Create a write-only directory for Triton Object Storage (Manta) using RBAC

Travis Paul

Creating a write-only directory is useful for logs, backups, user uploads, or any situation where it is not desirable for the client to read files it has uploaded or any other files within the upload directory.

To begin, create a policy and role for a subuser using the smartdc CLI utilities. As an example, I have used "WriteOnly" as the policy name and "LogWriter" as the role:

$ sdc-policy create --name WriteOnly --rules "can putobject"
$ sdc-role create --name LogWriter --default-members mysubuser --members mysubuser --policies WriteOnly

Create a directory using the Manta CLI utilities, and add the "LogWriter" role to the directory:

$ mmkdir -p ~~/stor/logs
$ mchmod +LogWriter ~~/stor/logs

As an example, create a log file named with a random UUID:

$ echo $(date) > $(uuidgen -r).log
$ cat 55f70bb3-ffb2-62e4-ed85-bb022a6e7634.log
November 14, 2016 11:58:50 PM UTC

Now, the subuser can't GET the directory or list its contents:

$ mls ~~/stor/logs
mls: AuthorizationFailedError: username/mysubuser is not allowed to access /username/stor/logs

$ mget ~~/stor/logs
mget: AuthorizationFailedError: username/mysubuser is not allowed to access /username/stor/logs

mput also can't write the file when given only the directory path, because the subuser is not allowed to learn whether ~~/stor/logs is a directory or an object on the server:

$ mput -f 55f70bb3-ffb2-62e4-ed85-bb022a6e7634.log ~~/stor/logs
mput: ForbiddenError

$ mput -f 55f70bb3-ffb2-62e4-ed85-bb022a6e7634.log ~~/stor/logs/
mput: ForbiddenError

If you specify the full object path to PUT to, the upload succeeds, because the server doesn't need to reveal any information about the parent directories:

$ mput -f 55f70bb3-ffb2-62e4-ed85-bb022a6e7634.log ~~/stor/logs/55f70bb3-ffb2-62e4-ed85-bb022a6e7634.log
.../55f70bb3-ffb2-62e4-ed85-bb022a6e7634.log [===============================================================================================>] 100%      34B

And, as expected, you won't be able to read the file back:

$ mget ~~/stor/logs/55f70bb3-ffb2-62e4-ed85-bb022a6e7634.log
mget: AuthorizationFailedError: username/mysubuser is not allowed to access /username/stor/logs/55f70bb3-ffb2-62e4-ed85-bb022a6e7634.log
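As an added example (not from the original article), the following POSIX shell helpers package the rule above for a log-shipping client running as the subuser: always PUT to an explicit object path, never to the directory, and pick a UUID-based name because a writer that cannot list the directory cannot check for collisions. It assumes mput is on PATH and the Manta environment variables are set for the subuser; the function names are my own.

```shell
#!/bin/sh
# Added example: upload into a write-only Manta directory as the subuser.
# Assumes the Manta CLI (mput) is installed and MANTA_URL / MANTA_USER /
# MANTA_SUBUSER / MANTA_KEY_ID point at the LogWriter subuser.

# Build the full object path the subuser must PUT to. With only
# "can putobject", a PUT to the directory itself (with or without a
# trailing "/") fails with ForbiddenError, so the object is named explicitly.
writeonly_target() {
  wo_dir="${1%/}"                 # drop a trailing slash if present
  wo_name=$(basename "$2")
  printf '%s/%s\n' "$wo_dir" "$wo_name"
}

# UUID-based object name: the writer cannot list ~~/stor/logs, so it
# cannot detect name collisions; a random name avoids overwriting.
unique_name() {
  un_id=$(uuidgen 2>/dev/null || cat /proc/sys/kernel/random/uuid)
  printf '%s.%s\n' "$un_id" "$1"
}

# Copy the file to a UUID-named sibling, PUT it to the explicit path,
# clean up, and print the remote path that was written.
upload_writeonly() {
  up_dir="$1"
  up_file="$2"
  case "$up_file" in
    *.*) up_ext="${up_file##*.}" ;;
    *)   up_ext="log" ;;
  esac
  up_tmp="$(dirname "$up_file")/$(unique_name "$up_ext")"
  cp "$up_file" "$up_tmp"
  up_target=$(writeonly_target "$up_dir" "$up_tmp")
  mput -f "$up_tmp" "$up_target"
  rm -f "$up_tmp"
  printf '%s\n' "$up_target"
}
```

Usage: `upload_writeonly '~~/stor/logs' /var/log/app.log`.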