Prerequisites
You are the bucket owner or you have permission to write the bucket ACL.
Ways to Configure a Bucket ACL
You can use OBS Console, APIs, SDKs, OBS Browser+, or obsutil to configure a bucket ACL.
Using OBS Console
- In the navigation pane of OBS Console, choose Object Storage.
- In the bucket list, click the bucket you want to operate. The Objects page is displayed.
- In the navigation pane, choose Permissions > Bucket ACLs.
- On the Bucket ACLs page, choose Private, Public Read, or Public Read/Write to set the bucket ACL permission for anonymous users.
- After you change Public Read or Public Read/Write to Private, only the bucket owner or object owner has access.
- After you change Private to Public Read, anyone can read objects in the bucket. No identity authentication is required.
- After you change Private to Public Read/Write, anyone can read, write, and delete objects in the bucket. No identity authentication is required.
Figure 1 Changing a public access permission
- In the Operation column, click Edit to grant the owner, anonymous user, or log delivery user required ACL permissions for the bucket.
- In the middle of the page, click Export to get the bucket ACL configuration. The file includes the user type, account, bucket access, and ACL access.
- In the middle of the page, click Add to apply specific ACL permissions to an account.
Enter an account ID and specify ACL permissions for the account. You can obtain the account ID from the My Credentials page.
Click OK.
To select Object read for Object Permission, you must select Read for Access to Bucket.
Figure 2 Granting permissions
Using the GUI Tool - OBS Browser+
- Log in to OBS Browser+.
- Select the bucket you want and click Bucket ACLs.
- Configure the bucket ACL as needed and click OK, as shown in Figure 3.
Figure 3 Configuring an ACL
If no ACL permissions are configured for a new bucket, OBS Browser+ automatically disables access to the bucket and its objects for all users except the bucket owner.
Using the CLI Tool - obsutil
Command Line Structure
- In Windows
obsutil chattri obs://bucket [-sc=xxx] [-acl=xxx] [-aclXml=xxx] [-config=xxx] [-e=xxx] [-i=xxx] [-k=xxx] [-t=xxx]
- In Linux or macOS
./obsutil chattri obs://bucket [-sc=xxx] [-acl=xxx] [-aclXml=xxx] [-config=xxx] [-e=xxx] [-i=xxx] [-k=xxx] [-t=xxx]
Examples
Parameter Description
Parameter | Optional or Mandatory | Description |
bucket | Mandatory | Bucket name |
sc | Optional (additional parameter) | Default storage class of the bucket. Possible values are:
- standard: Standard storage class. It features low access latency and high throughput, and is suited to storing frequently accessed data (multiple accesses per month) or data that is smaller than 1 MB.
- warm: Infrequent Access storage class. It is ideal for storing data that is infrequently accessed (fewer than 12 times a year) but must be quickly accessible when needed.
- cold: Archive storage class. It provides secure, durable, and inexpensive storage for rarely accessed (once a year) data.
- deep-archive: Deep Archive storage class (under limited beta testing). It is suitable for storing data that is barely accessed (once every few years). This storage class costs less than the Archive storage class, but takes longer (usually several hours) to restore data.
NOTE:
If the multi-AZ mode is enabled for a bucket, the default storage class of the bucket cannot be set to cold.
|
acl | Optional (additional parameter) | Access control policies that can be specified for buckets. Possible values are:
- private
- public-read
- public-read-write
NOTE:
The preceding three values indicate private read and write, public read, and public read and write, respectively.
|
aclXml | Optional (additional parameter) | Access control policy of the bucket, in XML format.
<AccessControlPolicy>
  <Owner>
    <ID>ownerid</ID>
  </Owner>
  <AccessControlList>
    <Grant>
      <Grantee>
        <ID>userid</ID>
      </Grantee>
      <Permission>[WRITE|WRITE_ACP|READ|READ_ACP|FULL_CONTROL]</Permission>
    </Grant>
    <Grant>
      <Grantee>
        <Canned>Everyone</Canned>
      </Grantee>
      <Permission>[WRITE|WRITE_ACP|READ|READ_ACP|FULL_CONTROL]</Permission>
    </Grant>
  </AccessControlList>
</AccessControlPolicy>
NOTE:
- Owner: Optional. Specify the bucket owner's ID.
- In AccessControlList, the Grant field contains the authorized users. Grantee specifies the IDs of authorized users. Canned specifies the authorized user group (currently, only Everyone is supported).
- The following permissions can be granted: WRITE (write), WRITE_ACP (write ACL), READ (read), READ_ACP (read ACL), and FULL_CONTROL (full control).
NOTICE:
Because the parameter value necessarily contains angle brackets (< and >), you must enclose it in quotation marks when running the command. Use single quotation marks on Linux or macOS and quotation marks on Windows.
|
config | Optional (additional parameter) | User-defined configuration file for executing the current command. To learn the parameters that can be configured in this file, see Configuration Parameters. |
e | Optional (additional parameter) | Specifies the endpoint. |
i | Optional (additional parameter) | Specifies the user's AK. |
k | Optional (additional parameter) | Specifies the user's SK. |
t | Optional (additional parameter) | Specifies the user's security token. |
Only one of sc, acl, and aclXml can be set in each command.
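Before a policy is passed to -aclXml, it helps to see exactly what it grants to anonymous users. The following Python check is an added example (not part of obsutil or the OBS documentation): it parses a policy in the XML format shown above, assumes no XML namespace as in that template, and flags grants to the Everyone group. The sample policy and the HIGH/MEDIUM labels are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Permission names listed in the aclXml parameter description.
ALLOWED = {"WRITE", "WRITE_ACP", "READ", "READ_ACP", "FULL_CONTROL"}
# Permissions that let the grantee change data or the ACL itself.
MODIFYING = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}

# Constructed sample policy (IDs are placeholders, not real accounts).
SAMPLE_ACL = """
<AccessControlPolicy>
  <Owner><ID>ownerid</ID></Owner>
  <AccessControlList>
    <Grant><Grantee><ID>userid</ID></Grantee><Permission>READ</Permission></Grant>
    <Grant><Grantee><Canned>Everyone</Canned></Grantee><Permission>READ</Permission></Grant>
    <Grant><Grantee><Canned>Everyone</Canned></Grantee><Permission>WRITE_ACP</Permission></Grant>
  </AccessControlList>
</AccessControlPolicy>
"""

def audit_acl(acl_xml):
    """Return (grants, findings) for an AccessControlPolicy document."""
    root = ET.fromstring(acl_xml.strip())
    if root.tag != "AccessControlPolicy":
        raise ValueError("root element must be AccessControlPolicy")
    grants, findings = [], []
    for grant in root.findall("./AccessControlList/Grant"):
        perm = (grant.findtext("Permission") or "").strip()
        user = grant.findtext("./Grantee/ID")
        group = grant.findtext("./Grantee/Canned")
        # A grantee is either a user group (Canned) or an account ID.
        grantee = f"group:{group.strip()}" if group else f"id:{(user or '').strip()}"
        grants.append((grantee, perm))
        if perm not in ALLOWED:
            findings.append(f"invalid permission {perm!r} for {grantee}")
        elif group and group.strip() == "Everyone":
            # Severity labels are this example's own, not OBS terminology.
            level = "HIGH" if perm in MODIFYING else "MEDIUM"
            findings.append(f"{level}: anonymous users get {perm}")
    return grants, findings

if __name__ == "__main__":
    for line in audit_acl(SAMPLE_ACL)[1]:
        print(line)
```

Run it against the policy file you intend to apply, or against a policy rebuilt from the exported bucket ACL configuration, and review every finding before running chattri.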
Follow-up Procedure
After a specified account is granted the ACL permissions for a bucket, the authorized user can use the AK and SK to access that bucket by adding the bucket to OBS Browser+.
After certain permissions are granted to an anonymous user, the anonymous user can access the bucket without any authentication. The anonymous user can be either registered or non-registered. A registered anonymous user can use either of the methods above to access the bucket, while a non-registered anonymous user can access the bucket in any of the following ways:
- Access the bucket's domain name in a browser to view the objects in the bucket.
- Configure the bucket's domain name in a third-party system to directly connect to the bucket.