User and policy management
By default, all requests to the cluster are rejected. You need to explicitly enable access to buckets and objects for users. UltiHash implements a subset of AWS's IAM calls to enable user management and allows you to assign policies to buckets and users.
User Authentication
Any access to an UltiHash cluster is authenticated using AWS Signature Version 4 (SigV4). Every request must therefore be signed with an access key ID and a secret access key.
AWS CLI
Depending on the S3 client, the way you pass these credentials may vary. The following examples use the AWS CLI, which you can install with the following commands:
# Create a Python virtual environment and activate it
$> python3 -m venv venv
$> . venv/bin/activate
# Install the AWS CLI using pip
(venv) $> pip install awscli
You can configure access to the UltiHash cluster in your $HOME/.aws/config file. We will create a profile named uh to be used with UltiHash:
[profile uh]
endpoint_url = https://my-uh-cluster.my-company.io
region = my-region
We can now run aws commands using the profile's parameters:
$> aws --profile=uh ...
By adding our credentials to $HOME/.aws/credentials (under a section with the same name as the profile) we can also authenticate ourselves to the cluster:
[uh]
aws_access_key_id = FANCY-ROOT-KEY
aws_secret_access_key = SECRET
Keep this file readable only by your own user (chmod 600), and prefer a key of a dedicated user over the root key for day-to-day work.
Root User Account
During the first deployment UltiHash creates a root user account in the cluster, which you use to bootstrap further user management.
The credentials for the root user are stored in a Kubernetes secret. You can retrieve them as follows:
# Obtain access key ID
kubectl get secret <release-name>-super-user-credentials -n <namespace> -o jsonpath="{.data.access-key-id}" | base64 --decode; echo
# Obtain secret key value
kubectl get secret <release-name>-super-user-credentials -n <namespace> -o jsonpath="{.data.secret-key}" | base64 --decode; echo
Replace <release-name> and <namespace> with the Helm chart release name and the Kubernetes namespace, respectively.
To prevent you from locking yourself out of your cluster, requests issued by the root user are not checked against any policy; they are executed right away. Do not use this account for anything other than cluster administration (creating users, access keys and policies). Create a dedicated user with a scoped policy for every workload.
Managing User Accounts
User Creation and Deletion
To create a new user, use the IAM create-user call:
$> aws --profile=uh iam create-user --user-name 'foo'
{
"User": {
"Path": "/",
"UserName": "foo",
"UserId": "e55d4d45-9848-4778-a5b7-2b148cf3b850",
"Arn": "arn:uh:iam::da2ce577214c40019c7bfd6397dea8ca:user/foo"
}
}
You can remove users using the delete-user call:
$> aws --profile=uh iam delete-user --user-name 'foo'
Access Keys
To create a new access key, use the create-access-key action:
$> aws --profile=uh iam create-access-key --user-name 'foo'
{
"AccessKey": {
"UserName": "foo",
"AccessKeyId": "atdyycpemrypcgjmynaq",
"Status": "Active",
"SecretAccessKey": "edkeqpdhkenuqylgwdxbapvfmvgaweda"
}
}
To delete (revoke) an access key:
$> aws --profile=uh iam delete-access-key --access-key-id ACCESS-KEY-ID
Policies
UltiHash implements a subset of the IAM policy framework used in AWS, and allows assigning policies to buckets and to user accounts.
Policy documents must be written according to the AWS policy grammar (see https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_grammar.html). The differences from AWS are listed at the end of this page.
User Policies
User policies are policies attached to a user. They are evaluated only for requests issued by that user, so they can be used to grant permissions on a per-user basis.
You can manage the policies of each user account using IAM actions.
To attach a policy to a user account:
# Attach a policy allowing every action on every resource to user foo
# (this is equivalent to full administrative access; restrict Action and Resource in practice)
$> aws --profile=uh iam put-user-policy --user-name 'foo' --policy-name 'allow-all' \
--policy-document '{ "Version": "2012-10-17", "Statement": { "Sid": "AllowAllForAnybody", "Effect": "Allow", "Action": "*", "Principal": "*", "Resource": "*" } }'
To list all policies attached to a user account:
$> aws --profile=uh iam list-user-policies --user-name foo
{
"PolicyNames": [
"allow-all"
]
}
To remove a policy from a user account:
$> aws --profile=uh iam delete-user-policy --user-name foo --policy-name allow-all
Bucket Policies
Bucket policies are policies attached to a bucket. They are evaluated for all requests that target that bucket, regardless of which user issued them.
To attach a policy to a bucket (the example below grants every action to every principal and is only suitable for a test bucket; restrict Principal, Action and Resource for anything else):
$> aws --profile=uh s3api put-bucket-policy --bucket test --policy '{ "Version": "2012-10-17", "Statement": { "Sid": "AllowAllForAnybody", "Effect": "Allow", "Action": "*", "Principal": "*", "Resource": "*" } }'
To read the policy attached to a bucket:
$> aws --profile=uh s3api get-bucket-policy --bucket test
{
"Policy": "{ \"Version\": \"2012-10-17\", \"Statement\": { \"Sid\": \"AllowAllForAnybody\", \"Effect\": \"Allow\", \"Action\": \"*\", \"Principal\": \"*\", \"Resource\": \"*\" } }"
}
To delete a policy from a bucket:
$> aws --profile=uh s3api delete-bucket-policy --bucket test
Differences to IAM policy framework
Conditions
UltiHash supports only the following condition operators:
StringEquals
StringNotEquals
StringEqualsIgnoreCase
StringNotEqualsIgnoreCase
StringLike
StringNotLike
NumericEquals
NumericNotEquals
NumericLessThan
NumericLessThanEquals
NumericGreaterThan
NumericGreaterThanEquals
Compare with the full list of AWS IAM condition operators: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html
Variables
UltiHash does not currently support policy variables that reference request attributes.
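The following script is an added example, not UltiHash code: it models the policy subset described in the Policies and Differences sections above, so that a policy document can be checked offline before it is applied with put-user-policy or put-bucket-policy. It builds a least-privilege replacement for the allow-all policy used in the examples, evaluates sample requests against it using only the listed condition operators, and flags unsupported operators and ${...} variables. Default-deny with an explicit Deny overriding Allow, the arn:aws:s3::: resource prefix and the condition keys s3:prefix and s3:max-keys are assumptions taken from AWS IAM; the page does not state them for UltiHash.

```python
"""Offline model of the IAM policy subset described on this page (added example)."""
import json
import re

# Exactly the operator list from the page; anything else is rejected.
SUPPORTED_OPERATORS = {
    "StringEquals", "StringNotEquals",
    "StringEqualsIgnoreCase", "StringNotEqualsIgnoreCase",
    "StringLike", "StringNotLike",
    "NumericEquals", "NumericNotEquals",
    "NumericLessThan", "NumericLessThanEquals",
    "NumericGreaterThan", "NumericGreaterThanEquals",
}

# Constructed policy: least-privilege replacement for the page's allow-all document.
# User foo may list and read the reports/ prefix of bucket test, nothing else.
# ARN prefix and the s3:prefix / s3:max-keys condition keys are assumed (AWS semantics).
READ_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ListReports",
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::test",
            "Condition": {
                "StringLike": {"s3:prefix": ["reports/*", ""]},
                "NumericLessThanEquals": {"s3:max-keys": "100"},
            },
        },
        {
            "Sid": "GetReports",
            "Effect": "Allow",
            "Action": ["s3:GetObject"],
            "Resource": "arn:aws:s3:::test/reports/*",
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob(pattern, value):
    """IAM-style wildcard match: '*' spans anything, '?' matches one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def _condition_holds(operator, expected, actual):
    if operator not in SUPPORTED_OPERATORS:
        raise ValueError(f"unsupported condition operator: {operator}")
    if actual is None:  # key absent from the request: the condition fails
        return False
    if operator.startswith("Numeric"):
        a, e = float(actual), float(expected)
        return {
            "NumericEquals": a == e, "NumericNotEquals": a != e,
            "NumericLessThan": a < e, "NumericLessThanEquals": a <= e,
            "NumericGreaterThan": a > e, "NumericGreaterThanEquals": a >= e,
        }[operator]
    a, e = str(actual), str(expected)
    if operator.endswith("IgnoreCase"):
        a, e = a.lower(), e.lower()
    hit = _glob(e, a) if "Like" in operator else a == e
    return not hit if "Not" in operator else hit


def _conditions_hold(condition, context):
    """Operators and keys are ANDed; several values for one key are ORed
    (all must hold for the negated operators), as in AWS IAM (assumed)."""
    for operator, pairs in condition.items():
        for key, values in pairs.items():
            results = [_condition_holds(operator, v, context.get(key)) for v in _as_list(values)]
            if not (all(results) if "Not" in operator else any(results)):
                return False
    return True


def is_allowed(policy, action, resource, context=None):
    """Default deny: True only if a statement allows the request and none denies it."""
    context = context or {}
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        if not any(_glob(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_glob(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if not _conditions_hold(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def lint_policy(policy):
    """List constructs the page marks unsupported: unknown operators, ${...} variables."""
    problems = []
    if "${" in json.dumps(policy):
        problems.append("policy variables (${...}) are not supported")
    for stmt in _as_list(policy["Statement"]):
        for operator in stmt.get("Condition", {}):
            if operator not in SUPPORTED_OPERATORS:
                problems.append(f"unsupported condition operator: {operator}")
    return problems


if __name__ == "__main__":
    print("lint:", lint_policy(READ_ONLY_POLICY))
    print(is_allowed(READ_ONLY_POLICY, "s3:GetObject", "arn:aws:s3:::test/reports/q1.csv"))
    print(is_allowed(READ_ONLY_POLICY, "s3:GetObject", "arn:aws:s3:::test/secret.txt"))
```

Run lint_policy on a document before handing it to put-user-policy; a policy that relies on IpAddress, Bool, Date or ArnLike conditions, or on ${aws:username}, cannot be expressed on UltiHash and should be restructured (for example, one user and one policy per tenant instead of a variable-based prefix).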