Configuring a Bucket Policy (SDK for Java)
Function
OBS provides access control over buckets. You can use an access policy to define whether a user can perform certain operations on a specific bucket. OBS access control can be implemented using IAM permissions, bucket policies, and ACLs. For more information, see Introduction to OBS Access Control.
A bucket policy applies to both the bucket and objects therein. You can use a bucket policy to grant permissions for a bucket and objects therein to IAM users or other accounts. If you want IAM users to have different permissions for a bucket, you need to configure different bucket policies for each user.
Besides bucket ACLs, bucket owners can use bucket policies to centrally control access to buckets and objects in buckets.
You can call ObsClient.setBucketPolicy to configure a bucket policy.
For more information, see Bucket Policy.
Restrictions
- Permissions for creating a bucket and obtaining a bucket list are service level and should be granted using IAM Permissions.
- Due to data caching, after a bucket policy is configured, it takes 5 minutes at most for the policy to take effect.
- To configure a bucket policy, you must be the bucket owner or have the required permission (obs:bucket:PutBucketPolicy in IAM or PutBucketPolicy in a bucket policy). For details, see Introduction to OBS Access Control, IAM Custom Policies, and Creating a Custom Bucket Policy.
- The latest policy configurations will overwrite the preceding configurations when you call the API for configuring a bucket policy. For example, if you have configured bucket policies A, B, C, and D and you want to add a new bucket policy E, you must add policy E to the file containing the existing four policies and then upload the file with all policies contained. Likewise, if you want to delete bucket policy D, you must remove it from the file containing policies A, B, C, and D, and then upload the file without policy D contained.
- For details about the bucket policy format (JSON), see the Object Storage Service API Reference.
- OBS returns 404 NoSuchBucketPolicy when you call this API in the following scenarios:
- The specified bucket policy does not exist.
- The standard policy of the specified bucket is set to Private and no advanced policies are configured.
Method
obsClient.setBucketPolicy(String bucketName, String policy)
Request Parameters
Parameter |
Type |
Mandatory (Yes/No) |
Description |
---|---|---|---|
bucketName |
String |
Yes |
Explanation: Bucket name. Restrictions:
Default value: None |
policy |
String |
Yes |
Explanation: Policy information in JSON format Restrictions:
Default value: None |
Responses
Parameter |
Type |
Description |
---|---|---|
statusCode |
int |
Explanation: HTTP status code. Value range: A status code is a group of digits that can be 2xx (indicating successes) or 4xx or 5xx (indicating errors). It indicates the status of a response. For more information, see Status Code. Default value: None |
responseHeaders |
Map<String, Object> |
Explanation: HTTP response header list, composed of tuples. In a tuple, the String key indicates the name of the header, and the Object value indicates the value of the header. Default value: None |
Code Examples
This example configures a policy for bucket exampleBucket.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 |
import com.obs.services.ObsClient; import com.obs.services.exception.ObsException; public class SetBucketPolicy001 { public static void main(String[] args) { // Obtain an AK/SK pair using environment variables or import the AK/SK pair in other ways. Using hard coding may result in leakage. // Obtain an AK/SK pair on the management console. String ak = System.getenv("ACCESS_KEY_ID"); String sk = System.getenv("SECRET_ACCESS_KEY_ID"); // (Optional) If you are using a temporary AK/SK pair and a security token to access OBS, you are advised not to use hard coding, which may result in information leakage. // Obtain an AK/SK pair and a security token using environment variables or import them in other ways. // String securityToken = System.getenv("SECURITY_TOKEN"); // Enter the endpoint corresponding to the bucket. EU-Dublin is used here as an example. Replace it with the one in your actual situation. String endPoint = "https://obs.eu-west-101.myhuaweicloud.eu"; // Obtain an endpoint using environment variables or import it in other ways. //String endPoint = System.getenv("ENDPOINT"); // Create an ObsClient instance. // Use the permanent AK/SK pair to initialize the client. ObsClient obsClient = new ObsClient(ak, sk,endPoint); // Use the temporary AK/SK pair and security token to initialize the client. // ObsClient obsClient = new ObsClient(ak, sk, securityToken, endPoint); try { // Example bucket name String exampleBucket = "examplebucket"; // Example bucket policy String examplePolicy = "{\"Statement\":[{\"Principal\":\"*\",\"Effect\":\"Allow\",\"Action\":\"ListBucket\",\"Resource\":\"" + exampleBucket + "\"}]}"; obsClient.setBucketPolicy(exampleBucket, examplePolicy); System.out.println("SetBucketAcl successfully"); } catch (ObsException e) { System.out.println("SetBucketAcl failed"); // Request failed. Print the HTTP status code. System.out.println("HTTP Code:" + e.getResponseCode()); // Request failed. Print the server-side error code. System.out.println("Error Code:" + e.getErrorCode()); // Request failed. Print the error details. System.out.println("Error Message:" + e.getErrorMessage()); // Request failed. Print the request ID. System.out.println("Request ID:" + e.getErrorRequestId()); System.out.println("Host ID:" + e.getErrorHostId()); e.printStackTrace(); } catch (Exception e) { System.out.println("SetBucketAcl failed"); // Print other error information. e.printStackTrace(); } } } |
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.