Updated on 2024-12-09 GMT+08:00

Configuring a Bucket ACL (SDK for Node.js)

If you have any questions during development, post them on the Issues page of GitHub.

Function

OBS provides access control over buckets. You can use an access policy to define whether a user can perform certain operations on a specific bucket. OBS access control can be implemented using IAM permissions, bucket policies, and ACLs (including bucket and object ACLs). For more information, see Introduction to OBS Access Control.

A bucket ACL applies permissions to another Huawei Cloud account and its IAM users, rather than the current account and its IAM users. It can grant access to both a bucket (including the objects in it) and the bucket ACL. The granted access includes view and edit permissions. You must specify a bucket name when configuring a bucket ACL. For more information, see ACLs.

This API modifies a bucket ACL.

Restrictions

Method

ObsClient.setBucketAcl(params)

Request Parameters

Table 1 List of request parameters

Parameter

Type

Mandatory (Yes/No)

Description

Bucket

string

Yes

Explanation:

Bucket name.

Restrictions:

  • A bucket name must be unique across all accounts and regions.
  • A bucket name:
    • Must be 3 to 63 characters long and start with a digit or letter. Lowercase letters, digits, hyphens (-), and periods (.) are allowed.
    • Cannot be formatted as an IP address.
    • Cannot start or end with a hyphen (-) or period (.).
    • Cannot contain two consecutive periods (..), for example, my..bucket.
    • Cannot contain a period (.) and a hyphen (-) adjacent to each other, for example, my-.bucket or my.-bucket.
  • If you repeatedly create buckets with the same name in the same region, no error will be reported, and the bucket attributes comply with those set in the first creation request.

Value range:

The value can contain 3 to 63 characters.

Default value:

None

ACL

AclType

No

Explanation:

Pre-defined ACL

Restrictions:

You must specify either ACL or the combination of Owner and Grants.

Value range:

See Table 2.

Default value:

None

Owner

Owner

No

Explanation:

Bucket owner

Restrictions:

  • Owner and Grants must be used together, and they cannot be used with ACL.
  • You must specify either ACL or the combination of Owner and Grants.

Value range:

See Table 3.

Default value:

None

Grants

Grant[]

No

Explanation:

Grantees and permissions

Restrictions:

  • Owner and Grants must be used together, and they cannot be used with ACL.
  • You must specify either ACL or the combination of Owner and Grants.

Value range:

See Table 4.

Default value:

None

Table 2 AclType

Constant

Default Value

Description

ObsClient.enums.AclPrivate

private

Private read and write

A bucket or object can only be accessed by its owner.

ObsClient.enums.AclPublicRead

public-read

Public read and private write

If this permission is granted on a bucket, anyone can read the object list, multipart uploads, metadata, and object versions in the bucket.

If this permission is granted on an object, everyone can obtain the content and metadata of the object.

ObsClient.enums.AclPublicReadWrite

public-read-write

Public read and write

If this permission is granted on a bucket, anyone can read the object list, multipart tasks, metadata, and object versions in the bucket and can upload or delete objects, initiate multipart upload tasks, upload parts, assemble parts, copy parts, and abort multipart upload tasks.

If this permission is granted on an object, everyone can obtain the content and metadata of the object.

ObsClient.enums.AclPublicReadDelivered

public-read-delivered

Public read on a bucket as well as the objects in the bucket.

If this permission is granted on a bucket, anyone can read the object list, multipart tasks, metadata, and object versions and read the content and metadata of objects in the bucket.

NOTE:

AclPublicReadDelivered does not apply to objects.

ObsClient.enums.AclPublicReadWriteDelivered

public-read-write-delivered

Public read and write on a bucket as well as the objects in the bucket.

If this permission is granted on a bucket, anyone can read the object list, multipart uploads, metadata, and object versions in the bucket and can upload or delete objects, initiate multipart upload tasks, upload parts, assemble parts, copy parts, and abort multipart uploads. They can also read the content and metadata of objects in the bucket.

NOTE:

AclPublicReadWriteDelivered does not apply to objects.

ObsClient.enums.AclBucketOwnerFullControl

bucket-owner-full-control

If this permission is granted on an object, only the bucket and object owners have the full control over the object.

By default, if you upload an object to a bucket of any other user, the bucket owner does not have the permissions on your object. After you grant this policy to the bucket owner, the bucket owner can have full control over your object. For example, if user A uploads object x to user B's bucket, user B does not have the control over object x. If user A sets the bucket-owner-full-control policy for object x, user B then has the control over object x.

Table 3 Owner

Parameter

Type

Mandatory (Yes/No)

Description

ID

string

Yes if used as a request parameter

Explanation:

Account (domain) ID of the owner

Value range:

To obtain the account ID, see How Do I Get My Account ID and User ID? (SDK for Node.js).

Default value:

None

DisplayName

string

No

Explanation:

Account name of the owner

Default value:

None

Table 4 Grant

Parameter

Type

Mandatory (Yes/No)

Description

Grantee

Grantee

Yes if used as a request parameter

Explanation:

Grantee information. For details, see Table 5.

Permission

PermissionType

Yes if used as a request parameter

Explanation:

Granted permission

Value range:

See Table 8.

Default value:

None

Delivered

boolean

No

Explanation:

Whether the ACL of the bucket applies to its objects

Value range:

  • true: The ACL of the bucket applies to its objects.
  • false: The ACL of the bucket does not apply to its objects.

Default value:

None

Table 5 Grantee

Parameter

Type

Mandatory (Yes/No)

Description

Type

string

Yes if used as a request parameter

Explanation:

Grantee type

Value range:

See Table 6.

Default value:

None

ID

string

Yes if this parameter is used as a request parameter and Type is set to a user

Explanation:

Account (domain) ID of the grantee.

Value range:

To obtain the account ID, see How Do I Get My Account ID and User ID? (SDK for Node.js).

Default value:

None

Name

string

No if used as a request parameter

Explanation:

Account name of the grantee

Restrictions:

  • The account name cannot contain full-width characters.
  • The account name starts with a letter.
  • The account name contains 6 to 32 characters.
  • The account name contains only letters, digits, hyphens (-), or underscores (_).

Default value:

None

URI

GroupUriType

Yes if this parameter is used as a request parameter and Type is set to a group

Explanation:

Authorized user group

Value range:

See Table 7.

Default value:

None

Table 6 GranteeType

Constant

Description

Group

Grants permissions to user groups.

CanonicalUser

Grants permissions to individual users.

Table 7 GroupUriType

Constant

Default Value

Description

ObsClient.enums.GroupAllUsers

AllUsers

All users.

ObsClient.enums.GroupAuthenticatedUsers

AuthenticatedUsers

Authorized users. This constant is deprecated.

ObsClient.enums.GroupLogDelivery

LogDelivery

Log delivery group. This constant is deprecated.

Table 8 PermissionType

Constant

Default Value

Description

ObsClient.enums.PermissionRead

READ

A grantee with this permission for a bucket can obtain the list of objects, multipart uploads, bucket metadata, and object versions in the bucket.

A grantee with this permission for an object can obtain the object content and metadata.

ObsClient.enums.PermissionWrite

WRITE

A grantee with this permission for a bucket can upload, overwrite, and delete any object or part in the bucket.

This permission is not applicable to objects.

ObsClient.enums.PermissionReadAcp

READ_ACP

A grantee with this permission can obtain the ACL of a bucket or object.

A bucket or object owner has this permission for their bucket or object by default.

ObsClient.enums.PermissionWriteAcp

WRITE_ACP

A grantee with this permission can update the ACL of a bucket or object.

A bucket or object owner has this permission for their bucket or object by default.

This permission allows the grantee to change the access control policies, meaning the grantee has full control over a bucket or object.

ObsClient.enums.PermissionFullControl

FULL_CONTROL

A grantee with this permission for a bucket has PermissionRead, PermissionWrite, PermissionReadAcp, and PermissionWriteAcp permissions for the bucket.

A grantee with this permission for an object has PermissionRead, PermissionReadAcp, and PermissionWriteAcp permissions for the object.

Responses

Table 9 Responses

Type

Description

Table 10

NOTE:

This API returns a Promise response, which requires the Promise or async/await syntax.

Explanation:

Returned results. For details, see Table 10.

Table 10 Response

Parameter

Type

Description

CommonMsg

ICommonMsg

Explanation:

Common information generated after an API call is complete, including the HTTP status code and error code. For details, see Table 11.

InterfaceResult

Table 12

Explanation:

Results outputted for a successful call. For details, see Table 12.

Restrictions:

This parameter is not included if the value of Status is greater than 300.

Table 11 ICommonMsg

Parameter

Type

Description

Status

number

Explanation:

HTTP status code returned by the OBS server.

Value range:

A status code is a group of digits indicating the status of a response. It ranges from 2xx (indicating successes) to 4xx or 5xx (indicating errors). For details, see Status Codes.

Code

string

Explanation:

Error code returned by the OBS server.

Message

string

Explanation:

Error description returned by the OBS server.

HostId

string

Explanation:

Request server ID returned by the OBS server.

RequestId

string

Explanation:

Request ID returned by the OBS server.

Id2

string

Explanation:

Request ID2 returned by the OBS server.

Indicator

string

Explanation:

Error code details returned by the OBS server.

Table 12 BaseResponseOutput

Parameter

Type

Description

RequestId

string

Explanation:

Request ID returned by the OBS server

Code Examples: Specifying an ACL During Bucket Creation

This example sets a pre-defined ACL (private read and write) when creating a bucket.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
// Import the OBS library.
// Use npm to install the client.
const ObsClient = require("esdk-obs-nodejs");
// Use the source code to install the client.
// var ObsClient = require('./lib/obs');

// Create an ObsClient instance.
const obsClient = new ObsClient({
  // Obtain an AK/SK pair using environment variables or import an AK/SK pair in other ways. Using hard coding may result in leakage.
  // Obtain an AK/SK pair on the management console. For details, see https://support.huaweicloud.com/intl/en-us/usermanual-ca/ca_01_0003.html.
  access_key_id: process.env.ACCESS_KEY_ID,
  secret_access_key: process.env.SECRET_ACCESS_KEY,
  // (Optional) If you use a temporary AK/SK pair and a security token to access OBS, you are advised not to use hard coding, which may result in information leakage. You can obtain an AK/SK pair using environment variables or import an AK/SK pair in other ways.
  // security_token: process.env.SECURITY_TOKEN,
  // Enter the endpoint corresponding to the region where the bucket is located. CN-Hong Kong is used here in this example. Replace it with the one currently in use.
  server: "https://obs.ap-southeast-1.myhuaweicloud.com"
});

async function createBucket() {
  try {
    const params = {
      // Specify the bucket name.
      Bucket: "examplebucket",
      // Specify the region where the bucket is to be created. The region must be the same as that in the passed endpoint. ap-southeast-1 is used in this example.
      // Location: "ap-southeast-1",
      // Specify an access control policy for the bucket. obs.AclPrivate is used in this example.
      ACL: obsClient.enums.AclPrivate,
    };
    // Create a bucket.
    const result = await obsClient.createBucket(params);
    if (result.CommonMsg.Status <= 300) {
      console.log("Create bucket(%s) successful!", params.Bucket);
      console.log("RequestId: %s", result.CommonMsg.RequestId);
      return;
    };
    console.log("An ObsError was found, which means your request sent to OBS was rejected with an error response.");
    console.log("Status: %d", result.CommonMsg.Status);
    console.log("Code: %s", result.CommonMsg.Code);
    console.log("Message: %s", result.CommonMsg.Message);
    console.log("RequestId: %s", result.CommonMsg.RequestId);
  } catch (error) {
    console.log("An Exception was found, which means the client encountered an internal problem when attempting to communicate with OBS, for example, the client was unable to access the network.");
    console.log(error);
  };
};

createBucket();

Code Examples: Specifying an ACL for an Existing Bucket

This example sets an ACL (private) for bucket examplebucket.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
// Import the OBS library.
// Use npm to install the client.
const ObsClient = require("esdk-obs-nodejs");
// Use the source code to install the client.
// var ObsClient = require('./lib/obs');

// Create an instance of ObsClient.
const obsClient = new ObsClient({
  //Obtain an AK/SK pair using environment variables or import an AK/SK pair in other ways. Using hard coding may result in leakage.
  //Obtain an AK/SK pair on the management console. For details, see https://support.huaweicloud.com/intl/en-us/usermanual-ca/ca_01_0003.html.
  access_key_id: process.env.ACCESS_KEY_ID,
  secret_access_key: process.env.SECRET_ACCESS_KEY,
  // (Optional) If you use a temporary AK/SK pair and a security token to access OBS, you are advised not to use hard coding, which may result in information leakage. You can obtain an AK/SK pair using environment variables or import an AK/SK pair in other ways.
  // security_token: process.env.SECURITY_TOKEN,
  // Enter the endpoint corresponding to the region where the bucket is located. CN-Hong Kong is used here in this example. Replace it with the one currently in use.
  server: "https://obs.ap-southeast-1.myhuaweicloud.com"
});

async function setBucketAcl() {
  try {
    const params = {
      // Specify the bucket name.
      Bucket: "examplebucket",
      // Set the bucket ACL to be private.
      ACL: obsClient.enums.AclPrivate
    };
    // Set the bucket ACL.
    const result = await obsClient.setBucketAcl(params);
    if (result.CommonMsg.Status <= 300) {
      console.log("Set bucket(%s)'s acl successful!", params.Bucket);
      console.log("RequestId: %s", result.CommonMsg.RequestId);
      return;
    };

    console.log("An ObsError was found, which means your request sent to OBS was rejected with an error response.");
    console.log("Status: %d", result.CommonMsg.Status);
    console.log("Code: %s", result.CommonMsg.Code);
    console.log("Message: %s", result.CommonMsg.Message);
    console.log("RequestId: %s", result.CommonMsg.RequestId);
  } catch (error) {
    console.log("An Exception was found, which means the client encountered an internal problem when attempting to communicate with OBS, for example, the client was unable to access the network.");
    console.log(error);
  };
};

setBucketAcl();

Code Examples: Granting Bucket Permissions

This example sets an ACL to allow all users to read from bucket examplebucket but only allow user 0a03f5833900d3730f13c00f49d5exxx to write to the bucket.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
// Import the OBS library.
// Use npm to install the client.
const ObsClient = require("esdk-obs-nodejs");
// Use the source code to install the client.
// var ObsClient = require('./lib/obs');

// Create an instance of ObsClient.
const obsClient = new ObsClient({
  //Obtain an AK/SK pair using environment variables or import an AK/SK pair in other ways. Using hard coding may result in leakage.
  //Obtain an AK/SK pair on the management console. For details, see https://support.huaweicloud.com/intl/en-us/usermanual-ca/ca_01_0003.html.
  access_key_id: process.env.ACCESS_KEY_ID,
  secret_access_key: process.env.SECRET_ACCESS_KEY,
  // (Optional) If you use a temporary AK/SK pair and a security token to access OBS, you are advised not to use hard coding, which may result in information leakage. You can obtain an AK/SK pair using environment variables or import an AK/SK pair in other ways.
  // security_token: process.env.SECURITY_TOKEN,
  // Enter the endpoint corresponding to the region where the bucket is located. CN-Hong Kong is used here in this example. Replace it with the one currently in use.
  server: "https://obs.ap-southeast-1.myhuaweicloud.com"
});

async function setBucketAcl() {
  try {
    const params = {
      // Specify the bucket name.
      Bucket: "examplebucket",
      // Specify the bucket owner ID. ownerid is used in this example.
      Owner: { ID: 'ownerid' },
      Grants: [
        // Grant the public-read permission to all users.
        { Grantee: { Type: 'Group', URI: obsClient.enums.GroupAllUsers  }, Permission: obsClient.enums.PermissionRead },
          // Grant the write permission to a specific user. In this example, the user ID is 0a03f5833900d3730f13c00f49d5exxx.
        { Grantee: { Type: 'CanonicalUser', ID: '0a03f5833900d3730f13c00f49d5exxx' }, Permission: obsClient.enums.PermissionWrite },
      ]
    };
    // Set the bucket ACL.
    const result = await obsClient.setBucketAcl(params);
    if (result.CommonMsg.Status <= 300) {
      console.log("Set bucket(%s)'s acl successful!", params.Bucket);
      console.log("RequestId: %s", result.CommonMsg.RequestId);
      return;
    };

    console.log("An ObsError was found, which means your request sent to OBS was rejected with an error response.");
    console.log("Status: %d", result.CommonMsg.Status);
    console.log("Code: %s", result.CommonMsg.Code);
    console.log("Message: %s", result.CommonMsg.Message);
    console.log("RequestId: %s", result.CommonMsg.RequestId);
  } catch (error) {
    console.log("An Exception was found, which means the client encountered an internal problem when attempting to communicate with OBS, for example, the client was unable to access the network.");
    console.log(error);
  };
};

setBucketAcl();