Last updated 2024-09-18 GMT+08:00

How Does Authorization Work When Multiple Access Control Mechanisms Co-Exist?

Based on the least-privilege principle, decisions default to deny, and an explicit deny statement always takes precedence over an allow statement. For example, if IAM permissions grant a user access to an object, a bucket policy denies that user's access to the object, and there is no ACL, then access is denied.

If no method specifies an allow statement, the request is denied by default. A request is allowed only if no method specifies a deny statement and one or more methods specify an allow statement. For example, if a bucket has multiple bucket policies with allow statements, adding a new bucket policy with an allow statement simply adds the allowed permissions to the bucket, whereas adding a new bucket policy with a deny statement results in a re-arrangement of the permissions: the deny statement takes precedence over allow statements, even if the denied permissions are allowed in other bucket policies.
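The following Python sketch is an added example, not code from Huawei Cloud or OBS. It applies the rule above (explicit deny first, then any allow, otherwise default deny) across IAM permissions, bucket policies and ACLs, and reports which mechanism decided the outcome. The statement tuples, principals and bucket names are constructed and simplified; they are not OBS policy syntax.

```python
from fnmatch import fnmatchcase

# Simplified statement model, constructed for illustration (not OBS policy syntax):
# (effect, principal, action pattern, resource pattern)
IAM = [("Allow", "alice", "GetObject", "examplebucket/*")]
BUCKET_POLICY = [("Deny", "alice", "GetObject", "examplebucket/secret/*")]
ACL = []  # no ACL grants, as in the example in the text


def mechanism_effect(statements, principal, action, resource):
    """Collapse one mechanism's matching statements to 'Deny', 'Allow' or None."""
    effects = {
        effect
        for effect, who, act, res in statements
        if who in ("*", principal)
        and fnmatchcase(action, act)
        and fnmatchcase(resource, res)
    }
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else None


def authorize(iam, bucket_policy, acl, principal, action, resource):
    """Combine the three mechanisms; returns (decision, reason)."""
    results = {
        name: mechanism_effect(stmts, principal, action, resource)
        for name, stmts in (("IAM", iam), ("bucket policy", bucket_policy), ("ACL", acl))
    }
    denied = [name for name, effect in results.items() if effect == "Deny"]
    if denied:  # an explicit deny anywhere overrides every allow
        return "Deny", "explicit deny in " + ", ".join(denied)
    allowed = [name for name, effect in results.items() if effect == "Allow"]
    if allowed:  # no deny, at least one allow
        return "Allow", "allowed by " + ", ".join(allowed)
    return "Deny", "default deny (no matching allow)"


if __name__ == "__main__":
    for who, key in [("alice", "examplebucket/secret/key.pem"),
                     ("alice", "examplebucket/public/readme.txt"),
                     ("bob", "examplebucket/public/readme.txt")]:
        print(who, key, authorize(IAM, BUCKET_POLICY, ACL, who, "GetObject", key))
```

Returning the reason alongside the decision makes it possible to tell an explicit deny from a default deny when auditing why a request was refused.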

Figure 1 Authorization process

Figure 2 is a matrix of the IAM permissions, bucket policies, and ACLs (allow and deny effects).

Figure 2 Matrix of the IAM permissions, bucket policies, and ACLs (allow and deny effects)