- Notes, cautions, and warnings
- S3
- Amazon S3 API support in ECS
- S3 API supported and unsupported features
- Bucket policy support
- Object Tagging
- S3 Object Lock
- Object lifecycle management
- S3 Extensions
- Metadata Search
- S3 and Swift Interoperability
- Create and manage secret keys
- Authenticating with the S3 service
- Using s3curl with ECS
- Use SDKs to access the S3 service
- ECS S3 error codes
- Hadoop S3A for ECS
- Enabling data2 IP in ECS S3
- Cloud DVR
- ECS IAM for S3
- OpenStack Swift
- EMC Atmos
- CAS
- Setting up CAS support in ECS
- Cold Storage
- Compliance
- CAS retention in ECS
- Advanced retention for CAS applications: event-based retention, litigation hold, and the min/max governor
- Set up namespace retention policies
- Create and set up a bucket for a CAS user
- Set up a CAS object user
- Set up bucket ACLs for CAS
- ECS Management APIs that support CAS users
- Content Addressable Storage (CAS) SDK API support
- ECS CAS error codes
- Enabling data2 IP in CAS
- ECS Management REST API
- ECS HDFS
- ECS HDFS Introduction
- Configuring Hadoop to use ECS HDFS
- Hadoop authentication modes
- Migration from a simple to a Kerberos Hadoop cluster
- File system interaction
- Supported Hadoop applications
- Integrate a simple Hadoop cluster with ECS HDFS
- Install Hortonworks HDP using Ambari
- Create a bucket for HDFS using the ECS Portal
- Plan the ECS HDFS and Hadoop integration
- Obtain the ECS HDFS installation and support package
- Deploy the ECS HDFS Client Library
- Configure ECS client properties
- Set up Hive
- Verify Hadoop access to ECS
- Secure the bucket
- Relocate the default file system from HDFS to an ECS bucket
- Integrate a secure Hadoop cluster with ECS HDFS
- Verify that AD/LDAP is correctly configured with a secure Hadoop cluster
- Pig test fails: unable to obtain Kerberos principal
- Permission denied for AD user
- Permissions errors
- Failed to process request
- Enable Kerberos client-side logging and debugging
- Debug Kerberos on the KDC
- Eliminate clock skew
- Configure one or more new ECS nodes with the ECS service principal
- Workaround for Yarn directory does not exist error
- Set up the Kerberos KDC
- Configure AD user authentication for Kerberos
- Secure bucket metadata
- Hadoop core-site.xml properties for ECS HDFS
- Hadoop core-site.xml properties for ECS S3
- External key management
- Document feedback
ECS 3.6.2 Data Access Guide
ECS IAM supported condition keys
ECS IAM supports the following condition keys:
| Global condition keys | Type | Description |
|---|---|---|
| aws:CurrentTime | Date | To check for date and time conditions |
| aws:EpochTime | Date | To check for date and time conditions using a date in epoch or UNIX time |
| aws:PrincipalArn | ARN | Checks the ARN of the IAM user or role that made the request. |
| aws:UserAgent | String | To check the client application of the requestor. |
| aws:PrincipalTag/ tag-key | String | Checks that the tag attached to the principal making the request matches the specified key name and value. |
| aws:RequestTag/ tag-key | String | Checks that the tag key-value pair is present in an AWS request. |
| aws:ResourceTag/ tag-key | String | Checks that the tag key-value pair is attached to the resource. |
| aws:SourceIp | IpAddr | To check the IP address of the requester |
| aws:TagKeys | String,
ForAllValues:String ForAnyValue: String |
This context key is a list of tag keys without values |
| aws:TokenIssueTime | Date | Checks the date and time that temporary security credentials were issued. |
| aws:principaltype | String | Indicates the type of principal making the request.
|
| aws:userid | String | Based on authorized user access is set to the following:
|
| aws:username | String | Based on authorized user access, if requester is an IAM user, it is set to the IAM username otherwise it is not set. |
| IAM condition keys | Type | Description |
|---|---|---|
| iam:PermissionsBoundary | String | Checks that the specified policy is attached as permissions boundary on the IAM principal resource. |
| iam:PolicyARN | ARN | Checks the ARN of a managed policy in requests that involve a managed policy. |
| iam:ResourceTag/ key-name | String | Checks that the tag attached to the IAM entity (user or role) matches the specified key name and value. |
| STS and SAML condition keys | Type | Description |
|---|---|---|
| saml:aud | String | An endpoint URL to which SAML assertions are presented. The value for this key comes from the SAML Recipient field in the assertion, not the Audience field. |
| saml:edupersonorgdn | String | This is an eduPerson attribute in SAML assertion. |
| saml:iss | String | The issuer, which is represented by a URN. |
| saml:namequalifier | String | This contains a hash value that represents the combination of the saml:doc and saml:iss values. It is used as a namespace qualifier; the combination of saml:namequalifier and saml:sub uniquely identifies a user. |
| saml:sub | String | This is the subject of the claim, which includes a value that uniquely identifies an individual user within an organization. |
| saml:sub_type | String | This key can have the value persistent , transient , or consist of the full Format URI from the Subject and NameID elements used in your SAML assertion. A value of persistent indicates that the value in saml:sub is the same for a user between sessions. If the value is transient , the user has a different saml:sub value for each session. |
| S3 condition keys | Description |
|---|---|
| s3:x-amz-acl | Specifies the canned ACL in the request. |
| s3:x-amz-grant- permission | Specifies
permission for the following access.
|
| s3:x-amz-copy-source | Enables restricting copy source to a specific bucket, folder, or object. |
| s3:x-amz-metadata-directive | Specifies certain behavior to be enforced during object uploads (COPY vs REPLACE). |
| s3:x-amz-server-side-encryption | Specifies that the request should contain this header to ensure that the uploads are stored encrypted. |
| s3:VersionId | Limits access to specific versions of object. |
| s3:LocationConstraint | Using this condition key, you can restrict a user to create a bucket in a specific AWS Region. |
| s3:delimiter | Used to require the requester to specify delimiter parameter. |
| s3:max-keys | Limits ListBucket requests to the set s3:max-keys value. |
| s3:prefix | Limits ListBucket and ListBucketVersions to specific prefix. |
| s3:ExistingObjectTag/ <tag-key> | Using this condition key, you can limit the permission for the s3:PutObjectAcl action to only on objects that have a specific tag key and value. |
| s3:RequestObjectTagKeys | Using this condition key, you can limit permission for the s3:PutObject action by restricting the object tags allowed in the request. |
| s3:RequestObjectTag/ <tag-key> | Using this condition key, you can limit permission for the s3:PutObject action by restricting the object tags allowed in the request. |
Please provide ratings (1-5 stars).
Please provide ratings (1-5 stars).
Please provide ratings (1-5 stars).
Please select whether the article was helpful or not.
Comments cannot contain these special characters: <>()\