frostfs-s3-gw/docs/aws_s3_compat.md
Denis Kirillov fbe7a784e8 [#301] Support GetBucketPolicyStatus
Signed-off-by: Denis Kirillov <d.kirillov@yadro.com>
2024-03-28 09:13:25 +03:00

S3 API support

Reference:

Legend
🟢 Supported
🟡 Partially supported
🔵 Not supported yet, but will be in the future
🔴 Not applicable or will never be supported

Object

Method Comments
🟢 CopyObject Done on gateway side
🟢 DeleteObject
🟢 DeleteObjects aka DeleteMultipleObjects
🟢 GetObject
🔴 GetObjectTorrent We don't plan to implement a BT gateway
🟢 HeadObject
🟢 ListParts Parts loaded with MultipartUpload
🟢 ListObjects
🟢 ListObjectsV2
🟢 PutObject Content-MD5 header deprecated
🔵 SelectObjectContent Need to have some Lambda to execute SQL
🔵 WriteGetObjectResponse Waiting for Lambda to be developed
🟢 GetObjectAttributes

ACL

For now there are some limitations:

  • Bucket policy supports only one Principal per Statement. Principal must be "AWS": "*" (to refer to all users) or "CanonicalUser": "0313b1ac3a8076e155a7e797b24f0b650cccad5941ea59d7cfd51a024a8b2a06bf" (hex-encoded public key of the desired user).
  • Resource in bucket policy is an array. Each item MUST contain the bucket name and CAN contain an object name (wildcards are not supported):
{
  "Statement": [
    {
      "Resource": [
        "arn:aws:s3:::bucket",
        "arn:aws:s3:::bucket/some/object"
      ]
    }
  ]
}
  • AWS conditions and wildcards are not supported in resources.
  • Only CanonicalUser (with a hex-encoded public key) and the All Users group are supported in ACLs.

Method Comments
🟡 GetObjectAcl See Limitations
🟡 PutObjectAcl See Limitations

Locking

For now there are some limitations:

  • The retention period can't be shortened, only extended.
  • You can't delete locks or objects with an unexpired lock.

Method Comments
🟡 GetObjectLegalHold
🟢 GetObjectLockConfiguration GetBucketObjectLockConfig
🟡 GetObjectRetention
🟡 PutObjectLegalHold
🟢 PutObjectLockConfiguration PutBucketObjectLockConfig
🟡 PutObjectRetention

Multipart

CompleteMultipartUpload operations may take a long time to complete. The gateway sends whitespace characters to keep the connection with the client alive. In this case the response has already begun, so the gateway is unable to set proper HTTP headers such as X-Amz-Version-Id.

Method Comments
🟢 AbortMultipartUpload
🟢 CompleteMultipartUpload
🟢 CreateMultipartUpload
🟢 ListMultipartUploads
🟢 ListParts
🟢 UploadPart
🟢 UploadPartCopy

Tagging

Method Comments
🟢 DeleteObjectTagging
🟢 GetObjectTagging
🟢 PutObjectTagging

Versioning

See also GetObject and other method parameters.

Method Comments
🟢 ListObjectVersions ListBucketObjectVersions
🔵 RestoreObject

Bucket

Method Comments
🟢 CreateBucket PutBucket
🟢 DeleteBucket
🟢 GetBucketLocation
🟢 HeadBucket
🟢 ListBuckets
🔵 PutPublicAccessBlock

Acceleration

Method Comments
🔴 GetBucketAccelerateConfiguration GetBucketAccelerate
🔴 PutBucketAccelerateConfiguration

ACL

Method Comments
🟡 GetBucketAcl See ACL limitations
🟡 PutBucketAcl See ACL limitations

Analytics

Method Comments
🔵 DeleteBucketAnalyticsConfiguration
🔵 GetBucketAnalyticsConfiguration
🔵 ListBucketAnalyticsConfigurations
🔵 PutBucketAnalyticsConfiguration

CORS

Method Comments
🟢 DeleteBucketCors
🟢 GetBucketCors
🟢 PutBucketCors

Encryption

Method Comments
🔵 DeleteBucketEncryption
🔵 GetBucketEncryption
🔵 PutBucketEncryption

Inventory

Method Comments
🔵 DeleteBucketInventoryConfiguration
🔵 GetBucketInventoryConfiguration
🔵 ListBucketInventoryConfigurations
🔵 PutBucketInventoryConfiguration

Lifecycle

Method Comments
🔵 DeleteBucketLifecycle
🔵 GetBucketLifecycle
🔵 GetBucketLifecycleConfiguration
🔵 PutBucketLifecycle
🔵 PutBucketLifecycleConfiguration

Logging

Method Comments
🔵 GetBucketLogging
🔵 PutBucketLogging

Metrics

Method Comments
🔵 DeleteBucketMetricsConfiguration
🔵 GetBucketMetricsConfiguration
🔵 ListBucketMetricsConfigurations
🔵 PutBucketMetricsConfiguration

Notifications

Method Comments
🔵 GetBucketNotification
🔵 GetBucketNotificationConfiguration
🔵 ListenBucketNotification non-standard?
🔵 PutBucketNotification
🔵 PutBucketNotificationConfiguration

Ownership controls

Method Comments
🔵 DeleteBucketOwnershipControls
🔵 GetBucketOwnershipControls
🔵 PutBucketOwnershipControls

Policy and replication

Bucket policy has the following limitations:

  • Supports only AWS principals in the format arn:aws:iam::<namespace>:user/<user> or the wildcard *.
  • No complex conditions (only conditions for groups are supported now).

Simple valid policy example:

{
	"Version": "2012-10-17",
	"Statement": [{
		"Principal": {"AWS": ["arn:aws:iam::111122223333:role/JohnDoe"]},
		"Effect": "Allow",
		"Action": ["s3:GetObject","s3:GetObjectVersion"],
		"Resource": ["arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"]
	}]
}

Bucket policy status is determined using the following scheme:

  • If the policy has a statement whose principal is the wildcard (*), the policy is considered public.
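
The status rule above can be checked against a policy document before it is applied. The following is an added example, not code from the gateway: `hasWildcard` and `PublicStatements` are hypothetical names, and the check implements only the rule as stated here (a wildcard principal in any statement), ignoring Effect and conditions because the scheme does not mention them.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// hasWildcard walks a decoded Principal: "*", a list, or a map like {"AWS": ["*"]}.
func hasWildcard(v any) bool {
	switch p := v.(type) {
	case string:
		return p == "*"
	case []any:
		for _, e := range p {
			if hasWildcard(e) {
				return true
			}
		}
	case map[string]any:
		for _, e := range p {
			if hasWildcard(e) {
				return true
			}
		}
	}
	return false
}

// PublicStatements returns indexes of statements with a wildcard principal.
func PublicStatements(raw []byte) ([]int, error) {
	var p struct {
		Statement []struct{ Principal any }
	}
	if err := json.Unmarshal(raw, &p); err != nil {
		return nil, fmt.Errorf("parse policy: %w", err)
	}
	var idx []int
	for i, s := range p.Statement {
		if hasWildcard(s.Principal) {
			idx = append(idx, i)
		}
	}
	return idx, nil
}

func main() {
	// Constructed sample: statement 0 names a user, statement 1 is the wildcard.
	sample := `{"Statement":[{"Principal":{"AWS":["arn:aws:iam::ns:user/alice"]}},{"Principal":{"AWS":"*"}}]}`
	fmt.Println(PublicStatements([]byte(sample)))
}
```

A non-empty result means GetBucketPolicyStatus would be expected to report the policy as public under the documented scheme; the returned indexes point at the statements to review.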
Method Comments
🟡 DeleteBucketPolicy See Policy limitations
🔵 DeleteBucketReplication
🔵 DeletePublicAccessBlock
🟡 GetBucketPolicy See Policy limitations
🟡 GetBucketPolicyStatus
🔵 GetBucketReplication
🟢 PostPolicyBucket Upload file using POST form
🟡 PutBucketPolicy See Policy limitations
🔵 PutBucketReplication

Request payment

Method Comments
🔴 GetBucketRequestPayment
🔴 PutBucketRequestPayment

Tagging

Method Comments
🟢 DeleteBucketTagging
🟢 GetBucketTagging
🟢 PutBucketTagging

Tiering

Method Comments
🔵 DeleteBucketIntelligentTieringConfiguration
🔵 GetBucketIntelligentTieringConfiguration
🔵 ListBucketIntelligentTieringConfigurations
🔵 PutBucketIntelligentTieringConfiguration

Versioning

Method Comments
🟢 GetBucketVersioning
🟢 PutBucketVersioning

Website

Method Comments
🔵 DeleteBucketWebsite
🔵 GetBucketWebsite
🔵 PutBucketWebsite