Using policies

This page shows you how to control access to your resources on Acacia. Using policies you can give list, upload, download, and delete permissions to other Acacia users and projects.


What makes up a policy?

A policy is a JSON-formatted text file containing the following basic elements (for a complete description see AWS Identity and Access Management (external link)):

  • Effect - this can be either allow or deny.
  • Principal - the user or project for which the policy determines access to your resources.
  • Action - the S3 operation which is affected by this policy. These include CreateBucket, DeleteBucket, DeleteObject, GetObject, ListBucket, PutBucketPolicy, PutObject. For the full listing of supported actions see Ceph Bucket policies (external link).
  • Resource - your resource to which the policy is to be applied.

A template policy file is shown below:

Template policy file:
{
  "Statement": [{
    "Effect": "EFFECT",
    "Principal": {"AWS": ["arn:aws:iam::ACCOUNTID"]},
    "Action": "s3:ACTION",
    "Resource": ["arn:aws:s3:::BUCKET"]
  }]
}

To create a policy you can copy this template and create a file with a .json extension. You then substitute the appropriate information for each element into the file.

Note (Client support): The policy file cannot be larger than 20 KB in size.

Policy example

A single policy can include multiple accounts and actions. For example, if you wanted to give the user lcampbell and the project pawsey0002 permission to list the bucket cou01-share01 belonging to the project courses01 (of which you are a member), you would make the following substitutions:

  • EFFECT = Allow
  • ACCOUNTID = :user/USERNAME for the user account (here :user/lcampbell), and UUID:root for the project account (the project's UUID followed by :root)
  • ACTION = ListBucket
  • BUCKET = cou01-share01

Note (Client support):
  • When setting access for a user account on Acacia you require the username of the Pawsey account holder.
  • Setting access for a project account requires the project's UUID, which can be found on the S3 Keys page for the project on the Pawsey portal. If you are unsure how to access this, see the section on credentials in Acacia - Quick Start.


Example list access policy file - allow-policy.json:
{
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": ["arn:aws:iam:::user/lcampbell","arn:aws:iam::0519d807c3a549c0b73cdc8244d6a0c5:root"]},
    "Action": "s3:ListBucket",
    "Resource": ["arn:aws:s3:::cou01-share01"]
  }]
}
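The following Python script is an added example, not code from this page or from Pawsey. It fills the template above with the substitutions described in the policy example (user and project principals, actions, bucket), enforces the 20 KB limit from the note, and prints a summary of who the resulting policy grants what, which is a useful check before applying a file to a bucket. The function names (build_policy, policy_json, summarize) are this example's own; the user name, project UUID and bucket name are the page's example values. It goes slightly beyond the page in one respect: for object-level actions (GetObject, PutObject, DeleteObject) it also adds the bucket/* resource, which standard S3 policy semantics require for those actions and which the page does not mention.

```python
import json
from typing import Dict, List, Tuple, Union

# Page states the policy file cannot be larger than 20 KB.
POLICY_MAX_BYTES = 20 * 1024

# Actions the page lists as supported (Ceph bucket policies).
KNOWN_ACTIONS = {
    "CreateBucket", "DeleteBucket", "DeleteObject", "GetObject",
    "ListBucket", "PutBucketPolicy", "PutObject",
}
# Standard S3 semantics (assumption, not from the page): these act on
# objects, so they need the bucket/* resource as well as the bucket itself.
OBJECT_ACTIONS = {"GetObject", "PutObject", "DeleteObject"}


def user_principal(username: str) -> str:
    """ARN for a Pawsey user account, in the page's :user/USERNAME form."""
    return f"arn:aws:iam:::user/{username}"


def project_principal(project_uuid: str) -> str:
    """ARN for a project account, in the page's UUID:root form."""
    return f"arn:aws:iam::{project_uuid}:root"


def build_policy(effect: str, users: List[str], project_uuids: List[str],
                 actions: List[str], bucket: str) -> Dict:
    """Fill the page's template with the given substitutions.

    Effect is normalised to Allow/Deny (the JSON needs the capitalised form).
    A single action is emitted as a string, as in the template; several
    actions become a list, which the policy grammar also accepts.
    """
    effect = effect.capitalize()
    if effect not in ("Allow", "Deny"):
        raise ValueError(f"Effect must be Allow or Deny, got {effect!r}")
    unknown = [a for a in actions if a not in KNOWN_ACTIONS]
    if unknown:
        raise ValueError(f"unsupported action(s): {unknown}")
    principals = [user_principal(u) for u in users]
    principals += [project_principal(p) for p in project_uuids]
    if not principals:
        raise ValueError("policy needs at least one principal")
    s3_actions: Union[str, List[str]] = [f"s3:{a}" for a in actions]
    if len(s3_actions) == 1:
        s3_actions = s3_actions[0]
    resources = [f"arn:aws:s3:::{bucket}"]
    if any(a in OBJECT_ACTIONS for a in actions):
        resources.append(f"arn:aws:s3:::{bucket}/*")
    return {
        "Statement": [{
            "Effect": effect,
            "Principal": {"AWS": principals},
            "Action": s3_actions,
            "Resource": resources,
        }]
    }


def policy_json(doc: Dict) -> str:
    """Serialise the policy and refuse anything over the page's 20 KB limit."""
    text = json.dumps(doc, indent=2)
    size = len(text.encode("utf-8"))
    if size > POLICY_MAX_BYTES:
        raise ValueError(f"policy is {size} bytes, limit is {POLICY_MAX_BYTES}")
    return text


def summarize(doc: Dict) -> List[Tuple[str, str, str, str]]:
    """List every (principal, action, effect, resource) grant in the policy.

    Handy for reviewing a policy file before applying it: each tuple is one
    thing one account may (or may not) do to one resource.
    """
    grants = []
    for stmt in doc["Statement"]:
        actions = stmt["Action"]
        actions = [actions] if isinstance(actions, str) else actions
        for principal in stmt["Principal"]["AWS"]:
            for action in actions:
                for resource in stmt["Resource"]:
                    grants.append((principal, action, stmt["Effect"], resource))
    return grants


if __name__ == "__main__":
    # The page's example: list access for user lcampbell and one project.
    policy = build_policy("Allow", ["lcampbell"],
                          ["0519d807c3a549c0b73cdc8244d6a0c5"],
                          ["ListBucket"], "cou01-share01")
    print(policy_json(policy))
    for grant in summarize(policy):
        print(*grant)
```

Write the output of policy_json to a file such as allow-policy.json and apply it with whichever S3 client you use for Acacia; the summary printed afterwards is the list of grants you should expect to see in effect.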
