ACL

Access control lists (ACLs) enable you to manage access permissions for buckets and objects. Each bucket or object has an attached ACL that functions as a child resource and defines which domains have permission to access the bucket or object and the type of that permission. After receiving a request to access a specific resource, OBS checks the corresponding ACL to determine whether the requester has the access permission.

During bucket or object creation, OBS creates a default ACL that grants full control to the resource owner. The following is an example of an ACL (a default object ACL has the same structure).

<?xml version="1.0" encoding="UTF-8"?>
<AccessControlPolicy xmlns="http://obs.cn-north-1.myhwclouds.com/doc/2006-03-01/">
 <Owner>
  <ID>*** Owner-Canonical-User-ID ***</ID>
  <DisplayName>owner-display-name</DisplayName>
 </Owner>
 <AccessControlList>
  <Grant>
   <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
    <ID>*** Owner-Canonical-User-ID ***</ID>
    <DisplayName>display-name</DisplayName>
   </Grantee>
   <Permission>FULL_CONTROL</Permission>
  </Grant>
 </AccessControlList>
</AccessControlPolicy>

The example ACL contains an Owner element that identifies the resource owner by the ID of a standard OBS domain user. Each Grant element identifies a grantee (an authorized user supported by OBS) and the permission granted to that grantee. The example contains a single Grant element, which applies to the resource owner. Users can grant permissions by adding Grant elements, one per grantee and granted permission. Users can invoke an ACL interface to modify the ACL of an existing bucket or object, or to generate an ACL for it.
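The structure described above can be checked mechanically. The following is an added example, not part of the OBS documentation or SDK: it parses an AccessControlPolicy document and reports every Grant that goes beyond the default owner-only ACL. The function names, helper names and the sample IDs are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Namespace taken from the example ACL on this page.
NS = {"obs": "http://obs.cn-north-1.myhwclouds.com/doc/2006-03-01/"}

def parse_acl(xml_text):
    """Return (owner_id, [(grantee_id, permission), ...]) from an ACL document."""
    # An ACL never needs a DTD; refusing one avoids entity-expansion tricks.
    if "<!DOCTYPE" in xml_text:
        raise ValueError("DTD not expected in an ACL document")
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AccessControlPolicy" % NS["obs"]:
        raise ValueError("not an AccessControlPolicy document")
    owner_id = root.findtext("obs:Owner/obs:ID", namespaces=NS)
    if not owner_id:
        raise ValueError("ACL has no Owner/ID")
    grants = []
    for grant in root.findall("obs:AccessControlList/obs:Grant", NS):
        grantee_id = grant.findtext("obs:Grantee/obs:ID", namespaces=NS)
        permission = grant.findtext("obs:Permission", namespaces=NS)
        grants.append((grantee_id, permission))
    return owner_id, grants

def audit_acl(xml_text):
    """List the ways this ACL differs from the default owner-only ACL."""
    owner_id, grants = parse_acl(xml_text)
    findings = []
    if (owner_id, "FULL_CONTROL") not in grants:
        findings.append("owner lacks the default FULL_CONTROL grant")
    for grantee_id, permission in grants:
        if grantee_id != owner_id:
            findings.append("non-owner grantee %s holds %s"
                            % (grantee_id or "<no ID>", permission))
    return findings

def sample_grant(user_id, permission):  # hypothetical helper for sample data
    return ('<Grant><Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" '
            'xsi:type="CanonicalUser"><ID>%s</ID></Grantee>'
            '<Permission>%s</Permission></Grant>' % (user_id, permission))

def sample_acl(owner_id, grants_xml):  # hypothetical helper for sample data
    return ('<?xml version="1.0" encoding="UTF-8"?>'
            '<AccessControlPolicy xmlns="%s"><Owner><ID>%s</ID></Owner>'
            '<AccessControlList>%s</AccessControlList></AccessControlPolicy>'
            % (NS["obs"], owner_id, grants_xml))

# Constructed sample documents; the IDs are placeholders, not real accounts.
DEFAULT_ACL = sample_acl("owner-id-0001", sample_grant("owner-id-0001", "FULL_CONTROL"))
SHARED_ACL = sample_acl("owner-id-0001", sample_grant("owner-id-0001", "FULL_CONTROL")
                        + sample_grant("other-id-0002", "FULL_CONTROL"))
```

An empty result from audit_acl means the ACL still matches the default that OBS creates for a new bucket or object.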
