Disabling S3 bucket replication for a user

As an administrator, you can attach a user policy that denies the S3 bucket replication API operations (PutReplicationConfiguration, GetReplicationConfiguration, and DeleteReplicationConfiguration) on the buckets that belong to a given user. An explicit Deny in a user policy takes precedence over any Allow, including the access a user otherwise has to their own buckets, so the affected user can no longer create, read, or remove replication configurations while all other S3 operations are unaffected.

Before you begin

  • A running IBM Storage Ceph 9.9.0 or 9.9.1 cluster with a multi-site Ceph Object Gateway configured. For more information on creating multi-site sync policies, see Creating a sync policy group.
  • A zonegroup-level sync policy is created. For more information on creating zone group policies, see Bucket granular sync policies.

Procedure

  1. Create a user policy configuration file that denies access to the S3 bucket replication API. The Statement element is a JSON array, and the document must be valid JSON (no trailing comma after the last key), otherwise the put-user-policy call fails.
    For example,
    [root@host01 ~]# cat user_policy.json
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Deny",
                "Action": [
                    "s3:PutReplicationConfiguration",
                    "s3:GetReplicationConfiguration",
                    "s3:DeleteReplicationConfiguration"
                ],
                "Resource": "arn:aws:s3:::*"
            }
        ]
    }
     
  2. As an admin user, attach the policy to the user to deny that user access to the S3 bucket replication API.
    aws --endpoint-url=ENDPOINT_URL iam put-user-policy --user-name USER_NAME --policy-name USER_POLICY_NAME --policy-document POLICY_DOCUMENT_PATH
    For example,
    [root@host01 ~]# aws --endpoint-url=http://host01:80 iam put-user-policy --user-name newuser1 --policy-name userpolicy --policy-document file://user_policy.json
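The following is an added example written for this page; it is not IBM Storage Ceph or Ceph Object Gateway code. It builds the policy document from step 1, checks a hand-written policy file for the mistakes that make put-user-policy reject it (such as a trailing comma or a Deny statement that does not cover all three replication actions), and evaluates the document with the IAM rule that an explicit Deny overrides any Allow, so the effect of the policy can be checked locally before the aws commands in steps 1 and 2 are run against the gateway. The bucket ARN, the broad s3:* Allow used to stand in for the user's normal access, and the file name are constructed for the example.

```python
# Added example, not Ceph Object Gateway code. Builds, validates and locally
# evaluates the user policy that denies S3 bucket replication operations.
import fnmatch
import json

REPLICATION_ACTIONS = (
    "s3:PutReplicationConfiguration",
    "s3:GetReplicationConfiguration",
    "s3:DeleteReplicationConfiguration",
)


def build_deny_replication_policy(resource="arn:aws:s3:::*"):
    """Return the user policy from step 1 of the procedure as a dict."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyS3BucketReplication",
                "Effect": "Deny",
                "Action": list(REPLICATION_ACTIONS),
                "Resource": resource,
            }
        ],
    }


def render_policy(policy):
    """Serialise a policy dict to the JSON text that put-user-policy reads."""
    return json.dumps(policy, indent=4)


def _as_list(value):
    # IAM allows a single string or object where a list is expected.
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    # IAM action names match case-insensitively and support '*' and '?'.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _resource_matches(patterns, resource):
    # Resource ARNs are case-sensitive; a bare '*' matches every resource.
    return any(fnmatch.fnmatchcase(resource, p) for p in _as_list(patterns))


def policy_problems(policy_text):
    """Return a list of problems in a hand-written policy document.

    An empty list means the text parses as JSON, carries the expected
    Version, and contains Deny statements covering all three replication
    actions. Trailing commas, a common editing mistake, fail the JSON parse.
    """
    try:
        policy = json.loads(policy_text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc}"]
    problems = []
    if policy.get("Version") != "2012-10-17":
        problems.append("Version must be 2012-10-17")
    denied = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") == "Deny":
            denied.update(a for a in REPLICATION_ACTIONS
                          if _action_matches(stmt.get("Action", []), a))
    missing = sorted(set(REPLICATION_ACTIONS) - denied)
    if missing:
        problems.append("not denied: " + ", ".join(missing))
    return problems


def evaluate(policies, action, resource):
    """Simplified IAM decision for one request across several policy documents.

    Returns 'explicit_deny', 'allow' or 'implicit_deny'. Condition,
    NotAction and NotResource are not modelled and are rejected explicitly
    rather than silently ignored.
    """
    decision = "implicit_deny"
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if any(k in stmt for k in ("Condition", "NotAction", "NotResource")):
                raise NotImplementedError("statement form not modelled here")
            if _action_matches(stmt["Action"], action) and _resource_matches(stmt["Resource"], resource):
                if stmt["Effect"] == "Deny":
                    return "explicit_deny"  # an explicit Deny wins over every Allow
                decision = "allow"
    return decision


def verify_replication_denied(deny_policy, bucket_arn="arn:aws:s3:::bucket1"):
    """Evaluate the deny policy next to a broad s3:* Allow, which stands in for
    the access the user otherwise has. Returns {action: decision}; PutObject is
    included to show that unrelated S3 operations stay allowed."""
    allow_all = {"Version": "2012-10-17",
                 "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
    checked = REPLICATION_ACTIONS + ("s3:PutObject",)
    return {a: evaluate([allow_all, deny_policy], a, bucket_arn) for a in checked}


if __name__ == "__main__":
    policy = build_deny_replication_policy()
    with open("user_policy.json", "w") as fh:  # file for --policy-document file://user_policy.json
        fh.write(render_policy(policy))
    print(policy_problems(render_policy(policy)))
    print(verify_replication_denied(policy))
```

The local evaluation is a model of the IAM decision logic, not a substitute for the verification in "What to do next": after attaching the policy, the affected user's replication calls must be run against the gateway to confirm they are denied.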

What to do next

  • As an admin, verify that the user policy is attached and that the returned document matches the file you created.
    aws --endpoint-url=ENDPOINT_URL iam get-user-policy --user-name USER_NAME --policy-name USER_POLICY_NAME --region us
    For example,
    [root@host01 ~]# aws --endpoint-url=http://host01:80 iam get-user-policy --user-name newuser1 --policy-name userpolicy --region us
  • As the affected user, run the S3 bucket replication API operations (put, get, and delete bucket replication configuration) against one of the user's buckets and verify that each one is denied with an AccessDenied error, as expected.