Access Control with Policy Management

AIStor uses Policy-Based Access Control (PBAC) to define the authorized actions and resources to which an authenticated user has access. Each policy describes one or more actions and conditions that outline the permissions of a user or group of users.

AIStor PBAC is built for compatibility with AWS IAM policy syntax, structure, and behavior. This documentation makes a best effort to cover IAM-specific behavior and functionality. Refer also to the AWS IAM documentation for more information.

The mc admin policy command supports creation and management of policies on the AIStor deployment. See the command reference for examples of usage.

Built-In Policies

AIStor provides the following built-in policies for assigning to users or groups:

consoleAdmin

Grants complete access to all S3 and administrative API operations against all resources on the AIStor deployment. Equivalent to the following set of actions:

  • s3:*

  • admin:*

readonly

Grants read-only permissions on any object on the AIStor deployment. The GET action must apply to a specific object without requiring any listing. Equivalent to the following set of actions:

  • s3:GetBucketLocation

  • s3:GetObject

For example, this policy supports GET operations on objects at a specific path (e.g. GET play/mybucket/object.file), such as:

  • mc cp

  • mc stat

  • mc head

  • mc cat

The exclusion of listing permissions is intentional, as typical use cases do not intend for a “read-only” role to have complete discoverability (listing all buckets and objects) on the object storage resource.

readwrite

Grants read and write permissions for all buckets and objects on the AIStor server. Equivalent to s3:*.

diagnostics

Grants permission to perform diagnostic actions on the AIStor deployment. Includes the following actions:

  • admin:ServerTrace

  • admin:Profiling

  • admin:ConsoleLog

  • admin:ServerInfo

  • admin:TopLocksInfo

  • admin:OBDInfo

  • admin:BandwidthMonitor

  • admin:Prometheus

writeonly

Grants write-only permissions to any namespace in the AIStor deployment (bucket and path to object). The PUT action must apply to a specific object location without requiring any listing. Equivalent to the s3:PutObject action.

Assign default policies

Run mc admin policy attach to assign a policy to a user or group.

The following table illustrates how you might group users and assign built-in policies on specified resources.

User Group   Policy                        Operations
Operations   readwrite on finance bucket   PUT and GET on finance bucket
             readonly on audit bucket      GET on audit bucket
Auditing     readonly on audit bucket      GET on audit bucket
Admin        admin:*                       All mc admin commands

Each user can access only the resources and operations which are explicitly assigned to the built-in role. AIStor denies access to any other resource or action.

Deny Overrides Allow

AIStor follows AWS IAM policy evaluation rules, where a Deny rule overrides an Allow rule on the same action or resource.

For example, if a policy that includes an Allow rule for a specified resource is assigned to a user, but a policy with a Deny rule for the same resource is assigned to a group the user is a member of, only the Deny rule is applied.

For more information, see the AWS documentation on Policy evaluation logic.

Policy Document Structure

AIStor policy documents use the same schema as AWS IAM Policy documents.

The following sample document provides a template for creating custom policies for use with an AIStor deployment. For more complete documentation on IAM policy elements, see the IAM JSON Policy Elements Reference.

The maximum size for any single policy document is 20 KiB. There is no limit to the number of policy documents that can be attached to a user or group.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "s3:<ActionName>", ... ],
      "Resource": "arn:aws:s3:::*",
      "Condition": { ... }
    },
    {
      "Effect": "Deny",
      "Action": [ "s3:<ActionName>", ... ],
      "Resource": "arn:aws:s3:::*",
      "Condition": { ... }
    }
  ]
}

  • For the Statement.Action array, specify one or more supported S3 API operations.

  • For the Statement.Resource key, specify the bucket or bucket prefix to which to restrict the policy. You can use * and ? wildcard characters as per the S3 Resource Spec.

    The * wildcard may result in unintended application of a policy to multiple buckets or prefixes based on the pattern match. For example, arn:aws:s3:::data* would match the buckets data, data_private, and data_internal. Specifying only * as the resource key applies the policy to all buckets and prefixes on the deployment.

  • For the Statement.Condition key, you can specify one or more supported Conditions.
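The following is an added Python example written for this page (it is not AIStor or MinIO code) that makes two rules stated above concrete: an explicit Deny in a group policy overriding an Allow in the user's own policy, and `*` / `?` wildcard matching on Statement.Resource, including the way `arn:aws:s3:::data*` reaches `data_internal` and `data_private` as well as `data`. The policies and request ARNs are constructed samples; the evaluator implements only the Effect, Action and Resource elements (no Condition handling).

```python
from fnmatch import fnmatchcase


def resource_matches(pattern: str, arn: str) -> bool:
    """IAM-style wildcard match: '*' matches any run of characters (including
    '/'), '?' matches exactly one character. fnmatchcase does exactly that."""
    return fnmatchcase(arn, pattern)


def _listed(value):
    # Action and Resource may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]


def statement_applies(stmt: dict, action: str, arn: str) -> bool:
    """True when both the Action and the Resource of a statement cover the request."""
    return any(fnmatchcase(action, a) for a in _listed(stmt.get("Action", []))) and any(
        resource_matches(r, arn) for r in _listed(stmt.get("Resource", []))
    )


def evaluate(policies: list, action: str, arn: str) -> str:
    """Evaluate every policy attached to the principal (user policies and group
    policies alike) as one set, following the rules stated on the page:
    an explicit Deny wins over any Allow; no matching Allow means Deny."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not statement_applies(stmt, action, arn):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # explicit deny wins regardless of other Allows
            allowed = True
    return "Allow" if allowed else "Deny"


# Constructed sample: the policy attached directly to the user. Note the
# data* resource, which reaches every bucket whose name starts with "data".
USER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::data*", "arn:aws:s3:::data*/*"],
        }
    ],
}

# Constructed sample: the policy attached to a group the user belongs to.
GROUP_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::data_private", "arn:aws:s3:::data_private/*"],
        }
    ],
}


def demo() -> dict:
    policies = [USER_POLICY, GROUP_POLICY]
    return {
        # intended: Allow
        "get data/report.csv": evaluate(policies, "s3:GetObject", "arn:aws:s3:::data/report.csv"),
        # probably unintended: data* also covers data_internal
        "get data_internal/a.txt": evaluate(policies, "s3:GetObject", "arn:aws:s3:::data_internal/a.txt"),
        # the group's Deny overrides the user's Allow
        "get data_private/a.txt": evaluate(policies, "s3:GetObject", "arn:aws:s3:::data_private/a.txt"),
        # nothing matches PutObject: implicit Deny
        "put data/report.csv": evaluate(policies, "s3:PutObject", "arn:aws:s3:::data/report.csv"),
    }


if __name__ == "__main__":
    for request, decision in demo().items():
        print(f"{request:28s} -> {decision}")
```

Running the block prints one decision per request. The `data_internal` line is the one to look at when reviewing a policy that uses a prefix wildcard: the Allow is correct for the bucket you had in mind and equally correct, as far as the evaluator is concerned, for every other bucket the pattern happens to match.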

Supported S3 Policy Actions

AIStor policy documents support a subset of IAM S3 Action keys. AIStor also supports condition keys for some actions beyond the common set of supported keys.

Common S3 operations

s3:*

Selector for all AIStor S3 operations. Applying this action to a given resource allows the user to perform any S3 operation against that resource.

s3:CreateBucket

Controls access to the CreateBucket S3 API operation.

s3:DeleteBucket

Controls access to the DeleteBucket S3 API operation.

s3:ForceDeleteBucket

Controls access to the DeleteBucket S3 API operation for operations with the x-AIStor-force-delete flag. Required for removing non-empty buckets.

s3:GetBucketLocation

Controls access to the GetBucketLocation S3 API operation.

s3:ListAllMyBuckets

Controls access to the ListBuckets S3 API operation.

s3:DeleteObject

Controls access to the DeleteObject S3 API operation.

s3:GetObject

Controls access to the GetObject S3 API operation.

Supports the following additional condition keys:

  • s3:x-amz-server-side-encryption
  • s3:x-amz-server-side-encryption-customer-algorithm
  • s3:ExistingObjectTag/
  • s3:versionid

s3:ListBucket

Controls access to the ListObjectsV2 S3 API operation.

Supports the following additional condition keys:

  • s3:prefix
  • s3:delimiter
  • s3:max-keys

s3:PutObject

Controls access to the PutObject S3 API operation.

Supports the following additional condition keys:

  • s3:x-amz-copy-source
  • s3:x-amz-server-side-encryption
  • s3:x-amz-server-side-encryption-customer-algorithm
  • s3:x-amz-metadata-directive
  • s3:x-amz-storage-class
  • s3:versionid
  • s3:object-lock-retain-until-date
  • s3:object-lock-mode
  • s3:object-lock-legal-hold
  • s3:RequestObjectTagKeys
  • s3:RequestObjectTag/

s3:PutObjectTagging

Controls access to the PutObjectTagging S3 API operation.

Supports the following additional condition keys:

  • s3:versionid
  • s3:ExistingObjectTag/
  • s3:RequestObjectTagKeys
  • s3:RequestObjectTag/

s3:GetObjectTagging

Controls access to the GetObjectTagging S3 API operation.

Supports the following additional condition keys:

  • s3:versionid
  • s3:ExistingObjectTag/

s3:DeleteObjectTagging

Controls access to the DeleteObjectTagging S3 API operation.

Supports the following additional condition keys:

  • s3:versionid
  • s3:ExistingObjectTag/

Bucket Configuration

s3:GetBucketPolicy

Controls access to the GetBucketPolicy S3 API operation.

s3:PutBucketPolicy

Controls access to the PutBucketPolicy S3 API operation.

s3:DeleteBucketPolicy

Controls access to the DeleteBucketPolicy S3 API operation.

s3:GetBucketTagging

Controls access to the GetBucketTagging S3 API operation.

s3:PutBucketTagging

Controls access to the PutBucketTagging S3 API operation.

Supports the following additional condition keys:

  • s3:RequestObjectTagKeys
  • s3:RequestObjectTag/

Multipart Upload

s3:AbortMultipartUpload

Controls access to the AbortMultipartUpload S3 API operation.

s3:ListMultipartUploadParts

Controls access to the ListParts S3 API operation.

s3:ListBucketMultipartUploads

Controls access to the ListMultipartUploads S3 API operation.

Versioning and Retention

s3:PutBucketVersioning

Controls access to the PutBucketVersioning S3 API operation.

s3:GetBucketVersioning

Controls access to the GetBucketVersioning S3 API operation.

s3:DeleteObjectVersion

Controls access to the DeleteObjectVersion S3 API operation.

Supports the following additional condition keys:

  • s3:versionid
  • s3:ExistingObjectTag/

s3:ListBucketVersions

Controls access to the ListBucketVersions S3 API operation.

Supports the following additional condition keys:

  • s3:prefix
  • s3:delimiter
  • s3:max-keys

s3:PutObjectVersionTagging

Controls access to the PutObjectVersionTagging S3 API operation.

Supports the following additional condition keys:

  • s3:versionid
  • s3:ExistingObjectTag/
  • s3:RequestObjectTagKeys
  • s3:RequestObjectTag/

s3:GetObjectVersionTagging

Controls access to the GetObjectVersionTagging S3 API operation.

Supports the following additional condition keys:

  • s3:versionid
  • s3:ExistingObjectTag/

s3:DeleteObjectVersionTagging

Controls access to the DeleteObjectVersionTagging S3 API operation.

Supports the following additional condition keys:

  • s3:versionid
  • s3:ExistingObjectTag/

s3:GetObjectVersion

Controls access to the GetObjectVersion S3 API operation.

Supports the following additional condition keys:

  • s3:versionid
  • s3:ExistingObjectTag/

s3:BypassGovernanceRetention

Controls access to the following S3 API operations on objects locked under GOVERNANCE retention mode:

  • s3:PutObjectRetention
  • s3:PutObject
  • s3:DeleteObject

See the S3 documentation on s3:BypassGovernanceRetention for more information.

Supports the following additional condition keys:

  • s3:versionid
  • s3:object-lock-remaining-retention-days
  • s3:object-lock-retain-until-date
  • s3:object-lock-mode
  • s3:object-lock-legal-hold
  • s3:RequestObjectTagKeys
  • s3:RequestObjectTag/

s3:PutObjectRetention

Controls access to the PutObjectRetention S3 API operation.

Required for any PutObject operation that specifies retention metadata.

Supports the following additional condition keys:

  • s3:x-amz-server-side-encryption
  • s3:x-amz-server-side-encryption-customer-algorithm
  • s3:x-amz-object-lock-remaining-retention-days
  • s3:x-amz-object-lock-retain-until-date
  • s3:x-amz-object-lock-mode
  • s3:versionid

s3:GetObjectRetention

Controls access to the GetObjectRetention S3 API operation.

Required for including object locking metadata as part of the response to a GetObject or HeadObject operation.

Supports the following additional condition keys:

  • s3:x-amz-server-side-encryption
  • s3:x-amz-server-side-encryption-customer-algorithm
  • s3:versionid

s3:GetObjectLegalHold

Controls access to the GetObjectLegalHold S3 API operation.

Required for including legal hold metadata as part of the response to a GetObject or HeadObject operation.

s3:PutObjectLegalHold

Controls access to the PutObjectLegalHold S3 API operation.

Required for any PutObject operation that specifies legal hold metadata.

Supports the following additional condition keys:

  • s3:x-amz-server-side-encryption
  • s3:x-amz-server-side-encryption-customer-algorithm
  • s3:object-lock-legal-hold
  • s3:versionid

s3:GetBucketObjectLockConfiguration

Controls access to the GetObjectLockConfiguration S3 API operation.

s3:PutBucketObjectLockConfiguration

Controls access to the PutObjectLockConfiguration S3 API operation.

Bucket Notifications

s3:GetBucketNotification

Controls access to the GetBucketNotification S3 API operation.

s3:PutBucketNotification

Controls access to the PutBucketNotification S3 API operation.

s3:ListenNotification

Controls API operations related to AIStor bucket notifications.

This action is not intended for use with other S3-compatible services.

s3:ListenBucketNotification

Controls API operations related to AIStor bucket notifications.

This action is not intended for use with other S3-compatible services.

Object Lifecycle Management

s3:PutLifecycleConfiguration

Controls access to the PutLifecycleConfiguration S3 API operation.

s3:GetLifecycleConfiguration

Controls access to the GetLifecycleConfiguration S3 API operation.

Object Encryption

s3:PutEncryptionConfiguration

Controls access to the PutEncryptionConfiguration S3 API operation.

s3:GetEncryptionConfiguration

Controls access to the GetEncryptionConfiguration S3 API operation.

Bucket Replication

s3:GetReplicationConfiguration

Controls access to the GetBucketReplication S3 API operation.

s3:PutReplicationConfiguration

Controls access to the PutBucketReplication S3 API operation.

s3:ReplicateObject

Controls API operations related to AIStor server-side bucket replication.

Required for AIStor server-side replication.

Supports the following additional condition keys:

  • s3:versionid
  • s3:ExistingObjectTag/

s3:ReplicateDelete

Controls API operations related to AIStor server-side bucket replication.

Required for synchronizing delete operations as part of AIStor server-side replication.

Supports the following additional condition keys:

  • s3:versionid
  • s3:ExistingObjectTag/

s3:ReplicateTags

Controls API operations related to AIStor server-side bucket replication.

Required for AIStor server-side replication.

Supports the following additional condition keys:

  • s3:versionid
  • s3:ExistingObjectTag/

s3:GetObjectVersionForReplication

Controls API operations related to AIStor server-side bucket replication.

Required for AIStor server-side replication.

Supports the following additional condition keys:

  • s3:versionid
  • s3:ExistingObjectTag/

Supported S3 Policy Condition Keys

AIStor policy documents support IAM conditional statements.

Each condition element consists of operators and condition keys. AIStor supports a subset of IAM condition keys. For complete information on any listed condition key, see the IAM Condition Element Documentation.

AIStor supports the following condition keys for all supported actions:

  • aws:Referer

  • aws:SourceIp

  • aws:UserAgent

  • aws:SecureTransport

  • aws:CurrentTime

  • aws:EpochTime

  • aws:PrincipalType

  • aws:userid

  • aws:username

  • x-amz-content-sha256

  • s3:signatureAge

Warning

The aws:Referer, aws:SourceIp, and aws:UserAgent keys may be easily spoofed and therefore pose a potential security risk.

AIStor recommends using these condition keys only to deny access as a secondary security measure.

Never use these three keys to grant access by themselves.

For additional keys supported by a specific S3 action, see the reference documentation for that action.

AIStor Extended Condition Keys

AIStor extends the S3 standard condition keys with the following extended key:

sts:DurationSeconds

Specify a time in seconds to limit the duration of all Security Token Service credentials generated by AssumeRoleWithWebIdentity.

This value overrides the DurationSeconds field specified to the client.

For example:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sts:AssumeRoleWithWebIdentity"
      ],
      "Condition": {
        "NumericLessThanEquals": {
          "sts:DurationSeconds": "300"
        }
      }
    }
  ]
}

KMS policy action keys

AIStor supports restricting key management service (KMS) actions by policy.

You can restrict KMS activities in a policy with any of the following KMS actions:

kms:Status

Check the status of KMS.

kms:Metrics

Obtain Prometheus-formatted metrics.

kms:API

List supported API endpoints.

kms:Version

Retrieve the KMS version.

kms:CreateKey

Create a new KMS key.

kms:ListKeys

Retrieve a list of existing KMS keys.

kms:KeyStatus

Retrieve the status of a specified KMS key.

To select all of the available KMS policy actions, use kms:*.

KMS actions can be restricted by resource or a resource prefix. The wildcard character * can be used to apply the KMS action policy to all resources that match the prefix.

For example, the following policy document allows a user to list keys, create new keys, and check the status of keys for any resource that begins with keys-abc- or myuser-.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:CreateKey",
        "kms:KeyStatus",
        "kms:ListKeys"
      ],
      "Resource": [
        "arn:AIStor:kms:::keys-abc-*",
        "arn:AIStor:kms:::myuser-*"
      ]
    }
  ]
}

mc admin Policy Action Keys

AIStor supports the following actions for use with defining policies for mc admin operations. These actions are only valid for AIStor deployments and are not intended for use with other S3-compatible services.

admin:*

Selector for all admin action keys.

admin:Heal

Allows heal command

admin:StorageInfo

Allows listing server info

admin:DataUsageInfo

Allows listing data usage info

admin:TopLocksInfo

Allows listing top locks

admin:Profiling

Allows profiling

admin:ServerTrace

Allows listing server trace

admin:ConsoleLog

Allows listing console logs on terminal

admin:KMSCreateKey

Allows creating a new KMS master key

admin:KMSKeyStatus

Allows getting KMS key status

admin:ServerInfo

Allows listing server info

admin:OBDInfo

Allows obtaining cluster on-board diagnostics

admin:ServerUpdate

Allows AIStor binary update

admin:ServiceRestart

Allows restart of AIStor service.

admin:ServiceStop

Allows stopping AIStor service.

admin:ConfigUpdate

Allows AIStor config management

admin:CreateUser

Allows creating AIStor user

admin:DeleteUser

Allows deleting AIStor user

admin:ListUsers

Allows list users permission

admin:EnableUser

Allows enable user permission

admin:DisableUser

Allows disable user permission

admin:GetUser

Allows GET permission on user info

admin:AddUserToGroup

Allows adding user to group permission

admin:RemoveUserFromGroup

Allows removing a user from a group

admin:GetGroup

Allows getting group info

admin:ListGroups

Allows list groups permission

admin:EnableGroup

Allows enable group permission

admin:DisableGroup

Allows disable group permission

admin:CreatePolicy

Allows create policy permission

admin:DeletePolicy

Allows delete policy permission

admin:GetPolicy

Allows get policy permission

admin:AttachUserOrGroupPolicy

Allows attaching a policy to a user/group

admin:ListUserPolicies

Allows listing user policies

admin:CreateServiceAccount

Allows creating AIStor Access Key

admin:UpdateServiceAccount

Allows updating AIStor Access Key

admin:RemoveServiceAccount

Allows deleting AIStor Access Key

admin:ListServiceAccounts

Allows listing AIStor Access Keys

admin:SetBucketQuota

Allows setting bucket quota

admin:GetBucketQuota

Allows getting bucket quota

admin:SetBucketTarget

Allows setting bucket target

admin:GetBucketTarget

Allows getting bucket targets

admin:SetTier

Allows creating and modifying remote storage tiers using the mc ilm tier commands.

admin:ListTier

Allows listing configured remote storage tiers using the mc ilm tier commands.

admin:BandwidthMonitor

Allows retrieving metrics related to current bandwidth consumption.

admin:Prometheus

Allows access to AIStor metrics. Only required if AIStor requires authentication for scraping metrics.

admin:ListBatchJobs

Allows access to list the active batch jobs.

admin:DescribeBatchJobs

Allows access to see the definition details of a running batch job.

admin:StartBatchJob

Allows user to begin a batch job run.

admin:CancelBatchJob

Allows user to stop a batch job currently in process.

admin:Rebalance

Allows access to start, query, or stop a rebalancing of objects across pools with varying free storage space.

mc admin Policy Condition Keys

AIStor supports the following conditions for use with defining policies for mc admin actions.

  • aws:Referer

  • aws:SourceIp

  • aws:UserAgent

  • aws:SecureTransport

  • aws:CurrentTime

  • aws:EpochTime

For complete information on any listed condition key, see the IAM Condition Element Documentation.

Tag-Based Policy Conditions

Policies can use conditions to limit a user's access only to objects with a specific tag. AIStor supports tag-based conditionals for policies for selected actions. Use the s3:ExistingObjectTag/<key> condition key in the Condition statement of the policy.

Policy Variables

AIStor supports using policy variables for automatically substituting context from the authenticated user and/or the operation into the user’s assigned policy or policies. Use the ${POLICYVARIABLE} format to specify the variable to the policy as part of the Condition or Resource definition. AIStor policy variables function similarly to AWS IAM policy elements: Variables and tags.

Each AIStor identity provider supports its own set of policy variables:

  • AIStor Policy Variables

  • OpenID Policy Variables

  • Active Directory / LDAP Policy Variables

AIStor Policy Variables

The following table contains a list of recommended policy variables for use in authorizing AIStor-managed users:

Variable       Description
aws:referrer   The referrer in the HTTP header for the authenticated API call.
aws:SourceIp   The source IP in the HTTP header for the authenticated API call.
aws:username   The name of the user associated with the authenticated API call.

For example, the following policy uses variables to substitute the authenticated user’s username as part of the Resource field such that the user can access only the prefixes that match their username:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": ["s3:ListBucket"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::mybucket"],
      "Condition": {"StringLike": {"s3:prefix": ["${aws:username}/**"]}}
    },
    {
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::mybucket/${aws:username}/**"]
    }
  ]
}

AIStor replaces the ${aws:username} variable in the Resource field with the username. AIStor then evaluates the policy and allows or denies access to the requested resource and action.
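As an added example of the substitution just described (this is not AIStor code; it renders the page's ${aws:username} policy for a constructed user and then checks which prefixes and objects the rendered policy reaches), the following Python walks the policy document, replaces every ${...} placeholder from a request context, and evaluates the sample's StringLike condition on s3:prefix plus the Resource wildcard. It handles only the operators the sample uses, and it generalizes to the ${jwt:...} and ${ldap:...} variables in the next two sections, since those differ only in the context key.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample: the page's ${aws:username} policy as a Python dict.
POLICY_TEMPLATE = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": ["s3:ListBucket"],
            "Effect": "Allow",
            "Resource": ["arn:aws:s3:::mybucket"],
            "Condition": {"StringLike": {"s3:prefix": ["${aws:username}/**"]}},
        },
        {
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Effect": "Allow",
            "Resource": ["arn:aws:s3:::mybucket/${aws:username}/**"],
        },
    ],
}

_VAR = re.compile(r"\$\{([^}]+)\}")


def render_policy(node, context: dict):
    """Textually replace every ${name} in the document with context[name].
    A variable missing from the context is left as-is, so it never matches
    a real prefix or key. Substitution is purely textual: the value is not
    escaped before it lands inside a wildcard pattern."""
    if isinstance(node, str):
        return _VAR.sub(lambda m: context.get(m.group(1), m.group(0)), node)
    if isinstance(node, list):
        return [render_policy(item, context) for item in node]
    if isinstance(node, dict):
        return {k: render_policy(v, context) for k, v in node.items()}
    return node


def _listed(value):
    return value if isinstance(value, list) else [value]


def _string_like(stmt: dict, request_keys: dict) -> bool:
    """Evaluate the StringLike operator only (the one the sample uses).
    A condition key absent from the request makes the condition false."""
    for key, patterns in stmt.get("Condition", {}).get("StringLike", {}).items():
        value = request_keys.get(key)
        if value is None or not any(fnmatchcase(value, p) for p in _listed(patterns)):
            return False
    return True


def allowed(policy: dict, action: str, resource: str, request_keys=None) -> bool:
    """True when some Allow statement of the rendered policy covers the request
    (exact action name, wildcard resource, and any StringLike condition)."""
    request_keys = request_keys or {}
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or action not in _listed(stmt["Action"]):
            continue
        if not any(fnmatchcase(resource, r) for r in _listed(stmt["Resource"])):
            continue
        if _string_like(stmt, request_keys):
            return True
    return False


def demo(username: str = "alice") -> dict:
    # Constructed context: the authenticated user's name for this request.
    policy = render_policy(POLICY_TEMPLATE, {"aws:username": username})
    bucket = "arn:aws:s3:::mybucket"
    return {
        "rendered_resource": policy["Statement"][1]["Resource"][0],
        "list own prefix": allowed(policy, "s3:ListBucket", bucket, {"s3:prefix": f"{username}/2024/"}),
        "list other prefix": allowed(policy, "s3:ListBucket", bucket, {"s3:prefix": "bob/"}),
        "list without prefix": allowed(policy, "s3:ListBucket", bucket),
        "get own object": allowed(policy, "s3:GetObject", f"{bucket}/{username}/report.csv"),
        "get other object": allowed(policy, "s3:GetObject", f"{bucket}/bob/report.csv"),
    }


if __name__ == "__main__":
    for request, result in demo("alice").items():
        print(f"{request:20s} -> {result}")
```

The "list without prefix" case is worth noting: because the ListBucket statement is conditioned on s3:prefix, a listing request that sends no prefix at all does not satisfy it, which is what keeps the user from listing the whole bucket.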

OpenID Policy Variables

The following table contains a list of supported policy variables for use in authorizing OIDC-managed users.

Each variable corresponds to a claim returned as part of the authenticated user’s JWT token:

Variable                 Description
jwt:sub                  Returns the sub claim for the user.
jwt:iss                  Returns the Issuer Identifier claim from the ID token.
jwt:aud                  Returns the Audience claim from the ID token.
jwt:jti                  Returns the JWT ID claim from the client authentication information.
jwt:upn                  Returns the User Principal Name claim from the client authentication information.
jwt:name                 Returns the name claim for the user.
jwt:groups               Returns the groups claim for the user.
jwt:given_name           Returns the given_name claim for the user.
jwt:family_name          Returns the family_name claim for the user.
jwt:middle_name          Returns the middle_name claim for the user.
jwt:nickname             Returns the nickname claim for the user.
jwt:preferred_username   Returns the preferred_username claim for the user.
jwt:profile              Returns the profile claim for the user.
jwt:picture              Returns the picture claim for the user.
jwt:website              Returns the website claim for the user.
jwt:email                Returns the email claim for the user.
jwt:gender               Returns the gender claim for the user.
jwt:birthdate            Returns the birthdate claim for the user.
jwt:phone_number         Returns the phone_number claim for the user.
jwt:address              Returns the address claim for the user.
jwt:scope                Returns the scope claim for the user.
jwt:client_id            Returns the client_id claim for the user.

See the OpenID Connect Core 1.0 specification for more information on these scopes. Your OIDC provider of choice may have more specific documentation.

For example, the following policy uses variables to substitute the authenticated user’s preferred_username as part of the Resource field such that the user can only access those prefixes which match their username:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": ["s3:ListBucket"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::mybucket"],
      "Condition": {"StringLike": {"s3:prefix": ["${jwt:preferred_username}/*"]}}
    },
    {
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::mybucket/${jwt:preferred_username}/*"]
    }
  ]
}

AIStor replaces the ${jwt:preferred_username} variable in the Resource field with the value of the preferred_username claim in the JWT token. AIStor then evaluates the policy and allows or denies access to the requested API and resource.

Active Directory / LDAP Policy Variables

The following table contains a list of supported policy variables for use in authorizing AD/LDAP users:

Variable        Description
ldap:username   The simple username (name) for the authenticated user. This is distinct from the user's DistinguishedName or CommonName.
ldap:user       The Distinguished Name used by the authenticated user.
ldap:groups     The Group Distinguished Name for the authenticated user.

For example, the following policy uses variables to substitute the authenticated user’s name as part of the Resource field such that the user can only access those prefixes which match their name:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": ["s3:ListBucket"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::mybucket"],
      "Condition": {"StringLike": {"s3:prefix": ["${ldap:username}/*"]}}
    },
    {
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::mybucket/${ldap:username}/*"]
    }
  ]
}

AIStor replaces the ${ldap:username} variable in the Resource field with the authenticated user's name. AIStor then evaluates the policy and allows or denies access to the requested API and resource.

All rights reserved 2024-Present, MinIO, Inc.