Understanding the MapR Object Store Authorization Model

The MapR Object Store provides a two-tier authorization model.

Authorization is checked first at the S3 REST API level, against the S3 bucket policies, and then at the MapR platform file permission layer.

When a MapR Object Store receives a request from a tenant to access another bucket or object, it first checks for bucket policies that reference that particular tenant. If the tenant does not have access via the bucket policy, the request fails and no further checking is performed.

If the tenant does have access via the bucket policy, the MapR File System performs the next check, evaluating access with the UID and GID that the tenant is mapped to.
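The following added example (not MapR code) models the two-tier decision described above so the order of the checks can be tested. It assumes a simplified S3-style policy with exact-match principals, actions and resources, and file permissions expressed as POSIX mode bits; the tenant names, UIDs, GIDs and object paths are constructed.

```python
import stat
from collections import namedtuple

# uid/gid are the IDs the tenant is mapped to on the file system (constructed values)
Tenant = namedtuple("Tenant", "name uid gid")
FileEntry = namedtuple("FileEntry", "owner_uid owner_gid mode")  # mode: POSIX bits (assumption)

def policy_allows(policy, tenant, action, resource):
    """Tier 1: bucket policy. A tenant that no statement references is denied."""
    allowed = False
    for st in policy["Statement"]:
        if (tenant.name in st["Principal"]["AWS"] and action in st["Action"]
                and resource in st["Resource"]):  # exact match only, no wildcards
            if st["Effect"] == "Deny":
                return False  # an explicit Deny overrides any Allow
            allowed = True
    return allowed

def fs_allows(entry, tenant, write):
    """Tier 2: owner/group/other check using the tenant's mapped UID and GID."""
    if tenant.uid == entry.owner_uid:
        bit = stat.S_IWUSR if write else stat.S_IRUSR
    elif tenant.gid == entry.owner_gid:
        bit = stat.S_IWGRP if write else stat.S_IRGRP
    else:
        bit = stat.S_IWOTH if write else stat.S_IROTH
    return bool(entry.mode & bit)

def authorize(policy, entry, tenant, action, resource):
    if not policy_allows(policy, tenant, action, resource):
        return "denied: bucket policy"  # the file system tier is never consulted
    if not fs_allows(entry, tenant, write=(action == "s3:PutObject")):
        return "denied: file permissions"
    return "allowed"

# Constructed sample data
POLICY = {"Statement": [{"Effect": "Allow", "Principal": {"AWS": ["tenantB"]},
                         "Action": ["s3:GetObject"],
                         "Resource": ["arn:aws:s3:::reports/q1.csv",
                                      "arn:aws:s3:::reports/private.csv"]}]}
TENANT_B = Tenant("tenantB", uid=5001, gid=5000)
TENANT_C = Tenant("tenantC", uid=5002, gid=6000)
GROUP_READABLE = FileEntry(owner_uid=5000, owner_gid=5000, mode=0o640)
OWNER_ONLY = FileEntry(owner_uid=5000, owner_gid=5000, mode=0o600)
WORLD_READABLE = FileEntry(owner_uid=5000, owner_gid=5000, mode=0o644)
```

A tenant that the policy does not reference is refused even when the underlying file is world-readable, and a tenant the policy admits can still be refused by the file's mode bits.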