Managing S3 users
The concept of an S3 user is one of the base concepts of object storage along with those of an object and a bucket (a container for storing objects). The Amazon S3 protocol uses a permission model based on access control lists (ACLs), where each bucket and each object are assigned an ACL that lists all users with access to the given resource and the type of this access (read, write, read ACL, or write ACL). The list of users includes the entity owner assigned to every object and bucket at creation. The entity owner has extra rights compared to other users. For example, the bucket owner is the only one who can delete that bucket.
User model and access policies implemented in Virtuozzo Hybrid Infrastructure comply with the Amazon S3 user model and access policies.
User management scenarios in Virtuozzo Hybrid Infrastructure are largely based on the Amazon Web Services user management and include the following operations: create, query, and delete users, as well as generate and revoke user access key pairs.
Each S3 user has one or two key pairs (access key and secret key) for accessing the S3 cloud. You can think of the access key as the login and the secret key as the password. (For more information about S3 key pairs, refer to the Amazon documentation.) The access keys are generated and stored locally in the storage cluster on S3 name servers.
Each self-service user that has enabled access to the S3 storage is mapped to an S3 user with an automatically generated name. The user name format is user_id@generated.com
. Such an S3 user is also assigned a unique Amazon Resource Name (ARN). The ARN is generated as follows: arn:aws:iam::<domain_id>:<user_id>
.
To access a bucket, a user needs the following information:
- Admin panel IP address
- DNS name of the S3 cluster specified during configuration
- S3 access key ID
- S3 secret access key
- SSL certificate if the HTTPS protocol was chosen during configuration (the certificate file can be found in the /etc/nginx/ssl/ directory on any node hosting the S3 gateway service)
Prerequisites
- S3 users are created, as described in Creating S3 users.
- A clear understanding of the best S3 practices, listed in Best practices for using S3 in Virtuozzo Hybrid Infrastructure.