ACLs

A default ACL is generated when a bucket or object is created. The entries in an ACL define the permissions granted to accounts. You can use PUT Bucket acl or PUT Object acl to set the ACL of a bucket or object.

  • Table 1 describes each grantee and their access permissions.

Table 1 Grantees in OBS

  Grantee                  | Description
  -------------------------+----------------------------------------------------------------------
  OBS user                 | The permission to access a bucket or object can be granted to any OBS user. An OBS user accesses the bucket or object using its AK and SK.
  Registered user group    | The permission to access a bucket or object can be granted to all users in the registered user group, that is, to all OBS accounts. Users in this group access the bucket or object using their AK and SK.
  Anonymous user           | The permission to access a bucket or object can be granted to anonymous users. Once granted, anyone can access the bucket or object.
  Log delivery user group  | The permission to access a bucket can be granted to all users in the log delivery user group. This permission is mainly used for bucket log management.

  • ACL syntax

The requests (PUT /?acl, PUT /ObjectKey?acl) for modifying or setting the ACL of a bucket or object must contain an ACL in the following syntax:

    <AccessControlPolicy>
      <Owner>
        <ID>id</ID>
        <DisplayName>displayname</DisplayName>
      </Owner>
      <AccessControlList>
        <Grant>
          <Grantee>grantee</Grantee>
          <Permission>permission</Permission>
        </Grant>
        <Grant>............</Grant>
      </AccessControlList>
    </AccessControlPolicy>

In the preceding ACL, permission is one of the five permission types supported by OBS (for details, see Table 2). The content of Grantee varies with the grantee type (OBS user, registered user group, anonymous user, or log delivery user group), as shown below.

  • An OBS user as the grantee
    <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
    <ID>domainId</ID>
    <DisplayName>displayname</DisplayName>
    </Grantee>
  • A registered user group as the grantee
    <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group">
    <URI>http://acs.amazonaws.com/groups/global/AuthenticatedUsers</URI>
    </Grantee>
  • An anonymous user as the grantee
    <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group">
    <URI>http://acs.amazonaws.com/groups/global/AllUsers</URI>
    </Grantee>
  • Log delivery user group as the grantee
    <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group">
    <URI>http://acs.amazonaws.com/groups/s3/LogDelivery</URI>
    </Grantee>
Table 2 Permissions on an OBS bucket or object

  Permission    | Description
  --------------+-------------------------------------------------------------------------------
  READ          | On a bucket: the grantee can obtain the list of objects in the bucket and the bucket metadata.
                | On an object: the grantee can obtain the object content and metadata.
  WRITE         | On a bucket: the grantee can upload, overwrite, and delete any object in the bucket.
                | This permission does not apply to an object.
  READ_ACP      | The grantee can obtain the ACL of the bucket or object. The owner of a bucket or object always has this permission.
  WRITE_ACP     | The grantee can update the ACL of the bucket or object. The owner of a bucket or object always has this permission.
                | Because the grantee can rewrite the access control policy, this permission lets the grantee grant themselves any other permission.
  FULL_CONTROL  | On a bucket: the grantee has the READ, WRITE, READ_ACP, and WRITE_ACP permissions.
                | On an object: the grantee has the READ, READ_ACP, and WRITE_ACP permissions. READ_ONLY users are not subject to this restriction.

NOTE:
  1. A request can contain a maximum of 100 grants.
  2. Setting an ACL replaces the existing ACL of the bucket or object entirely; grants are not merged with those already present.

Access Control Policies

You can set an access control policy in the x-amz-acl HTTP header when creating a bucket or uploading an object. Available access control policies are predefined in OBS, as described in Table 3.

Table 3 Predefined access control policies

  Policy                     | Description
  ---------------------------+---------------------------------------------------------------------
  private                    | The owner of the bucket or object has the FULL_CONTROL permission. No other user has any permission on the bucket or object.
  public-read                | The owner of the bucket or object has the FULL_CONTROL permission. All other users, including anonymous users, have the READ permission.
  public-read-write          | The owner of the bucket or object has the FULL_CONTROL permission. All other users, including anonymous users, have the READ and WRITE permissions.
  authenticated-read         | The owner of the bucket or object has the FULL_CONTROL permission. Other OBS users have the READ permission.
  bucket-owner-read          | The owner of the object has the FULL_CONTROL permission on the object, and the owner of the bucket where the object resides has the READ permission on it.
  bucket-owner-full-control  | The owner of the object has the FULL_CONTROL permission on the object, and the owner of the bucket where the object resides also has the FULL_CONTROL permission on it.
  log-delivery-write         | The log delivery group has the WRITE and READ_ACP permissions on the bucket.

NOTE:

By default, the access control policy is private.
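The following script is an added example, not code from the OBS documentation or SDK. It builds the AccessControlPolicy XML described under "ACL syntax" (with the four Grantee forms listed there), parses such a document back, expands the predefined x-amz-acl policies of Table 3 into explicit grants, and audits an ACL for grants that expose a bucket or object beyond its owner. The owner IDs ("owner-1", "bucket-owner-9") are constructed sample values; the assumption that the owner keeps FULL_CONTROL under log-delivery-write is marked in the code, since Table 3 does not state it.

```python
import xml.etree.ElementTree as ET

XSI = "http://www.w3.org/2001/XMLSchema-instance"
ET.register_namespace("xsi", XSI)  # so the output uses the xsi:type prefix shown in the docs

# Group URIs exactly as listed in the grantee formats above
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
LOG_DELIVERY = "http://acs.amazonaws.com/groups/s3/LogDelivery"
PERMISSIONS = {"READ", "WRITE", "READ_ACP", "WRITE_ACP", "FULL_CONTROL"}
MAX_GRANTS = 100  # limit stated in the NOTE under Table 2


def expand_canned_acl(policy, owner_id, bucket_owner_id=None):
    """Return the explicit (grantee, permission) grants implied by an x-amz-acl value (Table 3).
    bucket_owner_id is required only for the two bucket-owner-* object policies."""
    grants = [(owner_id, "FULL_CONTROL")]
    if policy == "private":
        pass
    elif policy == "public-read":
        grants.append((ALL_USERS, "READ"))
    elif policy == "public-read-write":
        grants += [(ALL_USERS, "READ"), (ALL_USERS, "WRITE")]
    elif policy == "authenticated-read":
        grants.append((AUTH_USERS, "READ"))
    elif policy in ("bucket-owner-read", "bucket-owner-full-control"):
        if bucket_owner_id is None:
            raise ValueError(f"{policy} needs the bucket owner's ID")
        grants.append((bucket_owner_id, "READ" if policy == "bucket-owner-read" else "FULL_CONTROL"))
    elif policy == "log-delivery-write":
        # Assumption: the owner keeps FULL_CONTROL as with the other policies; Table 3 only
        # states the log delivery group's grants.
        grants += [(LOG_DELIVERY, "WRITE"), (LOG_DELIVERY, "READ_ACP")]
    else:
        raise ValueError(f"unknown predefined policy: {policy}")
    return grants


def build_acl(owner_id, grants, resource="bucket"):
    """Serialize grants into the AccessControlPolicy XML. A grantee that is a URI becomes a
    Group grantee; anything else is treated as a CanonicalUser ID."""
    if len(grants) > MAX_GRANTS:
        raise ValueError(f"a request may contain at most {MAX_GRANTS} grants")
    root = ET.Element("AccessControlPolicy")
    ET.SubElement(ET.SubElement(root, "Owner"), "ID").text = owner_id
    acl = ET.SubElement(root, "AccessControlList")
    for grantee, perm in grants:
        if perm not in PERMISSIONS:
            raise ValueError(f"unknown permission: {perm}")
        if resource == "object" and perm == "WRITE":
            raise ValueError("WRITE does not apply to an object (Table 2)")
        grant = ET.SubElement(acl, "Grant")
        node = ET.SubElement(grant, "Grantee")
        if grantee.startswith("http://"):
            node.set(f"{{{XSI}}}type", "Group")
            ET.SubElement(node, "URI").text = grantee
        else:
            node.set(f"{{{XSI}}}type", "CanonicalUser")
            ET.SubElement(node, "ID").text = grantee
        ET.SubElement(grant, "Permission").text = perm
    return ET.tostring(root, encoding="unicode")


def parse_acl(xml_text):
    """Return (owner_id, [(grantee, permission), ...]) from an AccessControlPolicy document."""
    root = ET.fromstring(xml_text)
    owner = root.findtext("Owner/ID")
    grants = []
    for grant in root.findall("AccessControlList/Grant"):
        node = grant.find("Grantee")
        kind = node.get(f"{{{XSI}}}type")
        who = node.findtext("URI") if kind == "Group" else node.findtext("ID")
        grants.append((who, grant.findtext("Permission")))
    return owner, grants


def audit_acl(xml_text):
    """List grants that expose the resource beyond its owner: anonymous or all-account
    access, and non-owners who can rewrite the ACL (WRITE_ACP implies any permission)."""
    owner, grants = parse_acl(xml_text)
    findings = []
    for who, perm in grants:
        if who == ALL_USERS:
            findings.append(f"anonymous users: {perm}")
        elif who == AUTH_USERS:
            findings.append(f"all OBS accounts: {perm}")
        elif who != owner and perm in ("WRITE_ACP", "FULL_CONTROL"):
            findings.append(f"non-owner {who} can rewrite the ACL: {perm}")
    return findings


if __name__ == "__main__":
    doc = build_acl("owner-1", expand_canned_acl("public-read-write", "owner-1"))
    print(doc)
    print(audit_acl(doc))
```

A useful habit is to run audit_acl over the ACL returned by GET ?acl after every PUT ?acl, because the NOTE above means each PUT replaces the whole ACL and a single request can silently drop the grants you intended to keep.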
