Useful for logs, backups, etc., where it may not be desirable for the client to read files it has uploaded or other files within the upload directory.
Example policy and role for subuser:
$ sdc-policy create --name WriteOnly --rules "can putobject"
$ sdc-role create --name LogWriter --default-members mysubuser --members mysubuser --policies WriteOnly
Create the directory in Manta, and add the LogWriter role to the directory:
$ mmkdir -p ~~/stor/logs
$ mchmod +LogWriter ~~/stor/logs
Example log file with random UUID:
$ echo $(date) > $(uuidgen -r).log
$ cat 55f70bb3-ffb2-62e4-ed85-bb022a6e7634.log
November 14, 2016 11:58:50 PM UTC
Subuser can't get directory or list contents:
$ mls ~~/stor/logs
mls: AuthorizationFailedError: travis.paul/mysubuser is not allowed to access /travis.paul/stor/logs
$ mget ~~/stor/logs
mget: AuthorizationFailedError: travis.paul/mysubuser is not allowed to access /travis.paul/stor/logs
mput can't write the file because it doesn't know if ~~/stor/logs is a directory or an object on the server.
$ mput -f 55f70bb3-ffb2-62e4-ed85-bb022a6e7634.log ~~/stor/logs
mput: ForbiddenError
$ mput -f 55f70bb3-ffb2-62e4-ed85-bb022a6e7634.log ~~/stor/logs/
mput: ForbiddenError
If you specify exactly where to PUT the file, it will succeed because it doesn't need any info about the parent directories.
$ mput -f 55f70bb3-ffb2-62e4-ed85-bb022a6e7634.log ~~/stor/logs/55f70bb3-ffb2-62e4-ed85-bb022a6e7634.log
.../55f70bb3-ffb2-62e4-ed85-bb022a6e7634.log [===============================================================================================>] 100% 34B
And, as expected, you won't be able to read the file back:
$ mget ~~/stor/logs/55f70bb3-ffb2-62e4-ed85-bb022a6e7634.log
mget: AuthorizationFailedError: travis.paul/mysubuser is not allowed to access /travis.paul/stor/logs/55f70bb3-ffb2-62e4-ed85-bb022a6e7634.log
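The upload step above can be wrapped so a write-only client always sends the full object path and picks a fresh UUID name, since it cannot list the directory to check for an existing object. This is an added example, not part of the original note: the names put_writeonly, writeonly_dest, new_uuid and MPUT are assumptions made here, and only `mput -f` and `uuidgen -r` come from the page.

```shell
#!/bin/sh
# Added example: put_writeonly, writeonly_dest, new_uuid and MPUT are names
# chosen here; only "mput -f" and "uuidgen -r" come from the page.
MPUT="${MPUT:-mput}"   # override to point at a different mput binary

# Random UUID; falls back to the Linux kernel source if uuidgen is missing.
new_uuid() {
    uuidgen -r 2>/dev/null || cat /proc/sys/kernel/random/uuid
}

# Print a full object path under directory $1. Trailing slashes are stripped
# so the result never contains "//", and the name is a fresh UUID because a
# write-only subuser cannot list the directory to look for a free name.
writeonly_dest() {
    dir="$1"
    while [ "${dir%/}" != "$dir" ]; do dir="${dir%/}"; done
    [ -n "$dir" ] || return 1
    id="$(new_uuid)" || return 1
    printf '%s/%s.log\n' "$dir" "$id"
}

# Upload local file $1 into write-only directory $2.
# The destination is always a complete object path, never the bare directory,
# because mput gets ForbiddenError when it has to inspect the directory.
# Prints the object path on success so the caller can record it.
put_writeonly() {
    src="$1"
    [ -f "$src" ] || { echo "put_writeonly: no such file: $src" >&2; return 2; }
    dest="$(writeonly_dest "$2")" || return 2
    "$MPUT" -f "$src" "$dest" >&2 || return 1
    printf '%s\n' "$dest"
}

# Usage: put_writeonly app.log '~~/stor/logs'
```

Record the printed object path on the client side if the upload needs to be referenced later; the subuser cannot recover it from Manta.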