SAVE AS PDF
Lyve Cloud Account API version 2 Guide
Lyve Cloud Account API version 2 

Was this content helpful?

Creating Permissions

Permissions control access to buckets and define which actions the service accounts can perform on a bucket.

Bucket permission and Policy permission are two options available for granting permission to your buckets.

  • Bucket permission: Bucket permission is used to set Read onlyWrite only, or All operations permission for selected buckets. Using Bucket permissions, you can grant access permissions to your bucket and the objects in the bucket. Only the admin and storage admin can associate permissions for the buckets. The permissions attached to the bucket apply to all of the objects in the bucket. For more information, see Managing bucket access permissions.
  • Policy permission: Policy permissions are used to manage bucket-level permission by uploading a JSON file. You can also import a file compatible with the AWS IAM policy file. Using the Policy permission, you can allow or deny requests at a granular level based on the elements in the policy, resources, and aspects or conditions of the request. For more information, see Creating policy permissions.

Creating new permissions

You can create bucket permissions without any buckets in the account only if you apply permission to all buckets in the account or all buckets with a prefix.

Apply permission types using the type parameter.

  • One or more existing buckets: Choose one or more from the bucket list.
  • All buckets in this account with a prefix: The bucket names must use the same few initial characters. For example, if four unique buckets for customer01 are created, such as customer01rawdata, customer01zipdata, customer01media and customer01, enter a prefix of the bucket names to assign and apply the permission. In this case, use the same beginning characters for each bucket for our prefix, customer01.
  • All buckets in the account: Apply permission to all current and future buckets in the account.
  • Policy: Upload or import a JSON file compatible with the AWS IAM policy file. Specify the details of the permission at a granular level.

Apply actions using the action parameter.

  • All Operations: This option allows to perform all operations on all buckets meeting the conditions applied using the type parameter.
  • Read only: This option allows you to perform a read only operation on all buckets meeting the condition applied using the type parameter.
  • Write only: This option allows you to write objects without reading them back on all buckets meetings the conditions applied using the type parameter.

Using the Policy permission file

In the example below, the policy permission has three statements:

  • Statement 1: Allows object listing with a prefix in the bucket. It is done using a Condition element.
  • Statement 2: Allows read and write operations for objects with the prefix in the bucket.
  • Statement 3: Denies delete object operation.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "statement1",
      "Action": [
        "s3:ListBucket"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::mybucket"
      ],
      "Condition": {
        "StringLike": {
          "s3:prefix": [
            "David/*"
          ]
        }
      }
    },
    {
      "Sid": "statement2",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::mybucket/David/*"
      ]
    },
    {
      "Sid": "statement3",
      "Action": [
        "s3:DeleteObject"
      ],
      "Effect": "Deny",
      "Resource": [
        "arn:aws:s3:::mybucket/David/*",
        "arn:aws:s3:::mycorporatebucket/share/marketing/*"
      ]
    }
  ]
}

The following example illustrates creating a policy permission file using Account API.

{
"name":"permission_name",
"description":"Test data",
"type":"policy",
"policy":"{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"statement15feb1\",\"Effect\":\"Allow\",\"Action\":[\"s3:*\"],\"Resource\":[\"arn:aws:s3:::*/*\"]}]}"
}

Request

The POST request creates controlled access to the buckets and defines actions the service account can perform on the specified buckets in the account.

POST/permissions

Body parameter

{
  "name": "string", 
  "description": "string", 
  "type": "all-buckets", 
  "actions": "all-operations", 
  "prefix": "string", 
  "buckets": [ "string" ], 
  "policy": {}
}

Parameters

Name In Type Required Description
name body string true Name of the permission.The name allows only alphanumeric, '-', '_' or spaces. Maximum length is 128 characters.
description body string true Description of the permission.Maximum length is 1000 characters.
type body string true The values for the permission type can be:
  • all-buckets: The permission is applied to all the existing and new buckets in the account.When you select the type as all-buckets , the parameters prefix, buckets, and policy are not part of the request.
  • bucket-prefix: Specify a string of characters at the beginning of the bucket's name as a prefix to apply for permission.When you select the type as bucket-prefix, the parameters buckets and policy are not part of the request.
  • bucket-names: The permission is applied to the specified bucket names.When you select the type as bucket-names, the parameters prefix and policy are not part of the request.
  • policy: Permission is applied based on the policy permission file. For more information, see the section called “Using the Policy permission file”.When you select the type as policy, the parameters action, prefix, and buckets are not part of the request.
actions body string false The values for the actions can be:
  • all-operations: Allows you to perform all operations.
  • read-only: Allows you to perform a read only operation on one or more selected buckets and their objects.
  • write-only: Allows you to write objects into the selected buckets without reading them back.
These values are applied to the permission type.
prefix body string false Prefix of your bucket names to assign and apply the permission based on the permission type bucket-prefix.
buckets body [string] false Specify one or more bucket names based on permission type bucket-names.
policy body object false The policy file is based on permission type policy.

Code samples

Go

    package main

    import (
        "bytes"
        "net/http"
    )

    func main() {
        headers := map[string][]string{
            "Content-Type": []string{
                "application/json",
            },
            "Accept": []string{
                "application/json",
            },
            "Authorization": []string{
                "Bearer {access-token}",
            },
        }

        jsonReq := `{"key":"value"}` // replace with your JSON request
        data := bytes.NewBuffer([]byte(jsonReq))
        req, err := http.NewRequest("PUT", "https://api.lyvecloud.seagate.com/v2/permissions/", data)
        if err != nil {
            // handle error
        }
        req.Header = headers

        client := &http.Client{}
        resp, err := client.Do(req)
        if err != nil {
            // handle error
        }
        // handle response _ = resp }

Java

    import java.net.HttpURLConnection;
    import java.net.URL;
    import java.io.BufferedReader;
    import java.io.InputStreamReader;
    import java.io.OutputStream;

    public class Main {
        public static void main(String[] args) {
            try {
                URL obj = new URL("https://api.lyvecloud.seagate.com/v2/permissions/");
                HttpURLConnection con = (HttpURLConnection) obj.openConnection();
                con.setRequestMethod("PUT");
                
                // For a PUT request, we need to send data
                con.setDoOutput(true);
                String jsonInputString = "{\"key\": \"value\"}"; // replace with your actual JSON data
                try(OutputStream os = con.getOutputStream()) {
                    byte[] input = jsonInputString.getBytes("utf-8");
                    os.write(input, 0, input.length);           
                }
                
                int responseCode = con.getResponseCode();
                BufferedReader in = new BufferedReader(new InputStreamReader(con.getInputStream()));
                String inputLine;
                StringBuffer response = new StringBuffer();
                while ((inputLine = in.readLine()) != null) {
                    response.append(inputLine);
                }
                in.close();
                System.out.println(response.toString());
            } catch (Exception e) { e.printStackTrace(); } } }

JavaScript

    const inputBody = `{
        "name": "string",
        "description": "string",
        "type": "all-buckets",
        "actions": "all-operations",
        "prefix": "string",
        "buckets": ["string"],
        "policy": {}
    }`;

    const headers = {
        'Content-Type': 'application/json',
        'Accept': 'application/json',
        'Authorization': 'Bearer {access-token}'
    };

    fetch('https://api.lyvecloud.seagate.com/v2/permissions/', {
        method: 'PUT',
        body: inputBody,
        headers: headers
    })
    .then(function(res) {
        return res.json();
    }).then(function(body) { console.log(body); });

Python

    import requests
    headers = {
        'Content-Type': 'application/json',
        'Accept': 'application/json',
        'Authorization': 'Bearer {access-token}'
    }
    r = requests.put('https://api.lyvecloud.seagate.com/v2/permissions/', headers=headers) print(r.json())

Ruby

    require 'rest-client'
    require 'json'

    headers = {
        'Content-Type' => 'application/json',
        'Accept' => 'application/json',
        'Authorization' => 'Bearer {access-token}'
    }

    data = {
        "name" => "string",
        "description" => "string",
        "type" => "all-buckets",
        "actions" => "all-operations",
        "prefix" => "string",
        "buckets" => ["string"],
        "policy" => {}
    }

    result = RestClient.put 'https://api.lyvecloud.seagate.com/v2/permissions/', data.to_json, headers: headers

    p JSON.parse(result)
  

Responses

Status Code Description Return JSON Payload
200 OK

The request to create permission was successfully submitted.

Note—There might be a few seconds difference between the time the successful response is received and when the action is completed, as some regions may still process the create permission request.
{
  "id": "string"
}
400 Bad Request.

The request is invalid and has invalid permission information.
{
  "code": "string",
  "message": "string"
}
code message
ExpiredToken Token expired.
InvalidToken Token is not valid.
InvalidArgument This error might occur for the following reasons:
  • One or more of the specified arguments was not valid.
  • The request was missing an argument.
403 Forbidden

The account has no services enabled.
{
  "code": "string",
  "message": "string"
}
code message
NoServiceAvailable The account has no services enabled for it.
409 The permission name already exists.
{
  "code": "string",
  "message": "string"
}
code message
PermissionNameAlreadyExists The permission name is already in use. Please use a different name.
500 The server encountered an internal error.
{
  "code": "string",
  "message": "string"
}
code message
InternalError The server encountered an internal error. Please retry the request.
503 Service Unavailable
{
  "code": "string",
  "message": "string"
}
code message
ServiceNotReady The server is not ready to handle the request. Please retry the request later.