Accounts and conversion to Container Mode
As part of Container Mode conversion, the IBM Cloud Object Storage System determines which storage account owns a bucket according to the following criteria and assigns that storage account as the bucket owner:
- The first user chronologically granted "owner" permission for the vault through the Manager.
- If no user has "owner" permission for the vault, the first user chronologically granted "read/write" permission to the vault. Note: If a standard vault has no owner assigned before conversion, that "read/write" user is promoted to bucket "owner" during conversion and receives full control permission. This promotion may give the user the following new permissions after conversion:
  - Delete the bucket
  - Set or retrieve the ACL, CORS, or retention policy, etc.
- Conversion is not allowed if the vault has neither an assigned owner nor a user with read/write permission. In this case, a System Administrator must adjust permissions before enabling Container Mode.
The system creates storage accounts for the other users and explicitly grants each of them their original permission on the bucket as an entry in the bucket ACL. All storage accounts can create a bucket (container) using the S3 command in Container Mode unless this is disabled as described in “Restrict Bucket Owner S3 Operation in Container Mode.”
To avoid granting unanticipated permissions, a System Administrator must verify that the bucket owner after conversion is the intended bucket owner. Otherwise, adjust the authorization on the Vault Authorization page of the Manager Web Interface, or with the Edit vault authorization command of the Manager REST API (see the IBM Manager REST API Developer Guide), before conversion.
The following two tables illustrate storage account, bucket owner, and ACL assignment during conversion. The first table shows a scenario in which a single user with only read/write permission is assigned to the vault.
| Manager User (Vault Mode) | Permission (Vault Mode) | Vault (Vault Mode) | Storage Account (Container Mode) | Container (Container Mode) | Permission (Container Mode) | Bucket owner (Container Mode) | Explicit ACL entry (Container Mode) |
|---|---|---|---|---|---|---|---|
| acct1 | Read/Write | bucket1 | acct1 | bucket1 | full_control | Yes | Yes |
The following table shows a scenario in which multiple users are granted either owner or read/write permission to the vault, in the order acct2, acct3, acct4. In Container Mode, the system creates a storage account for every account from Vault Mode and explicitly adds ACL entries to the bucket for the storage accounts other than the bucket owner.
| Manager User (Vault Mode) | Permission (Vault Mode) | Vault (Vault Mode) | Storage Account (Container Mode) | Container (Container Mode) | Permission (Container Mode) | Bucket owner (Container Mode) | Explicit ACL entry (Container Mode) |
|---|---|---|---|---|---|---|---|
| acct2 | Read/Write | bucket2 | acct2 | bucket2 | write | No | Yes |
| acct3 | Owner | bucket2 | acct3 | bucket2 | full_control | Yes | No |
| acct4 | Owner | bucket2 | acct4 | bucket2 | full_control | No | Yes |
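As an added example (not IBM's own code), the following Python applies the owner-selection and ACL rules described above as a pre-conversion audit over the two table scenarios. The `Grant` record, the permission strings, and the `audit` helper are constructed assumptions; the ACL values assigned to non-owners follow the two tables.

```python
"""Predict the bucket owner and ACL entries a Container Mode conversion would
assign, so an administrator can review them before enabling Container Mode.
Added example; grant records and permission names are assumptions, not IBM API."""
from dataclasses import dataclass, field


@dataclass
class Grant:
    user: str         # Manager user name
    permission: str   # "owner" or "read/write"


@dataclass
class ConversionPlan:
    bucket: str
    owner: str
    promoted: bool                      # True if a read/write user became owner
    acl: dict = field(default_factory=dict)  # non-owner account -> ACL permission


def plan_conversion(vault: str, grants: list) -> ConversionPlan:
    """grants must be listed in the chronological order they were granted."""
    owners = [g for g in grants if g.permission == "owner"]
    writers = [g for g in grants if g.permission == "read/write"]
    if owners:                                 # rule 1: first chronological owner
        owner, promoted = owners[0].user, False
    elif writers:                              # rule 2: first read/write user, promoted
        owner, promoted = writers[0].user, True
    else:                                      # rule 3: conversion not allowed
        raise ValueError(f"{vault}: no owner or read/write user; fix authorization first")
    plan = ConversionPlan(bucket=vault, owner=owner, promoted=promoted)
    for g in grants:
        if g.user != owner:                    # others get explicit ACL entries
            plan.acl[g.user] = "full_control" if g.permission == "owner" else "write"
    return plan


def audit(vaults: dict) -> list:
    """Return one warning per vault whose conversion would promote a user or fail."""
    warnings = []
    for vault, grants in vaults.items():
        try:
            plan = plan_conversion(vault, grants)
        except ValueError as exc:
            warnings.append(f"BLOCKED {exc}")
            continue
        if plan.promoted:
            warnings.append(f"PROMOTED {vault}: {plan.owner} gains full_control (delete, ACL, CORS, retention)")
    return warnings
```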