04/02/2024 | Press release | Distributed by Public on 04/02/2024 12:08
Today, we're announcing the general availability of object-level granular access controls for the Oracle Cloud Infrastructure (OCI) Object Storage service in all commercial regions. With Object Identity and Access Management (IAM), you can now set access control policies at an object level and enable workloads, such as Hadoop, data lakes, and internet of things (IoT), that share a single bucket with millions of objects with multiple applications.
You can create access control policies at the bucket level and manage access to all objects in the bucket. However, workloads like Hadoop often write millions of objects into a few large buckets that are then accessed and processed by dozens to hundreds of higher-level applications and users. Each of these applications and users requires a unique set of access privileges for individual objects. Now, with Object IAM, you can create access control policies that govern permissions at the granularity of a single object and specify which operations are allowed for each user or application.
Object IAM enables the following features:
A large data lake customer can use this functionality with the following strategy. For example, suppose you have three different datasets (directories, or object names that share a common pattern) in a shared bucket, and different users and groups need different levels of access to that data, which can change over time:
Object Storage administrators can now set up object-level policies for a bucket from the Oracle Cloud Console or by using the CLI, API, or Terraform. The process to create object-level policies is the same as that for bucket-level policies. The new IAM policy variable target.object.name enables you to apply authorization and permissions to individual objects.
Policies only allow access; they can't deny access. Denial of access is implicit, which means that by default, users can do nothing and must be granted access through policies. If no Object IAM policies exist, users have access based on policies set at the compartment or bucket level. The policies are cumulative and inherited down: Compartment, Bucket, then Object.
To create a new policy or manage an existing policy, use the following steps:
In addition to viewing and editing an existing policy, you can also delete it.
Policy statements always begin with the word Allow. See the following examples:
After a policy is configured, it enables object-level access control. In most cases, policies become active within five minutes. Policy authorization is evaluated when a request arrives for an object, so a policy change applies after the policy has been propagated. Object IAM policies apply to both existing and new objects.
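The evaluation rules above (statements only ever Allow, denial is implicit, and compartment-, bucket- and object-scoped grants accumulate) are easiest to see in action. The following is an added example and not Oracle's policy engine or any code from this release: a small Python evaluator for a constructed subset of the policy language, covering Allow statements on objects with optional target.bucket.name and target.object.name conditions. The group names, compartment name, bucket names and object prefixes are constructed, and the `where all {...}` form and the `/pattern/` wildcard syntax are assumed to behave as they do for other OCI target variables.

```python
"""Toy evaluator for OCI-style Object IAM policy statements.

Constructed example: this is NOT Oracle's policy engine. It handles a small
subset of the policy language so that the allow-only, implicit-deny and
cumulative (compartment -> bucket -> object) semantics can be exercised
offline against constructed statements and requests.
"""
import re
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional, Tuple

# OCI verb hierarchy: each verb includes the permissions of the ones before it.
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}

# Supported statement shape (assumption: a subset of the real grammar):
#   Allow group <group> to <verb> objects in compartment <compartment>
#       [where <condition> | where all {<condition>, <condition>}]
# with <condition> being  target.bucket.name = '<literal>'   (exact match)
#                     or  target.object.name = /<pattern>/   (* matches any run of characters)
STATEMENT_RE = re.compile(
    r"^Allow group (?P<group>\S+) to (?P<verb>inspect|read|use|manage) objects "
    r"in compartment (?P<compartment>\S+)(?: where (?P<where>.+))?$"
)
CONDITION_RE = re.compile(
    r"^(?P<var>target\.(?:bucket|object)\.name)\s*=\s*(?:'(?P<lit>[^']*)'|/(?P<pat>.*)/)$"
)

Spec = Tuple[str, str]  # ("lit", exact value) or ("pat", wildcard pattern)


@dataclass
class Statement:
    group: str
    verb: str
    compartment: str
    bucket: Optional[Spec] = None          # None => any bucket in the compartment
    object_name: Optional[Spec] = None     # None => any object in the bucket


def parse_statement(text: str) -> Statement:
    """Parse one Allow statement; anything outside the supported subset is rejected."""
    m = STATEMENT_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported statement: {text!r}")
    stmt = Statement(m["group"], m["verb"], m["compartment"])
    where = (m["where"] or "").strip()
    if not where:
        return stmt
    if where.startswith("all {") and where.endswith("}"):
        conditions = [c.strip() for c in where[len("all {"):-1].split(",")]
    else:
        conditions = [where]
    for cond in conditions:
        c = CONDITION_RE.match(cond)
        if not c:
            raise ValueError(f"unsupported condition: {cond!r}")
        spec: Spec = ("lit", c["lit"]) if c["lit"] is not None else ("pat", c["pat"])
        if c["var"] == "target.bucket.name":
            stmt.bucket = spec
        else:
            stmt.object_name = spec
    return stmt


def _holds(value: str, spec: Optional[Spec]) -> bool:
    """A missing condition always holds; a literal must match exactly; a pattern uses * wildcards."""
    if spec is None:
        return True
    kind, text = spec
    return value == text if kind == "lit" else fnmatchcase(value, text)


def statement_matches(stmt, group, verb, compartment, bucket, object_name) -> bool:
    """A statement grants the request only if every one of its conditions holds."""
    return (
        stmt.group == group
        and stmt.compartment == compartment
        and VERB_RANK[verb] <= VERB_RANK[stmt.verb]
        and _holds(bucket, stmt.bucket)
        and _holds(object_name, stmt.object_name)
    )


def is_allowed(statements, group, verb, compartment, bucket, object_name) -> bool:
    """Allow-only evaluation: granted iff some statement matches; no statement can deny."""
    return any(statement_matches(s, group, verb, compartment, bucket, object_name)
               for s in statements)


# Constructed policy: compartment-, bucket- and object-scoped grants over one shared bucket.
POLICY_TEXT = [
    "Allow group DataLakeAdmins to manage objects in compartment DataLake",
    "Allow group Analysts to read objects in compartment DataLake "
    "where target.bucket.name = 'public-datasets'",
    "Allow group SalesApp to read objects in compartment DataLake "
    "where all {target.bucket.name = 'shared-lake', target.object.name = /sales/*/}",
    "Allow group IoTIngest to manage objects in compartment DataLake "
    "where all {target.bucket.name = 'shared-lake', target.object.name = /telemetry/*/}",
]
POLICY = [parse_statement(s) for s in POLICY_TEXT]

if __name__ == "__main__":
    requests = [
        ("SalesApp", "read", "DataLake", "shared-lake", "sales/2024/q1.parquet"),
        ("SalesApp", "read", "DataLake", "shared-lake", "telemetry/device-1.json"),
        ("SalesApp", "manage", "DataLake", "shared-lake", "sales/2024/q1.parquet"),
        ("IoTIngest", "manage", "DataLake", "shared-lake", "telemetry/device-1.json"),
        ("Analysts", "read", "DataLake", "shared-lake", "sales/2024/q1.parquet"),
        ("DataLakeAdmins", "read", "DataLake", "shared-lake", "telemetry/device-1.json"),
        ("Contractors", "read", "DataLake", "shared-lake", "sales/2024/q1.parquet"),
    ]
    for req in requests:
        print("ALLOW" if is_allowed(POLICY, *req) else "DENY ", *req)
```

Running the block prints one decision per constructed request. The points to notice are that the Contractors group, which appears in no statement, is denied without any deny rule; that SalesApp can read but not manage under the sales/ prefix and cannot reach telemetry/ at all; and that the compartment-wide DataLakeAdmins grant covers every object in the shared bucket regardless of the narrower object-level statements, because grants accumulate rather than override one another.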
You can now help improve your security posture with granular control that allows access to an individual object or set of objects by a specific user or group. You can start using this feature by simply adding an IAM policy at the object level using the new variable, target.object.name. This variable has no impact on customers' workloads that depend on high performance from OCI Object Storage.
If you're not yet using Oracle Cloud Infrastructure, you can sign up for a free trial.
For more information, see the following resources: