Overview
An ACL defines grantees and their granted permissions.
Bucket and object ACLs are associated with accounts. By default, an ACL is created when a bucket or object is created, authorizing the owner the full control over the bucket or object.
For easy and practical authorization, OBS ACLs have the following features:
- An ACL takes effect for both a tenant and users under this tenant.
- If a bucket and its objects have the same owner, the ACL configured on the bucket also applies to the objects in the bucket by default.
- An ACL is created during bucket or object creation by default. You can also configure one after the bucket or object is created.
ACLs control write and read permissions based on accounts, whose permission granularity is not as fine as bucket policies or IAM policies. Generally, it is recommended that you use IAM permissions and bucket policies for access control.
You can grant bucket access permissions to users or user groups listed in Table 1 by configuring an ACL.
Principal |
Description |
---|---|
Specific users |
ACLs can be used to grant accounts access permissions on buckets or objects. Once a specific account is granted the access permissions, all IAM users who have OBS resource permissions under this account can have the same access permissions to operate the bucket or object. If you need to grant different access permissions to IAM users, configure bucket policies. |
Owner |
The owner of a bucket is the account that created the bucket. A bucket owner has all access permissions on the bucket by default. The read and write permissions for the bucket ACL are permanently available to the bucket owner, and cannot be modified. An object owner is the account that uploads the object, but may not be the owner of the bucket that stores the object. The object owner has the read permission on the object, as well as the read and write permissions on the object ACL by default, and such permissions cannot be modified.
NOTICE:
Do not modify the bucket owner's read and write permissions for the bucket. |
Anonymous users |
Visitors who have not registered with Huawei Cloud.
NOTICE:
If anonymous users are granted the permissions to access a bucket and objects, anyone can access the bucket or objects without identity authentication. |
Table 2 lists the access permissions controlled by a bucket ACL.
Permission |
Option |
Description |
---|---|---|
Access to bucket |
Read |
Allows a grantee to obtain the list of objects in a bucket and the bucket metadata. |
Object read |
Allows a grantee to obtain the object content and metadata. |
|
Write |
Allows a grantee to upload, overwrite, and delete any object in a bucket. |
|
Access to ACL |
Read |
Allows a grantee to obtain the bucket ACL. The bucket owner has this permission permanently by default. |
Write |
Allows a grantee to update the bucket ACL. The bucket owner has this permission permanently by default. |
Table 3 lists the access permissions controlled by an object ACL.
Permission |
Option |
Description |
---|---|---|
Access to object |
Read |
Allows a grantee to obtain the content and metadata of an object. |
Access to ACL |
Read |
Allows a grantee to obtain the object ACL. The object owner has this permission permanently by default. |
Write |
Allows a grantee to update the object ACL. The object owner has this permission permanently by default. |
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.