OBS Permission Control Model
OBS resources (buckets and objects) are private by default: only the owner can access them. The owner of a resource is the account under which it was created, not the individual IAM user who created it. As illustrated in the following figure, an account has multiple IAM users: a bucket created by IAM user1 belongs to the account, and an object that IAM user2 uploads to that bucket also belongs to the account.

OBS permission control means granting other tenants or IAM users access to your resources by editing access policies. For example, if you own a bucket, you can authorize another IAM user to upload objects to it. You can also open a bucket to anonymous users who are not public cloud users at all; the bucket then becomes a public resource that anyone on the Internet can access, so grant this deliberately and review it regularly.
Access control policies describe which users may access which resources. OBS supports the following two kinds of permission control:
- OBS provides ACLs and bucket policies to implement resource-based permission control.

Every bucket and object has an ACL. Even if you never configure one, OBS generates a default ACL for each resource. The following is an example:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<AccessControlPolicy xmlns="http://obs.cn-north-4.myhuaweicloud.com/doc/2015-06-30/">
  <Owner>
    <ID>resource owner id</ID>
  </Owner>
  <AccessControlList>
    <Grant>
      <Grantee>
        <ID>resource owner id</ID>
      </Grantee>
      <Permission>FULL_CONTROL</Permission>
      <Delivered>false</Delivered>
    </Grant>
  </AccessControlList>
</AccessControlPolicy>
The ACL lists the resource owner together with the grantees and the permissions granted to each. As the example shows, the default ACL grants FULL_CONTROL to the resource owner only and grants nothing to anyone else.
In addition, you can use a bucket policy to grant other tenants or IAM users access to your bucket and its objects. Note that a bucket policy can grant accounts or users permissions only on objects created by the bucket owner; objects uploaded by other accounts are not covered by it. The bucket policy supplements the ACL (and can replace it in many scenarios) and allows more flexible and fine-grained permission control.
{
  "Statement": [
    {
      "Sid": "granteReadObject",
      "Effect": "Allow",
      "Principal": {
        "ID": ["*"]
      },
      "Action": ["GetObject"],
      "Resource": ["bucketname/*"]
    }
  ]
}
The preceding is an example of a bucket policy, which must be written in JSON. The principal ID "*" matches every user, including anonymous Internet users, so this policy grants everyone read access to all objects in the bucket named bucketname. The Resource "bucketname/*" covers the objects only; it does not grant bucket-level actions such as listing the bucket.
The account or IAM user ID used in a bucket policy can be queried on the public cloud console or through the Listing Users API operation. To query the user ID on the public cloud console, perform the following steps:
- Log in to the console, click the username in the upper right corner, and select My Credential.
- On the My Credential page, you can view information such as the username and user ID.
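Because the two mechanisms are evaluated together, a practitioner reviewing a bucket wants to see the ACL and the bucket policy side by side and spot every grant that reaches anonymous users. The following added example (not Huawei Cloud's own code or SDK) does that offline. It parses an ACL in the XML format shown above and a bucket policy in the JSON format shown above. Its assumptions: OBS expresses the anonymous grantee in an ACL as `<Canned>Everyone</Canned>`, a policy statement may carry a `Condition` key, and the principal ID format `domain/accountid:user/userid` is illustrative; both sample documents are constructed.

```python
"""Offline exposure audit of an OBS ACL (XML) and bucket policy (JSON).
Added example, not Huawei Cloud's code; the sample documents are constructed."""
import json
import xml.etree.ElementTree as ET

# Namespace taken from the ACL example on this page.
ACL_NS = "http://obs.cn-north-4.myhuaweicloud.com/doc/2015-06-30/"

# Constructed ACL: the default owner grant plus an extra READ grant to the
# anonymous group. The <Canned>Everyone</Canned> grantee form is an
# assumption based on the OBS API format, not taken from this page.
SAMPLE_ACL = f"""<?xml version="1.0" encoding="UTF-8"?>
<AccessControlPolicy xmlns="{ACL_NS}">
  <Owner><ID>owner-account-id</ID></Owner>
  <AccessControlList>
    <Grant>
      <Grantee><ID>owner-account-id</ID></Grantee>
      <Permission>FULL_CONTROL</Permission>
    </Grant>
    <Grant>
      <Grantee><Canned>Everyone</Canned></Grantee>
      <Permission>READ</Permission>
    </Grant>
  </AccessControlList>
</AccessControlPolicy>"""

# The policy from this page plus a second, user-scoped statement.
# The principal ID format of the second statement is illustrative.
SAMPLE_POLICY = json.dumps({
    "Statement": [
        {"Sid": "granteReadObject", "Effect": "Allow",
         "Principal": {"ID": ["*"]},
         "Action": ["GetObject"], "Resource": ["bucketname/*"]},
        {"Sid": "userUpload", "Effect": "Allow",
         "Principal": {"ID": ["domain/accountid:user/userid"]},
         "Action": ["PutObject"], "Resource": ["bucketname/*"]},
    ]
})


def acl_grants(acl_xml):
    """Return (grantee, permission) pairs from an ACL document.
    The grantee is 'Everyone' for the anonymous group, else the grantee ID."""
    root = ET.fromstring(acl_xml)
    ns = {"obs": ACL_NS}
    grants = []
    for grant in root.findall("obs:AccessControlList/obs:Grant", ns):
        canned = grant.findtext("obs:Grantee/obs:Canned", namespaces=ns)
        grantee_id = grant.findtext("obs:Grantee/obs:ID", namespaces=ns)
        permission = grant.findtext("obs:Permission", namespaces=ns)
        grants.append((canned or grantee_id, permission))
    return grants


def acl_public_permissions(acl_xml):
    """Permissions the ACL hands to the anonymous group, sorted."""
    return sorted(perm for who, perm in acl_grants(acl_xml) if who == "Everyone")


def policy_public_statements(policy_json):
    """Allow statements whose principal ID list contains '*'.
    A Condition (assumed key) narrows but does not remove the exposure,
    so such statements are still reported, flagged as conditional."""
    public = []
    for statement in json.loads(policy_json).get("Statement", []):
        ids = statement.get("Principal", {}).get("ID", [])
        if isinstance(ids, str):
            ids = [ids]
        if statement.get("Effect") == "Allow" and "*" in ids:
            public.append({"Sid": statement.get("Sid"),
                           "Action": list(statement.get("Action", [])),
                           "Resource": list(statement.get("Resource", [])),
                           "Conditional": "Condition" in statement})
    return public


def audit(acl_xml, policy_json):
    """Human-readable findings combining both mechanisms."""
    findings = [f"ACL grants {perm} to Everyone"
                for perm in acl_public_permissions(acl_xml)]
    for st in policy_public_statements(policy_json):
        qualifier = " (conditional)" if st["Conditional"] else ""
        findings.append(f"policy statement {st['Sid']} allows "
                        f"{','.join(st['Action'])} on {','.join(st['Resource'])} "
                        f"to any principal{qualifier}")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_ACL, SAMPLE_POLICY):
        print(line)
```

Running the script reports two findings: the ACL's READ grant to Everyone and the policy's GetObject grant to any principal; the user-scoped PutObject statement is not reported. Point the two functions at the ACL and policy fetched for a real bucket to get the same report for it.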
- IAM provides user permission control based on IAM user roles.
After an IAM user is created, you add the user to a user group, and IAM grants the required permissions to that group. OBS-related permissions are classified into the following types (see IAM User Policy (IAM Policy)):