This section explains how to use the qq s3_bucket_policy_explain_access command. For more information, see Managing Access Policies for an S3 Bucket in a Qumulo Cluster in the Qumulo Administrator Guide.
Examples
To Explain a User Access Policy for an S3 Bucket
Run the s3_bucket_policy_explain_access command and specify the bucket name and the auth ID of the Qumulo user. For example:
qq s3_bucket_policy_explain_access \
--bucket my-bucket \
--auth-id 1234
The following is example output. The command lists the S3 API actions that the specified auth ID is allowed to perform on the specified S3 bucket.
Bucket `my-bucket` access for identity:
{
"auth_id": "1234"
}
Policy statements access evaluation:
==== 1 ====
Effect: Allow
Actions: s3:GetObject, s3:ListBucket
==== 2 ====
Effect: None
==== 3 ====
Effect: Deny
Actions: s3:PutObject
==== 4 ====
Effect: Allow
Actions s3:DeleteBucket
S3 actions granted by RBAC:
s3:DeleteBucket, s3:GetBucketPolicy
S3 actions allowed for bucket:
action source
================== ============
s3:DeleteBucket RBAC, policy
s3:GetBucketPolicy RBAC
s3:GetObject policy
s3:ListBucket policy
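The following Python is an added example, not part of the Qumulo documentation: it parses captured output in the layout shown above and reports every allowed action outside an expected least-privilege set, with its source and the numbers of the Allow statements that list it. The function names and the expected set are hypothetical, and the code assumes the output keeps the line layout of the example on this page.

```python
import re

# Constructed sample: this page's example output, stored as captured text.
SAMPLE_OUTPUT = """\
Bucket `my-bucket` access for identity:
{
"auth_id": "1234"
}
Policy statements access evaluation:
==== 1 ====
Effect: Allow
Actions: s3:GetObject, s3:ListBucket
==== 2 ====
Effect: None
==== 3 ====
Effect: Deny
Actions: s3:PutObject
==== 4 ====
Effect: Allow
Actions s3:DeleteBucket
S3 actions granted by RBAC:
s3:DeleteBucket, s3:GetBucketPolicy
S3 actions allowed for bucket:
action source
================== ============
s3:DeleteBucket RBAC, policy
s3:GetBucketPolicy RBAC
s3:GetObject policy
s3:ListBucket policy
"""

def allowed_actions(output):
    """Parse the final 'allowed for bucket' table into {action: set of sources}."""
    table = output.partition("S3 actions allowed for bucket:")[2]
    rows = re.findall(r"^(s3:\w+)[ \t]+(.+)$", table, re.M)
    return {action: {s.strip() for s in src.split(",")} for action, src in rows}

def granting_statements(output, action):
    """Numbers of the policy statements with effect Allow that list the action."""
    blocks = re.findall(r"==== (\d+) ====\n(.*?)(?=\n====|\nS3 actions granted)",
                        output, re.S)
    return [int(n) for n, body in blocks
            if "Effect: Allow" in body and action in re.findall(r"s3:\w+", body)]

def excess_actions(output, expected):
    """Allowed actions outside `expected`, as {action: (sources, statement numbers)}."""
    return {a: (sorted(src), granting_statements(output, a))
            for a, src in allowed_actions(output).items() if a not in expected}
```

An action reported with source RBAC and no granting statement comes from role assignments, so tightening the bucket policy alone does not remove it.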
Description
Details a user's access as allowed by the bucket policy.
Usage
qq s3_bucket_policy_explain_access [-h] --bucket BUCKET [--auth-id AUTH_ID] [--anonymous] [identifier]
Flags
Flag Name | Required | Description |
---|---|---|
--bucket | Yes | The bucket for which the access policy will be explained. |
--auth-id | No | Auth ID of the Qumulo user |
--anonymous | No | An unauthenticated S3 user |
Positional Options
Option Name | Description |
---|---|
identifier | An auth_id, SID, or name optionally qualified with a domain prefix (e.g. "local:name", "ad:name", "AD\name") or an ID type (e.g. "auth_id:513", "SID:S-1-1-0"). Groups are not supported for access keys; the identity must be a user. |