This section explains how to use the qq s3_bucket_policy_explain_access command.

For more information, see Managing Access Policies for an S3 Bucket in a Qumulo Cluster in the Qumulo Administrator Guide.

Examples

To Explain a User Access Policy for an S3 Bucket

Run the s3_bucket_policy_explain_access command and specify the bucket name and the auth ID of the Qumulo user. For example:

qq s3_bucket_policy_explain_access \
  --bucket my-bucket \
  --auth-id 1234

The following is example output. The command lists the S3 API permissions that the specified auth ID can perform on the specified S3 bucket.

Bucket `my-bucket` access for identity:
{
    "auth_id": "1234"
}

Policy statements access evaluation:
==== 1 ====
Effect: Allow
Actions: s3:GetObject, s3:ListBucket
==== 2 ====
Effect: None
==== 3 ====
Effect: Deny
Actions: s3:PutObject
==== 4 ====
Effect: Allow
Actions: s3:DeleteBucket

S3 actions granted by RBAC:
s3:DeleteBucket, s3:GetBucketPolicy

S3 actions allowed for bucket:
action              source
==================  ============
s3:DeleteBucket     RBAC, policy
s3:GetBucketPolicy  RBAC
s3:GetObject        policy
s3:ListBucket       policy
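As an added example (not part of the Qumulo documentation or of the qq tool itself), the following Python helper parses the "S3 actions allowed for bucket" table from this command's output and reports which of a set of watched actions the identity can perform, and through which source (RBAC, policy, or both). The abbreviated sample output and the watched-action list are constructed assumptions for the example.

```python
import re

# Constructed sample: the tail of `qq s3_bucket_policy_explain_access` output, in the
# section and column layout shown above (abbreviated; not captured from a real cluster).
SAMPLE_OUTPUT = """\
Policy statements access evaluation:
==== 1 ====
Effect: Allow
Actions: s3:GetObject, s3:ListBucket
==== 2 ====
Effect: Deny
Actions: s3:PutObject

S3 actions granted by RBAC:
s3:DeleteBucket, s3:GetBucketPolicy

S3 actions allowed for bucket:
action              source
==================  ============
s3:DeleteBucket     RBAC, policy
s3:GetBucketPolicy  RBAC
s3:GetObject        policy
s3:ListBucket       policy
"""

# Actions worth a second look in an access review (assumed watch list, not from the page).
WATCHED_ACTIONS = {"s3:DeleteBucket", "s3:PutObject", "s3:DeleteObject", "s3:PutBucketPolicy"}

def parse_allowed_actions(output):
    """Return {action: set(sources)} from the 'S3 actions allowed for bucket' table."""
    allowed, in_table = {}, False
    for raw in output.splitlines():
        line = raw.strip()  # the real command pads every line with trailing spaces
        if line == "S3 actions allowed for bucket:":
            in_table = True
            continue
        if not in_table or line.startswith(("action", "=")):
            continue  # skip text before the table, its column header, and the ==== rule
        m = re.match(r"(s3:\S+)\s+(.+)", line)
        if not m:
            break  # a blank line or unrelated text ends the table
        allowed[m.group(1)] = {s.strip() for s in m.group(2).split(",")}
    return allowed

def watched_grants(allowed, watch=WATCHED_ACTIONS):
    """Return the watched actions this identity can perform, with the source of each grant."""
    return {a: sorted(src) for a, src in allowed.items() if a in watch}

if __name__ == "__main__":
    print(watched_grants(parse_allowed_actions(SAMPLE_OUTPUT)))
```

Running the command once per auth ID and feeding its output through these two functions gives a per-identity list of destructive grants and whether each comes from the bucket policy, from RBAC, or from both, which is what an access review of the bucket needs to know.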

Description

Details a user's access as allowed by the bucket policy.

Usage

qq s3_bucket_policy_explain_access [-h] --bucket BUCKET [--auth-id AUTH_ID] [--anonymous] [identifier]

Flags

Flag Name    Required  Description
--bucket     Yes       The bucket for which the access policy will be explained.
--auth-id    No        The auth ID of the Qumulo user.
--anonymous  No        An unauthenticated S3 user.

Positional Options

Option Name  Description
identifier   An auth_id, SID, or name, optionally qualified with a domain prefix (e.g. "local:name", "ad:name", "AD\name") or an ID type (e.g. "auth_id:513", "SID:S-1-1-0"). Groups are not supported for access keys; the identifier must be a user.