Identity Authentication and Access Control
Identity Authentication
You can use OBS Console, OBS Browser+ (a client), obsutil (a command line tool), APIs, and SDKs to access OBS. No matter which method you use, you are accessing OBS over the REST API.
OBS REST APIs support both authenticated and anonymous requests. Anonymous requests are typical in scenarios that require public access, for example, accessing a hosted static website. In most cases, requests for OBS resources must be authenticated. An authenticated request must include a signature. The signature is calculated based on the requester's access keys (a pair of AK and SK), which are used as the encryption factor, and the specific information included in the request body. OBS uses an access key ID (AK) and a secret access key (SK) together to authenticate the identity of a requester. For more information, see Access Keys (AK/SK).
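The signing and verification flow described above, as an added Python example that is not code from the OBS documentation. It assumes the header-based layout from the OBS API reference (`Authorization: OBS AK:signature`, with the signature being Base64 of HMAC-SHA1 over an S3-V2-style string-to-sign); the keys, bucket and object names are constructed.

```python
import base64
import hashlib
import hmac

# Constructed sample credentials (not real keys).
AK = "EXAMPLEACCESSKEYID00"
SK = "exampleSecretAccessKey0000000000000000"


def string_to_sign(method, date, resource, content_md5="", content_type="", obs_headers=None):
    """Build the canonical string (assumed S3-V2-style layout, see lead-in)."""
    # x-obs-* headers are lower-cased and sorted so both sides hash the same bytes.
    canon = "".join(
        f"{k.lower()}:{v.strip()}\n"
        for k, v in sorted((obs_headers or {}).items(), key=lambda kv: kv[0].lower())
    )
    return f"{method}\n{content_md5}\n{content_type}\n{date}\n{canon}{resource}"


def sign(sk, sts):
    """Signature = Base64(HMAC-SHA1(SK, string-to-sign)); the SK itself is never sent."""
    digest = hmac.new(sk.encode(), sts.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def authorization_header(ak, sk, method, date, resource, **kw):
    return f"OBS {ak}:{sign(sk, string_to_sign(method, date, resource, **kw))}"


def verify(header, sk_lookup, method, date, resource, **kw):
    """Service-side check: recompute with the stored SK and compare in constant time."""
    scheme, _, cred = header.partition(" ")
    ak, _, sig = cred.partition(":")
    sk = sk_lookup.get(ak)
    if scheme != "OBS" or sk is None:
        return False
    expected = sign(sk, string_to_sign(method, date, resource, **kw))
    return hmac.compare_digest(expected.encode(), sig.encode())


if __name__ == "__main__":
    date = "Tue, 15 Oct 2024 08:00:00 GMT"
    hdr = authorization_header(AK, SK, "GET", date, "/example-bucket/report.csv")
    print(hdr)
    print(verify(hdr, {AK: SK}, "GET", date, "/example-bucket/report.csv"))   # True
    print(verify(hdr, {AK: SK}, "GET", date, "/example-bucket/secrets.csv"))  # False
```

Because the method, date and resource are all covered by the HMAC, a captured `Authorization` value cannot be reused for a different object or verb without the SK.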
Other OBS access scenarios include:
Access Control
OBS access control can be implemented based on IAM permissions, bucket policies, ACLs, URL validation, and CORS.
| Method | Description |
|---|---|
| IAM permissions | IAM permissions define which actions on your cloud resources are allowed or denied. After creating an IAM user, the administrator needs to add it to a user group and grant the permissions required by OBS to the user group. Then, all users in this group automatically inherit the granted permissions. |
| Bucket policies | A bucket policy applies to an OBS bucket and the objects in it. A bucket owner can use bucket policies to grant IAM users or other accounts the permissions required to operate the bucket and the objects in it. Bucket policies supplement, and in many cases replace, ACLs of buckets and objects. |
| ACLs | An access control list (ACL) defines grantees and their granted permissions. Bucket and object ACLs are associated with accounts or user groups. When you create a bucket or an object, OBS creates a default ACL that grants the owner full control over the bucket or object. Bucket or object owners can configure ACLs to grant basic read and write permissions to specific accounts or user groups. |
| URL validation | URL validation uses the Referer field in HTTP requests to protect your data in OBS from being stolen. Such authorization is controlled using whitelists and blacklists. |
| CORS | OBS allows you to configure cross-origin resource sharing (CORS) rules on buckets to allow or forbid cross-origin requests from certain websites. |