Access Control

AIStor Key Manager uses a Policy-Based Access Control (PBAC) system where each user identity has a corresponding attached policy. A policy controls what operations the identity can perform within a given enclave.

Policy Structure

Policies consist of allow and deny rules that control access to Key Manager operations:

{
  "allow": {
    "<ACTION>": "<resource-pattern>" | ["<pattern1>", "<pattern2>"]
  },
  "deny": {
    "<ACTION>": "<resource-pattern>" | ["<pattern1>", "<pattern2>"]
  }
}

A resource pattern lets you specify one or more simple GLOB-style patterns to match resource names. For example, you can match against a specific string to control access to a single resource, or use a wildcard (*) to match all resources.

Key Manager supports the following pattern matching behavior:

  • Exact match: my-key matches only my-key
  • Prefix match: my-key* matches my-key, my-key-1, my-key-backup
  • Wildcard: * matches any resource name

Key Manager evaluates policies with a deny-by-default approach. Any action not explicitly allowed is denied, and any action explicitly denied is denied regardless of allow rules.

Policy Actions Reference

The following sections list the available policy actions for admin and user identities.

Operations related to enclave or cluster management require root permissions. You cannot elevate non-root identities to perform these operations through policy controls.

Key Operations

Action            Description                      Resource Example
KEY:CREATE        Create a new cryptographic key   'object-store-dc-1-key-*'
KEY:DELETE        Delete an existing key           'object-store-dc-1-key-*'
KEY:IMPORT        Import an external key           'object-store-dc-1-key-*'
KEY:STATUS        View key status and metadata     'object-store-dc-1-key-*'
KEY:ENCRYPT       Encrypt data using a key         'object-store-dc-1-key-*'
KEY:DECRYPT       Decrypt data using a key         'object-store-dc-1-key-*'
KEY:GENERATE      Generate a data encryption key   'object-store-dc-1-key-*'
KEY:LIST          List all keys                    Not Supported
KEY:LISTVERSIONS  List all versions of a key       'object-store-dc-1-key-*'
KEY:MAC           Generate a MAC using a key       'object-store-dc-1-key-*'

Policy Management

Action          Description                     Resource Example
POLICY:CREATE   Create a new policy             'object-store-dc-1-policy-*'
POLICY:DELETE   Delete an existing policy       'object-store-dc-1-policy-*'
POLICY:ASSIGN   Assign a policy to an identity  'object-store-dc-1-policy-*'
POLICY:GET      Retrieve a policy definition    'object-store-dc-1-policy-*'
POLICY:STATUS   View policy status              'object-store-dc-1-policy-*'
POLICY:LIST     List all policies               Not Supported

Identity Management

Action            Description                   Resource Example
IDENTITY:CREATE   Create a new identity         'object-store-dc-identity-*'
IDENTITY:DELETE   Delete an existing identity   'object-store-dc-identity-*'
IDENTITY:STATUS   View identity status          'object-store-dc-identity-*'
IDENTITY:LIST     List all identities           Not Supported

Example Policies

For a given policy, the scope of access for each action is further limited by the enclave of the identity the policy is attached to. For example, an identity attached to the dev-enclave can only perform actions on resources within that enclave.

Read-only key access

The following policy grants the user read-only access to the Key Manager key store, which includes the ability to perform encryption and decryption operations with the keys in an enclave:

{
  "allow": {
    "KEY:STATUS": ["*"],
    "KEY:LIST": ["*"],
    "KEY:LISTVERSIONS": ["*"],
    "KEY:ENCRYPT": ["*"],
    "KEY:DECRYPT": ["*"]
  }
}

Application-specific key management

The following policy grants the user all key-related operations for the subset of keys matching the specified prefix patterns:

{
  "allow": {
    "KEY:CREATE": ["app-*", "service-*"],
    "KEY:DELETE": ["app-*", "service-*"],
    "KEY:STATUS": ["app-*", "service-*"],
    "KEY:ENCRYPT": ["app-*", "service-*"],
    "KEY:DECRYPT": ["app-*", "service-*"],
    "KEY:GENERATE": ["app-*", "service-*"]
  }
}

Restricted key management

The following policy grants the user most key management operations for all keys, while denying the ability to delete keys:

{
  "allow": {
    "KEY:CREATE": ["*"],
    "KEY:STATUS": ["*"],
    "KEY:ENCRYPT": ["*"],
    "KEY:DECRYPT": ["*"],
    "KEY:GENERATE": ["*"],
    "KEY:LIST": [],
    "KEY:LISTVERSIONS": ["*"],
    "KEY:MAC": ["*"]
  },
  "deny": {
    "KEY:DELETE": ["*"]
  }
}
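The evaluation rules above (deny-by-default, explicit deny overriding allow, the three documented pattern forms, and enclave scoping) can be checked offline against a policy before it is assigned. The following is an added example, not Key Manager's own code: a small evaluator plus an audit helper that reports allow rules a deny rule makes dead. It assumes only the three pattern forms documented on this page (exact, trailing-* prefix, bare *) and uses the "Restricted key management" policy from above as input.

```python
import json

# Policy copied from the "Restricted key management" example on this page.
RESTRICTED_POLICY = json.loads("""{
  "allow": {"KEY:CREATE": ["*"], "KEY:STATUS": ["*"], "KEY:ENCRYPT": ["*"],
            "KEY:DECRYPT": ["*"], "KEY:GENERATE": ["*"], "KEY:LIST": [],
            "KEY:LISTVERSIONS": ["*"], "KEY:MAC": ["*"]},
  "deny": {"KEY:DELETE": ["*"]}
}""")

def pattern_matches(pattern: str, resource: str) -> bool:
    """The three documented forms: wildcard '*', prefix 'foo*', exact 'foo'."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return resource.startswith(pattern[:-1])
    return pattern == resource

def _patterns(rules: dict, action: str) -> list:
    # A rule value may be a single pattern string or a list of patterns.
    value = rules.get(action, [])
    return [value] if isinstance(value, str) else list(value)

def is_allowed(policy: dict, identity_enclave: str, request_enclave: str,
               action: str, resource: str) -> bool:
    """Deny-by-default evaluation: enclave scope, then explicit deny, then allow."""
    if identity_enclave != request_enclave:  # a policy never reaches across enclaves
        return False
    if any(pattern_matches(p, resource) for p in _patterns(policy.get("deny", {}), action)):
        return False  # an explicit deny wins over any allow rule
    return any(pattern_matches(p, resource) for p in _patterns(policy.get("allow", {}), action))

def _covers(deny: str, allow: str) -> bool:
    """True when every resource matched by `allow` is also matched by `deny`."""
    if deny == "*":
        return True
    literal = allow[:-1] if allow.endswith("*") else allow
    if deny.endswith("*"):
        return allow != "*" and literal.startswith(deny[:-1])
    return allow == deny

def shadowed_allows(policy: dict) -> list:
    """Allow rules that a deny rule makes dead; worth flagging when auditing a policy."""
    dead = []
    for action in policy.get("allow", {}):
        for allow in _patterns(policy["allow"], action):
            if any(_covers(d, allow) for d in _patterns(policy.get("deny", {}), action)):
                dead.append((action, allow))
    return dead
```

An empty pattern list such as `"KEY:LIST": []` matches nothing, so the action stays denied by default; the audit helper flags combinations like allowing `KEY:DELETE` on `app-*` while denying it on `*`, where the allow rule can never take effect.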