
Lindorm:Manage permissions in S3 protocol compatibility

Last Updated:Aug 24, 2023

This topic describes how to manage permissions on buckets when you use the S3 protocol compatibility feature of Lindorm.

Permissions on buckets

The S3 protocol compatibility feature supports the following five permissions on buckets: READ, WRITE, TRASH, ADMIN, and SYSTEM. The ADMIN permission is equivalent to the SYSTEM permission.

Permissions on a bucket are defined by a table with the same name as the bucket in the lfsdata namespace. For example, write permissions on a bucket named testbucket are the same as the WRITE permission of a table named testbucket in the lfsdata namespace. Therefore, you must have write permissions on the lfsdata namespace before you create a bucket.

The following list describes the five permissions on buckets and the operations supported by each permission.

  • WRITE: the write permission on buckets. Supports write operations on buckets, such as putObject, multipartUpload, setTagging, and setLifecycle.

  • READ: the read permission on buckets. Supports read operations on buckets, such as listObjects, getObject, headBucket, setTagging, and getLifecycle.

  • TRASH: the delete permission on buckets. Supports delete operations on buckets, such as deleteObject, deleteTagging, and deleteLifecycle.

  • ADMIN: the complete permission on buckets. Supports all operations supported by the WRITE, READ, and TRASH permissions.

  • SYSTEM: the complete permission on buckets, equivalent to ADMIN. Supports all operations supported by the WRITE, READ, and TRASH permissions.

Manage permissions on buckets

Note
  • By default, the root user of LindormTable has the ADMIN and SYSTEM permissions on all buckets.

  • A newly created user has no permissions on buckets. You must manually grant permissions to the user.

You can manage permissions on buckets by using one of the following methods:

  • Method 1: Grant permissions to specific users in the cluster management system of LindormTable. This method can only grant a user permissions at the Namespace or Global level, such as permissions on all buckets in a namespace. For example, you can use this method to grant user1 the READ permission on namespace1. In this case, user1 has the READ permission on all buckets in namespace1. For more information, see the "Grant permissions to a user" section in Permission management for access control.

    Important

    If you grant permissions in the cluster management system of Lindorm, you must select lfsdata as the namespace, because all buckets are tables in that namespace.

  • Method 2: Use Lindorm-cli to connect to LindormTable and use the GRANT or REVOKE statement to grant permissions to or revoke permissions from a user. This method can manage permissions on buckets at the Table, Namespace, or Global level. For more information, see Use Lindorm-cli to connect to and use LindormTable.

    The following examples show how to use the GRANT and REVOKE statements to manage the permissions of a user.

    • Example 1: Grant user1 the WRITE permission on testbucket.

      GRANT WRITE ON TABLE lfsdata.testbucket TO user1;

    • Example 2: Revoke all permissions on testbucket from user1.

      REVOKE ADMIN ON SCHEMA lfsdata FROM user1;

    For more information about the GRANT and REVOKE statements, see GRANT and REVOKE.
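The following script is an added example, not code from Lindorm or this documentation. It models the permission scheme described above (buckets as tables in the lfsdata namespace, ADMIN equivalent to SYSTEM, Global/Namespace/Table scopes) so that an administrator can check offline which S3 operations a planned set of grants allows, and can generate Table-level GRANT statements that cover exactly the operations a user needs. The operation-to-permission mapping, the lfsdata namespace, and the `GRANT ... ON TABLE` / `REVOKE ... ON SCHEMA` statement forms come from the page; the Global-level statement syntax is not shown on the page, so Global grants are only evaluated here, never emitted. The sample grants and user names are constructed.

```python
"""Added example (not Lindorm's own code): a model of the bucket permission
scheme for the S3 protocol compatibility feature. It answers "does this set
of grants allow operation X on bucket Y?" and emits least-privilege GRANTs.
"""

NAMESPACE = "lfsdata"            # buckets are tables in this namespace (from the page)
COMPLETE = {"ADMIN", "SYSTEM"}   # the two equivalent "complete" permissions
BASIC = {"READ", "WRITE", "TRASH"}

# Operation -> required permission, taken from the permission list on the page.
# setTagging is listed under both WRITE and READ there; it is treated as a
# write here because it modifies bucket state.
OPERATION_PERMISSION = {
    "putObject": "WRITE", "multipartUpload": "WRITE",
    "setTagging": "WRITE", "setLifecycle": "WRITE",
    "listObjects": "READ", "getObject": "READ",
    "headBucket": "READ", "getLifecycle": "READ",
    "deleteObject": "TRASH", "deleteTagging": "TRASH",
    "deleteLifecycle": "TRASH",
}

# A grant is (permission, scope, target): scope is "GLOBAL" (target None),
# "SCHEMA" (target = namespace) or "TABLE" (target = namespace.bucket).


def implied(permission):
    """ADMIN and SYSTEM cover READ, WRITE and TRASH; others cover only themselves."""
    if permission in COMPLETE:
        return BASIC | COMPLETE
    if permission in BASIC:
        return {permission}
    raise ValueError(f"unknown permission {permission!r}")


def grant_applies(grant, bucket):
    """True if a grant reaches the given bucket (Global > Namespace > Table)."""
    _, scope, target = grant
    if scope == "GLOBAL":
        return True
    if scope == "SCHEMA":
        return target == NAMESPACE
    if scope == "TABLE":
        return target == f"{NAMESPACE}.{bucket}"
    raise ValueError(f"unknown scope {scope!r}")


def effective_permissions(grants, bucket):
    """Union of the permissions every applicable grant confers on the bucket."""
    perms = set()
    for grant in grants:
        if grant_applies(grant, bucket):
            perms |= implied(grant[0])
    return perms


def is_allowed(grants, bucket, operation):
    """True if the grants permit `operation` on `bucket`; unknown operations are denied."""
    required = OPERATION_PERMISSION.get(operation)
    if required is None:
        return False
    return required in effective_permissions(grants, bucket)


def grant_statement(user, permission, scope, target):
    """GRANT in the form shown on the page (Table and Namespace levels only)."""
    if scope not in ("TABLE", "SCHEMA"):
        raise ValueError("Global-level GRANT syntax is not shown on the page")
    return f"GRANT {permission} ON {scope} {target} TO {user};"


def revoke_statement(user, permission, scope, target):
    """REVOKE in the form shown on the page (Table and Namespace levels only)."""
    if scope not in ("TABLE", "SCHEMA"):
        raise ValueError("Global-level REVOKE syntax is not shown on the page")
    return f"REVOKE {permission} ON {scope} {target} FROM {user};"


def least_privilege_statements(user, needs):
    """needs: {bucket: operations the user must perform}. Emits Table-level
    GRANTs for only the permissions those operations require, so a user that
    only uploads never receives TRASH or ADMIN."""
    statements = []
    for bucket in sorted(needs):
        required = {OPERATION_PERMISSION[op] for op in needs[bucket]}
        for perm in sorted(required):
            statements.append(grant_statement(user, perm, "TABLE", f"{NAMESPACE}.{bucket}"))
    return statements


if __name__ == "__main__":
    # Constructed sample: an uploader that should only write to testbucket.
    grants = [("WRITE", "TABLE", "lfsdata.testbucket")]
    for op in ("putObject", "getObject", "deleteObject"):
        verdict = "allowed" if is_allowed(grants, "testbucket", op) else "denied"
        print(f"{op} on testbucket: {verdict}")
    for stmt in least_privilege_statements("user1", {"testbucket": ["putObject", "headBucket"]}):
        print(stmt)
```

Run the script as-is to see the sample uploader's verdicts and the generated statements. The useful check is `least_privilege_statements`: it derives READ and WRITE for a user who only uploads and checks the bucket, rather than the broader ADMIN grant that is tempting to hand out, and it never emits a Namespace-level grant, which on this platform would cover every bucket in lfsdata.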