Obtaining the ACL of an Object Version (SDK for Java)

Function

OBS allows the control of access permissions for objects. By default, only object creators have the read and write permissions on the object. You can call an ACL API to modify or obtain the ACL of an existing object.

This API returns the ACL for a specific object version in a bucket.

Restrictions

To obtain an object ACL, you must be the bucket owner or have the required permission (obs:object:GetObjectAcl in IAM or GetObjectAcl in a bucket policy). For details, see Introduction to OBS Access Control, IAM Custom Policies, and Configuring an Object Policy.

To call this API, you must have the read permission on the ACL of the object.

Method

obsClient.getObjectAcl(GetObjectAclRequest request)

Request Parameters

**Table 1** List of request parameters
Parameter	Type	Mandatory (Yes/No)	Description
request	GetObjectAclRequest	Yes	Explanation: Request parameters for obtaining the ACL of the object. For details, see Table 2.

**Table 2** GetObjectAclRequest parameters
Parameter	Type	Mandatory (Yes/No)	Description
bucketName	String	Yes	Explanation: Bucket name. Restrictions: A bucket name must be unique across all accounts and regions. A bucket name: Must be 3 to 63 characters long and start with a digit or letter. Lowercase letters, digits, hyphens (-), and periods (.) are allowed. Cannot be formatted as an IP address. Cannot start or end with a hyphen (-) or period (.). Cannot contain two consecutive periods (..), for example, my..bucket. Cannot contain periods (.) and hyphens (-) adjacent to each other, for example, my-.bucket or my.-bucket. If you repeatedly create buckets of the same name in the same region, no error will be reported and the bucket attributes comply with those set in the first creation request. Default value: None
objectKey	String	Yes	Explanation: Object name. An object is uniquely identified by an object name in a bucket. An object name is a complete path that does not contain the bucket name. For example, if the address for accessing the object is examplebucket.obs.eu-west-101.myhuaweicloud.eu/folder/test.txt, the object name is folder/test.txt. Value range: The value must contain 1 to 1,024 characters. Default value: None
versionId	String	Yes	Explanation: Object version ID. Value range: The value must contain 32 characters. Default value: None

Responses

**Table 3** AccessControlList
Parameter	Type	Mandatory (Yes/No)	Description
owner	Owner	No	Explanation: Bucket owner information. For details, see Table 4.
delivered	boolean	No	Explanation: Whether the bucket ACL is applied to all objects in the bucket. Value range: true: The bucket ACL is applied to all objects in the bucket. false: The bucket ACL is not applied to any objects in the bucket. Default value: false
grants	Set<GrantAndPermission>	No	Explanation: Grantee information. For details, see Table 5.

**Table 4** Owner
Parameter	Type	Mandatory (Yes/No)	Description
id	String	Yes	Explanation: Account (domain) ID of the owner. Value range: To obtain the account ID, see How Do I Get My Account ID and User ID? Default value: None
displayName	String	No	Explanation: Account name of the owner. Value range: To obtain the account name, see How Do I Get My Account ID and User ID? Default value: None

**Table 5** GrantAndPermission
Parameter	Type	Mandatory (Yes/No)	Description
grantee	GranteeInterface	Yes	Explanation: Grantees (users or user groups). For details, see Table 6.
permission	Permission	Yes	Explanation: Permissions to grant. Value range: See Table 9. Default value: None
delivered	boolean	No	Explanation: Whether the bucket ACL is applied to all objects in the bucket. Value range: true: The bucket ACL is applied to all objects in the bucket. false: The bucket ACL is not applied to any objects in the bucket. Default value: false

**Table 6** GranteeInterface
Parameter	Type	Mandatory (Yes/No)	Description
CanonicalGrantee	CanonicalGrantee	Yes	Explanation: Grantee (user) information. For details, see Table 7.
GroupGrantee	GroupGrantee	Yes	Explanation: Grantee (user group) information. Value range: See Table 8. Default value: None

**Table 7** CanonicalGrantee
Parameter	Type	Mandatory (Yes/No)	Description
grantId	String	Yes if Type is set to GranteeUser	Explanation: Account (domain) ID of the grantee. Value range: To obtain the account ID, see How Do I Get My Account ID and User ID? Default value: None
displayName	String	No	Parameter description: Account name of the grantee. Value range: To obtain the account name, see How Do I Get My Account ID and User ID? Default value: None

**Table 8** GroupGrantee
Constant	Description
ALL_USERS	All users.
AUTHENTICATED_USERS	Authorized users. This constant is deprecated.
LOG_DELIVERY	Log delivery group. This constant is deprecated.

**Table 9** Permission
Constant	Default Value	Description
PERMISSION_READ	READ	Read permission. A grantee with this permission for a bucket can obtain the list of objects, multipart uploads, bucket metadata, and object versions in the bucket. A grantee with this permission for an object can obtain the object content and metadata.
PERMISSION_WRITE	WRITE	Write permission. A grantee with this permission for a bucket can upload, overwrite, and delete any object or part in the bucket. This permission is not available for objects.
PERMISSION_READ_ACP	READ_ACP	Permission to read an ACL. A grantee with this permission can obtain the ACL of a bucket or object. A bucket or object owner has this permission for their bucket or object by default.
PERMISSION_WRITE_ACP	WRITE_ACP	Permission to modify an ACL. A grantee with this permission can update the ACL of a bucket or object. A bucket or object owner has this permission for their bucket or object by default. This permission allows the grantee to change the access control policies, meaning the grantee has full control over a bucket or object.
PERMISSION_FULL_CONTROL	FULL_CONTROL	Full control access, including read and write permissions for a bucket and its ACL, or for an object and its ACL. A grantee with this permission for a bucket has READ, WRITE, READ_ACP, and WRITE_ACP permissions for the bucket. A grantee with this permission for an object has READ, WRITE, READ_ACP, and WRITE_ACP permissions for the object.

Code Examples

This example returns the ACL information of object version objectname in bucket examplebucket.

    
     
       
       
         import com.obs.services.ObsClient;
import com.obs.services.exception.ObsException;
import com.obs.services.model.AccessControlList;
public class GetObjectAcl001 {
    public static void main(String[] args) {
        // Obtain an AK/SK pair using environment variables or import the AK/SK pair in other ways. Using hard coding may result in leakage.
        // Obtain an AK/SK pair on the management console.
        String ak = System.getenv("ACCESS_KEY_ID");
        String sk = System.getenv("SECRET_ACCESS_KEY_ID");
        // (Optional) If you are using a temporary AK/SK pair and a security token to access OBS, you are advised not to use hard coding, which may result in information leakage.
        // Obtain an AK/SK pair and a security token using environment variables or import them in other ways.
        // String securityToken = System.getenv("SECURITY_TOKEN");
        // Enter the endpoint corresponding to the bucket. EU-Dublin is used here as an example. Replace it with the one in your actual situation.
        String endPoint = "https://obs.eu-west-101.myhuaweicloud.eu"; 
        // Obtain an endpoint using environment variables or import it in other ways.
        //String endPoint = System.getenv("ENDPOINT");
        
        // Create an ObsClient instance.
        // Use the permanent AK/SK pair to initialize the client.
        ObsClient obsClient = new ObsClient(ak, sk,endPoint);
        // Use the temporary AK/SK pair and security token to initialize the client.
        // ObsClient obsClient = new ObsClient(ak, sk, securityToken, endPoint);

        try {
            // Obtain the ACL of an object version.
            AccessControlList acl = obsClient.getObjectAcl("examplebucket", "objectname", "versionid");
            System.out.println("getObjectAcl successfully");
            System.out.println(acl);
        } catch (ObsException e) {
            System.out.println("getObjectAcl failed");
            // Request failed. Print the HTTP status code.
            System.out.println("HTTP Code:" + e.getResponseCode());
            // Request failed. Print the server-side error code.
            System.out.println("Error Code:" + e.getErrorCode());
            // Request failed. Print the error details.
            System.out.println("Error Message:" + e.getErrorMessage());
            // Request failed. Print the request ID.
            System.out.println("Request ID:" + e.getErrorRequestId());
            System.out.println("Host ID:" + e.getErrorHostId());
            e.printStackTrace();
        } catch (Exception e) {
            System.out.println("getObjectAcl failed");
            // Print other error information.
            e.printStackTrace();
        }
    }
}

        

      

    
   