Access Control
AIStor Key Manager uses a Policy-Based Access Control (PBAC) system where each user identity has a corresponding attached policy. A policy controls what operations the identity can perform within a given enclave.
Policy Structure
Policies consist of allow and deny rules that control access to Key Manager operations:

```json
{
  "allow": {
    "<ACTION>": "<resource-pattern>" | ["<pattern1>", "<pattern2>"]
  },
  "deny": {
    "<ACTION>": "<resource-pattern>" | ["<pattern1>", "<pattern2>"]
  }
}
```
A resource pattern lets you specify one or more simple GLOB-style patterns to match resource names. For example, you can match against a specific string to control access to a single resource, or use a wildcard (*) to match all resources.
Key Manager supports the following pattern matching behavior:
- Exact match: my-key matches only my-key
- Prefix match: my-key* matches my-key, my-key-1, my-key-backup
- Wildcard: * matches any resource name
Key Manager evaluates policies with a deny-by-default approach. Any action not explicitly allowed is denied, and any action explicitly denied is denied regardless of allow rules.
Policy Actions Reference
The following sections list the available policy actions for admin and user identities.
Operations related to enclave or cluster management require root permissions. You cannot elevate non-root identities to perform these operations through policy controls.
Key Operations
Action | Description | Resource Example |
---|---|---|
KEY:CREATE | Create a new cryptographic key | 'object-store-dc-1-key-*' |
KEY:DELETE | Delete an existing key | 'object-store-dc-1-key-*' |
KEY:IMPORT | Import an external key | 'object-store-dc-1-key-*' |
KEY:STATUS | View key status and metadata | 'object-store-dc-1-key-*' |
KEY:ENCRYPT | Encrypt data using a key | 'object-store-dc-1-key-*' |
KEY:DECRYPT | Decrypt data using a key | 'object-store-dc-1-key-*' |
KEY:GENERATE | Generate a data encryption key | 'object-store-dc-1-key-*' |
KEY:LIST | List all keys | Not Supported |
KEY:LISTVERSIONS | List all versions of a key | 'object-store-dc-1-key-*' |
KEY:MAC | Generate a MAC using a key | 'object-store-dc-1-key-*' |
Policy Management
Action | Description | Resource Example |
---|---|---|
POLICY:CREATE | Create a new policy | 'object-store-dc-1-policy-*' |
POLICY:DELETE | Delete an existing policy | 'object-store-dc-1-policy-*' |
POLICY:ASSIGN | Assign a policy to an identity | 'object-store-dc-1-policy-*' |
POLICY:GET | Retrieve a policy definition | 'object-store-dc-1-policy-*' |
POLICY:STATUS | View policy status | 'object-store-dc-1-policy-*' |
POLICY:LIST | List all policies | Not Supported |
Identity Management
Action | Description | Resource Example |
---|---|---|
IDENTITY:CREATE | Create a new identity | 'object-store-dc-identity-*' |
IDENTITY:DELETE | Delete an existing identity | 'object-store-dc-identity-*' |
IDENTITY:STATUS | View identity status | 'object-store-dc-identity-*' |
IDENTITY:LIST | List all identities | Not Supported |
Example Policies
For a given policy, the scope of access for each action is further limited by the enclave of the identity the policy is attached to. For example, an identity attached to the dev-enclave can only perform actions on resources within that enclave.
Read-only key access
The following policy grants the identity read-only access to the Key Manager database: it can view key status and versions and perform encryption and decryption operations with keys in its enclave, but cannot create, delete, or import keys:
```json
{
  "allow": {
    "KEY:STATUS": ["*"],
    "KEY:LIST": ["*"],
    "KEY:LISTVERSIONS": ["*"],
    "KEY:ENCRYPT": ["*"],
    "KEY:DECRYPT": ["*"]
  }
}
```
Application-specific key management
The following policy grants the user all key-related operations for the subset of keys matching the specified prefix patterns:
```json
{
  "allow": {
    "KEY:CREATE": ["app-*", "service-*"],
    "KEY:DELETE": ["app-*", "service-*"],
    "KEY:STATUS": ["app-*", "service-*"],
    "KEY:ENCRYPT": ["app-*", "service-*"],
    "KEY:DECRYPT": ["app-*", "service-*"],
    "KEY:GENERATE": ["app-*", "service-*"]
  }
}
```
Restricted key management
The following policy grants the user most key management operations for all keys, while denying the ability to delete keys:
```json
{
  "allow": {
    "KEY:CREATE": ["*"],
    "KEY:STATUS": ["*"],
    "KEY:ENCRYPT": ["*"],
    "KEY:DECRYPT": ["*"],
    "KEY:GENERATE": ["*"],
    "KEY:LIST": [],
    "KEY:LISTVERSIONS": ["*"],
    "KEY:MAC": ["*"]
  },
  "deny": {
    "KEY:DELETE": ["*"]
  }
}
```
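As an added example (not code from Key Manager or its documentation), the following Python script evaluates a policy written in the format above against individual requests, applying the three documented pattern forms from the Policy Structure section and the deny-by-default, deny-overrides-allow rules, so you can check what a policy such as the examples above would permit before assigning it. The sample policy and key names are constructed; it assumes no glob syntax beyond the documented exact, prefix, and wildcard forms, and it does not model enclave scoping.

```python
import json

# Constructed sample policy in the documented format (not from a real deployment).
# A resource pattern may be one string or a list of patterns, as the page shows.
SAMPLE_POLICY = """{
  "allow": {
    "KEY:CREATE": ["app-*", "service-*"],
    "KEY:ENCRYPT": "*",
    "KEY:DELETE": ["app-*"]
  },
  "deny": {"KEY:DELETE": "app-prod-*"}
}"""

def _patterns(value):
    """Normalise the '<pattern>' | ['<p1>', '<p2>'] form to a list of patterns."""
    return [value] if isinstance(value, str) else list(value)

def pattern_matches(pattern, resource):
    """Only the three documented forms: '*' matches anything, 'prefix*' is a
    prefix match, anything else must match exactly (assumption: no other glob)."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return resource.startswith(pattern[:-1])
    return pattern == resource

def _rule_matches(rules, action, resource):
    return any(pattern_matches(p, resource)
               for p in _patterns(rules.get(action, [])))

def is_allowed(policy, action, resource):
    """Deny-by-default: an explicit deny wins over any allow; no allow means denied."""
    if _rule_matches(policy.get("deny", {}), action, resource):
        return False
    return _rule_matches(policy.get("allow", {}), action, resource)

def evaluate_sample():
    """Run the sample policy against constructed (action, key name) requests."""
    policy = json.loads(SAMPLE_POLICY)
    checks = [
        ("KEY:CREATE", "app-orders-key"),  # prefix allow
        ("KEY:CREATE", "db-key"),          # no matching allow pattern
        ("KEY:ENCRYPT", "any-key"),        # string-form wildcard allow
        ("KEY:DELETE", "app-dev-key"),     # allowed by app-*
        ("KEY:DELETE", "app-prod-key"),    # deny overrides allow
        ("KEY:STATUS", "app-orders-key"),  # action never allowed
    ]
    return {f"{a} {r}": is_allowed(policy, a, r) for a, r in checks}
```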