ACLs
Access control lists (ACLs) allow resource owners to grant other accounts the access to resources. OBS ACLs define the read and write permissions that are attached to accounts. The permissions granted to an account are also applied to its IAM users. ACLs are not as fine-grained as bucket policies or IAM policies. It is recommended that you use IAM permissions and bucket policies for access control.
By default, only the bucket creator (also the bucket owner) has full control over the bucket, and only the object uploader (also the object owner) has full control over the object. If resource owners want other accounts to access their resources, they can use ACLs to grant the read and write permissions.
Scenarios
You can configure an ACL to:
- Let another account, rather than you (the object owner), have full control over your object. Suppose you have uploaded object a to a bucket of account B. By default, account B does not have the read and write permissions for your object a. In this case, you can set the object ACL to bucket-owner-full-control so that account B has full control over object a and can further manage it in the bucket in a unified manner.
- Individually control access to a specific object. Suppose you have applied a bucket policy to a set of objects and you want to further control access to a single object in this set of objects. You can use the object ACL to achieve this.
Relationship Between Bucket ACLs and Object ACLs
Both buckets and objects have their own ACL. Table 1 shows the relationship between bucket ACLs and object ACLs.
|
Dimension |
Bucket ACL |
Object ACL |
|---|---|---|
|
Grantor |
Bucket owner (the account that created the bucket) A bucket owner has full control over the bucket by default. The read and write permissions for the bucket ACL are permanently available to the bucket owner, and cannot be modified. It is not recommended to modify a bucket owner's read and write permissions for the bucket. |
Object owner (the account that uploaded the object, rather than the owner of the bucket that stores the object) For example, if account A uploads object a to a bucket of account B, the owner of object a is account A. The object owner has full control over the object by default. The read and write permissions for the object ACL are permanently available to the object owner, and cannot be modified. |
|
|
|
|
|
|
|
Inheritance relationship between bucket ACLs and object ACLs |
When an object ACL inherits a bucket ACL, the union of permissions from both ACLs is applied.
|
|
Grantee
You can configure an ACL to grant users listed in Table 2 access to buckets.
|
Principal |
Description |
|---|---|
|
Other accounts |
ACLs can be used to grant accounts permissions to access buckets and objects. Once a specific account is granted such permissions, all IAM users under this account have the same permissions as this account. If you want to grant different permissions to different IAM users under other accounts, you can configure bucket policies.
NOTE:
Users must have both the ACL and IAM permissions to access resources across accounts. For details, see Which Permissions Apply When They Conflict? |
|
Anonymous users |
Visitors who have not registered with Huawei Cloud.
CAUTION:
If anonymous users are granted the access to a bucket or an object, anyone can access the bucket or the object without authentication. |
|
Log delivery user groups
NOTE:
Only the bucket ACL supports authorizing permissions to the log delivery user. |
A log delivery user group only delivers access logs of buckets and objects to the configured target bucket. OBS does not create or upload any file to a bucket automatically. Therefore, if you want to record access logs for buckets, you need to grant the permission to a log delivery user group who will deliver the access logs to your specified target bucket. This user group is only used to record internal logs of OBS.
NOTICE:
After logging is enabled, the log delivery user will be automatically granted the permission to read the bucket ACL and write the bucket where logs are saved. If you manually disable such permissions, bucket logging fails. |
Permissions That Can Be Granted
Table 3 and Table 4 list the permissions that can be configured in a bucket ACL.
|
Permission |
Description |
|---|---|
|
Read |
A user with this permission can obtain the list of objects in a bucket and the metadata of the bucket. |
|
Write |
A user with this permission can upload objects to a bucket, and can delete and overwrite existing objects in the bucket. |
|
Object read |
Objects in a bucket inherit the read permission configured for the bucket. An authorized user can obtain the content and metadata of objects. |
|
Permission |
Description |
|---|---|
|
Read |
A user with this permission can read the bucket ACL. |
|
Write |
A user with this permission can update the bucket ACL. |
Table 5 and Table 6 list the permissions that can be configured in an object ACL.
How Do I Configure an ACL?
You can use the predefined bucket or object ACLs or customize an ACL.
OBS provides six types of predefined ACLs, as described in Table 7. A predefined ACL is applied to all users.
|
Predefined ACL |
Description |
|---|---|
|
private |
A bucket or an object can only be accessed by its owner. By default, the ACL is set to private. |
|
public-read |
If this permission is set for a bucket, anyone can obtain its object list, multipart tasks, and metadata. If this permission is set for an object, anyone can obtain the content and metadata of the object. |
|
public-read-write |
If this permission is set for a bucket, anyone can obtain its object list, multipart upload tasks, and metadata, and can upload, delete objects, initiate multipart uploads, upload, assemble, and copy parts, and cancel multipart uploads. If this permission is set for an object, anyone can obtain the content and metadata of the object. This permission works the same as public-read. |
|
public-read-delivered |
If this permission is set for a bucket, anyone can obtain its object list, multipart upload tasks, and metadata. Compared with public-read, this permission also allows access to the content and metadata of the objects in the bucket. This permission does not apply to objects. |
|
public-read-write-delivered |
If this permission is set for a bucket, anyone can obtain its object list, multipart upload tasks, and metadata, and can upload, delete objects, initiate multipart uploads, upload, assemble, and copy parts, and cancel multipart uploads. Compared with public-read-write, this permission also allows access to the content and metadata of the objects in the bucket. This permission does not apply to objects. |
|
bucket-owner-full-control |
Setting this permission for an object will enable the bucket owner to have full control over the object. By default, if you upload an object to a bucket of any other user, the bucket owner does not have the access to your object. After you grant the bucket-owner-full-control permission to the bucket owner, the bucket owner can have full control over your object. |
Using OBS Console to Configure Predefined ACLs
You can configure predefined ACLs on OBS Console.
- There are five types of predefined ACLs for buckets.
In the navigation pane, choose Bucket ACL. The bucket ACL configuration page is displayed.
In the Public Access area, Private corresponds to the predefined private permission, Public Read corresponds to the predefined public-read permission, and Public Read/Write corresponds to the predefined public-read-write permission.
Click Edit in the row where Anonymous User is located in the User Access area.
- Select Read for Access to Bucket and Read for Access to Objects. This setting corresponds to the public-read-delivered permission.
- Select both Read and Write for Access to Bucket, and Read for Access to Objects. This setting corresponds to the public-read-write-delivered permission.
- There are two types of predefined ACLs for objects on OBS Console: private and public-read. To configure an object ACL on OBS Console, click the object name to go to the object details page and then click the Object ACL tab. On the page that is displayed, configure the object ACL.
Using APIs to Configure Predefined ACLs
You can use the x-obs-acl header to configure the bucket or object ACL when creating a bucket or uploading an object. For details, see Creating a Bucket and Uploading an Object. You can also configure the bucket or object ACL after the bucket is created or the object is uploaded. For details, see Configuring a Bucket ACL and Configuring an Object ACL.
Using SDKs to Configure Predefined ACLs
|
Configuring the ACL when creating a bucket |
BrowserJS: not supported |
|||||||||
|---|---|---|---|---|---|---|---|---|---|---|
|
Configuring a bucket ACL |
||||||||||
|
Configuring the ACL when uploading an object |
||||||||||
|
Configuring an object ACL |
Using OBS Browser+ to Configure Predefined ACLs
Using obsutil to Configure Predefined ACLs
You can customize ACLs to grant permissions to specified accounts or anonymous users. Table 8 lists the permissions that can be configured in bucket or object ACLs.
|
Permission |
When Granted for a Bucket |
When Granted for an Object |
API Header |
|---|---|---|---|
|
READ |
A user with this permission can obtain the list of objects in the bucket and the metadata of the bucket. |
A user with this permission can obtain the content and metadata of the object. |
x-obs-grant-read |
|
WRITE |
A user with this permission can upload objects to the bucket, and can delete and overwrite existing objects in the bucket. |
Not supported |
x-obs-grant-write |
|
READ_ACP |
A user with this permission can read the bucket ACL. |
A user with this permission can read the object ACL. |
x-obs-grant-read-acp |
|
WRITE_ACP |
A user with this permission can update the bucket ACL. |
A user with this permission can update the object ACL. |
x-obs-grant-write-acp |
|
FULL_CONTROL |
A user with this permission has the READ, WRITE, READ_ACP, and WRITE_ACP permissions. |
A user with this permission has the READ, READ_ACP, and WRITE_ACP permissions for the object. |
x-obs-grant-full-control |
OBS allows you to customize an object ACL to inherit the bucket ACL. You can use the x-obs-grant-read-delivered header to configure a bucket ACL so that grantees can obtain the list of objects in the bucket and the metadata of the bucket, and also have the READ permission for objects in the bucket. Using the x-obs-grant-full-control-delivered header in a bucket ACL to grant the grantee the READ, WRITE, READ_ACP, and WRITE_ACP permissions for the bucket and also the READ, READ_ACP, and WRITE_ACP permissions for the objects in the bucket.
Using OBS Console to Customize an ACL
You can customize ACLs on OBS Console.
-
The Read and Write permissions for Access to Bucket correspond to READ and WRITE, respectively. The Read permission for Access to Objects indicates that the objects inherit the READ permission of the bucket. The Read and Write permissions for Access to ACL correspond to READ_ACP and WRITE_ACP, respectively.
- To configure an object ACL on OBS Console, click the object name to go to the object details page. Click the Object ACL tab, and click Add in the User Access area.
The Read permission for Access to Object corresponds to READ, and the Read and Write permissions for Access to ACL correspond to READ_ACP and WRITE_ACP, respectively.
Using APIs to Customize an ACL
- When creating a bucket or uploading an object, you can use the headers in Table 8 to configure the bucket or object ACL.
- You can also configure an ACL after a bucket is created or an object is uploaded. For details, see Configuring a Bucket ACL and Configuring an Object ACL.
Using SDKs to Customize an ACL
|
Configuring the ACL when creating a bucket |
BrowserJS: not supported |
|||||||||
|---|---|---|---|---|---|---|---|---|---|---|
|
Configuring a bucket ACL |
||||||||||
|
Configuring the ACL when uploading an object |
||||||||||
|
Configuring an object ACL |
Using OBS Browser+ to Customize an ACL
To configure an object ACL, do as follows:
- Click
on the right of the row where the object is located and choose Object ACL.
Using obsutil to Customize an ACL
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
