Commit f5f8282

Added section on group and user creation to tutorial
1 parent b416486 commit f5f8282

1 file changed

Lines changed: 39 additions & 1 deletion

StorageGRID-Webscale-Tutorial.md

@@ -78,7 +78,7 @@ Connect-SgwServer -Name $Name -Credential $Credential -AccountId $AccountId
7878

7979
## Tenant Management
8080

81-
To create a new S3 tenant use
81+
To create a new S3 tenant use the following steps.
8282

8383
```powershell
8484
$Credential = Get-Credential -UserName root
@@ -131,6 +131,44 @@ Otherwise connect as grid administrator again and then run
131131
$Account | Remove-SgwAccount
132132
```
133133

134+
## Creating local groups and users
135+
136+
Local groups and users can be used to grant full or restricted access to the resources of a tenant to e.g. a specific application.
137+
138+
Make sure that you are connected to the tenant as root user or user with privileges to manager users and groups (check the previous section for details).
139+
140+
```powershell
141+
$Account | Connect-SgwServer -Name $Name -Credential $Credential
142+
```
143+
144+
If you want to restrict S3 access by denying bucket creation, deletion, policy change and versioning change as well as object version deletion create the following policy
145+
146+
```powershell
147+
$GroupPolicy = New-AwsPolicy -Principal $null
148+
$GroupPolicy = $GroupPolicy | Add-AwsPolicyStatement -Principal $null -Effect Deny -Action s3:CreateBucket,s3:DeleteBucket,s3:DeleteBucketPolicy,s3:PutBucketPolicy,s3:PutBucketVersioning,s3:DeleteObjectVersion
149+
```
150+
151+
Now create a new group with the previously created policy
152+
153+
```powershell
154+
$Group = New-SgwGroup -UniqueName "mygroup" -Type "local" -S3Policy $GroupPolicy
155+
```
156+
157+
Users of this group will not be able to log into the tenant portal. If you want to allow Tenant Portal access specify either of the parameters `-RootAccess`,`-ManageAllContainers`,`-ManageOwnS3Credentials`.
158+
159+
If you want to allow full S3 access use the following to create the group
160+
161+
```powershell
162+
$Group = New-SgwGroup -UniqueName "mygroup" -Type "local" -S3FullAccess
163+
```
164+
165+
Now create a local user
166+
167+
```powershell
168+
$UserCredential = Get-Credential -UserName "myuser" -Message "Insert the password for the user"
169+
$User = $Group | New-SgwUser -UniqueName "myuser" -Password $UserCredential.GetNetworkCredential().Password
170+
```
171+
134172
## Export account usage to CSV
135173

136174
As a tenant user, the Account usage can be retrieved with
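
Review bot: The restricted-policy step (added lines 144-148) builds `$GroupPolicy` from `New-AwsPolicy -Principal $null` plus a single `-Effect Deny` statement, but the text never says what the policy permits before that Deny is added, so a reader cannot tell whether members of the group end up with no S3 access at all or with everything except the six listed actions. Please state the resulting effective access in one sentence next to that block. In the same hunk, the user-creation step passes `$UserCredential.GetNetworkCredential().Password` to `-Password`, which turns the prompted credential into a plain-text string; the tutorial should say so. Both `New-SgwGroup` examples use `-UniqueName "mygroup"`, so either present them explicitly as alternatives or give them different names, and "privileges to manager users and groups" on added line 138 should read "manage".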
