bucket context the policies are checked to verify that the bucket owner has not explicitly denied access to the object. If there is an explicit deny set on the object, then the request is not authorized. |
| Object | In this context, the requester must have permissions from the object owner to perform a specific object operation. In this step, the object ACL is evaluated if required. |
Bucket authorization
In the S3 bucket operation authorization process, at first the system evaluates whether the requester is an IAM user. If yes, then the request is evaluated against the user context and the bucket contexts. If both verifications are authorized, the access is granted. Else, it is denied.
The below table describes the summary of access details for the same and cross account bucket operation:
| Bucket owner (account) | Requestor (account, user) | Comments |
|---|---|---|
| A1 | U1 | The user or the bucket policy determines the access. There is no bucket ACL check. |
| A1 | U2 | U2 needs IAM policy from A2, if A1 bucket policy does not a make a determination, then the system checks the bucket ACL. |
| A1 | R1 | IAM policy is not relevant for root user (R1). If A1 bucket policy does not a make a determination, then the system checks the bucket ACL. |
| A1 | R2 | IAM policy is not relevant for root user (R2). If A1 bucket policy does not a make a determination, then the system checks the bucket ACL. |
NOTE: In this table, the following legends are used: A1 = first account, A2 = second account, U1 = user from the first account, U2 = user from the second account, R1 = root user from the first account, and R2 = root user from the second account. | ||
Object authorization
In the S3 object operation authorization process, at first the system evaluates whether the requester is an IAM user. If yes, then the request is evaluated against the user, bucket, and object contexts. If these three contexts verifications are authorized, the access is granted. Else, it is denied.
The below table describes the summary of access details for the same and cross account bucket operation:
| Bucket owner (account) | Object owner (account) | Requestor | Comments |
|---|---|---|---|
| A1 | A1 | U1 | Access is determined by the user and/or by the bucket policy. No object ACL check |
| A1 | A1 | U2 | U2 needs IAM policy from A2 and if A1 bucket policy does not a make a determination, then the system checks the object ACL |
| A1 | A1 | R1 | IAM policy not relevant for R1. If A1 bucket policy does not a make a determination, then the system checks the object ACL |
| A1 | A1 | R2 | IAM policy not relevant for R2. If A1 bucket policy does not a make a determination, then the system checks the object ACL |
| A1 | A2 | U1 | U1 needs IAM policy or bucket policy allow. Object ACL must allow A1 access. |
| A1 | A2 | U2 | U2 needs IAM policy allow. Bucket policy should not deny. NOTE: Bucket policy cannot allow access. |
| A1 | A2 | U3 | U3 needs IAM policy allow. Bucket policy should not deny. Object ACL must allow A3 access. NOTE: Bucket policy cannot allow access. |
| A1 | A2 | R1 | IAM policy not relevant. Bucket policy should not deny. Object ACL needs to allow A1 access. NOTE: Bucket policy cannot allow access. |
| A1 | A2 | R2 | IAM policy not relevant. Bucket policy should not deny. Object ACL must allow A2 access. NOTE: Bucket policy cannot allow access. |
| A1 | A2 | R3 | IAM policy not relevant. Bucket policy should not deny. Object ACL must allow A3 access. NOTE: Bucket policy cannot allow access. |
NOTE: In this table, the following legends are used: A1 = first account, A2 = second account, A3 = third account, U1 = user from the first account, U2 = user from the second account, U3 = user from the third account, R1 = root user from the first account, R2 = root user from the second account, and R3 = root user from the third account. | |||
Please provide ratings (1-5 stars).
Please provide ratings (1-5 stars).
Please provide ratings (1-5 stars).
Please select whether the article was helpful or not.
Comments cannot contain these special characters: <>()\