Managing S3 users
The concept of an S3 user is one of the base concepts of object storage, along with those of an object and a bucket (a container for storing objects). The Amazon S3 protocol uses a permission model based on access control lists (ACLs): each bucket and each object is assigned an ACL that lists all users with access to the given resource and the type of that access (read, write, read ACL, or write ACL). The list of users includes the entity owner, which is assigned to every object and bucket at creation. The entity owner has extra rights compared to other users. For example, the bucket owner is the only one who can delete that bucket.
The user model and access policies implemented in Virtuozzo Infrastructure comply with the Amazon S3 user model and access policies.
S3 user management includes:
- Creating and deleting users
- Generating, enabling/disabling, and deleting access keys
- Setting and removing user quotas
- Setting and removing user limits
How you manage S3 users depends on the user scope.
S3 user scopes
Virtuozzo Infrastructure supports two S3 user scopes: domain and project.
Domain S3 users
- Linked to domain administrators (domain scope)
- Managed via the admin panel or vinfra service s3 self-service user commands
- Can sign in to the S3 self-service panel
Use domain S3 users when you want users to manage their S3 storage through the self-service interface at the domain level.
Project S3 users
- Created inside a project (project scope)
- Managed via the admin panel or vinfra service s3 project user commands
- Cannot sign in to the S3 self-service panel
Use project S3 users when you need project-scoped S3 quotas and limits for applications or automation and do not require self-service access.
Bucket access
To access a bucket, a user needs the following information:
- Admin panel IP address
- DNS name of the S3 cluster specified during configuration
- S3 access key ID
- S3 secret access key
- SSL certificate if the HTTPS protocol was chosen during configuration (the certificate file can be found in the /etc/nginx/ssl/ directory on any node hosting the S3 gateway service)
The region parameter specified in S3 client configuration is not taken into account when sending requests to Virtuozzo Infrastructure S3 storage. Because region-based routing is not used, the region value can be set to an arbitrary value.
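As an added example, not code from the Virtuozzo documentation, the following Python shows how the items listed above combine into one authenticated S3 request (AWS Signature Version 4): the cluster DNS name becomes the Host header, the access key ID appears in the Credential scope, the secret access key is used only to derive the signature and is never transmitted, and the region is just a label inside the scope, which is why it can be arbitrary when routing does not depend on it. All host names, keys and the timestamp are constructed sample values.

```python
import datetime
import hashlib
import hmac
from urllib.parse import quote

# Constructed sample timestamp so the output is reproducible.
SAMPLE_TIME = datetime.datetime(2024, 1, 15, 12, 0, 0)


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret_key: str, date: str, region: str) -> bytes:
    # Derive the per-day signing key; the secret access key itself never leaves the client.
    k_date = _hmac(("AWS4" + secret_key).encode("utf-8"), date)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, "s3")
    return _hmac(k_service, "aws4_request")


def sign_get(host, bucket, key, access_key, secret_key, region, now=SAMPLE_TIME):
    """Return the headers for a SigV4-signed GET /<bucket>/<key> sent to the S3 cluster's DNS name."""
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date = now.strftime("%Y%m%d")
    path = "/" + quote(bucket, safe="") + "/" + quote(key, safe="/")
    payload_hash = hashlib.sha256(b"").hexdigest()  # GET carries an empty body
    headers = {"host": host, "x-amz-content-sha256": payload_hash, "x-amz-date": amz_date}
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k]}\n" for k in sorted(headers))
    canonical_request = "\n".join(
        ["GET", path, "", canonical_headers, signed_headers, payload_hash])
    # The region appears only here, in the credential scope; where the request goes is decided by the host.
    scope = f"{date}/{region}/s3/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()])
    signature = hmac.new(signing_key(secret_key, date, region),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    headers["authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed_headers}, Signature={signature}")
    return headers
```

Send the request to https://<S3 cluster DNS name>/<bucket>/<key> with these headers, and when HTTPS was chosen during configuration, verify the connection against the certificate from /etc/nginx/ssl/ rather than disabling TLS verification.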
Prerequisites
- S3 users are created, as described in Creating S3 users.
- A clear understanding of the best S3 practices, listed in Best practices for using S3 in Virtuozzo Infrastructure.