Accounts and conversion to Container Mode

As part of Container Mode conversion, the IBM Cloud Object Storage System determines which storage account owns a bucket according to the following criteria, and assigns that storage account as the bucket owner:

  1. The first user chronologically granted Manager credentials with "owner" permission for the vault.
  2. If no user has "owner" permission to the vault, then the first user chronologically granted with "read/write" permission to the vault.
    Note: If a standard vault does not have an owner assigned before conversion, a user with "read/write" permission is promoted to bucket "owner" during conversion and receives full control permission. This promotion may give a user the following new permissions after conversion:
    • Delete the bucket
    • Set or retrieve the ACL, CORS configuration, retention policy, and so on
  3. Conversion is not allowed if the vault does not have an assigned owner or user with read/write permission. In this case, a System Administrator must adjust permissions prior to enabling Container Mode.

The system creates storage accounts for other users and explicitly grants these users their original permission to the bucket in the bucket ACL. All storage accounts can create a bucket (container) using the S3 command in Container Mode unless this is disabled as described in “Restrict Bucket Owner S3 Operation in Container Mode.”

To avoid unanticipated additional permissions, a System Administrator must verify that the bucket owner after conversion is the intended bucket owner. Otherwise, adjust the authorization on the Vault Authorization page of the Manager Web Interface, or with the Edit vault authorization command of the Manager REST API (see IBM Manager REST API Developer Guide), prior to conversion.

The following two tables illustrate examples of storage account, bucket owner, and ACL assignment during conversion. The first table represents a scenario in which the only user authorized to the vault has read/write permission.

Table 1. Convert an account granted only read/write vault permission

                Vault Mode                       Container Mode
  Manager User | Permission | Vault   | Storage Account | Container | Permission   | Bucket owner | Explicit ACL entry
  acct1        | Read/Write | bucket1 | acct1           | bucket1   | full_control | Yes          | Yes

The following table represents a scenario in which multiple users are granted either owner or read/write permission to the vault, in the chronological order acct2, acct3, acct4. In Container Mode, the system creates a storage account for every account that existed in Vault Mode and explicitly adds ACL entries to the bucket for the storage accounts other than the bucket owner.

Table 2. Convert multiple accounts granted owner and Read/Write vault permission

                Vault Mode                       Container Mode
  Manager User | Permission | Vault   | Storage Account | Container | Permission   | Bucket owner | Explicit ACL entry
  acct2        | Read/Write | bucket2 | acct2           | bucket2   | write        | No           | Yes
  acct3        | Owner      | bucket2 | acct3           | bucket2   | full_control | Yes          | No
  acct4        | Owner      | bucket2 | acct4           | bucket2   | full_control | No           | Yes
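The following is an added example, not IBM code, that models the owner-selection rules listed at the top of this page and reproduces the outcomes in Table 1 and Table 2, so that a System Administrator can audit a vault's authorizations before enabling Container Mode. It assumes grants are described by a user name, a Manager permission of "owner" or "read/write", and a chronological order; other Manager permission types and the real Manager REST API are not modelled. The container permission mapping (owner or promoted user to full_control, read/write to write) and the explicit ACL column are taken from the two tables; the sample grants are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Grant:
    """One Manager vault authorization. 'order' is the chronological rank of the grant (assumed model)."""
    user: str
    permission: str  # "owner" or "read/write"; other Manager permissions are not modelled here
    order: int


class ConversionNotAllowed(Exception):
    """Rule 3: the vault has neither an owner nor a read/write user, so conversion is blocked."""


def choose_bucket_owner(grants: List[Grant]) -> Tuple[Grant, bool]:
    """Return (grant that becomes bucket owner, promoted flag) following rules 1 to 3."""
    ordered = sorted(grants, key=lambda g: g.order)
    owners = [g for g in ordered if g.permission == "owner"]
    if owners:
        return owners[0], False            # rule 1: earliest user with owner permission
    readwrite = [g for g in ordered if g.permission == "read/write"]
    if readwrite:
        return readwrite[0], True          # rule 2: earliest read/write user, promoted to owner
    raise ConversionNotAllowed("no owner or read/write user; adjust vault authorization first")


def is_convertible(grants: List[Grant]) -> bool:
    """True when the vault has an eligible bucket owner under the rules above."""
    try:
        choose_bucket_owner(grants)
        return True
    except ConversionNotAllowed:
        return False


def plan_conversion(vault: str, grants: List[Grant]) -> List[Dict[str, object]]:
    """One outcome row per account, in the same shape as the documentation tables."""
    owner, promoted = choose_bucket_owner(grants)
    rows = []
    for g in sorted(grants, key=lambda g: g.order):
        is_owner = g == owner
        # Tables: bucket owner and other owner-permission users get full_control, read/write users get write
        container_perm = "full_control" if (is_owner or g.permission == "owner") else "write"
        rows.append({
            "storage_account": g.user,
            "bucket": vault,
            "container_permission": container_perm,
            "bucket_owner": is_owner,
            # Tables: non-owners always get an explicit ACL entry; a promoted owner (Table 1) also shows one
            "explicit_acl_entry": (not is_owner) or promoted,
            "promoted": is_owner and promoted,
        })
    return rows


def preconversion_findings(vault: str, grants: List[Grant]) -> List[str]:
    """Administrator check: report blocked conversions and users whose rights grow during conversion."""
    try:
        rows = plan_conversion(vault, grants)
    except ConversionNotAllowed as exc:
        return [f"{vault}: conversion blocked: {exc}"]
    return [
        f"{vault}: {r['storage_account']} promoted from read/write to bucket owner "
        "(gains delete bucket and ACL/CORS/retention control)"
        for r in rows if r["promoted"]
    ]


# Constructed sample grants matching Table 1 and Table 2 of the documentation.
TABLE1_GRANTS = [Grant("acct1", "read/write", 1)]
TABLE2_GRANTS = [Grant("acct2", "read/write", 1), Grant("acct3", "owner", 2), Grant("acct4", "owner", 3)]

if __name__ == "__main__":
    for vault, grants in (("bucket1", TABLE1_GRANTS), ("bucket2", TABLE2_GRANTS)):
        for row in plan_conversion(vault, grants):
            print(row)
        for finding in preconversion_findings(vault, grants):
            print("FINDING:", finding)
```

Running the check across every vault before conversion turns the "verify the bucket owner" step into a list of vaults that are blocked or where a read/write user would silently gain full control.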