Setting up Enforced POSIX Access

This mode maintains POSIX metadata for your objects and enforces POSIX access controls on those objects. Use it when you want to manage what users have access to based on the UID/GID of their UNIX user and the corresponding POSIX metadata (owner, group, mode) on files. Users will encounter access-denied errors if they try to read or write a file or directory they haven’t been given permission to (by a suitably privileged user doing chown, chgrp or chmod). Note that this is client-side rather than server-side enforcement. If a user has access to object storage credentials with server-side privileges beyond this, then that user can potentially access or modify objects outside of these POSIX access controls. Contact us for how to set up ACL Policies to enforce server-side access control that reflects POSIX access controls.

Warning

This mode stores POSIX metadata as objects in a “hidden” directory in your buckets alongside your data. You cannot see these directories when using cunoFS to list objects, but you will see them if you use other tools (such as your storage provider’s web console). Non-cunoFS access which renames, moves, or copies objects with cunoFS-stored POSIX file attributes will result in those objects losing their metadata. You will need to use cunoFS to manage those files while preserving their attributes.

Key steps

  1. Through your object storage provider, generate access credentials with the highest level of permissions that a user/admin could need. On a public cloud supporting IAM, you set up an admin IAM user with such credentials.

  2. The admin credentials are stored privately and are used to set up a cunoFS Mount in an accessible location.

  3. Users are only told the path to the mount; they are not given access to cuno nor to the admin credentials.

Warning

Not suitable if users will be spinning up VMs/instances where they can set any uid/gid.
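Because enforcement is client-side, steps 2 and 3 only hold if ordinary users cannot read or replace the stored admin credentials. The following check is an added example, not part of cunoFS or its documentation; the credentials file name and the admin UID passed in are assumptions for illustration.

```python
import os
import stat
import tempfile

def audit_private_file(path, admin_uid):
    """Return findings; an empty list means only admin_uid (or root) can use path."""
    findings = []
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return [f"{path}: is a symlink; audit its target instead"]
    if st.st_uid != admin_uid:
        findings.append(f"{path}: owned by uid {st.st_uid}, expected {admin_uid}")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        mode = stat.S_IMODE(st.st_mode)
        findings.append(f"{path}: mode {mode:04o} grants group/other access")
    # A parent directory that other users can write to lets them swap the file.
    parent = os.path.dirname(os.path.abspath(path))
    pst = os.stat(parent)
    if pst.st_uid not in (admin_uid, 0):
        findings.append(f"{parent}: owned by uid {pst.st_uid}")
    sticky = pst.st_mode & stat.S_ISVTX
    if pst.st_mode & (stat.S_IWGRP | stat.S_IWOTH) and not sticky:
        findings.append(f"{parent}: writable by group/other without sticky bit")
    return findings

if __name__ == "__main__":
    # Constructed sample: a stand-in credentials file in a temporary directory.
    with tempfile.TemporaryDirectory() as d:
        creds = os.path.join(d, "admin-credentials")  # hypothetical file name
        with open(creds, "w") as f:
            f.write("constructed placeholder, not a real key\n")
        os.chmod(creds, 0o644)
        for finding in audit_private_file(creds, os.getuid()):
            print(finding)
```

Run it as the admin account against wherever the credentials are actually kept; any finding means a non-admin user may be able to reach credentials that bypass the POSIX controls.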

Note

More instructions coming soon. If you’re interested in this use case specifically, email us at info@cuno.io.