File Restrictions for URI Paths

Restrictions are similar to user docroots in that they restrict a client's access to the file system, but they are based on matching rather than a specific path. The primary purpose of restrictions is to allow access to certain storage (for example, Amazon S3) for clients that have their own storage credentials. A restriction limits the files a client is allowed to access for browsing and transfers. Files are rejected unless they match any restrictions that are present.

If you are using IBM Aspera on Cloud or IBM Aspera On Demand with IBM Aspera Console to transfer files to and from cloud storage, you must configure a file restriction on your cloud-based transfer server instead of a docroot absolute path. A configuration with both a docroot absolute path and a restriction is not supported.

Restriction Syntax

Restrictions work for URI paths and are processed in the following order:

  1. If a restriction starts with "!", any files that match are rejected.
  2. If a restriction does not start with a "!", any files that match are kept.
  3. If any restrictions that do not start with "!" exist, and the file does not match any of them, the file is rejected.
  4. Files that fail restrictions during directory iteration are ignored as if they do not exist.

Restriction syntax is specific to the storage:

Storage Type                                  Format Example
local storage                                 For Unix-like OS:
                                                • specific folder: file:////folder/*
                                                • drive root: file:////*
                                              For Windows OS:
                                                • specific folder: file:///c%3A/folder/*
                                                • drive root: file:///c*
Amazon S3 and IBM Cloud Object Storage - S3   s3://*
Azure                                         azu://*
Azure Files                                   azure-files://*
Azure Data Lake Storage                       adl://*
Alibaba Cloud                                 oss://*
Google Cloud                                  gs://*
HDFS                                          hdfs://*

Adding a restriction

  1. Add a restriction.
    Restrictions can be added to specific users or to all users. In the asconfigurator command, the restriction must be preceded by a delimiter, preferably a "|". You can use the delimiter to set a series of restrictions.
    Note: For Aspera on Demand, you can also enter these settings from Console.

    To add a restriction for a user, for example the AoC system user xfer restricted to s3://* and not allowed access to key files, run the following command:

    # asconfigurator -x "set_user_data;user_name,xfer;file_restriction,|s3://*|!*.key"

    To add a restriction that applies to all users, such as s3://*, run the following command:

    # asconfigurator -x "set_node_data;file_restriction,|s3://*"
  2. Validate your changes.
    # /opt/aspera/bin/asuserdata -v
You can also check your configuration by opening /opt/aspera/etc/aspera.conf in a text editor. A restriction configuration will look similar to the following, with a user-specific configuration in the <user> section and an all-users configuration in the <default> section:
<paths>
   <path>
       <restrictions>
           <restriction>s3://*</restriction>
           <restriction>!*.key</restriction>
       </restrictions>
   </path>
</paths>
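
The processing order under Restriction Syntax, applied to the restriction value from the xfer example, can be checked offline before a change is deployed. The following is an added example, not Aspera code: the function names are hypothetical, the first character of the value is treated as the delimiter, and wildcard matching uses Python's fnmatchcase (where "*" also matches "/"), which is an assumption because the page does not define the matching rules.

```python
from fnmatch import fnmatchcase

def parse_restrictions(value):
    """Split a file_restriction value such as '|s3://*|!*.key' into its rules.
    Assumption: the first character is the delimiter for the whole series."""
    if not value:
        return []
    delimiter = value[0]
    return [rule for rule in value[1:].split(delimiter) if rule]

def is_allowed(uri, restrictions):
    """Apply the documented processing order to one URI path."""
    deny = [r[1:] for r in restrictions if r.startswith("!")]
    keep = [r for r in restrictions if not r.startswith("!")]
    # Step 1: a match on any "!" restriction rejects the file.
    if any(fnmatchcase(uri, pattern) for pattern in deny):
        return False
    # Step 2: a match on any restriction without "!" keeps the file.
    if any(fnmatchcase(uri, pattern) for pattern in keep):
        return True
    # Step 3: if restrictions without "!" exist and none matched, reject.
    # With only "!" restrictions (or none at all), the file is not rejected.
    return not keep

def audit(value, uris):
    """Return {uri: allowed} for a restriction value and a list of URI paths."""
    rules = parse_restrictions(value)
    return {uri: is_allowed(uri, rules) for uri in uris}

# Constructed sample paths, not taken from a real server.
SAMPLE_URIS = [
    "s3://bucket/data/report.csv",   # matches s3://*
    "s3://bucket/keys/server.key",   # matches s3://* but also !*.key
    "file:////etc/passwd",           # matches no restriction without "!"
]

if __name__ == "__main__":
    for uri, allowed in audit("|s3://*|!*.key", SAMPLE_URIS).items():
        print(f"{'allow ' if allowed else 'reject'}  {uri}")
```
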