When you use S3 protocol compatibility in Lindorm, bucket access is controlled by a permission model that maps directly to table-level permissions in LindormTable. Understanding this mapping lets you plan the minimum permissions required for each user before granting access.
Permission types
Five permission types control bucket access. You can apply them at the Table, Namespace, or Global level to control whether they affect a single bucket, all buckets in a namespace, or all buckets across the instance.
| Permission | Allowed operations |
|---|---|
| READ | listObjects, getObject, headBucket, setTagging, getLifecycle |
| WRITE | putObject, multipartUpload, setTagging, setLifecycle |
| TRASH | deleteObject, deleteTagging, deleteLifecycle |
| ADMIN | All READ, WRITE, and TRASH operations |
| SYSTEM | All READ, WRITE, and TRASH operations (equivalent to ADMIN) |
Default permissions:
The root user of LindormTable has ADMIN and SYSTEM permissions on all buckets.
Newly created users have no bucket permissions. Grant permissions explicitly before they can access any bucket.
How bucket permissions work
Each bucket maps to a table with the same name in the lfsdata namespace. Permissions on a bucket are the permissions on that corresponding table.
For example, the WRITE permission on a bucket named testbucket is the same as the WRITE permission on the table lfsdata.testbucket.
To create a bucket, a user must have the WRITE permission on the lfsdata namespace; a table-level grant on an existing bucket is not enough.
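The mapping above can be checked mechanically. The following Python model is an added example, not Lindorm code or part of this documentation: it encodes the permission table, resolves a user's effective permissions on a bucket from Table-, Namespace- and Global-level grants, and computes the smallest set of base permission types that covers a list of required S3 operations. The representation of grants as `(user, level, target, permission)` tuples and the user names in `SAMPLE_GRANTS` are constructed for illustration.

```python
"""Model of the Lindorm S3-compatibility bucket permission mapping.

Added example (not from the Lindorm documentation or product code).
The operation sets, the bucket -> lfsdata.<bucket> mapping and the
ADMIN/SYSTEM supersets follow the permission table on the page; the
grant tuple format and sample users are assumptions made here.
"""
from itertools import combinations

NAMESPACE = "lfsdata"

# Allowed operations per permission type, exactly as in the table.
PERMISSION_OPS = {
    "READ": {"listObjects", "getObject", "headBucket", "setTagging", "getLifecycle"},
    "WRITE": {"putObject", "multipartUpload", "setTagging", "setLifecycle"},
    "TRASH": {"deleteObject", "deleteTagging", "deleteLifecycle"},
}
# ADMIN and SYSTEM cover every READ, WRITE and TRASH operation.
PERMISSION_OPS["ADMIN"] = set().union(*PERMISSION_OPS.values())
PERMISSION_OPS["SYSTEM"] = set(PERMISSION_OPS["ADMIN"])
BASE_TYPES = ("READ", "WRITE", "TRASH")


def bucket_table(bucket):
    """Each bucket is the table of the same name in the lfsdata namespace."""
    return f"{NAMESPACE}.{bucket}"


def covers(perm, base):
    """True if `perm` allows at least everything `base` allows (ADMIN covers WRITE)."""
    return PERMISSION_OPS[base] <= PERMISSION_OPS[perm]


def effective_permissions(grants, user, bucket):
    """Union of the user's permission types that reach this bucket.

    `grants` is a constructed list of (user, level, target, permission):
      level "TABLE"     -> target is "lfsdata.<bucket>"
      level "NAMESPACE" -> target is the namespace name ("lfsdata")
      level "GLOBAL"    -> target is ignored
    """
    perms = set()
    for g_user, level, target, perm in grants:
        if g_user != user:
            continue
        if (level == "GLOBAL"
                or (level == "NAMESPACE" and target == NAMESPACE)
                or (level == "TABLE" and target == bucket_table(bucket))):
            perms.add(perm)
    return perms


def is_allowed(grants, user, bucket, operation):
    """True if any effective permission type lists the operation."""
    return any(operation in PERMISSION_OPS[p]
               for p in effective_permissions(grants, user, bucket))


def can_create_bucket(grants, user):
    """Bucket creation needs WRITE (or a superset) on the lfsdata namespace,
    so only Namespace-level grants on lfsdata or Global-level grants count."""
    for g_user, level, target, perm in grants:
        if g_user != user or not covers(perm, "WRITE"):
            continue
        if level == "GLOBAL" or (level == "NAMESPACE" and target == NAMESPACE):
            return True
    return False


def minimum_permissions(operations):
    """Smallest set of base types (READ/WRITE/TRASH) whose operations cover
    `operations`. Ties resolve in READ, WRITE, TRASH order, so an operation
    listed under two types (setTagging) is satisfied by READ alone."""
    needed = set(operations)
    unknown = needed - PERMISSION_OPS["ADMIN"]
    if unknown:
        raise ValueError(f"operations not covered by any permission: {sorted(unknown)}")
    for size in range(1, len(BASE_TYPES) + 1):
        for combo in combinations(BASE_TYPES, size):
            covered = set().union(*(PERMISSION_OPS[p] for p in combo))
            if needed <= covered:
                return set(combo)
    return set(BASE_TYPES)  # not reachable: all three types cover every known op


# Constructed sample grants: user1 mirrors the page's GRANT example,
# auditor has namespace-wide READ, root holds Global ADMIN.
SAMPLE_GRANTS = [
    ("user1", "TABLE", "lfsdata.testbucket", "WRITE"),
    ("auditor", "NAMESPACE", "lfsdata", "READ"),
    ("root", "GLOBAL", "", "ADMIN"),
]

if __name__ == "__main__":
    for user, bucket, op in [("user1", "testbucket", "putObject"),
                             ("user1", "testbucket", "getObject"),
                             ("auditor", "testbucket", "listObjects"),
                             ("auditor", "testbucket", "deleteObject")]:
        print(f"{user:8} {bucket:12} {op:14} -> {is_allowed(SAMPLE_GRANTS, user, bucket, op)}")
    print("user1 can create buckets:", can_create_bucket(SAMPLE_GRANTS, "user1"))
    print("uploader needs:", minimum_permissions({"putObject", "multipartUpload", "setTagging"}))
```

Two results worth noting when planning grants: a user with only WRITE on a bucket cannot read it back (getObject is a READ operation), and because setTagging appears under both READ and WRITE, either type is enough for tagging.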
Grant and revoke bucket permissions
Two methods are available:
Cluster management system: Grants Namespace- or Global-level permissions. Use this when you want to apply a permission to all buckets in a namespace at once.
Lindorm-cli: Grants Table-, Namespace-, or Global-level permissions. Use this when you need per-bucket control.
Use the cluster management system
In the cluster management system of LindormTable, you can grant a user Namespace- or Global-level permissions on buckets.
For example, granting user1 the READ permission on namespace1 gives user1 READ access to all buckets in that namespace.
Select lfsdata as the namespace when granting permissions in the cluster management system.
For detailed steps, see the "Grant permissions to a user" section in Permission management for access control.
Use Lindorm-cli with GRANT and REVOKE
Lindorm-cli lets you run GRANT or REVOKE statements for Table-, Namespace-, or Global-level permissions, giving you per-bucket control.
Connect to LindormTable using Lindorm-cli. For connection instructions, see Use Lindorm-cli to connect to and use LindormTable.
Grant WRITE permission on a specific bucket to user1:
```sql
GRANT WRITE ON TABLE lfsdata.testbucket TO user1;
```
Revoke all permissions on a namespace from user1:
```sql
REVOKE ADMIN ON SCHEMA lfsdata FROM user1;
```