Updated on 2022-08-16 GMT+08:00

Configuring Fine-Grained Policies

Custom policies can be created to supplement the system-defined policies of OBS. For the actions supported for custom policies, see Bucket-Related Actions and Object-Related Actions.

You can create custom policies in either of the following two ways:

  • Visual editor: Select cloud services, actions, resources, and request conditions without the need to know policy syntax.
  • JSON: Edit JSON policies from scratch or based on an existing policy.

For details, see Creating a Custom Policy. The following section contains examples of common OBS custom policies.

Example Custom Policies

  • Example 1: Grant all OBS permissions to users.
    This policy allows users to perform any operation on OBS.
    {
        "Version": "1.1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "obs:*:*"
                ]
            }
        ]
    }
  • Example 2: Grant all OBS Console permissions to users.

    This policy allows users to perform all operations on OBS Console.

    When a user logs in to OBS Console, the user may access resources of other services such as audit information in CTS. Therefore, in addition to the OBS permissions in example 1, you also need to configure the access permissions to other services. You need to configure the Tenant Guest permissions for the global project and regional projects based on the services and regions that you use.
    {
        "Version": "1.1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "obs:*:*"
                ]
            }
        ]
    }
  • Example 3: Grant the read-only permission on a bucket to users (any directory).
    This policy allows users to list and download all objects in bucket obs-example.
    {
        "Version": "1.1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "obs:object:GetObject",
                    "obs:bucket:ListBucket"
                ],
                "Resource": [
                    "obs:*:*:object:obs-example/*",
                    "obs:*:*:bucket:obs-example"
                ]
            }
        ]
    }
  • Example 4: Grant the read-only permission on a bucket to users (specified directory).
    This policy allows users to download objects in only the my-project/ directory of bucket obs-example. Objects in other directories can be listed but cannot be downloaded.
    {
        "Version": "1.1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "obs:object:GetObject",
                    "obs:bucket:ListBucket"
                ],
                "Resource": [
                    "obs:*:*:object:obs-example/my-project/*",
                    "obs:*:*:bucket:obs-example"
                ]
            }
        ]
    }
  • Example 5: Grant the read and write permissions on a bucket to users (specified directory).
    This policy allows users to list, download, upload, and delete objects in the my-project directory of bucket obs-example.
    {
        "Version": "1.1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "obs:object:GetObject",
                    "obs:object:ListMultipartUploadParts",
                    "obs:bucket:ListBucket",
                    "obs:object:DeleteObject",
                    "obs:object:PutObject"
                ],
                "Resource": [
                    "obs:*:*:object:obs-example/my-project/*",
                    "obs:*:*:bucket:obs-example"
                ]
            }
        ]
    }
  • Example 6: Grant all permissions on a bucket to users.
    This policy allows users to perform any operation on bucket obs-example.
    {
        "Version": "1.1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "obs:*:*"
                ],
                "Resource": [
                    "obs:*:*:bucket:obs-example",
                    "obs:*:*:object:obs-example/*"
                ]
            }
        ]
    }
  • Example 7: Deny users the permission to upload objects.

    A deny policy must be used together with other policies. If the permissions assigned to a user contain both "Allow" and "Deny", the "Deny" permissions take precedence over the "Allow" permissions.

    If you grant the OBS Operator system policy to a user but do not want the user to be able to upload objects (a permission the OBS Operator policy allows), you can attach a custom policy in addition to the OBS Operator policy that denies the upload permission. Because a deny statement takes precedence, the user can then perform every operation allowed by the OBS Operator policy except uploading objects. The following is an example of a deny policy:

    {
        "Version": "1.1",
        "Statement": [
            {
                "Effect": "Deny",
                "Action": [
                    "obs:object:PutObject"
                ]
            }
        ]
    }
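    The examples above rely on three rules: "*" in an action or resource matches anything, a statement without "Resource" applies to every resource (Example 1), and an explicit "Deny" overrides any "Allow" (Example 7). The following evaluator, added here as an illustration and not part of OBS or its documentation, models those rules so you can check how a set of attached policies decides a request before deploying it. It is a simplified model: the real IAM engine also handles conditions and project scope, and the region and account fields in the request resources are placeholders.

```python
"""Minimal evaluator for OBS-style custom policies (added example, not OBS code).

Modelled rules, simplified from the documentation above:
  * '*' in an Action or Resource pattern matches any run of characters;
  * a statement with no "Resource" key applies to every resource;
  * a matching "Deny" overrides every "Allow"; no match at all is an implicit deny.
Conditions and project scope are not modelled.
"""
import json
import re


def wildcard_match(pattern: str, value: str) -> bool:
    """Match a policy pattern against a concrete action or resource string.
    Only '*' is special; every other character is compared literally."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def parse_policy(text: str) -> dict:
    """Load a policy document and sanity-check the fields this evaluator uses.
    json.loads rejects syntax slips such as a trailing comma after the last list."""
    policy = json.loads(text)
    for stmt in policy["Statement"]:
        if stmt["Effect"] not in ("Allow", "Deny"):
            raise ValueError(f"unknown Effect {stmt['Effect']!r}")
        if not isinstance(stmt["Action"], list):
            raise ValueError("Action must be a list")
    return policy


def evaluate(policies, action: str, resource: str) -> str:
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one request.
    A matching Deny wins immediately regardless of policy order; a matching
    Allow is remembered; if nothing matches the request is implicitly denied."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(wildcard_match(p, action) for p in stmt["Action"]):
                continue
            resources = stmt.get("Resource")  # absent => all resources (as in Example 1)
            if resources is not None and not any(wildcard_match(p, resource) for p in resources):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


# Constructed policies following the shape of Examples 1, 4 and 7 above.
READ_MY_PROJECT = parse_policy("""{
  "Version": "1.1",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["obs:object:GetObject", "obs:bucket:ListBucket"],
    "Resource": ["obs:*:*:object:obs-example/my-project/*", "obs:*:*:bucket:obs-example"]
  }]
}""")

DENY_UPLOAD = parse_policy("""{
  "Version": "1.1",
  "Statement": [{"Effect": "Deny", "Action": ["obs:object:PutObject"]}]
}""")

ALLOW_ALL_OBS = parse_policy("""{
  "Version": "1.1",
  "Statement": [{"Effect": "Allow", "Action": ["obs:*:*"]}]
}""")

# Constructed request resources; the region and account segments are placeholders.
OBJ_IN_PROJECT = "obs:REGION_PLACEHOLDER:ACCOUNT_PLACEHOLDER:object:obs-example/my-project/report.csv"
OBJ_ELSEWHERE = "obs:REGION_PLACEHOLDER:ACCOUNT_PLACEHOLDER:object:obs-example/other/report.csv"
BUCKET = "obs:REGION_PLACEHOLDER:ACCOUNT_PLACEHOLDER:bucket:obs-example"


def trailing_comma_is_rejected() -> bool:
    """A hand-edited policy with a comma after its last list element is not valid JSON."""
    broken = '{"Version": "1.1", "Statement": [{"Effect": "Deny", "Action": ["obs:object:PutObject"],}]}'
    try:
        parse_policy(broken)
    except json.JSONDecodeError:
        return True
    return False


if __name__ == "__main__":
    attached = [ALLOW_ALL_OBS, DENY_UPLOAD]
    for act in ("obs:object:GetObject", "obs:object:PutObject"):
        print(act, "->", evaluate(attached, act, OBJ_IN_PROJECT))
    print("outside my-project ->", evaluate([READ_MY_PROJECT], "obs:object:GetObject", OBJ_ELSEWHERE))
```

Running it shows the two effects the documentation describes: with the read-only policy of Example 4 a download outside my-project/ is implicitly denied even though the bucket itself can be listed, and attaching the deny policy of Example 7 next to an allow-everything policy turns uploads into an explicit Deny while every other action stays allowed, whichever order the policies are attached in.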