Managing S3 users

The S3 user is one of the base concepts of object storage, along with the object and the bucket (a container for storing objects). The Amazon S3 protocol uses a permission model based on access control lists (ACLs): each bucket and each object is assigned an ACL that lists the users who have access to the resource and the type of that access (read, write, read ACL, or write ACL). The list always includes the owner, which is assigned to every object and bucket at creation. The owner has rights that other grantees do not have; for example, only the bucket owner can delete that bucket.

The user model and access policies implemented in Virtuozzo Hybrid Infrastructure comply with the Amazon S3 user model and access policies.

User management scenarios in Virtuozzo Hybrid Infrastructure are largely based on the Amazon Web Services user management and include the following operations: create, query, and delete users, as well as generate and revoke user access key pairs.

Each S3 user has one or two key pairs (an access key ID and a secret access key) for accessing the S3 cloud. Think of the access key ID as the login and the secret key as the password: the access key ID identifies the user in every request, while the secret key is used only to sign requests and is never sent over the network. (For more information about S3 key pairs, refer to the Amazon documentation.) The keys are generated and stored locally in the storage cluster on the S3 name servers. Because a user can have up to two key pairs, you can rotate keys without downtime: create a second pair, switch the clients to it, disable the old pair (so that it can be re-enabled if a client was missed), and delete it once nothing uses it. It is recommended to revoke old key pairs and generate new ones periodically.

Each self-service user that has enabled access to the S3 storage is mapped to an S3 user with an automatically generated name. The user name format is user_id@generated.com. Such an S3 user is also assigned a unique Amazon Resource Name (ARN). The ARN is generated as follows: arn:aws:iam::<domain_id>:<user_id>.

To access a bucket, a user needs the following information:

  • Admin panel IP address
  • DNS name of the S3 cluster specified during configuration
  • S3 access key ID
  • S3 secret access key
  • SSL certificate if the HTTPS protocol was chosen during configuration (the certificate file can be found in the /etc/nginx/ssl/ directory on any node hosting the S3 gateway service), so that S3 clients can verify the gateway's certificate instead of skipping TLS verification
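
The following is an added example, not code from Virtuozzo Hybrid Infrastructure or its documentation. It shows how a client uses the items above: the DNS name of the S3 cluster becomes the request host, the access key ID is placed in the request, and the secret access key only signs the request (AWS Signature Version 4, the scheme S3 clients use), so rotating a key pair means nothing more than swapping the two values. The cluster DNS name s3.example.com, the region string us-east-1 (whatever region name the S3 client is configured with), path-style bucket addressing, the bucket name and the key pair are all constructed placeholders, not values from this page.

```python
"""Sign an S3 request with a user's access key pair (AWS Signature Version 4).

Added example for this page; not code from Virtuozzo Hybrid Infrastructure.
Standard library only. Host, bucket and key values are constructed placeholders.
"""
import hashlib
import hmac
import urllib.parse

# Constructed sample data (placeholders, not real credentials or hosts).
S3_HOST = "s3.example.com"                 # assumed DNS name of the S3 cluster
ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"      # assumed access key ID
SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"  # assumed secret


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret_key: str, date_stamp: str, region: str, service: str) -> bytes:
    """Derive the per-day signing key from the secret access key.

    Only this derived key signs requests; the secret itself never appears
    in any request header.
    """
    k_date = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    return _hmac_sha256(k_service, "aws4_request")


def sign_request(access_key_id, secret_key, method, host, path, query, body,
                 amz_date, region="us-east-1", service="s3"):
    """Return the headers of a SigV4-signed S3 request.

    amz_date is the request time in ISO 8601 basic format ("20240101T120000Z").
    The same timestamp is signed and sent in x-amz-date, which lets the
    gateway reject stale or replayed requests.
    """
    date_stamp = amz_date[:8]
    payload_hash = _sha256_hex(body)

    # Canonical query string: sorted, URI-encoded key=value pairs.
    def quote(s):
        return urllib.parse.quote(s, safe="-_.~")
    canonical_query = "&".join(f"{quote(k)}={quote(v)}" for k, v in sorted(query.items()))

    # Headers covered by the signature; host is mandatory for S3.
    headers = {
        "host": host,
        "x-amz-content-sha256": payload_hash,
        "x-amz-date": amz_date,
    }
    canonical_headers = "".join(f"{k}:{headers[k]}\n" for k in sorted(headers))
    signed_headers = ";".join(sorted(headers))
    canonical_request = "\n".join([
        method,
        urllib.parse.quote(path, safe="/-_.~"),
        canonical_query,
        canonical_headers,
        signed_headers,
        payload_hash,
    ])
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256",
        amz_date,
        scope,
        _sha256_hex(canonical_request.encode("utf-8")),
    ])
    signature = hmac.new(
        signing_key(secret_key, date_stamp, region, service),
        string_to_sign.encode("utf-8"),
        hashlib.sha256,
    ).hexdigest()
    # The access key ID identifies the user; the signature proves key possession.
    headers["Authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={access_key_id}/{scope}, "
        f"SignedHeaders={signed_headers}, Signature={signature}"
    )
    return headers


def list_bucket_headers(bucket="my-bucket", amz_date="20240101T120000Z"):
    """Headers for GET /<bucket>/?list-type=2 (path-style) against the cluster."""
    return sign_request(ACCESS_KEY_ID, SECRET_ACCESS_KEY, "GET", S3_HOST,
                        f"/{bucket}/", {"list-type": "2"}, b"", amz_date)


if __name__ == "__main__":
    for name, value in list_bucket_headers().items():
        print(f"{name}: {value}")
```

To send the request, pass these headers to any HTTPS client configured with the gateway certificate from /etc/nginx/ssl/ as its trusted CA; a client that disables certificate verification instead would accept a spoofed gateway and hand it the signed request.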

You can limit object storage usage per S3 user by setting default quotas, which are applied to all S3 users.


To copy, add, disable, or delete S3 access key pairs for an S3 user

  1. Open the Storage services > S3 > Users screen, and then select a user.
  2. In the right pane of the selected user, go to the S3 access keys section:

    1. To copy an access key ID, click the copy icon next to the key.
    2. To copy a secret access key, click the ellipsis icon next to the key, and then click Copy secret access key.
    3. To delete keys, click the ellipsis icon next to the key, and then click Delete.
    4. To disable keys, click the ellipsis icon next to the key, and then click Disable.
    5. To add new keys, click Create.

To set the default quotas for S3 users

Use the following command:

vinfra service s3 users default-quotas add --quota-size <quota_size>

--quota-size <quota_size>
    Quota size, in GB

For example, to set the default quota size to 100 GB for each S3 user, run:

# vinfra service s3 users default-quotas add --quota-size 100
+---------------+-------+
| Field         | Value |
+---------------+-------+
| resource_type | user  |
| size          | 100   |
| units         | GB    |
+---------------+-------+

To remove the default quotas for S3 users

Use the following command:

vinfra service s3 users default-quotas remove

For example, to remove the default quota size for each S3 user, run:

# vinfra service s3 users default-quotas remove