Help Center/ Object Storage Service/ SDK Reference/ Python/ Bucket-Related APIs (SDK for Python)/ Configuring a Bucket ACL (SDK for Python)
Updated on 2024-09-05 GMT+08:00
View PDF
Share

Configuring a Bucket ACL (SDK for Python)

Function

OBS provides access control over buckets. You can use an access policy to define whether a user can perform certain operations on a specific bucket. OBS access control can be implemented using IAM permissions, bucket policies, and ACLs (including bucket and object ACLs). For more information, see Introduction to OBS Access Control.

A bucket ACL grants permissions to another Huawei Cloud account and its IAM users, rather than the current account and its IAM users. It can grant access to both a bucket (including the objects in it) and the bucket ACL. The granted access includes view and edit permissions. You must specify a bucket name when configuring a bucket ACL. For more information, see ACLs.

This API configures a bucket ACL.

Restrictions

Method

ObsClient.setBucketAcl(bucketName, acl, aclControl)

Request Parameters

Parameter

Type

Mandatory (Yes/No)

Description

bucketName

str

Yes

Explanation:

Bucket name

Restrictions:

  • A bucket name must be unique across all accounts and regions.
  • A bucket name:
    • Must be 3 to 63 characters long and start with a digit or letter. Lowercase letters, digits, hyphens (-), and periods (.) are allowed.
    • Cannot be formatted as an IP address.
    • Cannot start or end with a hyphen (-) or period (.).
    • Cannot contain two consecutive periods (..), for example, my..bucket.
    • Cannot contain periods (.) and hyphens (-) adjacent to each other, for example, my-.bucket or my.-bucket.
  • If you repeatedly create buckets of the same name in the same region, no error will be reported and the bucket properties comply with those set in the first creation request.

Default value:

None

acl

ACL

No

Explanation:

Bucket ACL

Value range:

See Table 1.

Default value:

None

NOTE:

acl and aclControl are mutually exclusive.

aclControl

str

No

Explanation:

Pre-defined ACL

Value range:

See Table 3.

Default value:

None

NOTE:

acl and aclControl are mutually exclusive.
Table 1 ACL

Parameter

Type

Mandatory (Yes/No)

Description

owner

Owner

Yes if used as a request parameter

Explanation:

Bucket owner information. For details, see Table 4.

Restrictions:

Owner and Grants must be used together and they cannot be used with aclControl.

Default value:

None

grants

list of Grant

Yes if used as a request parameter

Explanation:

List of grantees' permission information. For details, see Table 5.

Default value:

None

delivered

bool

No if used as a request parameter

Explanation:

Whether the bucket ACL is applied to all objects in the bucket

Value range:

True: The bucket ACL is applied to all objects in the bucket.

False: The bucket ACL is not applied to all objects in the bucket.

Default value:

False
Table 2 Permission

Constant

Description

READ

Read permission

A grantee with this permission for a bucket can obtain the list of objects, multipart uploads, bucket metadata, and object versions in the bucket.

A grantee with this permission for an object can obtain the object content and metadata.

WRITE

Write permission

A grantee with this permission for a bucket can upload, overwrite, and delete any object or part in the bucket.

Such permission for an object is not applicable.

READ_ACP

Permission to read ACL configurations

A grantee with this permission can obtain the ACL of a bucket or object.

A bucket or object owner has this permission for the bucket or object permanently.

WRITE_ACP

Permission to modify ACL configurations

A grantee with this permission can update the ACL of a bucket or object.

A bucket or object owner has this permission for the bucket or object permanently.

A grantee with this permission can modify the access control policy and thus the grantee obtains full access permissions.

FULL_CONTROL

Full control access, including read and write permissions for a bucket and its ACL, or for an object and its ACL.

A grantee with this permission for a bucket has READ, WRITE, READ_ACP, and WRITE_ACP permissions for the bucket.

A grantee with this permission for an object has READ, READ_ACP, and WRITE_ACP permissions for the object.
Table 3 HeadPermission

Constant

Default Value

Description

HeadPermission.PRIVATE

private

Private read/write

A bucket or object can only be accessed by its owner.

HeadPermission.PUBLIC_READ

public-read

Public read and private write

If this permission is granted on a bucket, anyone can read the object list, multipart uploads, metadata, and object versions in the bucket.

If it is granted on an object, anyone can read the content and metadata of the object.

HeadPermission.PUBLIC_READ_WRITE

public-read-write

Public read/write

If this permission is granted on a bucket, anyone can read the object list, multipart tasks, metadata, and object versions in the bucket, and can upload or delete objects, initiate multipart upload tasks, upload parts, assemble parts, copy parts, and abort multipart upload tasks.

If it is granted on an object, anyone can read the content and metadata of the object.

HeadPermission.PUBLIC_READ_DELIVERED

public-read-delivered

Public read on a bucket as well as objects in the bucket

If this permission is granted on a bucket, anyone can read the object list, multipart tasks, metadata, and object versions, and read the content and metadata of objects in the bucket.

NOTE:

PUBLIC_READ_DELIVERED cannot be applied to objects.

HeadPermission.PUBLIC_READ_WRITE_DELIVERED

public-read-write-delivered

Public read/write on a bucket as well as objects in the bucket

If this permission is granted on a bucket, anyone can read the object list, multipart uploads, metadata, and object versions in the bucket, and can upload or delete objects, initiate multipart upload tasks, upload parts, assemble parts, copy parts, and abort multipart uploads. They can also read the content and metadata of objects in the bucket.

NOTE:

PUBLIC_READ_WRITE_DELIVERED cannot be applied to objects.

HeadPermission.BUCKET_OWNER_FULL_CONTROL

public-read-write-delivered

If this permission is granted on an object, only the bucket and object owners have the full control over the object. By default, if you upload an object to a bucket of any other user, the bucket owner does not have the permissions on your object. After you grant this policy to the bucket owner, the bucket owner can have full control over your object.
Table 4 Owner

Parameter

Type

Mandatory (Yes/No)

Description

owner_id

str

Yes if used as a request parameter

Explanation:

Account (domain) ID of the owner

Value range:

To obtain the account ID, see How Do I Get My Account ID and IAM User ID? (SDK for Python)

Default value:

None

owner_name

str

No if used as a request parameter

Explanation:

Account name of the owner

Value range:

To obtain the account ID, see How Do I Get My Account ID and IAM User ID? (SDK for Python)

Default value:

None
Table 5 Grant

Parameter

Type

Mandatory (Yes/No)

Description

grantee

Grantee

Yes if used as a request parameter

Explanation:

Grantee information. For details, see Table 6.

permission

str

Yes if used as a request parameter

Explanation:

Granted permission

Value range:

You can select one or more permissions from Table 2.

Default value:

None

delivered

bool

No if used as a request parameter

Explanation:

Whether the bucket ACL is applied to all objects in the bucket

Value range:

True: The bucket ACL is applied to all objects in the bucket.

False: The bucket ACL is not applied to all objects in the bucket.

Default value:

False
Table 6 Grantee

Parameter

Type

Mandatory (Yes/No)

Description

grantee_id

str

Yes if the parameter is used as a request parameter and group is left blank

Explanation:

Account (domain) ID of the grantee.

Value range:

To obtain an account ID, see Obtaining the Account ID.

Default value:

None

grantee_name

str

No if used as a request parameter

Explanation:

Username of the grantee. For details, see How Do I Get My Account ID and IAM User ID? (SDK for Python)

Restrictions:

  • Cannot contain full-width characters.
  • Starts with a letter.
  • Contains 6 to 32 characters.
  • Contains only letters, digits, hyphens (-), and underscores (_).

Default value:

None

group

str

Yes if the parameter is used as a request parameter and grantee_id is left blank

Explanation:

Authorized user group

Value range:

See Table 7.

Default value:

None

The authorized entity can be an individual user or a user group. grantee_id and grantee_name must be used together and they cannot be used with group.

Table 7 Group

Constant

Description

ALL_USERS

All users

AUTHENTICATED_USERS

Authorized users. This constant is deprecated.

LOG_DELIVERY

Log delivery group. This constant is deprecated.

Responses

Type

Description

GetResult

Explanation:

SDK common results
Table 8 GetResult

Parameter

Type

Description

status

int

Explanation:

HTTP status code

Value range:

A status code is a group of digits ranging from 2xx (indicating successes) to 4xx or 5xx (indicating errors). It indicates the status of a response. For more information, see Status Code.

Default value:

None

reason

str

Explanation:

Reason description.

Default value:

None

errorCode

str

Explanation:

Error code returned by the OBS server. If the value of status is less than 300, this parameter is left blank.

Default value:

None

errorMessage

str

Explanation:

Error message returned by the OBS server. If the value of status is less than 300, this parameter is left blank.

Default value:

None

requestId

str

Explanation:

Request ID returned by the OBS server

Default value:

None

indicator

str

Explanation:

Error indicator returned by the OBS server.

Default value:

None

hostId

str

Explanation:

Requested server ID. If the value of status is less than 300, this parameter is left blank.

Default value:

None

resource

str

Explanation:

Error source (a bucket or an object). If the value of status is less than 300, this parameter is left blank.

Default value:

None

header

list

Explanation:

Response header list, composed of tuples. Each tuple consists of two elements, respectively corresponding to the key and value of a response header.

Default value:

None

body

object

Explanation:

Result content returned after the operation is successful. If the value of status is larger than 300, this parameter is left blank. The value varies with the API being called. For details, see Bucket-Related APIs (SDK for Python) and Object-Related APIs (SDK for Python).

Default value:

None

Code Examples

This example sets the ACL permission control for bucket examplebucket to public read for all users and to read and write for an IAM user (userid). 
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
 
from obs import ObsClient, HeadPermission
from obs import ACL
from obs import Owner
from obs import Grantee
from obs import Grant
from obs import Group
from obs import Permission
import os
import traceback

# Obtain an AK and SK pair using environment variables or import the AK and SK pair in other ways. Using hard coding may result in leakage.
# Obtain an AK and SK pair on the management console. For details, see https://support.huaweicloud.com/intl/en-us/usermanual-ca/ca_01_0003.html.
ak = os.getenv("AccessKeyID")
sk = os.getenv("SecretAccessKey")
# (Optional) If you use a temporary AK and SK pair and a security token to access OBS, obtain them from environment variables.
security_token = os.getenv("SecurityToken")
# Set server to the endpoint corresponding to the bucket. Here uses CN-Hong Kong as an example. Replace it with the one in use.
server = "https://obs.ap-southeast-1.myhuaweicloud.com" 

# Create an obsClient instance.
# If you use a temporary AK and SK pair and a security token to access OBS, you must specify security_token when creating an instance.
obsClient = ObsClient(access_key_id=ak, secret_access_key=sk, server=server)
try:
    # Specify the account ID of the bucket owner (ownerid as an example).
    owner_id = 'ownerid'
    owner = Owner(owner_id=owner_id)
    # Specify the IAM user ID (userid).
    grantee1 = Grantee(grantee_id='userid')
    # Specify all users.
    grantee2 = Grantee(group=Group.ALL_USERS)
    # Grant the read and write permissions to the specified IAM user.
    grant1 = Grant(grantee=grantee1, permission=Permission.READ)
    grant2 = Grant(grantee=grantee1, permission=Permission.WRITE)
    # Grant the read permission to all users.
    grant3 = Grant(grantee=grantee2, permission=Permission.READ)
    # Set the ACL permission control for bucket examplebucket to public read for all users and to read and write for the IAM user.
    acl = ACL(owner=owner, grants=[grant1, grant2, grant3])
    bucketName = "examplebucket"
    # Configure the bucket ACL.
    resp = obsClient.setBucketAcl(bucketName, acl)

    # If status code 2xx is returned, the API is called successfully. Otherwise, the API call fails.
    if resp.status < 300:
        print('Set Bucket Acl Succeeded')
        print('requestId:', resp.requestId)
    else:
        print('Set Bucket Acl Failed')
        print('requestId:', resp.requestId)
        print('errorCode:', resp.errorCode)
        print('errorMessage:', resp.errorMessage)
except:
    print('Set Bucket Acl Failed')
    print(traceback.format_exc())

Helpful Links