Chapter 7. Bucket policies in the Multicloud Object Gateway

OpenShift Data Foundation supports AWS S3 bucket policies. Bucket policies allow you to grant users access permissions for buckets and the objects in them.

7.1. Introduction to bucket policies

Bucket policies are an access policy option available for you to grant permission to your AWS S3 buckets and objects. Bucket policies use JSON-based access policy language. For more information about access policy language, see AWS Access Policy Language Overview.

7.2. Using bucket policies in Multicloud Object Gateway

Prerequisites

Procedure

To use bucket policies in the MCG:

  1. Create the bucket policy in JSON format.

    For example: 

    {
    "Version": "NewVersion",
    "Statement": [
        {
            "Sid": "Example",
            "Effect": "Allow",
            "Principal": [
                    "john.doe@example.com"
            ],
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::john_bucket"
            ]
        }
    ]
}

  2. Using AWS S3 client, use the put-bucket-policy command to apply the bucket policy to your S3 bucket: 

    # aws --endpoint ENDPOINT --no-verify-ssl s3api put-bucket-policy --bucket MyBucket --policy BucketPolicy
    1. Replace ENDPOINT with the S3 endpoint.
    2. Replace MyBucket with the bucket to set the policy on.
    3. Replace BucketPolicy with the bucket policy JSON file.

    4. Add --no-verify-ssl if you are using the default self signed certificates.

      For example: 

      # aws --endpoint https://s3-openshift-storage.apps.gogo44.noobaa.org --no-verify-ssl s3api put-bucket-policy -bucket MyBucket --policy file://BucketPolicy

      For more information on the put-bucket-policy command, see the AWS CLI Command Reference for put-bucket-policy.

      Note

      The principal element specifies the user that is allowed or denied access to a resource, such as a bucket. Currently, Only NooBaa accounts can be used as principals. In the case of object bucket claims, NooBaa automatically create an account obc-account.<generated bucket name>@noobaa.io.

      Note

      Bucket policy conditions are not supported.

Additional resources

7.3. Creating a user in the Multicloud Object Gateway

Prerequisites

  • A running OpenShift Data Foundation Platform.

  • Download the MCG command-line interface for easier management. 

    # subscription-manager repos --enable=rh-odf-4-for-rhel-8-x86_64-rpms
# yum install mcg
    Note

    Specify the appropriate architecture for enabling the repositories using the subscription manager.

    • For IBM Power, use the following command: 
    # subscription-manager repos --enable=rh-odf-4-for-rhel-8-ppc64le-rpms
    • For IBM Z infrastructure, use the following command: 
    # subscription-manager repos --enable=rh-odf-4-for-rhel-8-s390x-rpms

  • Alternatively, you can install the MCG package from the OpenShift Data Foundation RPMs found at Download RedHat OpenShift Data Foundation page.

    Note

    Choose the correct Product Variant according to your architecture.

Procedure

Execute the following command to create an MCG user account: 

noobaa account create <noobaa-account-name> [--allow_bucket_create=true] [--default_resource='']
<noobaa-account-name>
Specify the name of the new MCG user account.
--allow_bucket_create
Allows the user to create new buckets.
--default_resource
Sets the default resource.The new buckets are created on this default resource (including the future ones).
Note

To give access to certain buckets of MCG accounts, use AWS S3 bucket policies. For more information, see Using bucket policies in AWS documentation.