Object ACL Overview

An ACL can restrict all users' or a specific user's permissions to access objects. The permissions include object read, object write, ACL read, and ACL write. By default, only the creator of a bucket can access the objects in the bucket. Users can set other access policies. For example, a user can set a public access policy for an object to allow all users to read it.

In OBS, an ACL can assign object access permissions to the following types of authorized users, as described in Table 1.

Table 1 Authorized users supported by OBS

| Authorized User | Description |
|---|---|
| Owner | A user that has the ACL read and write permissions by default. However, modifications to the two permissions are not supported. |
| Anonymous User | A user that is not registered with OBS. If the access permission for a bucket and objects in the bucket is assigned to anonymous users, all users can access the bucket and its objects. |
| Registered User | A user that is registered with OBS. Accesses OBS using AKs and SKs. |
| Log Delivery User | A user that delivers bucket access logs. The user is configured for bucket log management. |
| Specific User | An account that has permission to access a bucket. The bucket owner assigns this permission by domain ID or domain name. |

OBS supports the following types of object access permissions, as described in Table 2.

Table 2 Access permissions supported by OBS

| Permission | Description |
|---|---|
| Read | Allowed to obtain the object content and metadata. |
| Write | Allowed to upload, overwrite, and delete the object. |
| ACL Read | Allowed to obtain the ACL of the object. The owner of the object has this permission by default. However, modifications to this permission are not allowed. |
| ACL Write | Allowed to update the ACL of the object. The owner of the object has this permission by default. However, modifications to this permission are not allowed. |

NOTE:
  • A request supports a maximum of 100 permissions.
  • New permissions directly overwrite existing permissions on an object.

If no ACL permission is assigned for a new object, OBS automatically denies access to the object for all users except the object owner.
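The overwrite rule and the 100-permission limit in the note above mean that adding a grant requires resending every grant that should remain. The following added example, which is not OBS code and does not use the OBS SDK, models that rule locally and flags grants to anonymous users; the tuple layout, grantee labels and function names are assumptions made for illustration.

```python
# Added example: a local model of the ACL rules described on this page.
# The (grantee, permission) tuple layout and grantee labels are assumptions,
# not the OBS request format or SDK types.
MAX_GRANTS = 100  # "A request supports a maximum of 100 permissions."
PERMISSIONS = {"Read", "Write", "ACL Read", "ACL Write"}
ANONYMOUS = "Anonymous User"


def build_replacement_acl(current, additions):
    """Return the complete grant list to send when adding grants.

    New permissions overwrite the existing ones, so every grant that should
    survive has to be resent together with the new grants.
    """
    merged = list(dict.fromkeys([*current, *additions]))  # dedupe, keep order
    for grantee, permission in merged:
        if permission not in PERMISSIONS:
            raise ValueError(f"unknown permission {permission!r} for {grantee}")
    if len(merged) > MAX_GRANTS:
        raise ValueError(f"{len(merged)} grants exceed the limit of {MAX_GRANTS}")
    return merged


def audit_anonymous(grants):
    """Flag grants to anonymous users, which apply to all users."""
    findings = []
    for grantee, permission in grants:
        if grantee != ANONYMOUS:
            continue
        # Write lets anyone upload, overwrite or delete the object;
        # ACL Write lets anyone update its ACL.
        level = "high" if permission in {"Write", "ACL Write"} else "review"
        findings.append((level, permission))
    return findings


if __name__ == "__main__":
    # Constructed sample data; "domain-A" is a placeholder, not a real domain.
    existing = [("Specific User domain-A", "Read")]
    wanted = [(ANONYMOUS, "Read"), (ANONYMOUS, "ACL Write")]
    acl = build_replacement_acl(existing, wanted)
    print(acl)
    print(audit_anonymous(acl))
```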
