Help Center> Object Storage Service> Go> Objects (SDK for Go)> Configuring an Object ACL (SDK for Go)
Updated on 2024-02-01 GMT+08:00

Configuring an Object ACL (SDK for Go)

Function

OBS supports the control of access permission for objects. By default, only the object creators have the read and write permissions on the object. You can set other access control policies for objects. For example, if an object is configured with the public access policy, all users are allowed to read the object. Even if the ACL is configured for an object encrypted in the SSE-KMS mode, the inter-tenant access is unavailable.

You can set an access control policy when uploading an object or make a call of an API operation to modify or obtain the object ACL.

Restrictions

Method

func (obsClient ObsClient) SetObjectAcl(input *SetObjectAclInput) (output *BaseModel, err error)

Request Parameters

Table 1 List of request parameters

Parameter

Type

Mandatory (Yes/No)

Description

input

*SetObjectAclInput

Yes

Explanation:

Input parameters for configuring an ACL for the object. For details, see Table 2.

Table 2 SetObjectAclInput

Parameter

Type

Mandatory (Yes/No)

Description

Bucket

string

Yes

Explanation:

Bucket name

Restrictions:

  • A bucket name must be unique across all accounts and regions.
  • A bucket name:
    • Must be 3 to 63 characters long and start with a digit or letter. Lowercase letters, digits, hyphens (-), and periods (.) are allowed.
    • Cannot be formatted as an IP address.
    • Cannot start or end with a hyphen (-) or period (.).
    • Cannot contain two consecutive periods (..), for example, my..bucket.
    • Cannot contain a period (.) and a hyphen (-) adjacent to each other, for example, my-.bucket or my.-bucket.
  • If you repeatedly create buckets of the same name in the same region, no error will be reported and the bucket attributes comply with those set in the first creation request.

Default value:

None

Key

string

Yes

Explanation:

Object name. An object is uniquely identified by an object name in a bucket. An object name is a complete path that does not contain the bucket name.

For example, if the address for accessing the object is examplebucket.obs.ap-southeast-1.myhuaweicloud.com/folder/test.txt, the object name is folder/test.txt.

Value range:

The value must contain 1 to 1,024 characters.

Default value:

None

VersionId

string

No

Explanation:

Object version ID, for example, G001117FCE89978B0000401205D5DC9A

Value range:

The value must contain 32 characters.

Default value:

None

ACL

AclType

No

Explanation:

Pre-defined ACL

Value range:

See Table 3.

Default value:

None

Owner

Owner

No

Explanation:

Account ID of the object owner. For details, see Table 4.

Restrictions:

Owner and Grants must be used together and they cannot be used with ACL.

Grants

[]Grant

No

Explanation:

Grantees' permission information. For details, see Table 5.

Default value:

None

Table 3 AclType

Constant

Default Value

Description

AclPrivate

private

Private read/write

A bucket or object can only be accessed by its owner.

AclPublicRead

public-read

Public read and private write

If this permission is granted on a bucket, anyone can read the object list, multipart tasks, metadata, and object versions in the bucket.

If it is granted on an object, anyone can read the content and metadata of the object.

AclPublicReadWrite

public-read-write

Public read/write

If this permission is granted on a bucket, anyone can read the object list, multipart tasks, metadata, and object versions in the bucket, and can upload or delete objects, initiate multipart upload tasks, upload parts, merge parts, copy parts, and cancel multipart upload tasks.

If it is granted on an object, anyone can read the content and metadata of the object.

AclPublicReadDelivered

public-read-delivered

Public read on a bucket as well as objects in the bucket

If this permission is granted on a bucket, anyone can read the object list, multipart tasks, metadata, and object versions, and read the content and metadata of objects in the bucket.

NOTE:

AclPublicReadDelivered does not apply to objects.

AclPublicReadWriteDelivered

public-read-write-delivered

Public read/write on a bucket as well as objects in the bucket

If this permission is granted on a bucket, anyone can read the object list, multipart tasks, metadata, and object versions in the bucket, and can upload or delete objects, initiate multipart upload tasks, upload parts, merge parts, copy parts, and cancel multipart upload tasks. You can also obtain the content and metadata of objects in the bucket.

NOTE:

AclPublicReadWriteDelivered does not apply to objects.

AclBucketOwnerFullControl

bucket-owner-full-control

If this permission is granted on an object, only the bucket and object owners have the full control over the object.

By default, if you upload an object to a bucket of any other user, the bucket owner does not have the permissions on your object. After you grant this policy to the bucket owner, the bucket owner can have full control over your object.

Table 4 Owner

Parameter

Type

Mandatory (Yes/No)

Description

ID

string

Yes if used as a request parameter

Explanation:

Account (domain) ID of the owner

Value range:

To obtain the account ID, see How Do I Get My Account ID and User ID?

Default value:

None

Table 5 Grant

Parameter

Type

Mandatory (Yes/No)

Description

Grantee

Grantee

Yes if used as a request parameter

Explanation:

Grantee information. For details, see Table 6.

Permission

PermissionType

Yes if used as a request parameter

Explanation:

Granted permission

Value range:

See Table 7.

Default value:

None

Table 6 Grantee

Parameter

Type

Mandatory (Yes/No)

Description

Type

GranteeType

Yes if used as a request parameter

Explanation:

Grantee type

Value range:

See Table 8.

Default value:

None

ID

string

Yes if this parameter is used as a request parameter and Type is set to GranteeUser

Explanation:

Account (domain) ID of the grantee

Value range:

To obtain the account ID, see How Do I Get My Account ID and User ID?

Default value:

None

DisplayName

string

No if used as a request parameter

Explanation:

Account name of the grantee

Restrictions:

  • Starts with a letter.
  • Contains 6 to 32 characters.
  • Contains only letters, digits, hyphens (-), and underscores (_).

Default value:

None

URI

GroupUriType

Yes if this parameter is used as a request parameter and Type is set to GranteeGroup

Explanation:

Authorized user group

Value range:

See Table 9.

Default value:

None

Table 7 PermissionType

Constant

Default Value

Description

PermissionRead

READ

Read permission

PermissionWrite

WRITE

Write permission

PermissionReadAcp

READ_ACP

Permission to read ACL configurations

PermissionWriteAcp

WRITE_ACP

Permission to modify ACL configurations

PermissionFullControl

FULL_CONTROL

Full control access, including read and write permissions for a bucket and its ACL, or for an object and its ACL.

Table 8 GranteeType

Constant

Default Value

Description

GranteeGroup

Group

User group

GranteeUser

CanonicalUser

Individual user

Table 9 GroupUriType

Constant

Default Value

Description

GroupAllUsers

AllUsers

All users

Responses

Table 10 List of returned results

Parameter

Type

Description

output

*BaseModel

Explanation:

Returned results. For details, see Table 11.

err

error

Explanation:

Error messages returned by the API

Table 11 BaseModel

Parameter

Type

Description

StatusCode

int

Explanation:

HTTP status code

Value range:

A status code is a group of digits that can be 2xx (indicating successes) or 4xx or 5xx (indicating errors). It indicates the status of a response. For more information, see Status Code.

Default value:

None

RequestId

string

Explanation:

Request ID returned by the OBS server

Default value:

None

ResponseHeaders

map[string][]string

Explanation:

HTTP response headers

Default value:

None

Code Examples

This example sets the ACL of object example/objectname to be private.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
package main
import (
    "fmt"
    "os"
    obs "github.com/huaweicloud/huaweicloud-sdk-go-obs/obs"
)
func main() {
    //Obtain an AK/SK pair using environment variables or import an AK/SK pair in other ways. Using hard coding may result in leakage.
    //Obtain an AK/SK pair on the management console. For details, see https://support.huaweicloud.com/intl/en-us/usermanual-ca/ca_01_0003.html.
    ak := os.Getenv("AccessKeyID")
    sk := os.Getenv("SecretAccessKey")
    // (Optional) If you use a temporary AK/SK pair and a security token to access OBS, you are advised not to use hard coding to reduce leakage risks. You can obtain an AK/SK pair using environment variables or import an AK/SK pair in other ways.
    securityToken := os.Getenv("SecurityToken")
    // Enter the endpoint corresponding to the bucket. CN-Hong Kong is used here as an example. Replace it with the one currently in use.
    endPoint := "https://obs.ap-southeast-1.myhuaweicloud.com"
    // Create an obsClient instance.
    // If you use a temporary AK/SK pair and a security token to access OBS, use the obs.WithSecurityToken method to specify a security token when creating an instance.
    obsClient, err := obs.New(ak, sk, endPoint, obs.WithSecurityToken(securityToken))
    if err != nil {
        fmt.Printf("Create obsClient error, errMsg: %s", err.Error())
    }
    input := &obs.SetObjectAclInput{}
    // Specify a bucket name.
    input.Bucket = "examplebucket"
    // Specify an object (example/objectname as an example).
    input.Key = "example/objectname"
    // Set the object ACL to be private.
    input.ACL = obs.AclPrivate
    // Configure the object ACL.
    output, err := obsClient.SetObjectAcl(input)
    if err == nil {
        fmt.Printf("Set Object(%s)'s acl successful with Bucket(%s)!\n", input.Key, input.Bucket)
        fmt.Printf("RequestId:%s\n", output.RequestId)
        return
    }
    fmt.Printf("Set Object(%s)'s acl fail with Bucket(%s)!\n", input.Key, input.Bucket)
    if obsError, ok := err.(obs.ObsError); ok {
        fmt.Println("An ObsError was found, which means your request sent to OBS was rejected with an error response.")
        fmt.Println(obsError.Error())
    } else {
        fmt.Println("An Exception was found, which means the client encountered an internal problem when attempting to communicate with OBS, for example, the client was unable to access the network.")
        fmt.Println(err)
    }
}