Example of Multiple Tier Authorization

On the file system side, you can protect files either by using MapR Access Control Expressions (ACEs) that allow you to grant read/write/execute permissions for files or directories to a specific user, or by using mixed mode.

On the S3 side, the owner of the bucket can leverage bucket policies to grant access to other users.

Example Scenario

Tenant A creates bucket B1. The system applies the default bucket policy to the bucket: read/write/execute access for the owner only, and no access for other tenants. These permissions are UNIX permissions: 0700.

Tenant A calls the bucket policy REST API, which results in the following policy on bucket B1:
{
  "Version": "2012-10-17",
  "Id": "ExamplePolicy01",
  "Statement": [
    {
      "Sid": "ExampleStatement01",
      "Effect": "Allow",
      "Principal": {
        "AWS": "B"
      },
      "Action": [
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::B1/*"
      ]
    }
  ]
}

The MapR Object Store processes this policy and allows access to tenant B. Under the policy, the Access Control Expression (ACE) -readdir u:B | u:A is applied to the bucket directory, and the ACE -readfile u:B | u:A is applied to all existing files. In mixed mode, tenant B has access.
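
The policy-to-ACE mapping described above, as an added Python example that is not MapR's own code: it reads the bucket policy and derives the two ACE strings the page states for bucket B1. The function names and the rule of skipping every statement other than an Allow of s3:GetObject on the whole bucket for named principals are assumptions of this sketch.

```python
import json

# Bucket policy from the page: owner A grants tenant B s3:GetObject on bucket B1.
POLICY = json.loads("""{
  "Version": "2012-10-17", "Id": "ExamplePolicy01",
  "Statement": [{
    "Sid": "ExampleStatement01", "Effect": "Allow",
    "Principal": {"AWS": "B"},
    "Action": ["s3:GetObject"],
    "Resource": ["arn:aws:s3:::B1/*"]
  }]
}""")

def as_list(value):
    """Policy fields may hold a single string or a list of strings."""
    return [value] if isinstance(value, str) else list(value)

def derive_aces(policy, bucket, owner):
    """Return (aces, skipped_sids). Assumption: only the case shown on the page
    (Allow + s3:GetObject on <bucket>/* for named users) is translated; any
    other statement is reported in skipped_sids instead of being guessed at."""
    users, skipped = [], []
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal", {})
        # A bare "*" principal or a missing one is never turned into a u:<name> term.
        principals = as_list(principal.get("AWS", [])) if isinstance(principal, dict) else ["*"]
        in_scope = (
            stmt.get("Effect") == "Allow"
            and as_list(stmt.get("Action", [])) == ["s3:GetObject"]
            and as_list(stmt.get("Resource", [])) == [f"arn:aws:s3:::{bucket}/*"]
            and principals
            and "*" not in principals
        )
        if not in_scope:
            skipped.append(stmt.get("Sid", "<no Sid>"))
            continue
        for user in principals:
            if user != owner and user not in users:
                users.append(user)
    # Grantees first, owner last, joined with the ACE OR operator as on the page.
    expr = " | ".join(f"u:{name}" for name in users + [owner])
    return {"readdir": expr, "readfile": expr}, skipped

if __name__ == "__main__":
    print(derive_aces(POLICY, "B1", "A"))
```

Statements returned in the skipped list are the ones to review by hand, since this sketch leaves the owner-only expression in place for them.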