Sharing Buckets

You can share one bucket at a time.
To share a bucket, you can use access control lists or bucket policies.
Access control lists allow you to implement fine-grained control over your buckets and the objects in them. To share a bucket with an access control list, you edit the access permissions to the bucket by using the built-in canned access control lists, or by creating a custom access control list.
Bucket policies allow you to implement global control over your buckets. They can only be assigned to buckets but not to the objects in the bucket.

Access Control Lists

Use access control lists to manage access to buckets.
You can use access control lists to grant access to buckets. Access control lists define who has access to your buckets and what level of access they have. There are two types of access control lists:
  • Canned access control lists are predefined.
  • Custom access control lists can be modified to your needs.
Before you share a bucket using an access control list, you must verify that you have the required set of rights.
If you are an ... | You can ...
organization administrator | share buckets that users in your organization own.
organization user | share buckets that you own.
  • Alternatively, the owner must assign one of the following sets of permissions for the bucket to your user account.
    • Read of Bucket, Write of Bucket, Read of ACL, and Write of ACL
    • Read of Bucket, Read of ACL, and Write of ACL
    • Full Control

Share a Bucket Using a Canned Access Control List

Canned access control lists are predefined, built-in access control lists that you can use to share buckets within your organization or publicly over the Internet.
Setting a canned access control list on a bucket overwrites the existing permissions configuration for the bucket.
  1. Log in to the VMware Cloud Director tenant portal.
  2. In the primary left navigation panel, under More, select Object Storage.
  3. In the Buckets pane, click the name of the bucket that you want to share.
  4. On the Permissions tab, click Set Canned ACL.
  5. Select a canned access control list name for the bucket and click Set ACL.
    • Private: Only the bucket owner and the organization administrator can access the bucket.
    • Public Read: Grants Read permissions on the bucket to all users.
    • Public Read/Write: Grants Read and Write permissions on the bucket to all users.
    • Authenticated Users Read: Grants Read permissions to all authenticated VMware Cloud Director users.
    • Tenant Read: Grants Read permissions on the bucket to all users within the VMware Cloud Director organization. If you use the ECS storage platform, this option is not available. If you use AWS S3, this option is not available.
    • Tenant Read/Write: Grants Read and Write permissions on the bucket to all users within the VMware Cloud Director organization. If you use ECS or AWS S3, this option is not available.
    • System Logger: To write bucket logs, VMware Cloud Director Object Storage Extension uses the System Logger account. Modifying the permissions of the System Logger account for a logging target bucket might result in failure to write bucket logs. For more information, see Bucket Logs. If you use the ECS storage platform, this option is not available.

Share a Bucket Using a Custom Access Control List

You can share buckets with users in your organization by creating a custom access control list.
The following table describes the available access control list options.
Option | Description
Full Control | Grants Read and Write permissions on the bucket, and Read and Write permissions for the access control list of the bucket.
Read of Bucket | Grants Read permissions on the bucket.
Write of Bucket | Grants Write permissions on the bucket.
Read of ACL | Grants Read permissions on the access control list of the bucket.
Write of ACL | Grants Write permissions on the access control list of the bucket.
  1. Log in to the VMware Cloud Director tenant portal.
  2. In the primary left navigation panel, under More, select Object Storage.
  3. In the Buckets pane, click the name of the bucket that you want to share.
  4. On the Permissions tab, click Edit.
  5. Configure the required set of permissions for the bucket and click Save.
    • To share the bucket with users from your tenant organization, use the toggle buttons in the Tenant Users row. If you use the ECS storage platform, this option is not available.
    • To share the bucket with authenticated users from all tenant organizations, use the toggle buttons in the Authenticated Users row.
    • To share the bucket with all users, use the toggle buttons in the Public row.
    • To share the bucket with specific users within your organization, click the Add User button, select the user, and use the toggle buttons in the corresponding row.
    • To write bucket logs, VMware Cloud Director Object Storage Extension uses the System Logger account. Modifying the permissions of the System Logger account for a logging target bucket might result in failure to write bucket logs. For more information, see Bucket Logs. If you use the ECS storage platform, this option is not available.
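
To review what a custom or canned access control list actually exposes, the following added example (not part of the product documentation) audits an ACL in the shape returned by the S3 GetBucketAcl API and reports grants to the Public and Authenticated Users rows using the option names from the table above. The function name, the sample ACL, the group URIs and the mapping from S3 permissions to the portal's option names are assumptions; the Tenant Users row is not covered because the page gives no identifier for it.

```python
# S3 group URIs behind the Public and Authenticated Users rows. Assumption:
# this S3-compatible service uses the standard AWS URIs; the page lists none.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
SCOPES = {ALL_USERS: "Public", AUTH_USERS: "Authenticated Users"}

# S3 permission -> option name used on this page (assumed mapping)
LABELS = {
    "READ": "Read of Bucket",
    "WRITE": "Write of Bucket",
    "READ_ACP": "Read of ACL",
    "WRITE_ACP": "Write of ACL",
    "FULL_CONTROL": "Full Control",
}
# Permissions that let the grantee change objects or the ACL itself
HIGH_RISK = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}


def audit_acl(acl):
    """Return sorted (scope, option, severity) tuples for group-wide grants."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # grants to individual users are not reported
        scope = SCOPES.get(grantee.get("URI"))
        if scope is None:
            continue  # some other group, for example a log delivery group
        perm = grant.get("Permission")
        severity = "high" if perm in HIGH_RISK else "medium"
        findings.append((scope, LABELS.get(perm, str(perm)), severity))
    return sorted(findings)


# Constructed sample: owner grant plus the two grants of a public read/write ACL
SAMPLE_ACL = {
    "Owner": {"ID": "owner-id-placeholder"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "WRITE"},
    ],
}

if __name__ == "__main__":
    for scope, option, severity in audit_acl(SAMPLE_ACL):
        print("%-6s %s: %s" % (severity, scope, option))
```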

Bucket Policies

With bucket policies, you allow or deny an action to a resource in a bucket. You can also define conditions within a policy.
To grant access permissions to your bucket and the objects in it, you use bucket policies. Bucket policies are an important element in securing your buckets against unauthorized access.
Bucket policies consist of policy statements and are limited to 20 KB in size. You can create a single policy per bucket, but you can add multiple statements to a single policy.
Bucket policies use a JSON-based language. See Policies and Permissions in Amazon S3.
VMware Cloud Director Object Storage Extension provides a policy editor that you can use instead of the JSON editor.
Only the bucket owner can create and edit bucket policies.

Create a Bucket Policy

To create a bucket policy, you define rules and conditions for accessing the objects in a bucket.
To create a bucket policy, you must be the owner of the bucket.
  1. Log in to the VMware Cloud Director tenant portal.
  2. In the primary left navigation panel, under More, select Object Storage.
  3. In the Buckets pane, click the name of the bucket that you want to edit.
  4. On the Permissions tab, click text in the bucket policy area.
  5. Enter the details of the policy and click Save.
    • You can use the policy editor to enter ID, effect, settings, and conditions for the policy.
    • You can use the JSON editor to enter the policy statements.
    • To create a Public Read or Public Read/Write policy, click the respective shortcut.
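
Before saving a policy written in the JSON editor, it helps to check it against the 20 KB limit and to see which statements open the bucket to everyone. The following added example (not part of the product documentation) does both for an S3-style policy document; the function names, the list of write actions and the sample policy are assumptions made for illustration.

```python
import json
from fnmatch import fnmatchcase

MAX_POLICY_BYTES = 20 * 1024  # page states 20 KB; 1 KB = 1024 bytes is assumed
# Representative S3 actions that change data or access settings (not exhaustive)
WRITE_ACTIONS = ["s3:putobject", "s3:deleteobject", "s3:putbucketacl", "s3:putbucketpolicy"]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_public(principal):  # "*" and {"AWS": "*"} both mean any caller
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return principal == "*"


def _is_write(pattern):  # patterns may hold wildcards, e.g. "s3:Put*" or "s3:*"
    return any(fnmatchcase(a, pattern.lower()) for a in WRITE_ACTIONS)


def review_policy(policy_text):
    """Return findings for one policy; NotPrincipal/NotAction are not evaluated."""
    findings = []
    if len(policy_text.encode("utf-8")) > MAX_POLICY_BYTES:
        findings.append("policy exceeds 20 KB")
    statements = _as_list(json.loads(policy_text).get("Statement", []))
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow" or not _is_public(stmt.get("Principal")):
            continue  # Deny statements and named principals are not flagged
        sid = stmt.get("Sid", "statement[%d]" % i)
        actions = _as_list(stmt.get("Action", []))
        kind = "write" if any(_is_write(a) for a in actions) else "read"
        guard = "conditional" if stmt.get("Condition") else "unconditional"
        findings.append("%s: public %s (%s)" % (sid, kind, guard))
    return findings


# Constructed sample policy (bucket name and network range are placeholders)
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "PartnerUpload", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:Put*"], "Resource": "arn:aws:s3:::example-bucket/in/*",
     "Condition": {"IpAddress": {"aws:SourceIp": "192.0.2.0/24"}}},
    {"Sid": "DenyDelete", "Effect": "Deny", "Principal": "*",
     "Action": "s3:DeleteObject", "Resource": "arn:aws:s3:::example-bucket/*"},
]})
```

A statement reported as "conditional" still names every caller as principal, so the condition block is the only thing restricting it and deserves its own review.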