Multiple-Tiered Authorization Example

The example shows a multi-tiered configuration where a bucket policy and MapR ACEs are both used for authorization.

Tenant A creates bucket B1. The system applies the default bucket policy to the bucket: read, write and execute permission for the owner only, and no access for any other tenant. These are the UNIX mode bits 0700.

Tenant A calls the bucket policy REST API, which results in the following policy on bucket B1:
{
  "Version": "2012-10-17",
  "Id": "ExamplePolicy01",
  "Statement": [
    {
      "Sid": "ExampleStatement01",
      "Effect": "Allow",
      "Principal": {
        "AWS": "B"
      },
      "Action": [
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::B1/*"
      ]
    }
  ]
}

The MapR Object Store processes this policy and grants access to tenant B by translating it into MapR Access Control Expressions (ACEs): the ACE -readdir "u:B | u:A" is applied to the bucket directory, and the ACE -readfile "u:B | u:A" is applied to all existing files in the bucket. The 0700 mode bits on their own grant nothing to tenants other than the owner, but because authorization runs in mixed mode (bucket policy together with ACEs), tenant B has access.
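The translation described above, as an added illustration that is not MapR's own code: a small model that reads the bucket policy, derives the -readdir and -readfile ACE expressions for the bucket directory and its files, and then evaluates a tenant's access in mixed mode (owner admitted by the 0700 mode bits, everyone else by the ACEs). The names ACTION_TO_ACE, policy_to_aces, ace_allows and tenant_access are this example's own, and the mapping of s3:GetObject to readdir plus readfile is taken from the text; any other action-to-ACE mapping, and the treatment of Deny statements, are assumptions noted in the code.

```python
import json

# Constructed sample input: the bucket policy from the text above, as valid JSON.
POLICY_JSON = """
{
  "Version": "2012-10-17",
  "Id": "ExamplePolicy01",
  "Statement": [
    {
      "Sid": "ExampleStatement01",
      "Effect": "Allow",
      "Principal": {"AWS": "B"},
      "Action": ["s3:GetObject"],
      "Resource": ["arn:aws:s3:::B1/*"]
    }
  ]
}
"""

# Assumption: only the mapping the text documents is modelled. An allowed
# s3:GetObject becomes -readdir on the bucket directory and -readfile on the
# bucket's files; every other S3 action is left untranslated here.
ACTION_TO_ACE = {
    "s3:GetObject": {"dir": "readdir", "file": "readfile"},
}


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def policy_to_aces(policy_text, bucket, owner):
    """Derive MapR ACE expressions from an S3-style bucket policy.

    Returns {"dir": {ace: expr}, "file": {ace: expr}}, where each expr is a
    MapR ACE such as "u:B | u:A". The owner is always appended, so the
    translation never locks the bucket owner out of its own bucket.
    """
    policy = json.loads(policy_text)
    grants = {"dir": {}, "file": {}}  # target -> ace name -> principals (ordered)
    object_prefix = f"arn:aws:s3:::{bucket}/"

    for stmt in policy["Statement"]:
        # Assumption: only Allow statements are translated. A Deny cannot be
        # expressed as an additive ACE grant, so it is skipped by this model.
        if stmt.get("Effect") != "Allow":
            continue
        if not any(r.startswith(object_prefix) for r in _as_list(stmt["Resource"])):
            continue  # statement targets another bucket or resource
        principals = _as_list(stmt["Principal"]["AWS"])
        for action in _as_list(stmt["Action"]):
            mapping = ACTION_TO_ACE.get(action)
            if mapping is None:
                continue  # unmapped action: no ACE change
            for target, ace_name in mapping.items():
                names = grants[target].setdefault(ace_name, [])
                for principal in principals:
                    if principal not in names:
                        names.append(principal)

    result = {"dir": {}, "file": {}}
    for target, aces in grants.items():
        for ace_name, names in aces.items():
            if owner not in names:
                names.append(owner)
            result[target][ace_name] = " | ".join(f"u:{n}" for n in names)
    return result


def ace_allows(expr, tenant):
    """Evaluate a MapR ACE made of user terms (u:name) joined by '|' (OR)."""
    if not expr.strip():
        return False  # no ACE set: nothing is granted beyond the mode bits
    for term in expr.split("|"):
        term = term.strip()
        if not term.startswith("u:"):
            raise ValueError(f"unsupported ACE term: {term!r}")
        if term[2:] == tenant:
            return True
    return False


def tenant_access(tenant, owner, aces):
    """Mixed-mode view for one tenant: the 0700 mode bits admit only the
    owner; every other tenant is decided by the translated ACEs."""
    if tenant == owner:
        return {"list_bucket": True, "read_object": True}
    return {
        "list_bucket": ace_allows(aces["dir"].get("readdir", ""), tenant),
        "read_object": ace_allows(aces["file"].get("readfile", ""), tenant),
    }


if __name__ == "__main__":
    aces = policy_to_aces(POLICY_JSON, "B1", "A")
    print(aces)  # {'dir': {'readdir': 'u:B | u:A'}, 'file': {'readfile': 'u:B | u:A'}}
    for tenant in ("A", "B", "C"):
        print(tenant, tenant_access(tenant, "A", aces))
```

Running the block prints the two ACE expressions from the text and shows that tenant A (owner) and tenant B (granted by the policy) can list the bucket and read its objects, while an unnamed tenant C gets neither. A policy whose Resource names a different bucket produces no ACEs for B1 at all, which is the check worth keeping when a policy is applied to the wrong bucket by mistake.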