Authentication and ACLs

Authentication

Requests are authenticated with AWS Signatures, which are derived from the user's credentials (the S3 access key and secret key). The access key identifies the user; the secret key never travels in the request and is only used to compute the signature.

Most S3 clients and AWS SDKs generate these signatures for you once they are given the credentials. When issuing raw HTTP requests, the signature must be computed and added to the request manually.

AWS Signature v4

Please refer to the official documentation in Authenticating Requests (AWS Signature Version 4).

The following values of the x-amz-content-sha256 request header are supported:

  • Actual payload checksum value
  • UNSIGNED-PAYLOAD
  • STREAMING-UNSIGNED-PAYLOAD-TRAILER
  • STREAMING-AWS4-HMAC-SHA256-PAYLOAD
  • STREAMING-AWS4-HMAC-SHA256-PAYLOAD-TRAILER
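As an added example (not code from the Ceph documentation or from RGW itself), the following Python module builds a Signature Version 4 Authorization header for a raw HTTP request using only the standard library, and shows the matching server-side check that a gateway performs: rebuild the canonical request from the headers named in SignedHeaders, recompute the signature with the stored secret, and compare in constant time. The bucket host name, access key and secret key are constructed placeholders. The x-amz-content-sha256 header is part of the signed material, so the value chosen from the list above (a real payload digest or UNSIGNED-PAYLOAD) changes the signature; the streaming variants, which additionally sign each chunk, are not covered here.

```python
import hashlib
import hmac
from urllib.parse import quote

ALGORITHM = "AWS4-HMAC-SHA256"
# SHA-256 of an empty body; used as the payload hash of a GET with no body.
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def canonical_request(method, path, query, headers, payload_hash):
    """Build the SigV4 canonical request; returns (text, signed_headers)."""
    canon_query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
        for k, v in sorted(query.items())
    )
    # Header names lower-cased, values whitespace-collapsed, sorted by name.
    lowered = {k.lower(): " ".join(v.split()) for k, v in headers.items()}
    signed_headers = ";".join(sorted(lowered))
    canon_headers = "".join(f"{k}:{lowered[k]}\n" for k in sorted(lowered))
    text = "\n".join([method, quote(path, safe="/-_.~"), canon_query,
                      canon_headers, signed_headers, payload_hash])
    return text, signed_headers


def signing_key(secret_key, date_stamp, region, service="s3"):
    """Derive the per-day signing key: HMAC chain over date, region, service."""
    k_date = _hmac(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")


def sign_request(access_key, secret_key, region, method, path, query, headers, payload_hash):
    """Return (Authorization header value, canonical request text).

    headers must contain host and x-amz-date (e.g. 20130524T000000Z).
    """
    headers = {k.lower(): v for k, v in headers.items()}
    headers["x-amz-content-sha256"] = payload_hash  # the header is itself signed
    amz_date = headers["x-amz-date"]
    date_stamp = amz_date[:8]
    scope = f"{date_stamp}/{region}/s3/aws4_request"
    canon, signed_headers = canonical_request(method, path, query, headers, payload_hash)
    string_to_sign = "\n".join(
        [ALGORITHM, amz_date, scope, hashlib.sha256(canon.encode("utf-8")).hexdigest()])
    signature = hmac.new(signing_key(secret_key, date_stamp, region),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    auth = (f"{ALGORITHM} Credential={access_key}/{scope}, "
            f"SignedHeaders={signed_headers}, Signature={signature}")
    return auth, canon


def verify_signature(secret_key, method, path, query, headers, authorization):
    """Gateway-side check: recompute the signature over the headers the client
    declared as signed and compare in constant time. Any malformed or missing
    field is treated as a failed verification, not an error."""
    try:
        fields = dict(p.strip().split("=", 1)
                      for p in authorization[len(ALGORITHM):].split(","))
        access_key, _date, region, service, term = fields["Credential"].split("/")
        if service != "s3" or term != "aws4_request":
            return False
        lowered = {k.lower(): v for k, v in headers.items()}
        signed = {h: lowered[h] for h in fields["SignedHeaders"].split(";")}
        expected, _ = sign_request(access_key, secret_key, region, method, path,
                                   query, signed, lowered["x-amz-content-sha256"])
    except (KeyError, ValueError):
        return False
    return hmac.compare_digest(expected.split("Signature=")[1], fields["Signature"])


if __name__ == "__main__":
    # Constructed placeholder credentials and host; not real keys.
    hdrs = {"host": "examplebucket.rgw.example", "x-amz-date": "20130524T000000Z"}
    auth, canon = sign_request("AKIAEXAMPLEKEY", "exampleSecretKey", "us-east-1",
                               "GET", "/test.txt", {}, hdrs, EMPTY_SHA256)
    print(canon)
    print(auth)
    hdrs["x-amz-content-sha256"] = EMPTY_SHA256
    print("verified:", verify_signature("exampleSecretKey", "GET", "/test.txt", {}, hdrs, auth))
```

The verifier derives everything from the request except the secret, which is why the gateway only needs the access key to look up the user and why a leaked Authorization header cannot be replayed with a different path, date or content hash.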

AWS Signature v2

Please refer to the official documentation in Authenticating Requests (AWS Signature Version 2).

Note

While v2 signatures have been deprecated in AWS, RGW continues to support them.

Access Control Lists (ACLs)

RGW supports S3-compatible ACL functionality. An ACL is a list of access grants that specify which operations a user can perform on a bucket or on an object. Each grant has a different meaning when applied to a bucket versus applied to an object:

Permission   | Bucket                                                  | Object
READ         | Grantee can list the objects in the bucket.             | Grantee can read the object.
WRITE        | Grantee can write or delete objects in the bucket.      | N/A
READ_ACP     | Grantee can read the bucket ACL.                        | Grantee can read the object ACL.
WRITE_ACP    | Grantee can write the bucket ACL.                       | Grantee can write to the object ACL.
FULL_CONTROL | Grantee has full permissions for objects in the bucket. | Grantee can read or write to the object ACL.

Internally, S3 operations are mapped to ACL permissions as follows:

Operation                            | Permission
s3:GetObject                         | READ
s3:GetObjectTorrent                  | READ
s3:GetObjectVersion                  | READ
s3:GetObjectVersionTorrent           | READ
s3:GetObjectTagging                  | READ
s3:GetObjectVersionTagging           | READ
s3:ListAllMyBuckets                  | READ
s3:ListBucket                        | READ
s3:ListBucketMultipartUploads        | READ
s3:ListBucketVersions                | READ
s3:ListMultipartUploadParts          | READ
s3:AbortMultipartUpload              | WRITE
s3:CreateBucket                      | WRITE
s3:DeleteBucket                      | WRITE
s3:DeleteObject                      | WRITE
s3:DeleteObjectVersion               | WRITE
s3:PutObject                         | WRITE
s3:PutObjectTagging                  | WRITE
s3:PutObjectVersionTagging           | WRITE
s3:DeleteObjectTagging               | WRITE
s3:DeleteObjectVersionTagging        | WRITE
s3:RestoreObject                     | WRITE
s3:GetAccelerateConfiguration        | READ_ACP
s3:GetBucketAcl                      | READ_ACP
s3:GetBucketCORS                     | READ_ACP
s3:GetBucketLocation                 | READ_ACP
s3:GetBucketLogging                  | READ_ACP
s3:GetBucketNotification             | READ_ACP
s3:GetBucketPolicy                   | READ_ACP
s3:GetBucketRequestPayment           | READ_ACP
s3:GetBucketTagging                  | READ_ACP
s3:GetBucketVersioning               | READ_ACP
s3:GetBucketWebsite                  | READ_ACP
s3:GetLifecycleConfiguration         | READ_ACP
s3:GetObjectAcl                      | READ_ACP
s3:GetObjectVersionAcl               | READ_ACP
s3:GetReplicationConfiguration       | READ_ACP
s3:GetBucketEncryption               | READ_ACP
s3:DeleteBucketPolicy                | WRITE_ACP
s3:DeleteBucketWebsite               | WRITE_ACP
s3:DeleteReplicationConfiguration    | WRITE_ACP
s3:PutAccelerateConfiguration        | WRITE_ACP
s3:PutBucketAcl                      | WRITE_ACP
s3:PutBucketCORS                     | WRITE_ACP
s3:PutBucketLogging                  | WRITE_ACP
s3:PutBucketNotification             | WRITE_ACP
s3:PutBucketPolicy                   | WRITE_ACP
s3:PutBucketRequestPayment           | WRITE_ACP
s3:PutBucketTagging                  | WRITE_ACP
s3:PutBucketVersioning               | WRITE_ACP
s3:PutBucketWebsite                  | WRITE_ACP
s3:PutLifecycleConfiguration         | WRITE_ACP
s3:PutObjectAcl                      | WRITE_ACP
s3:PutObjectVersionAcl               | WRITE_ACP
s3:PutReplicationConfiguration       | WRITE_ACP
s3:PutBucketEncryption               | WRITE_ACP