Docroot Restriction for URI Paths

If you are using IBM Aspera Files or Aspera On Demand with Console to transfer files to and from cloud storage, you must configure a docroot restriction on your cloud-based transfer server instead of a docroot absolute path. A configuration with both a docroot absolute path (docrooted user) and a restriction is not supported.

The primary purpose of restrictions is to allow access to certain storage (for example, Amazon S3) for clients that have their own storage credentials. A docroot restriction limits the files a client is allowed to access for browsing and transfers. Files are rejected unless they match any restrictions that are present.

Restriction Syntax

Restrictions work for URI paths and are processed in the following order:

  1. If a restriction starts with "!", any files that match are rejected.
  2. If a restriction does not start with a "!", any files that match are kept.
  3. If any restrictions other than "!" exist, and the file does not match any of them, the file is rejected.
  4. Files that fail restrictions during directory iteration are ignored as if they do not exist.

Restriction syntax is specific to the storage:

Storage Type Format Example
local storage file:////*
S3 and IBM Cloud Object Storage (Cleversafe) s3://*
Swift storage swift//*
Azure storage azu://*

To add a restriction, follow these steps:

  1. Add a restriction.
    Restrictions can be added to specific users or to all users.
    Note: For Aspera on Demand, you can also enter these settings from Console.

    To add a restriction for a user, for example the Files system user xfer restricted to \s3://*, run the following command:

    # asconfigurator -x "set_user_data;user_name,xfer;file_restriction,\s3://*"

    To add a restriction that applies to all users, such as \s3://*, run the following command:

    # asconfigurator -x "set_node_data;file_restriction,\s3://*"
  2. Validate your changes. 
    # /opt/aspera/bin/asuserdata -v
You can also check your configuration by opening /opt/aspera/etc/aspera.conf in a text editor. A restriction configuration will look similar to the following, with a user-specific configuration in the <user> section and an all-users configuration in the <default> section:
<paths>
   <path>
       <restrictions>
           <restriction>s3://*</restriction>
       </restrictions>
   </path>
</paths>