OneFS implements both the bucket ACL and object ACL to control user access. Every bucket and object has an associated ACL. The ACL defines which OneFS users or groups are granted access and the type of access.
The following list includes the set of permissions that OneFS S3 supports in a bucket ACL. The bucket owner always has FULL_CONTROL on the bucket.
OneFS always enforces permissions based on the OneFS ACL; the S3 object ACL is a representation only. An S3 object ACL can express only ALLOW entries, whereas a OneFS ACL can also contain DENY entries, so when an object ACL is viewed through S3, only a subset of the actual OneFS ACL may be shown.
To reconcile the S3 object ACL with the OneFS ACL, OneFS provides a per-bucket object ACL policy setting (shown below), together with the permission mapping in Table 4:
Use the following command to modify object ACL policy on a bucket:
# isi s3 buckets modify <bucket> --object-acl-policy=<replace/deny> --zone=<name>
Table 4 maps each object ACL permission to the corresponding OneFS ACL permissions. See the white paper Access Control Lists on Dell EMC PowerScale OneFS on Dell.com/StorageResources for more details about OneFS ACL permissions.
Table 4. Object ACL permission mapping

| Object ACL permission | OneFS ACL permission |
|---|---|
| READ | file_read, file_read_attr, file_read_ext_attr, std_synchronize |
| WRITE | file_write, append, file_write_attr, file_write_ext_attr, std_synchronize |
| READ_ACP | std_read_dac |
| WRITE_ACP | std_write_dac |
| FULL_CONTROL | file_gen_all (this permission includes execute, std_write_owner, and all of the above permissions) |
S3 has a set of predefined ACLs, known as canned ACLs. Each canned ACL has predefined grantees and permissions. Table 5 lists the canned ACLs supported by OneFS, and the associated predefined grants.
Table 5. Canned ACLs supported by OneFS

| Canned ACL | Applies to | Grantees and permissions added to ACL |
|---|---|---|
| private | Bucket and object | Owner gets FULL_CONTROL. No one else has access rights (default). |
| public-read | Bucket and object | Owner gets FULL_CONTROL. The AllUsers group gets READ access. |
| public-read-write | Bucket and object | Owner gets FULL_CONTROL. The AllUsers group gets READ and WRITE access. We do not recommend granting this on a bucket. |
| authenticated-read | Bucket and object | Owner gets FULL_CONTROL. The AuthenticatedUsers group gets READ access. |
| bucket-owner-read | Object | Object owner gets FULL_CONTROL. Bucket owner gets READ access. |
| bucket-owner-full-control | Object | Both the object owner and the bucket owner get FULL_CONTROL over the object. |
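The following is an added example, not OneFS code or a Dell tool: it encodes Table 4 (S3-to-OneFS permission mapping) and Table 5 (canned ACL grants) so that a canned ACL can be expanded into explicit grants, the OneFS permissions implied for a grantee can be listed, and anonymous (AllUsers) write access can be flagged during a review. Principal names such as "alice" and the `$owner`/`$bucket_owner` placeholders are constructed for the example.

```python
# Added example (not OneFS code): Tables 4 and 5 from the page, used to expand
# canned ACLs and flag anonymous write grants. Principals are constructed.

# Table 4: S3 object ACL permission -> OneFS ACL permissions
S3_TO_ONEFS = {
    "READ": {"file_read", "file_read_attr", "file_read_ext_attr", "std_synchronize"},
    "WRITE": {"file_write", "append", "file_write_attr", "file_write_ext_attr",
              "std_synchronize"},
    "READ_ACP": {"std_read_dac"},
    "WRITE_ACP": {"std_write_dac"},
}
# FULL_CONTROL is file_gen_all: execute, std_write_owner and everything above.
S3_TO_ONEFS["FULL_CONTROL"] = set().union(*S3_TO_ONEFS.values()) | {
    "execute", "std_write_owner"}

# Table 5: canned ACL -> (resources it applies to, grants). "$owner" and
# "$bucket_owner" are placeholders substituted when the ACL is expanded.
CANNED = {
    "private": ({"bucket", "object"}, [("$owner", "FULL_CONTROL")]),
    "public-read": ({"bucket", "object"},
                    [("$owner", "FULL_CONTROL"), ("AllUsers", "READ")]),
    "public-read-write": ({"bucket", "object"},
                          [("$owner", "FULL_CONTROL"), ("AllUsers", "READ"),
                           ("AllUsers", "WRITE")]),
    "authenticated-read": ({"bucket", "object"},
                           [("$owner", "FULL_CONTROL"), ("AuthenticatedUsers", "READ")]),
    "bucket-owner-read": ({"object"},
                          [("$owner", "FULL_CONTROL"), ("$bucket_owner", "READ")]),
    "bucket-owner-full-control": ({"object"},
                                  [("$owner", "FULL_CONTROL"), ("$bucket_owner", "FULL_CONTROL")]),
}

def expand_canned_acl(canned, resource, owner, bucket_owner=None):
    """Return the explicit (grantee, permission) grants a canned ACL produces."""
    applies_to, grants = CANNED[canned]
    if resource not in applies_to:  # e.g. bucket-owner-read is object-only
        raise ValueError(f"{canned} does not apply to a {resource}")
    subst = {"$owner": owner, "$bucket_owner": bucket_owner or owner}
    return [(subst.get(g, g), p) for g, p in grants]

def onefs_permissions(grants, grantee):
    """Union of OneFS ACL permissions implied for one grantee (Table 4)."""
    return set().union(*(S3_TO_ONEFS[p] for g, p in grants if g == grantee))

def audit(canned, resource, owner, bucket_owner=None):
    """Return (anonymous_write, OneFS perms granted to AllUsers)."""
    grants = expand_canned_acl(canned, resource, owner, bucket_owner)
    anon = onefs_permissions(grants, "AllUsers")
    return ("file_write" in anon, anon)
```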