Authorization

Authorization in AWS S3 is based on S3 bucket access policies and object ACLs. IBM Spectrum Scale DAS uses a different approach to authorization so that S3 access integrates seamlessly into IBM Spectrum Scale and supports workflows that require multiple access protocols, including S3.

IBM Spectrum Scale DAS uses the standard UNIX access policy based on the user, group, and other permissions, known as Discretionary Access Control (DAC), and allows Security-Enhanced Linux (SELinux) policies, known as Mandatory Access Control (MAC), to secure S3 access to files and directories in IBM Spectrum Scale.

After successful authentication of an S3 client, IBM Spectrum Scale DAS looks up the corresponding S3 account’s UID and GID from the internal user database and uses them to authorize access to S3 buckets and S3 objects.

For S3 read access, IBM Spectrum Scale DAS enforces the ACLs stored in the IBM Spectrum Scale file system. Access to S3 buckets and S3 objects is denied when the S3 application does not have the required permissions in the IBM Spectrum Scale file system to access the underlying directories and files.

For write access, IBM Spectrum Scale DAS stores each S3 object as a file in the IBM Spectrum Scale file system and sets the owner of the new file to the UID and GID of the previously identified and authenticated S3 account. IBM Spectrum Scale DAS sets the permissions of new files to 660, which allows sharing of S3 objects with other S3 accounts that have the same GID.

Directories can be created in different ways. An IBM Spectrum Scale DAS administrator can create a directory on the storage cluster before creating an S3 export with the mmdas CLI command or the IBM Spectrum Scale DAS REST API. In this case, the administrator is responsible for configuring the desired owner and the access permissions or ACLs of the new directory using standard Linux and IBM Spectrum Scale commands.

S3 applications can use the CreateBucket S3 API request to create a new S3 bucket. In this case, IBM Spectrum Scale DAS tries to create a new directory for the new S3 bucket. The creation of the new S3 bucket fails if the respective S3 account does not have the permission in the file system to create the new directory. If the creation of the new directory succeeds, IBM Spectrum Scale DAS sets the owner of the new directory to the UID and GID of the previously identified and authenticated S3 account. IBM Spectrum Scale DAS sets the permissions of the new directory to 770, which allows sharing of S3 buckets with other S3 accounts that have the same GID.

IBM Spectrum Scale DAS uses the slash (/) as the delimiter in object names. When an S3 application uploads an object that has the delimiter in its object name, IBM Spectrum Scale DAS creates the corresponding subdirectories. In this case, IBM Spectrum Scale DAS sets the owner of each new subdirectory to the UID and GID of the previously identified and authenticated S3 account. IBM Spectrum Scale DAS sets the permissions of new subdirectories to 770, which allows sharing of S3 objects that have a delimiter in their object name with other S3 accounts that have the same GID.
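As an added illustration written for this page (not IBM Spectrum Scale DAS code), the following Python model applies the rules above to an in-memory export: CreateBucket yields a 770 directory, PutObject turns each slash-separated prefix into a 770 directory and the object into a 660 file owned by the account's UID and GID, and reads are checked with the standard owner/group/other bits. The export root ownership and the account UIDs and GIDs are constructed values.

```python
DELIM = "/"
READ, WRITE, SEARCH = 4, 2, 1

def _parents(path):
    """Yield the export root ("") and every directory above path, top down."""
    parts = path.split(DELIM)
    for i in range(len(parts)):
        yield DELIM.join(parts[:i])

class Export:
    """Constructed model of one S3 export; nodes are (uid, gid, mode) by path."""
    def __init__(self, root_uid, root_gid, root_mode):
        self.nodes = {"": (root_uid, root_gid, root_mode)}

    def allowed(self, uid, gid, path, bit):
        """Standard UNIX DAC: owner bits, else group bits, else other bits."""
        owner, group, mode = self.nodes[path]
        shift = 6 if uid == owner else 3 if gid == group else 0
        return bool(mode & (bit << shift))

    def _require_write(self, uid, gid, directory):
        if not self.allowed(uid, gid, directory, WRITE):
            raise PermissionError("AccessDenied")

    def create_bucket(self, uid, gid, bucket):
        """CreateBucket: a 770 directory owned by the account; fails when the
        account may not create entries in the export root."""
        self._require_write(uid, gid, "")
        self.nodes[bucket] = (uid, gid, 0o770)

    def put_object(self, uid, gid, bucket, key):
        """PutObject (new key): each delimiter prefix becomes a 770 directory
        and the object a 660 file, all owned by the account's UID/GID."""
        if bucket not in self.nodes:
            raise LookupError("NoSuchBucket")
        path, prev = bucket + DELIM + key, ""
        for d in list(_parents(path))[1:]:
            if d not in self.nodes:
                self._require_write(uid, gid, prev)
                self.nodes[d] = (uid, gid, 0o770)
            prev = d
        self._require_write(uid, gid, prev)
        self.nodes[path] = (uid, gid, 0o660)

    def can_get(self, uid, gid, bucket, key):
        """GetObject: search (x) on every directory of the path, read on the file."""
        path = bucket + DELIM + key
        return path in self.nodes and all(
            self.allowed(uid, gid, d, SEARCH) for d in _parents(path)
        ) and self.allowed(uid, gid, path, READ)
```

An account with the same GID as the bucket owner can read and add objects, while an account with a different GID is denied at the first directory it cannot search.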

In addition, IBM Spectrum Scale DAS supports the use of SELinux Multi-Category Security (MCS) to confine all IBM Spectrum Scale DAS processes. IBM Spectrum Scale DAS inherits SELinux MCS from Red Hat OpenShift, which isolates running pods by using SELinux MCS by default. If SELinux is enabled on the storage cluster, the deployment procedure of IBM Spectrum Scale DAS ensures that the SELinux context of the IBM Spectrum Scale DAS pods that access data in IBM Spectrum Scale matches the SELinux context of the data in IBM Spectrum Scale. Other pods and applications running on the same Red Hat OpenShift cluster cannot access that data by default because they run with a different SELinux MCS context.