Managing Per-User Filesystems Using Filesystem Pool And IAM Policy

If you have multiple users and want to keep each user separated in their own filesystem, you can use ObjectiveFS’s filesystem pool feature to manage the per-user filesystems.

IAM Policy

We will set up two types of user: admin who manages all filesystems and regular user who can access only their filesystem.

Admin

The admin manages all filesystems and has IAM permissions to perform all filesystem operations (e.g. create, list, destroy) on these filesystems.

Here is an IAM policy for the admin. The GetBucketLocation is needed to determine the S3 endpoint and the ListAllMyBuckets is needed for the list command.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketLocation",
                "s3:ListAllMyBuckets"
            ],
            "Resource": "arn:aws:s3:::*"
        },
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::YOUR-BUCKET",
                "arn:aws:s3:::YOUR-BUCKET/*"
            ]
        }
    ]
}

Regular User

A regular user has IAM permissions that give them access only to their own filesystem.

Here is an IAM policy for a regular user. The GetBucketLocation is needed to determine the S3 endpoint. This policy restricts the user’s S3 commands to their own filesystem.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:GetBucketLocation",
            "Resource": "arn:aws:s3:::*"
        },
        {
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::YOUR-BUCKET",
            "Condition": {
                "StringLike": { "s3:prefix": "USER/*" }
            }
        },
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::YOUR-BUCKET/USER/*"
        }
    ]
}

Filesystem Pool Example

Here’s an example of a way to set up a per-user filesystem using filesystem pool.

Credentials

The admin sets up the ObjectiveFS credentials for the admin user (in the default location in this example) and for all users in separate directories.

For admin:

$ sudo mount.objectivefs config
Creating config in /etc/objectivefs.env
Enter ObjectiveFS license: <your ObjectiveFS license>
Enter Access Key Id: <admin's S3 access key>
Enter Secret Access Key: <admin's S3 secret key>

For every user:

$ sudo mount.objectivefs config /etc/objectivefs.USER
Creating config in /etc/objectivefs.USER
Enter ObjectiveFS license: <your ObjectiveFS license>
Enter Access Key Id: <USER's S3 access key>
Enter Secret Access Key: <USER's S3 secret key>


Creating a new filesystem

The admin then creates a different filesystem for each user using YOUR-BUCKET/USER (e.g. myfs/user1). Each filesystem has a unique passphrase.

$ sudo mount.objectivefs create myfs/user1
Passphrase (for s3://myfs/user1): <passphrase for user1's filesystem>
Verify passphrase (for s3://myfs/user1): <same passphrase as above>


Mounting a filesystem

The filesystem can now be mounted for the user with the user’s credentials (e.g. from /etc/objectivefs.USER). You’ll need an existing empty directory (e.g. /dir1) to mount the filesystem.

To mount a filesystem in the background:

$ sudo mount.objectivefs -oenv=/etc/objectivefs.USER s3://myfs/user1 /dir1
Passphrase (for s3://myfs/user1): <passphrase for user1's filesystem>


Destroying a Filesystem

Only the admin can destroy a filesystem with the admin IAM credentials.

Please see User Guide for more commands, filesystem pool details and mount on boot information.

by ObjectiveFS staff, October 1, 2015
ObjectiveFS is a shared file system for OS X and Linux that automatically scales and gives you scalable cloud storage. If you have questions or article idea suggestions, please email us at support@objectivefs.com