Skip to content

Object Storage - add support for whitelist ips #8269

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 9 commits into
base: develop
Choose a base branch
from
Open

Object Storage - add support for whitelist ips #8269

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
7ffeb0c
Update guide.en-gb.md
lason-ovh Aug 11, 2025
9030e05
Update guide.fr-fr.md
lason-ovh Aug 11, 2025
dce1f93
Proofreading & duplication
Y0Coss Aug 13, 2025
995e281
minor update FR versions
benchbzh Aug 14, 2025
07920e7
Update guide.fr-fr.md
lason-ovh Aug 21, 2025
fa0d1b2
Update guide.en-gb.md
lason-ovh Aug 21, 2025
5f264a6
Update guide.fr-fr.md
lason-ovh Aug 21, 2025
049b253
Update guide.en-gb.md
lason-ovh Aug 21, 2025
7f5df4c
Proofreading new commits + duplication
Y0Coss Aug 26, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
148 changes: 135 additions & 13 deletions ...rage_and_backup/object_storage/s3_identity_and_access_management/guide.de-de.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
---
title: Object Storage - Identitäts- und Zugriffsverwaltung (EN)
excerpt: The purpose of this guide is to show you how to manage your identities and access your Object Storage resources
updated: 2025-03-21
updated: 2025-08-26
---

## Objective
Expand All @@ -23,11 +23,11 @@ Click `Create User`{.action}.

If you already have OpenStack users, you can select one of these:

![Add Object Storage user](images/highperf-identity-and-access-management-20220928085304931.png)
![Add Object Storage user](images/highperf-identity-and-access-management-20220928085304931.png){.thumbnail}

then

![Add Object Storage user](images/highperf-identity-and-access-management-2022092808554688.png)
![Add Object Storage user](images/highperf-identity-and-access-management-2022092808554688.png){.thumbnail}

> [!primary]
>
Expand All @@ -36,11 +36,11 @@ then

Otherwise, create a new user:

![Add Object Storage user](images/highperf-identity-and-access-management-20220928085501719.png)
![Add Object Storage user](images/highperf-identity-and-access-management-20220928085501719.png){.thumbnail}

Once your user has been created, you will see the credentials:

![Credentials](images/highperf-identity-and-access-management-20220928085714656.png)
![Credentials](images/highperf-identity-and-access-management-20220928085714656.png){.thumbnail}

> [!primary]
>
Expand All @@ -53,46 +53,75 @@ You can define access to your buckets via predefined profiles.

Click on the `...`{.action} at the end of your bucket line, then `Add a user to a container`{.action}.

![Add a user to a container](images/highperf-identity-and-access-management-20220928090844174.png)
![Add a user to a container](images/highperf-identity-and-access-management-20220928090844174.png){.thumbnail}

Select the user to add to your bucket and click `Next`{.action}.

![Add a user to my container](images/highperf-identity-and-access-management-20220928083641625.png)
![Add a user to my container](images/highperf-identity-and-access-management-20220928083641625.png){.thumbnail}

Set access to your bucket for this user and click on `Confirm`{.action}.

![Add a user to my container - Role](images/highperf-identity-and-access-management-20220928083800300.png)
![Add a user to my container - Role](images/highperf-identity-and-access-management-20220928083800300.png){.thumbnail}

### Manage access to an object via a profile

You can also set access to your objects via predefined profiles.

Click on the `...`{.action} at the end of your object line, then `Add user to my object`{.action}.

![object menu](images/highperf-identity-and-access-management-20220928084137918.png)
![object menu](images/highperf-identity-and-access-management-20220928084137918.png){.thumbnail}

Select the user and click `Next`{.action}.

![add user to my object](images/highperf-identity-and-access-management-20220928084222940.png)
![add user to my object](images/highperf-identity-and-access-management-20220928084222940.png){.thumbnail}

Select the access profile for this user and click `Confirm`{.action}.

![add role to my object](images/highperf-identity-and-access-management-20220928084308265.png)
![add role to my object](images/highperf-identity-and-access-management-20220928084308265.png){.thumbnail}

### Advanced resource access management

#### Overview

By default, all resources (buckets, objects) and sub-resources (lifecycle configuration, webite configuration, etc.) are private in Object Storage. Only the resource owner, i.e the user account that creates it, has full control.

Access to private resources can be granted via access policies. Access policies can be categorized broadly into 2 types :

- user based: access policies attached to a specific user are called user policies. A user policy is evaluated using Object Storage IAM permissions and applies only to the specific user it is attached to.
- resource based : bucket policies and ACLs are policies that are attached directly to specific resources

> [!primary]
>
> Bucket policies is a feature that is not yet available for Object Storage. This article is about user policies.
>

You can refine your permissions by importing a JSON configuration file. To do this, go to the `Object Storage Policy Users`{.action} tab.

![Object Storage users](images/highperf-identity-and-access-management-20220928084435242.png)
![Object Storage users](images/highperf-identity-and-access-management-20220928084435242.png){.thumbnail}

Click on the `...`{.action} at the end of your user's line, then `Import JSON file`{.action}.

> [!primary]
>
> If you want to change a user's rights, you may need to download the JSON configuration file in advance by selecting `Download JSON File`{.action}.
>

#### Understanding the user policy evaluation process

At the moment, user permissions are evaluated as follows:

1. if exists, evaluate user policy else fallback to ACLs
1. check for an explicit deny: if there is an explicit deny, then deny permission, else, check for an explicit allow
2. check for an explicit allow: if there is an explicit allow, then allow permission
3. if there is no explicit deny nor explicit allow, then fallback to ACLs
2. fallback to ACLs

> [!primary]
>
> This evaluation process will be subject to change with the upcoming implementation of bucket policies.
>

Some examples of JSON configuration files:
#### Some examples of JSON configuration files:

**Read/write access to a bucket and its objects**

Expand Down Expand Up @@ -120,6 +149,24 @@ Some examples of JSON configuration files:
}
```

**Deny listing of all buckets owned by the parent account**

> [!primary]
>
> The (`s3:ListAllMyBuckets`) action is allowed by default for a given user. Add the `deny`{.action} effect if you want to explictly refuse the use of the `ListBuckets`{.action} API operation.
>

```json
{
"Statement":[{
"Sid": "DenyListBucket",
"Effect": "Deny",
"Action":["s3:ListAllMyBuckets"],
"Resource":["*"]
}]
}
```

**Allow all operations on all project resources**

```json
Expand All @@ -146,6 +193,80 @@ Some examples of JSON configuration files:
}
```

**Allow all operations to specific IPs by whitelisting authorized IPs**

```json
{
"Statement": {
"Sid": "ExampleStatement01",
"Effect": "Deny",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::companybucket",
"arn:aws:s3:::companybucket/*"
],
"Condition": {
"NotIpAddress": {
"aws:SourceIp": "10.0.0.5/16"
}
}
}
}
```

> [!primary]
>
> As a consequence of the current authorization process, **implicit** deny is **not** supported by OVHcloud Object Storage if the user is the bucket owner i.e since ACLs are evaluated by default and since the bucket owner has FULL_CONTROL ACL, if the user is the bucket owner and even if there is no explicit allow in the policy file, he will be authorized.
>

The following policy to attempt to allow read access to objects only to specific IPs will **not** work under current conditions if attached to the bucket owner i.e even if the bucket owner makes his requests from IPs that are not in the specified range, he will be authorized.

```json
{
"Statement": {
"Sid": "ExampleStatement01",
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:ListBucket",
"s3:ListBucketVersions"
],
"Resource": [
"arn:aws:s3:::companybucket/*"
],
"Condition": {
"IpAddress": {
"aws:SourceIp": "10.0.0.5/16"
}
}
}
}
```

The following policy to attempt to deny read access to objects to specific IPs by blacklisting unauthorized IPs will **not** work under current conditions if attached to the bucket owner because there is no explicit deny and requests from the specified IPs will not match the allow, therefore, we fallback to the ACLs.

```json
{
"Statement": {
"Sid": "ExampleStatement01",
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:ListBucket",
"s3:ListBucketVersions"
],
"Resource": [
"arn:aws:s3:::companybucket/*"
],
"Condition": {
"NotIpAddress": {
"aws:SourceIp": "10.0.0.5/16"
}
}
}
}
```

### List of supported actions

| Action | Scope |
Expand Down Expand Up @@ -176,6 +297,7 @@ Some examples of JSON configuration files:
| s3:GetObjectRetention | Object |
| s3:GetObjectTagging | Object |
| s3:GetReplicationConfiguration | Bucket |
| s3:ListAllMyBuckets | Bucket |
| s3:ListBucket | Bucket |
| s3:ListBucketMultipartUploads | Bucket |
| s3:ListMultipartUploadParts | Object |
Expand Down
Loading