Managing Per-User Filesystems Using Filesystem Pool And IAM Policy
If you have multiple users and want to keep each user separated in their own filesystem, you can use ObjectiveFS’s filesystem pool feature to manage the per-user filesystems.
IAM Policy
We will set up two types of user: an admin who manages all filesystems, and a regular user who can access only their own filesystem.
Admin
The admin manages all filesystems and has IAM permissions to perform all filesystem operations (e.g. create, list, destroy) on these filesystems.
Here is an IAM policy for the admin. GetBucketLocation is needed to determine the S3 endpoint and ListAllMyBuckets is needed for the list command.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation",
        "s3:ListAllMyBuckets"
      ],
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::YOUR-BUCKET",
        "arn:aws:s3:::YOUR-BUCKET/*"
      ]
    }
  ]
}
Regular User
A regular user has IAM permissions that give them access only to their own filesystem.
Here is an IAM policy for a regular user. GetBucketLocation is needed to determine the S3 endpoint. This policy restricts the user’s S3 commands to their own filesystem.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetBucketLocation",
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::YOUR-BUCKET",
      "Condition": {
        "StringLike": { "s3:prefix": "USER/*" }
      }
    },
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::YOUR-BUCKET/USER/*"
    }
  ]
}
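As an added illustration (not part of the original article or of ObjectiveFS's own tooling), the following Python builds the regular-user policy above for a given bucket and user, then runs a deliberately reduced IAM-style evaluation over it to confirm the isolation the policy is meant to give: objects under another user's prefix, a bucket listing without the user's own prefix, and a lookalike prefix such as user10/ are all denied. The evaluator models only Allow statements and StringLike conditions (enough for these two policies), and the bucket and key names are constructed.

```python
import re
from typing import Optional

# Constructed example: the regular-user policy from this page, templated on
# the bucket name and the user's prefix (the YOUR-BUCKET and USER placeholders).
def user_policy(bucket: str, user: str) -> dict:
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "s3:GetBucketLocation",
             "Resource": "arn:aws:s3:::*"},
            {"Effect": "Allow", "Action": "s3:ListBucket",
             "Resource": f"arn:aws:s3:::{bucket}",
             "Condition": {"StringLike": {"s3:prefix": f"{user}/*"}}},
            {"Effect": "Allow", "Action": "s3:*",
             "Resource": f"arn:aws:s3:::{bucket}/{user}/*"},
        ],
    }

def _glob(pattern: str, value: str) -> bool:
    """IAM-style wildcard match: '*' is any run of characters, '?' one character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None

def _as_list(v):
    return v if isinstance(v, list) else [v]

def is_allowed(policy: dict, action: str, resource: str,
               context: Optional[dict] = None) -> bool:
    """Reduced evaluator: default deny; Allow statements only (these policies
    carry no Deny); StringLike conditions checked against request context keys."""
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        # Action names are case-insensitive in IAM; resource ARNs are case-sensitive.
        if not any(_glob(a.lower(), action.lower()) for a in _as_list(stmt["Action"])):
            continue
        if not any(_glob(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        # Every StringLike key must be present in the request and match a pattern;
        # a missing key (e.g. ListBucket with no prefix at all) fails the condition.
        cond = stmt.get("Condition", {}).get("StringLike", {})
        if all(key in context and any(_glob(p, context[key]) for p in _as_list(pats))
               for key, pats in cond.items()):
            return True
    return False
```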
Filesystem Pool Example
Here’s an example of a way to set up a per-user filesystem using filesystem pool.
Credentials
The admin sets up the ObjectiveFS credentials for the admin user (in the default location in this example) and for all users in separate directories.
For admin:
$ sudo mount.objectivefs config
Creating config in /etc/objectivefs.env
Enter ObjectiveFS license: <your ObjectiveFS license>
Enter Access Key Id: <admin's S3 access key>
Enter Secret Access Key: <admin's S3 secret key>
For every user:
$ sudo mount.objectivefs config /etc/objectivefs.USER
Creating config in /etc/objectivefs.USER
Enter ObjectiveFS license: <your ObjectiveFS license>
Enter Access Key Id: <USER's S3 access key>
Enter Secret Access Key: <USER's S3 secret key>
Creating a new filesystem
The admin then creates a different filesystem for each user using YOUR-BUCKET/USER (e.g. myfs/user1). Each filesystem has a unique passphrase.
$ sudo mount.objectivefs create myfs/user1
Passphrase (for s3://myfs/user1): <passphrase for user1's filesystem>
Verify passphrase (for s3://myfs/user1): <same passphrase as above>
Mounting a filesystem
The filesystem can now be mounted for the user with the user’s credentials (e.g. from /etc/objectivefs.USER). You’ll need an existing empty directory (e.g. /dir1) to mount the filesystem.
$ sudo mount.objectivefs -oenv=/etc/objectivefs.USER s3://myfs/user1 /dir1
Passphrase (for s3://myfs/user1): <passphrase for user1's filesystem>
Destroying a Filesystem
Only the admin, using the admin IAM credentials, can destroy a filesystem.
Please see the User Guide for more commands, filesystem pool details and mount-on-boot information.
by ObjectiveFS staff, October 1, 2015
ObjectiveFS is a shared file system for OS X and Linux that automatically scales and gives you scalable cloud storage.
If you have questions or article idea suggestions, please email us: Contact us here