8. User and policy management

By default, all requests to the cluster are rejected. You need to explicitly enable access to buckets and objects for users. UltiHash implements a subset of AWS's IAM calls to enable user management and allows you to assign policies to buckets and users.

User Authentication

Any access to the UltiHash cluster is authenticated using AWS Signature Version 4. This requires you to set an access key and a secret key for request authentication.

AWS CLI

How you pass these credentials depends on the S3 client you use. The following examples use the AWS CLI, which you can install with the following commands:

# Create a python virtual environment and activate it
$> python3 -m venv venv
$> . venv/bin/activate

# Install the AWS CLI using pip
(venv) $> pip install awscli

You can configure access to the UltiHash cluster in your $HOME/.aws/config file. We will create a profile uh to be used with UltiHash:

[profile uh]
endpoint_url = https://my-uh-cluster.my-company.io
region = my-region

We can now run aws commands using the profile parameters:

$> aws --profile=uh ...

By adding our credentials to $HOME/.aws/credentials we can also authenticate ourselves to the cluster:

[uh]
aws_access_key_id = FANCY-ROOT-KEY
aws_secret_access_key = SECRET

Root User Account

During the first deployment UltiHash creates a root user account in the cluster that can be used for further user management.

The credentials for the root user are stored as a Kubernetes secret. You can retrieve them as follows:

# Obtain access key ID
kubectl get secret <release-name>-super-user-credentials -n <namespace> -o jsonpath="{.data.access-key-id}" | base64 --decode; echo
# Obtain secret key value
kubectl get secret <release-name>-super-user-credentials -n <namespace> -o jsonpath="{.data.secret-key}" | base64 --decode; echo

Replace <release-name> and <namespace> with the Helm chart release name and the Kubernetes namespace, respectively.

To prevent you from locking yourself out of your cluster, requests issued by the root user are not checked against any policy but executed right away. You should not use this account for anything other than cluster administration.

Managing User Accounts

User Creation and Deletion

To create a new user, use IAM calls:

$> aws --profile=uh iam create-user --user-name 'foo'
{
    "User": {
        "Path": "/",
        "UserName": "foo",
        "UserId": "e55d4d45-9848-4778-a5b7-2b148cf3b850",
        "Arn": "arn:uh:iam::da2ce577214c40019c7bfd6397dea8ca:user/foo"
    }
}

You can remove users using the delete-user call:

$> aws --profile=uh iam delete-user --user-name 'foo'

Access Keys

To create a new access key, use create-access-key action:

$> aws --profile=uh iam create-access-key --user-name 'foo'
{
    "AccessKey": {
        "UserName": "foo",
        "AccessKeyId": "atdyycpemrypcgjmynaq",
        "Status": "Active",
        "SecretAccessKey": "edkeqpdhkenuqylgwdxbapvfmvgaweda"
    }
}

To delete the access key:

$> aws --profile=uh iam delete-access-key --access-key-id ACCESS-KEY-ID

Policies

UltiHash implements a subset of the IAM policy framework used in AWS. UltiHash allows assigning policies to buckets and to user accounts.

Policy documents must be written according to the AWS policy grammar (see https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_grammar.html).

User Policies

User policies are policies that are assigned to a user. They are evaluated only for requests issued by that user, and can be used to grant permissions on a per-user basis.

You can assign policies to each user account using IAM actions.

To add a policy to a user account:

# Set a policy allowing global access to any action for user foo
$> aws --profile=uh iam put-user-policy --user-name 'foo' --policy-name 'allow-all' \
    --policy-document '{ "Version": "2012-10-17", "Statement": { "Sid": "AllowAllForAnybody", "Effect": "Allow", "Action": "*", "Principal": "*", "Resource": "*" } }'

To list all policies assigned to a user account:

$> aws --profile=uh iam list-user-policies --user-name foo
{
    "PolicyNames": [
        "allow-all"
    ]
}

To remove a policy from a user account:

$> aws --profile=uh iam delete-user-policy --user-name foo --policy-name allow-all

Bucket Policies

Bucket policies are policies assigned to a bucket. They are evaluated for all actions that target that bucket.

To assign a policy to a bucket:

$> aws --profile=uh s3api put-bucket-policy --bucket test --policy '{ "Version": "2012-10-17", "Statement": { "Sid": "AllowAllForAnybody", "Effect": "Allow", "Action": "*", "Principal": "*", "Resource": "*" } }'

To read policies assigned to a bucket:

$> aws --profile=uh s3api get-bucket-policy --bucket test
{
    "Policy": "{ \"Version\": \"2012-10-17\", \"Statement\": { \"Sid\": \"AllowAllForAnybody\", \"Effect\": \"Allow\", \"Action\": \"*\", \"Principal\": \"*\", \"Resource\": \"*\" } }"
}

To delete a policy from a bucket:

$> aws --profile=uh s3api delete-bucket-policy --bucket test

Differences to IAM policy framework

Conditions

UltiHash supports only the following condition operators:

  • StringEquals

  • StringNotEquals

  • StringEqualsIgnoreCase

  • StringNotEqualsIgnoreCase

  • StringLike

  • StringNotLike

  • NumericEquals

  • NumericNotEquals

  • NumericLessThan

  • NumericLessThanEquals

  • NumericGreaterThan

  • NumericGreaterThanEquals

Compare this with the full list of AWS IAM condition operators: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html

Variables

UltiHash does not currently support policy variables (such as request variables of the form ${aws:username}). A policy that references one will not be evaluated the way it would be in AWS IAM.
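As an added example, not UltiHash's own tooling, the following Python lint checks a policy document against the two restrictions described under Conditions and Variables above (supported condition operators only, no policy variables) before it is handed to put-user-policy or put-bucket-policy. The resource ARNs and the s3:prefix condition key in the constructed sample policies are assumptions borrowed from AWS; this page does not document UltiHash's own S3 resource ARN format.

```python
import json
import re

# Condition operators this page lists as supported by UltiHash.
SUPPORTED_OPERATORS = {
    "StringEquals", "StringNotEquals", "StringEqualsIgnoreCase",
    "StringNotEqualsIgnoreCase", "StringLike", "StringNotLike",
    "NumericEquals", "NumericNotEquals", "NumericLessThan",
    "NumericLessThanEquals", "NumericGreaterThan", "NumericGreaterThanEquals",
}
# Policy variables such as ${aws:username}; UltiHash does not support them.
VARIABLE_RE = re.compile(r"\$\{[^}]*\}")


def lint_policy(document: str) -> list:
    """Return the problems found in a policy JSON string (empty list = usable)."""
    problems = []
    statements = json.loads(document).get("Statement", [])
    if isinstance(statements, dict):  # the grammar allows a single statement object
        statements = [statements]
    for index, stmt in enumerate(statements):
        sid = stmt.get("Sid", f"statement {index}")
        for operator in stmt.get("Condition", {}):
            if operator not in SUPPORTED_OPERATORS:
                problems.append(f"{sid}: unsupported condition operator {operator}")
        for var in VARIABLE_RE.findall(json.dumps(stmt)):
            problems.append(f"{sid}: policy variable {var} is not supported")
    return problems


# Constructed sample: read-only access to one prefix of bucket "test", scoped
# with a supported operator instead of the allow-all document. ARN format and
# the s3:prefix key are assumed from AWS, not taken from UltiHash's docs.
READ_ONLY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "ReadLogsPrefix", "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::test", "arn:aws:s3:::test/logs/*"],
    "Condition": {"StringLike": {"s3:prefix": ["logs/*"]}},
}]})

# Constructed sample UltiHash would not evaluate as intended: it uses an
# IpAddress condition and a ${aws:username} variable, both unsupported here.
UNSUPPORTED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": {
    "Sid": "HomeDir", "Effect": "Allow", "Action": "s3:*",
    "Resource": "arn:aws:s3:::test/home/${aws:username}/*",
    "Condition": {"IpAddress": {"aws:SourceIp": "10.0.0.0/8"}},
}})
```

Run the lint over a policy before applying it; an unsupported operator or variable means the policy will silently grant or deny differently from what the same document does in AWS.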
