Using the MapR Object Store Authorization Model

MapR authorization models provide significant flexibility on how best to protect your S3 data.

These models can be used as follows:

  • Option - 1: File-System-Only mode: MapR File System enforcement with S3 bucket policy disabled
    • Configuration maps the application key or secret to a MapR ID.
    • S3 policy is not used and the policy check is skipped.
    • MapR file security validates inbound mapped UID and GID to authorize read or write file permissions.
  • Option - 2: Mixed Mode (DEFAULT): Blend of MapR File System and S3 bucket policy security enforcement
    • Configuration maps the application key or secret to a MapR ID.
    • S3 bucket policy and MapR file security are enforced. Specifically, the two authorization model.
  • Option - 3: S3-Only Mode: S3 security enforcement
    • No configuration to map the application key or secret to a MapR ID.
    • S3 policy is enforced.
    • MapR Object Storeowns the data with no access to data outside of S3. Effectively, the MapR file security is still enforced but enforced only for using the MapR Object Store UID or GID identity.
To change the MapR Object Store mode, edit the deploymentMode field in the /opt/mapr/objectstore-client/objectstore-client-1.0.0/conf/minio.json file and restart the service.
  • fs_only - for option 1
  • mixed - for option 2 (enabled by default)
  • s3_only - for option 3