docs/design/iam.md
Lines changed: 33 additions & 1 deletion
@@ -94,7 +94,7 @@ If the resource doesn’t have a bucket policy the IAM user accounts can have ac
94
94
For example:
95
95
- root account creates 2 users (both are owned by it): user1, user2 and a bucket (bucket owner: <root-account-id>, bucket creator: <account-id-user1>).
96
96
- user1 upload a file to the bucket
97
-
- user2 can delete this bucket (after it is empty): although user2 is not the creator, without a bucket policy his root account is the owner so he can delete the bucket.
97
+
- user2 can delete this bucket (after it is empty): although user2 is not the creator, without a bucket policy his root account is the owner so it can delete the bucket.
98
98
Note: Currently, we do not allow users to create a bucket.
99
99
100
100
### Root Accounts Manager
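Review bot: the pronoun swap in the changed bullet ("so it can delete the bucket") fixes the gendered "he" but leaves the antecedent ambiguous: "it" now most naturally reads as the root account performing the delete, while the bullet claims user2 performs it. Suggest stating the authorization rule explicitly, e.g. "user2 can delete this bucket (once it is empty): user2 is not the creator, but with no bucket policy the bucket is owned by the root account, and user2 acts under that account, so the delete is allowed." Two smaller points in the same example: "user1 upload a file" should be "user1 uploads a file", and the example shows "bucket creator: <account-id-user1>" while the note two lines below says users currently cannot create buckets; either mark the example as describing intended behaviour or change the creator so the two statements do not contradict each other.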
@@ -126,3 +126,35 @@ Here attached a diagram with all the accounts that we have in our system:
126
126
- IAM UpdateAccessKey: AccessKeyId, Status, UserName
127
127
- IAM DeleteAccessKey: AccessKeyId, UserName
128
128
- IAM ListAccessKeys: UserName (not supported: Marker, MaxItems)
129
+
130
+
## Other
131
+
### Terminology - AWS vs NooBaa
132
+
|| AWS | NooBaa |
133
+
|---|-----|--------|
134
+
|| root account | account |
135
+
|| IAM user | user |
136
+
137
+
#### Root Account / Account
138
+
- In NooBaa NC, the term "root" is associated with Linux root permission, therefore, the term "account" will be the equivalent term used for"root account".
139
+
- The account is the owner of the users that it created using the IAM API. The account owns the users and manage them (can create, read, update, delete or list them).
140
+
- The account is the owner of the buckets that were created by it or by its users.
141
+
- In AWS root accounts are only created in the console.
142
+
While in NooBaa, accounts can be created by -
143
+
1. NooBaa CLI `account add` command.
144
+
2. IAM API CreateUser operation. The requesting account must have the `iam_operate_on_root_account` property set to true. An account that has `iam_operate_on_root_account` property set to true, will operate on accounts instead of users when calling the IAM API, although it does not own them.
145
+
- In NooBaa, an account is identified by:
146
+
- Name - in the CLI we pass the account name. The account name is unique within all the accounts (you cannot create a new account with the name of an existing account).
147
+
- Access key - in S3 API and IAM API the request is signed with the requesting account credentials.
148
+
149
+
#### Identity
150
+
- In general, we manage identities - currently accounts and users - but in the future, we might support roles, groups, etc.).
151
+
152
+
#### IAM User / User
153
+
- In NooBaa we decide to omit the "IAM" from the term "IAM users" as IAM is Identity & Access Management, and we thought it would be clear enough just the term "user"in our system.
154
+
- users are individual users within an account (for a single person or application), they aren't separate accounts.
155
+
- users and their access keys have long-term credentials to the system resource, they give the ability to make programmatic requests to NooBaa service using the API or CLI.
156
+
This was partially copied from [AWS IAM Guide - Intro](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction_identity-management.html#intro-identity-users) and [AWS IAM Guide - When To Use IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/when-to-use-iam.html#security_iam_authentication-iamuser).
157
+
- In NooBaa, a user is identified by:
158
+
- Name - in the IAM API we pass the `--user-name` flag. The username is unique only under the account (not including the account name itself).
159
+
- Access key - in S3 API and IAM API the request is signed with the requesting user credentials.
160
+
- Currently, users cannot use any IAM API operations on other users.
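Review bot: the `iam_operate_on_root_account` property introduced under "Root Account / Account" lets an account create, read, update, delete and list other accounts through the IAM API "although it does not own them", which is an administrative privilege, yet the section does not say how the property is set (CLI flag, config, default value) or who may set it; since this is the one place a reader learns the property exists, the doc should state that, and that such cross-account operations are logged like the rest of the IAM API. Formatting: the terminology table rows start with `||`, which renders an empty leading column; use `| AWS | NooBaa |` and `|---|---|`. Wording: `used for"root account"` and `"user"in our system` are missing spaces, "etc.)" closes a parenthesis that was never opened, "The account owns the users and manage them" should read "manages them", "we decide to omit" should be "we decided to omit", and the two "identified by" sub-lists would read better as indented bullets. Finally, the sentence saying users and their access keys carry long-term credentials could point back to the UpdateAccessKey and DeleteAccessKey operations listed just above this section as the rotation and revocation path.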