Global Bucket Access Control Lists

We discussed BlackPearl bucket-level Access Control Lists (ACLs) in a past blog post. Bucket-level ACLs define the permissions on individual buckets. Global Bucket ACLs are also part of BlackPearl’s ACL framework and define what actions a user or group can take on all buckets stored on the BlackPearl. The Global Bucket ACL is independent of the bucket-level ACLs and bucket owner.

The following Global Bucket ACL permissions can be granted to users and groups:

  • List -- The user can see all buckets and can list the objects in all buckets.
  • Read -- The user can get objects and create GET jobs in all buckets.
  • Write -- The user can put objects and create PUT jobs in all buckets.
  • Delete -- The user can delete objects in all buckets, but cannot delete buckets.
  • Job -- The user can modify or cancel jobs in all buckets created by other users. The user can also see the details of jobs created by other users. Note that all users can view all jobs, but by default, only the initiator of the job can see the full details of a job.
  • Owner -- The user receives full access to all buckets, including all permissions listed above.

How to Use Global Bucket ACLs

Allowing certain users to access all the buckets on a BlackPearl system might be a key administration requirement at some BlackPearl sites.

In the example below the user has been granted global “List” rights. This means that when this user logs in, they can not only list every bucket on the system but also list the contents of every bucket.

[Image: 2016GlobalACLBlogPost-1]

The Java Command Line Interface (CLI) is a simple BlackPearl client that can be used to view these settings in action. The Java CLI get_service command lists all buckets on the BlackPearl to which the user has access. Because the user account used by the Java CLI has global “List” rights, every bucket on the BlackPearl is displayed, as shown below.

[Image: 2016GlobalACLBlogPost-2]

The “List” rights also allow the user to get a list of objects in a bucket, in this case the “Jom” bucket. The results are shown below.

[Image: 2016GlobalACLBlogPost-3]

The user does not have rights to retrieve (GET) objects from any bucket. As the image below shows, if the user attempts to get a file, they receive an error.

[Image: 2016GlobalACLBlogPost-4]

We could give the user the ability to retrieve (GET) objects from the BlackPearl by checking the “Read” permission box, as shown in the image below.

[Image: 2016GlobalACLBlogPost-5]

When to Use Global Bucket ACLs

The main reason to use Global Bucket ACLs is ease of administration. Global Bucket ACLs allow a user or set of users to administer all the buckets without logging in with the primary administrator “Spectra” user account. One way to do that is to set up a group of users and apply the Global Bucket ACLs to that group. That way there is no need to edit individual user accounts to change access levels; you simply add or remove users from the group. You can see an example below in the group settings dialog.

[Image: 2016GlobalACLBlogPost-6]

By using Global Bucket ACLs, users are granted access not only to existing buckets but also to buckets that will be created in the future. This may save the administrator the time of having to grant access to individual buckets as they are created.
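The following is an added illustration, written for this post rather than taken from BlackPearl or its Java CLI, of how the permission list above, the “List”-then-“Read” walk-through, and the group-based approach fit together. It models a Global Bucket ACL that applies to every bucket (including ones created later) alongside per-bucket ACLs, and decides whether an action is allowed. The user and group names (alice, bob, carol, bucket-admins) and the “Other” and “bucket-created-later” buckets are constructed; the rule that global and bucket-level grants combine as a union, and that only Owner permits deleting a bucket, are assumptions of this model, not statements from the post.

```python
"""Toy authorization model for BlackPearl-style Global Bucket ACLs.

Added example for this post; not BlackPearl's own code and not its API.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Permission names exactly as the post lists them.
LIST, READ, WRITE, DELETE, JOB, OWNER = "List", "Read", "Write", "Delete", "Job", "Owner"

# Each action maps to the single permission that grants it. Owner implies every
# other permission and is expanded in effective_permissions(). Delete covers
# objects only (per the post), so delete_bucket is mapped to Owner; that mapping
# is an assumption of this model.
ACTION_PERMISSION = {
    "list_buckets": LIST,
    "list_objects": LIST,
    "get_object": READ,
    "create_get_job": READ,
    "put_object": WRITE,
    "create_put_job": WRITE,
    "delete_object": DELETE,
    "modify_other_users_job": JOB,
    "delete_bucket": OWNER,  # assumption: nothing short of Owner deletes a bucket
}


@dataclass
class User:
    name: str
    groups: set[str] = field(default_factory=set)


@dataclass
class AclStore:
    # principal (user or group name) -> permissions that apply to ALL buckets
    global_acl: dict[str, set[str]] = field(default_factory=dict)
    # bucket name -> principal -> permissions on that bucket only
    bucket_acls: dict[str, dict[str, set[str]]] = field(default_factory=dict)

    def grant_global(self, principal: str, *perms: str) -> None:
        self.global_acl.setdefault(principal, set()).update(perms)

    def grant_bucket(self, bucket: str, principal: str, *perms: str) -> None:
        self.bucket_acls.setdefault(bucket, {}).setdefault(principal, set()).update(perms)

    def effective_permissions(self, user: User, bucket: str | None = None) -> set[str]:
        """Union of global grants (direct and via groups) and, when a bucket is
        named, that bucket's grants. Union semantics are this model's assumption."""
        perms: set[str] = set()
        for principal in {user.name, *user.groups}:
            perms |= self.global_acl.get(principal, set())
            if bucket is not None:
                perms |= self.bucket_acls.get(bucket, {}).get(principal, set())
        if OWNER in perms:
            perms |= {LIST, READ, WRITE, DELETE, JOB}
        return perms

    def is_allowed(self, user: User, action: str, bucket: str | None = None) -> bool:
        return ACTION_PERMISSION[action] in self.effective_permissions(user, bucket)


def walkthrough() -> tuple[dict[str, bool], bool]:
    """Replays the post's screenshots: global List only, then Read added."""
    store = AclStore()
    alice = User("alice")  # constructed user
    store.grant_global("alice", LIST)
    before = {
        "list_buckets": store.is_allowed(alice, "list_buckets"),
        "list_objects": store.is_allowed(alice, "list_objects", "Jom"),
        "get_object": store.is_allowed(alice, "get_object", "Jom"),
    }
    store.grant_global("alice", READ)  # ticking the "Read" box
    return before, store.is_allowed(alice, "get_object", "Jom")


def group_admins() -> dict[str, bool]:
    """Global Owner on a group versus a bucket-level Delete grant on one bucket."""
    store = AclStore()
    store.grant_global("bucket-admins", OWNER)  # constructed group
    bob = User("bob", {"bucket-admins"})
    carol = User("carol")
    store.grant_bucket("Jom", "carol", DELETE)
    results = {
        # Group membership reaches a bucket nobody granted bob access to explicitly.
        "bob_delete_bucket_new": store.is_allowed(bob, "delete_bucket", "bucket-created-later"),
        "carol_delete_object_jom": store.is_allowed(carol, "delete_object", "Jom"),
        "carol_delete_object_other": store.is_allowed(carol, "delete_object", "Other"),
        "carol_delete_bucket_jom": store.is_allowed(carol, "delete_bucket", "Jom"),
    }
    bob.groups.discard("bucket-admins")  # removal from the group revokes everything
    results["bob_after_removal"] = store.is_allowed(bob, "list_buckets")
    return results


if __name__ == "__main__":
    print(walkthrough())
    print(group_admins())
```

The group scenario is the point a reviewer of such a setup cares about: a principal holding a global grant reaches buckets whose owners never granted it anything, including buckets that do not exist yet, so membership of a group like this deserves the same review as the primary administrator account.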
