You can share one bucket at a time.

To share a bucket, you can use access control lists or bucket policies.

Access control lists allow you to implement fine-grained control over your buckets and the objects in the buckets. To share a bucket with an access control list, you edit the access permissions of the bucket, either by using the built-in canned access control lists or by creating a custom access control list.

Bucket policies allow you to implement global control over your buckets. They can only be assigned to buckets but not to the objects in the bucket.

Access Control Lists

Use access control lists to manage access to buckets.

You can use access control lists to grant access to buckets. Access control lists define who has access to your buckets and what level of access they have. There are two types of access control lists:
  • Canned access control lists are predefined.
  • Custom access control lists can be modified to your needs.
Before you share a bucket using an access control list, you must verify that you have the required set of rights.
| If you are an ... | You can ... |
| --- | --- |
| organization administrator | share buckets that users in your organization own. |
| organization user | share buckets that you own. |
  • Alternatively, the owner must assign one of the following sets of permissions for the bucket to your user account.
    • Read of Bucket, Write of Bucket, Read of ACL, and Write of ACL
    • Read of Bucket, Read of ACL, and Write of ACL
    • Full Control

Share a Bucket Using a Canned Access Control List

Canned access control lists are predefined, built-in access control lists that you can use to share buckets within your organization or publicly over the Internet.

Note: Setting a canned access control list on a bucket overwrites the existing permissions configuration for the bucket.

Procedure

  1. Log in to the VMware Cloud Director tenant portal.
  2. From the More drop-down menu, select Object Storage.
  3. In the Buckets pane, click the name of the bucket that you want to share.
  4. On the Permissions tab, click Set Canned ACL.
  5. Select a canned access control list name for the bucket and click Set ACL.
    | Option | Description |
    | --- | --- |
    | Private | Only the bucket owner and the organization administrator can access the bucket. |
    | Public Read | Grants Read permissions on the bucket to all users. |
    | Public Read/Write | Grants Read and Write permissions on the bucket to all users. |
    | Authenticated Users Read | Grants Read permissions to all authenticated VMware Cloud Director users. |
    | Tenant Read | Grants Read permissions on the bucket to all users within the VMware Cloud Director organization. If you use the ECS storage platform, this option is not available. If you use AWS S3, this option is not available. |
    | Tenant Read/Write | Grants Read and Write permissions on the bucket to all users within the VMware Cloud Director organization. If you use ECS or AWS S3, this option is not available. |
    | System Logger | To write bucket logs, VMware Cloud Director Object Storage Extension uses the System Logger account. Modifying the permissions of the System Logger account for a logging target bucket might result in failure to write bucket logs. For more information, see Bucket Logs. If you use the ECS storage platform, this option is not available. |

Share a Bucket Using a Custom Access Control List

You can share buckets with users in your organization by creating a custom access control list.

The following table describes the available access control list options.
| Option | Description |
| --- | --- |
| Full Control | Grants Read and Write permissions on the bucket, and Read and Write permissions for the access control list of the bucket. |
| Read of Bucket | Grants Read permissions on the bucket. |
| Write of Bucket | Grants Write permissions on the bucket. |
| Read of ACL | Grants Read permissions on the access control list of the bucket. |
| Write of ACL | Grants Write permissions on the access control list of the bucket. |

Procedure

  1. Log in to the VMware Cloud Director tenant portal.
  2. From the More drop-down menu, select Object Storage.
  3. In the Buckets pane, click the name of the bucket that you want to share.
  4. On the Permissions tab, click Edit.
  5. Configure the required set of permissions for the bucket and click Save.
    • To share the bucket with users from your tenant organization, use the toggle buttons in the Tenant Users row.

      If you use the ECS storage platform, this option is not available.

    • To share the bucket with authenticated users from all tenant organizations, use the toggle buttons in the Authenticated Users row.
    • To share the bucket with all users, use the toggle buttons in the Public row.
    • To share the bucket with specific users within your organization, click the Add User button, select the user, and use the toggle buttons in the corresponding row.
    • To write bucket logs, VMware Cloud Director Object Storage Extension uses the System Logger account. Modifying the permissions of the System Logger account for a logging target bucket might result in failure to write bucket logs. For more information, see Bucket Logs.

      If you use the ECS storage platform, this option is not available.

Bucket Policies

With bucket policies, you allow or deny an action to a resource in a bucket. You can also define conditions within a policy.

To grant access permissions to your bucket and the objects in it, you use bucket policies. Bucket policies are an important element in securing your buckets against unauthorized access.

Bucket policies consist of policy statements and are limited to 20 KB in size. You can create a single policy per bucket, but you can add multiple statements to a single policy.

Bucket policies use a JSON-based language. See Policies and Permissions in Amazon S3.

VMware Cloud Director Object Storage Extension provides a policy editor that you can use instead of the JSON editor.

Only the bucket owner can create and edit bucket policies.

Create a Bucket Policy

To create a bucket policy, you define rules and conditions for accessing the objects in a bucket.

Prerequisites

To create a bucket policy, you must be the owner of the bucket.

Procedure

  1. Log in to the VMware Cloud Director tenant portal.
  2. From the More drop-down menu, select Object Storage.
  3. In the Buckets pane, click the name of the bucket that you want to edit.
  4. On the Permissions tab, click text in the bucket policy area.
  5. Enter the details of the policy and click Save.
    • You can use the policy editor to enter ID, effect, settings, and conditions for the policy.
    • You can use the JSON editor to enter the policy statements.
    • To create a Public Read or Public Read/Write policy, click the respective shortcut.
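
As an added example (not part of the VMware documentation or product code), the following Python check can be run on a policy document before it is entered in the JSON editor. It flags a document over the 20 KB limit and any Allow statement open to every principal; the sample policy, its bucket name, its Sids, and the aws:SourceIp condition key follow the Amazon S3 policy language and are assumptions, not values from this page.

```python
import json

MAX_POLICY_BYTES = 20 * 1024  # page: policies are limited to 20 KB (assumed 20 * 1024 bytes)
# Action-name fragments treated as write-capable; any wildcard counts (conservative).
WRITE_HINTS = ("Put", "Delete", "*")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_anyone(principal):
    """True when the principal is the wildcard, i.e. every caller."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False

def audit_policy(policy_text):
    """Return a list of findings for one bucket policy document."""
    findings = []
    if len(policy_text.encode("utf-8")) > MAX_POLICY_BYTES:
        findings.append("policy exceeds the 20 KB limit")
    policy = json.loads(policy_text)
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        sid = stmt.get("Sid", f"statement[{i}]")
        # Deny statements and statements naming specific principals are not flagged.
        if stmt.get("Effect") != "Allow" or not _is_anyone(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            findings.append(f"{sid}: open to everyone, limited only by its condition")
            continue
        actions = _as_list(stmt.get("Action", []))
        writable = any(h in a for a in actions for h in WRITE_HINTS)
        findings.append(f"{sid}: public {'read/write' if writable else 'read'} with no condition")
    return findings

# Constructed sample policy; the bucket name and Sids are placeholders.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "OfficeUpload", "Effect": "Allow", "Principal": "*",
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"IpAddress": {"aws:SourceIp": "192.0.2.0/24"}}},
    {"Sid": "DenyDelete", "Effect": "Deny", "Principal": "*",
     "Action": "s3:DeleteObject", "Resource": "arn:aws:s3:::example-bucket/*"},
]})

if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_POLICY):
        print(finding)
```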