Updated on 2024-04-29 GMT+08:00

Managing Object ACLs

If you have any questions during development, post them on the Issues page of GitHub.

Object ACLs, similar to bucket ACLs, support predefined ACLs (For details, see Managing Bucket ACLs) and direct configurations.

An object ACL can be configured in any of the following ways:

  1. Specify a pre-defined access control policy during object upload.
  2. Call set_object_acl_by_head to specify a pre-defined access control policy.
  3. Call set_object_acl to set the ACL directly.

Specifying a Pre-defined Access Control Policy During Object Upload

Sample code:

static void test_put_object_acl()
{
    // Create and initialize option.
    obs_options option;
    init_obs_options(&option);
    option.bucket_options.host_name = "<your-endpoint>";
    option.bucket_options.bucket_name = "<Your bucketname>";

    // Hard-coded or plaintext AK/SK are risky. For security purposes, encrypt your AK/SK and store them in the configuration file or environment variables. In this example, the AK/SK are stored in environment variables for identity authentication. Before running this example, configure environment variables ACCESS_KEY_ID and SECRET_ACCESS_KEY.
    // Obtain an AK/SK pair on the management console. For details, see https://support.huaweicloud.com/intl/en-us/usermanual-ca/ca_01_0003.html.
    option.bucket_options.access_key = getenv("ACCESS_KEY_ID");
    option.bucket_options.secret_access_key = getenv("SECRET_ACCESS_KEY");

    // Initialize put_properties which can be used to set object properties.
    obs_put_properties put_properties;
    init_put_properties(&put_properties);
    // Specify a pre-defined access control policy.
    put_properties.canned_acl = OBS_CANNED_ACL_PUBLIC_READ_WRITE;
    // Callback data
    put_file_object_callback_data data;
    memset(&data, 0, sizeof(put_file_object_callback_data));
    // Read the file to be uploaded to the callback data.
    data.infile = 0;
    data.noStatus = 1;
    content_length = read_bytes_from_file("<Uploaded filename>", &data);
    // Callback function
    obs_put_object_handler putobjectHandler =
    {
        { &response_properties_callback, &response_complete_callback },
        &put_buffer_object_data_callback
     };
    // Upload data streams.
    put_object(&option,"<object key>", content_length, &put_properties, 0, &putobjectHandler, &data);
    if (OBS_STATUS_OK == data.ret_status) {
        printf("put object from file successfully. \n");
    }
    else
    {
        printf("put object failed(%s).\n",  
               obs_get_status_name(data.ret_status));
    }
}

Setting a Pre-defined Access Control Policy for an Object

You can use set_object_acl_by_head to set object properties. The following table describes the parameters.

Field

Type

Mandatory or Optional

Description

option

The context of the bucket. For details, see Configuring option.

Mandatory

Bucket parameter

object_info

obs_object_info *

Mandatory

Object name and version number. For non-multi-version objects, set version to 0.

canned_acl

obs_canned_acl

Mandatory

For details about how to manage bucket access rights, see Table 1 in Managing Bucket ACLs.

handler

obs_response_handler *

Mandatory

Callback function

callback_data

void *

Optional

Callback data

Sample code:

void test_set_object_acl_byhead()
{
    obs_status ret_status = OBS_STATUS_BUTT;
    // Create and initialize option.
    obs_options option;
    init_obs_options(&option);
    option.bucket_options.host_name = "<your-endpoint>";
    option.bucket_options.bucket_name = "<Your bucketname>";

    // Hard-coded or plaintext AK/SK are risky. For security purposes, encrypt your AK/SK and store them in the configuration file or environment variables. In this example, the AK/SK are stored in environment variables for identity authentication. Before running this example, configure environment variables ACCESS_KEY_ID and SECRET_ACCESS_KEY.
    // Obtain an AK/SK pair on the management console. For details, see https://support.huaweicloud.com/intl/en-us/usermanual-ca/ca_01_0003.html.
    option.bucket_options.access_key = getenv("ACCESS_KEY_ID");
    option.bucket_options.secret_access_key = getenv("SECRET_ACCESS_KEY");
    // Set response callback function.
    obs_response_handler response_handler =
    { 
        0, &response_complete_callback
    };
    obs_canned_acl canned_acl = OBS_CANNED_ACL_PUBLIC_READ_WRITE;
    obs_object_info object_info;
    object_info.key = "<object key>";
    object_info.version_id = "<object version ID>";
    //Set a pre-defined access control policy for an object.
    set_object_acl_by_head(&option, &object_info, canned_acl, &response_handler, &ret_status);
    if (ret_status == OBS_STATUS_OK) {
        printf("set bucket acl by head successfully. \n");
    }
    else
    {
        printf("set bucket acl by head failed(%s).\n", obs_get_status_name(ret_status));
    }
}

Directly Setting an Object ACL

You can use set_object_acl to set object properties. The following table describes the parameters.

Field

Type

Mandatory or Optional

Description

option

The context of the bucket. For details, see Configuring option.

Mandatory

Bucket parameter

aclinfo

manager_acl_info *

Mandatory

Structure for managing ACL permission information

aclinfo->object_info

obs_object_info *

Mandatory

Object name and version number. For non-multi-version objects, set version to 0.

aclinfo->owner_id

char *

Optional

User account ID

aclinfo->acl_grant_count_return

int *

Mandatory

Pointer to the number of returned aclinfo->acl_grants

aclinfo->acl_grants

obs_acl_grant *

Mandatory

Pointer to the permission information structure. For details, see Table 2 in Managing Bucket ACLs.

aclinfo->object_delivered

obs_object_delivered

Optional

Indicates whether the object ACL inherits the ACL of the bucket. Valid values are OBJECT_DELIVERED_TRUE and OBJECT_DELIVERED_FALSE. The default value is OBJECT_DELIVERED_TRUE.

handler

obs_response_handler *

Mandatory

Callback function

callback_data

void *

Optional

Callback data

Sample code:

void test_set_object_acl()
{
    obs_status ret_status = OBS_STATUS_BUTT;
    // Create and initialize option.
    obs_options option;
    init_obs_options(&option);
    option.bucket_options.host_name = "<your-endpoint>";
    option.bucket_options.bucket_name = "<Your bucketname>";

    // Hard-coded or plaintext AK/SK are risky. For security purposes, encrypt your AK/SK and store them in the configuration file or environment variables. In this example, the AK/SK are stored in environment variables for identity authentication. Before running this example, configure environment variables ACCESS_KEY_ID and SECRET_ACCESS_KEY.
    // Obtain an AK/SK pair on the management console. For details, see https://support.huaweicloud.com/intl/en-us/usermanual-ca/ca_01_0003.html.
    option.bucket_options.access_key = getenv("ACCESS_KEY_ID");
    option.bucket_options.secret_access_key = getenv("SECRET_ACCESS_KEY");

    // Set response callback function.
    obs_response_handler response_handler =
    { 
        0, &response_complete_callback
    };
    // Define the object ACL
    manager_acl_info aclinfo;
    init_acl_info(&aclinfo);
    aclinfo.object_info.key = "<object key>";
    aclinfo.object_info.version_id = "<object version ID>";
    // Set the object ACL.
    set_object_acl(&option, &aclinfo, &response_handler, &ret_status);
    if (OBS_STATUS_OK == ret_status) {
        printf("set object acl successfully. \n");
    }
    else
    {
        printf("set object acl failed(%s).\n", obs_get_status_name(ret_status));
    }
    // Destroy the memory
    deinitialize_acl_info(&aclinfo);
}

The owner or grantee ID needed in the ACL indicates the account ID, which can be viewed on the My Credentials page of OBS Console.

Obtaining the Object ACL

You can call get_object_acl to obtain an object ACL. Sample code:

void test_get_object_acl()
{
    obs_status ret_status = OBS_STATUS_BUTT;
    // Create and initialize option.
    obs_options option;
    init_obs_options(&option);
    option.bucket_options.host_name = "<your-endpoint>";
    option.bucket_options.bucket_name = "<Your bucketname>";

    // Hard-coded or plaintext AK/SK are risky. For security purposes, encrypt your AK/SK and store them in the configuration file or environment variables. In this example, the AK/SK are stored in environment variables for identity authentication. Before running this example, configure environment variables ACCESS_KEY_ID and SECRET_ACCESS_KEY.
    // Obtain an AK/SK pair on the management console. For details, see https://support.huaweicloud.com/intl/en-us/usermanual-ca/ca_01_0003.html.
    option.bucket_options.access_key = getenv("ACCESS_KEY_ID");
    option.bucket_options.secret_access_key = getenv("SECRET_ACCESS_KEY");
    // Set response callback function.
    obs_response_handler response_handler =
    { 
        0, &response_complete_callback
    };
    manager_acl_info *aclinfo = malloc_acl_info();
    aclinfo->object_info.key = "<object key>";
    aclinfo->object_info.version_id = "<object version ID>";
    // Obtain the object ACL.
    get_object_acl(&option, aclinfo, &response_handler, &ret_status);
    if (OBS_STATUS_OK == ret_status)
    {
        printf("get object acl: -------------");
        printf("%s %d %s %s\n", aclinfo->owner_id, aclinfo->object_delivered,
            aclinfo->object_info.key, aclinfo->object_info.version_id);
        if (aclinfo->acl_grant_count_return)
        {
            print_grant_info(*aclinfo->acl_grant_count_return, aclinfo->acl_grants);
        }
    }
    else
    {
        printf("get object acl failed(%s).\n", obs_get_status_name(ret_status));
    }
    // Destroy the memory
    free_acl_info(&aclinfo);
}