Sharing Buckets
You can share one bucket at a time.
To share a bucket, you can use access control lists or bucket policies.
Access control lists allow you to implement fine-grained control over your buckets and the objects in the buckets. To share a bucket with an access control list, you edit the access permissions to the bucket by using the built-in canned access control lists, or by creating a custom access control list.
Bucket policies allow you to implement global control over your buckets. They can be assigned only to buckets, not to the objects in the bucket.
Access Control Lists
Use access control lists to manage access to buckets.
You can use access control lists to grant access to buckets. Access control lists define who has access to your buckets and what level of access they have. There are two types of access control lists:
- Canned access control lists are predefined.
- Custom access control lists can be modified to your needs.
Before you share a bucket using an access control list, you must verify that you have the required set of rights.
If you are an ... | You can ... |
---|---|
organization administrator | share buckets that users in your organization own. |
organization user | share buckets that you own. |
- Alternatively, the owner must assign one of the following sets of permissions for the bucket to your user account.
  - Read of Bucket, Write of Bucket, Read of ACL, and Write of ACL
  - Read of Bucket, Read of ACL, and Write of ACL
  - Full Control
Share a Bucket Using a Canned Access Control List
Canned access control lists are predefined, built-in access control lists that you can use to share buckets within your organization or publicly over the Internet.
Setting a canned access control list on a bucket overwrites the existing permissions configuration for the bucket.
- Log in to the VMware Cloud Director tenant portal.
- In the primary left navigation panel, under More, select Object Storage.
- In the Buckets pane, click the name of the bucket that you want to share.
- On the Permissions tab, click Set Canned ACL.
- Select a canned access control list name for the bucket and click Set ACL.
Option | Description |
---|---|
Private | Only the bucket owner and the organization administrator can access the bucket. |
Public Read | Grants Read permissions on the bucket to all users. |
Public Read/Write | Grants Read and Write permissions on the bucket to all users. |
Authenticated Users Read | Grants Read permissions to all authenticated VMware Cloud Director users. |
Tenant Read | Grants Read permissions on the bucket to all users within the VMware Cloud Director organization. If you use the ECS storage platform, this option is not available. If you use AWS S3, this option is not available. |
Tenant Read/Write | Grants Read and Write permissions on the bucket to all users within the VMware Cloud Director organization. If you use ECS or AWS S3, this option is not available. |
System Logger | To write bucket logs, VMware Cloud Director Object Storage Extension uses the System Logger account. Modifying the permissions of the System Logger account for a logging target bucket might result in failure to write bucket logs. For more information, see Bucket Logs. If you use the ECS storage platform, this option is not available. |
Share a Bucket Using a Custom Access Control List
You can share buckets with users in your organization by creating a custom access control list.
The following table describes the available access control list options.
Option | Description |
---|---|
Full Control | Grants Read and Write permissions on the bucket, and Read and Write permissions for the access control list of the bucket. |
Read of Bucket | Grants Read permissions on the bucket. |
Write of Bucket | Grants Write permissions on the bucket. |
Read of ACL | Grants Read permissions on the access control list of the bucket. |
Write of ACL | Grants Write permissions on the access control list of the bucket. |
- Log in to the VMware Cloud Director tenant portal.
- In the primary left navigation panel, under More, select Object Storage.
- In the Buckets pane, click the name of the bucket that you want to share.
- On the Permissions tab, click Edit.
- Configure the required set of permissions for the bucket and click Save.
  - To share the bucket with users from your tenant organization, use the toggle buttons in the Tenant Users row. If you use the ECS storage platform, this option is not available.
  - To share the bucket with authenticated users from all tenant organizations, use the toggle buttons in the Authenticated Users row.
  - To share the bucket with all users, use the toggle buttons in the Public row.
  - To share the bucket with specific users within your organization, click the Add User button, select the user, and use the toggle buttons in the corresponding row.
  - To write bucket logs, VMware Cloud Director Object Storage Extension uses the System Logger account. Modifying the permissions of the System Logger account for a logging target bucket might result in failure to write bucket logs. For more information, see Bucket Logs. If you use the ECS storage platform, this option is not available.
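The permission options and prerequisite sets above can be checked mechanically when reviewing who a bucket is shared with. The following Python sketch is an added example, not code from VMware Cloud Director Object Storage Extension; the dictionary layout (grantee name mapped to permission names) and the user names are assumptions made for illustration.

```python
FULL_CONTROL = "Full Control"
ALL_PERMS = {"Read of Bucket", "Write of Bucket", "Read of ACL", "Write of ACL"}
# Smallest prerequisite set from the list above that lets a non-owner share a bucket.
SHARE_MINIMUM = {"Read of Bucket", "Read of ACL", "Write of ACL"}
# Rows in the permissions editor that cover more than one named user.
BROAD_GRANTEES = ("Public", "Authenticated Users", "Tenant Users")

def effective(perms):
    """Expand Full Control into the four permissions it stands for."""
    perms = set(perms)
    return (perms - {FULL_CONTROL}) | ALL_PERMS if FULL_CONTROL in perms else perms

def can_share(perms):
    """True if the permissions satisfy one of the listed prerequisite sets."""
    return SHARE_MINIMUM <= effective(perms)

def audit_acl(acl):
    """acl maps grantee name -> permission names; returns (grantee, finding) pairs."""
    findings = []
    for grantee, perms in sorted(acl.items()):
        eff = effective(perms)
        if grantee in BROAD_GRANTEES:
            if "Write of ACL" in eff:
                findings.append((grantee, "can rewrite the bucket ACL"))
            if "Write of Bucket" in eff:
                findings.append((grantee, "can write to the bucket"))
            if grantee == "Public" and "Read of Bucket" in eff:
                findings.append((grantee, "bucket is readable by all users"))
        elif can_share(perms):
            findings.append((grantee, "can re-share the bucket"))
    return findings

# Constructed ACL for illustration; "alice" and "bob" are hypothetical users.
SAMPLE_ACL = {
    "Public": ["Read of Bucket"],
    "Tenant Users": ["Full Control"],
    "alice": ["Read of Bucket", "Read of ACL", "Write of ACL"],
    "bob": ["Read of Bucket", "Write of Bucket"],
}

if __name__ == "__main__":
    for grantee, finding in audit_acl(SAMPLE_ACL):
        print(f"{grantee}: {finding}")
```
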
Bucket Policies
With bucket policies, you allow or deny an action to a resource in a bucket. You can also define conditions within a policy.
To grant access permissions to your bucket and the objects in it, you use bucket policies. Bucket policies are an important element in securing your buckets against unauthorized access.
Bucket policies consist of policy statements and are limited to 20 KB in size. You can create a single policy per bucket, but you can add multiple statements to a single policy.
Bucket policies use a JSON-based language. See Policies and Permissions in Amazon S3.
VMware Cloud Director Object Storage Extension provides a policy editor that you can use instead of the JSON editor.
Only the bucket owner can create and edit bucket policies.
Create a Bucket Policy
To create a bucket policy, you define rules and conditions for accessing the objects in a bucket.
To create a bucket policy, you must be the owner of the bucket.
- Log in to the VMware Cloud Director tenant portal.
- In the primary left navigation panel, under More, select Object Storage.
- In the Buckets pane, click the name of the bucket that you want to edit.
- On the Permissions tab, click text in the bucket policy area.
- Enter the details of the policy and click Save.
  - You can use the policy editor to enter ID, effect, settings, and conditions for the policy.
  - You can use the JSON editor to enter the policy statements.
  - To create a Public Read or Public Read/Write policy, click the respective shortcut.
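A policy written in the JSON editor can be checked before it is saved. The following Python sketch is an added example, not part of the product: it enforces the 20 KB limit stated above and reports every Allow statement whose principal is all users, assuming the Amazon S3 policy fields (`Statement`, `Effect`, `Principal`, `Action`, `Condition`); the sample policy, bucket name, and user name are constructed.

```python
import json

MAX_POLICY_BYTES = 20 * 1024           # size limit stated on this page
READ_PREFIXES = ("s3:Get", "s3:List")  # anything else is treated as write-capable

def _as_list(value):
    """Policy fields may hold one value or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _is_public(principal):
    """True for "*" or {"AWS": "*"}, i.e. the statement applies to every caller."""
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return principal == "*"

def lint_bucket_policy(policy_text):
    """Return findings (strings) for one bucket policy document."""
    findings = []
    if len(policy_text.encode("utf-8")) > MAX_POLICY_BYTES:
        findings.append("policy exceeds the 20 KB limit")
    try:
        policy = json.loads(policy_text)
    except json.JSONDecodeError as exc:
        return findings + [f"not valid JSON: {exc.msg}"]
    statements = policy.get("Statement") if isinstance(policy, dict) else None
    for i, stmt in enumerate(_as_list(statements)):
        if not isinstance(stmt, dict) or stmt.get("Effect") != "Allow":
            continue
        if not _is_public(stmt.get("Principal")):
            continue
        sid = stmt.get("Sid", f"#{i}")
        actions = _as_list(stmt.get("Action"))
        write = not actions or any(not str(a).startswith(READ_PREFIXES) for a in actions)
        scope = "conditional" if stmt.get("Condition") else "unconditional"
        findings.append(f"{sid}: {scope} public {'read/write' if write else 'read'} access")
    return findings

# Constructed sample: one public-read statement and one limited to a named user.
SAMPLE = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "UserWrite", "Effect": "Allow", "Principal": {"AWS": ["example-user"]},
     "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::example-bucket/*"},
]})

if __name__ == "__main__":
    print("\n".join(lint_bucket_policy(SAMPLE)))
```

Statements that use `NotPrincipal` or `NotAction` are outside what this check covers and need manual review.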