A comma separated list of full paths that clients may access. Each path may be prefixed by R and/or W, denoting read or write access, or N to explicitly deny access to a path. If a given path is a directory, all contents and subdirectories will be given the same access. Order of paths does not matter -- the permissions on the longest matching path will apply. The special character '~' will be replaced by the authenticated user's home directory, and * may be used for simple wildcard matching.
By default all paths are allowed, and access control is handled by the OS.
Examples:
Allow read access to /data and full access to the user's home directory:
RestrictPaths = RW~,R/data
Allow full access to the home directory, but deny hidden files there:
RestrictPaths = RW~,N~/.*
and this -
The --restrict-paths option can be used to place further access restrictions on how directories located in the storage system for which the storage gateway is configured can be accessed. Paths are specified in a comma separated list prefixed by the access permission permitted for the path as given by: R(read), RW(read/write), or N(no access).
For example, consider a storage gateway rooted at /data that the storage gateway creator wants to make available to users generally read/write. Let us also assume that there is a directory /data/static that the creator of the storage gateway wants to make accessible in a read-only manner. Let us further say that there is a /data/secret directory that the storage gateway creator does not want to be accessible via this storage gateway at all. This could be accomplished by setting the --restrict-paths option to RW/data,R/data/static,N/data/secret.
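A small evaluator for the rule semantics described in both passages above (R/W/N prefixes, '~' expansion, simple '*' wildcard, longest matching path wins), added here as an illustration; it is not code from Globus or the GridFTP server. It assumes that every entry carries a prefix, that '*' matches within a single path component, and that a path matching no rule is denied; the page states none of those details explicitly.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    path: str    # rule path after '~' expansion, may contain '*'
    read: bool
    write: bool

def parse_restrict_paths(spec: str, home: str) -> list[Rule]:
    """Parse 'RW~,R/data,N~/.*' into Rules; '~' becomes the user's home."""
    rules = []
    for entry in spec.split(","):
        m = re.fullmatch(r"(RW|WR|R|W|N)([~/].*)", entry.strip())
        if m is None:  # assumption: each entry must carry a prefix (not stated on the page)
            raise ValueError(f"malformed RestrictPaths entry: {entry!r}")
        perm, path = m.groups()
        if path.startswith("~"):
            path = home.rstrip("/") + path[1:]
        rules.append(Rule(path, read="R" in perm, write="W" in perm))
    return rules

def _matches(rule_path: str, path: str) -> bool:
    """True if path is the rule path itself or lies beneath it (a directory
    rule covers its contents). Assumption: '*' matches any run of characters
    within one path component."""
    pattern = "".join("[^/]*" if ch == "*" else re.escape(ch) for ch in rule_path)
    return re.fullmatch(pattern + r"(/.*)?", path) is not None

def effective_access(rules: list[Rule], path: str) -> tuple[bool, bool]:
    """Return (read, write) for path. The longest matching rule path wins,
    whatever order the rules were written in. A path matching no rule is
    treated as denied (assumption; the page only says that with the option
    unset everything is allowed)."""
    best = None
    for rule in rules:
        if _matches(rule.path, path) and (best is None or len(rule.path) > len(best.path)):
            best = rule
    return (best.read, best.write) if best else (False, False)

if __name__ == "__main__":
    home = "/home/alice"  # constructed sample home directory
    for spec, probe in [("RW~,N~/.*", "/home/alice/.ssh/id_rsa"),
                        ("RW/data,R/data/static,N/data/secret", "/data/static/readme")]:
        print(spec, probe, effective_access(parse_restrict_paths(spec, home), probe))
```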
The --users-deny option is used to specify a list of local user accounts that are explicitly forbidden from creating collections using this storage gateway. Users are specified as a comma separated list. This option takes precedence over the --users-allow, --groups-deny, and --groups-allow options.
The --users-allow option is used to specify the complete list of local users that are allowed to create collections using this storage gateway. If --users-allow is used, only the specified local accounts are permitted to create collections via this gateway. Users are specified as a comma separated list. This option takes precedence over the --groups-deny and --groups-allow options, but is overridden by --users-deny.
The --groups-deny option is used to specify a list of local groups whose members are explicitly forbidden from creating collections using this storage gateway. Groups are specified as a comma separated list. This option takes precedence over the --groups-allow option but is overridden by --users-deny and --users-allow.
The --groups-allow option is used to specify the complete list of local groups whose members are allowed to create collections using this storage gateway. If --groups-allow is used, only members of the specified groups are permitted to create collections via this gateway. Groups are specified in a comma separated list. This option is overridden by --users-deny, --users-allow, and --groups-deny.