8.6. Managing S3 users¶
The concept of an S3 user is one of the base concepts of object storage along with those of an object and a bucket (a container for storing objects). The Amazon S3 protocol uses a permission model based on access control lists (ACLs), where each bucket and each object are assigned an ACL that lists all users with access to the given resource and the type of this access (read, write, read ACL, or write ACL). The list of users includes the entity owner assigned to every object and bucket at creation. The entity owner has extra rights compared to other users. For example, the bucket owner is the only one who can delete that bucket.
User model and access policies implemented in Acronis Cyber Infrastructure comply with the Amazon S3 user model and access policies.
User management scenarios in Acronis Cyber Infrastructure are largely based on the Amazon Web Services user management and include the following operations: create, query, and delete users, as well as generate and revoke user access key pairs.
8.6.1. Adding S3 users¶
To add an S3 user, do the following:
On the Storage services > S3 > Users screen, click Add user.
Specify a valid email address as login for the user, and then click Add.
8.6.2. Managing S3 access key pairs¶
Each S3 user has one or two key pairs (access key and secret key) for accessing the S3 cloud. You can think of the access key as the login and the secret key as the password. (For more information about S3 key pairs, refer to the Amazon documentation.) The access keys are generated and stored locally in the storage cluster on S3 name servers. Each user can have up to two key pairs. It is recommended to periodically revoke old access key pairs and generate new ones.
To view, add, or revoke the S3 access key pairs for an S3 user, select a user in the list, and then click Keys:
- View the existing keys on the Keys pane.
- To revoke a key, click Revoke.
- To add a new key, click Generate access key.
To access a bucket, a user will need the following information:
- Admin panel IP address
- DNS name of the S3 cluster specified during configuration
- S3 access key ID
- S3 secret access key
- SSL certificate if the HTTPS protocol was chosen during configuration (the certificate file can be found in the
/etc/nginx/ssl/
directory on any node hosting the S3 gateway service)