Bucket ACL

OBS provides account-based ACLs to assign specific access permissions to accounts.

An ACL can restrict all users' or a specific user's permissions to access a single bucket. The permissions include object read, object write, ACL read, and ACL write. By default, only the creator of a bucket can access the objects in the bucket. However, the creator can set other access policies such as a public access policy of a bucket to assign the read permission for the bucket to all users. ACLs are only used to grant permissions.

OBS uses an ACL to grant bucket and object access permissions to the following types of authorized users, as listed in Table 1.

Table 1 Authorized users supported by OBS

| Authorized User | Description |
| --- | --- |
| Owner | A user that has the ACL read and write permissions by default. However, modifications to the two permissions are not supported. |
| Anonymous User | A user that is not registered with OBS. If the access permission for a bucket and objects in the bucket is assigned to anonymous users, all users can access the bucket and its objects. |
| Registered User | A user that is registered with OBS and accesses OBS using AKs and SKs. |
| Log Delivery User | A user that delivers bucket access logs. The user is configured for bucket log management. |
| Specific User | An account that has permission to access a bucket. The bucket owner assigns this permission by domain ID or domain name. |

OBS supports the following types of access permissions, as listed in Table 2.

Table 2 Access permissions supported by OBS

| Permission | Description |
| --- | --- |
| Read | A grantee with this permission for a bucket can obtain the list of objects in the bucket and the metadata of the bucket. |
| Write | A grantee with this permission for a bucket can upload, overwrite, and delete any object in the bucket. |
| ACL Read | A grantee with this permission for a bucket can obtain the ACL of the bucket. The owner of the bucket has this permission by default. However, modifications to this permission are not allowed. |
| ACL Write | A grantee with this permission for a bucket can update the ACL of the bucket. The owner of the bucket has this permission by default. However, modifications to this permission are not allowed. |

NOTE:
  • A request supports a maximum of 100 permissions.
  • Granting new permissions for a bucket overwrites the existing permissions for the bucket instead of adding permissions for the bucket or object.

If no ACL permission is assigned for a new bucket, OBS automatically disables access to the bucket and its objects for all users except the bucket owner.
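The overwrite rule and the 100-permission limit in the NOTE, together with the anonymous-user grants from Table 1, can be checked before an ACL update is sent. The following is an added example, not OBS SDK code: the (grantee, permission) tuple shape, the function names, the severity labels, and the sample grantee `domain-id-EXAMPLE` are assumptions made for illustration.

```python
"""Added example: a model of the bucket ACL rules described above."""

MAX_GRANTS = 100  # "A request supports a maximum of 100 permissions."
PERMISSIONS = {"Read", "Write", "ACL Read", "ACL Write"}  # Table 2
ANONYMOUS = "Anonymous User"                              # Table 1


def build_acl_request(existing, new):
    """Return the full grant list to send when adding `new` grants.

    Granting permissions overwrites the bucket's existing permissions, so the
    request must carry the existing grants too or they are dropped.
    """
    merged = []
    for grant in list(existing) + list(new):
        _grantee, permission = grant
        if permission not in PERMISSIONS:
            raise ValueError(f"unknown permission: {permission!r}")
        if grant not in merged:  # de-duplicate while keeping order
            merged.append(grant)
    if len(merged) > MAX_GRANTS:
        raise ValueError(f"{len(merged)} grants exceed the limit of {MAX_GRANTS}")
    return merged


def audit_acl(grants):
    """Flag grants to anonymous users, which give access to all users."""
    findings = []
    for grantee, permission in grants:
        if grantee != ANONYMOUS:
            continue
        # Write allows upload/overwrite/delete of any object and ACL Write
        # allows rewriting the ACL itself; Read exposes the object list and
        # bucket metadata. The severity labels are this example's assumption.
        severity = "high" if permission in ("Write", "ACL Write") else "medium"
        findings.append((severity, grantee, permission))
    return findings


# Constructed sample data, not taken from a real bucket.
existing = [("Log Delivery User", "Write"), ("domain-id-EXAMPLE", "Read")]
new = [(ANONYMOUS, "Read"), (ANONYMOUS, "ACL Write")]
request = build_acl_request(existing, new)
for finding in audit_acl(request):
    print(finding)
```

Sending only `new` instead of `request` would remove the log delivery and specific-user grants, because the update replaces the bucket's ACL rather than extending it.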
