Configuring an Object ACL (SDK for Python)

Function

OBS allows the control of access permissions for objects. By default, only object creators have the read and write permissions on the object. However, the creator can set a public access policy to assign the read permission to all other users. If an object is encrypted with SSE-KMS, the ACL configured for it is not in effect in the cross-tenant case.

You can set an access control policy when uploading an object or call an ACL API to modify or obtain the ACL of an existing object.

This API sets an ACL for an object in a specified bucket.

Restrictions

To configure an object ACL, you must be the bucket owner or have the required permission (obs:object:PutObjectAcl in IAM or PutObjectAcl in a bucket policy). For details, see Introduction to OBS Access Control, IAM Custom Policies, and Configuring an Object Policy.
The mapping between OBS regions and endpoints must comply with what is listed in Regions and Endpoints.
An object can have a maximum of 100 policies in its ACL.

Method

ObsClient.setObjectAcl(bucketName, objectKey, acl, versionId, aclControl)

Request Parameters

**Table 1** List of request parameters
Parameter	Type	Mandatory (Yes/No)	Description
bucketName	str	Yes	Explanation: Bucket name Restrictions: A bucket name must be unique across all accounts and regions. A bucket name: Must be 3 to 63 characters long and start with a digit or letter. Lowercase letters, digits, hyphens (-), and periods (.) are allowed. Cannot be formatted as an IP address. Cannot start or end with a hyphen (-) or period (.). Cannot contain two consecutive periods (..), for example, my..bucket. Cannot contain periods (.) and hyphens (-) adjacent to each other, for example, my-.bucket or my.-bucket. If you repeatedly create buckets of the same name in the same region, no error will be reported and the bucket properties comply with those set in the first creation request. Default value: None
objectKey	str	Yes	Explanation: Object name. An object is uniquely identified by an object name in a bucket. An object name is a complete path that does not contain the bucket name. For example, if the address for accessing the object is examplebucket.obs.ap-southeast-1.myhuaweicloud.com/folder/test.txt, the object name is folder/test.txt. Value range: The value must contain 1 to 1,024 characters. Default value: None
acl	ACL	No	Explanation: Access permissions on the object Value range: See Table 2. Default value: None
versionId	str	No	Explanation: Object version ID, for example, G001117FCE89978B0000401205D5DC9A Value range: The value must contain 32 characters. Default value: None
aclControl	HeadPermission	No	Explanation: Pre-defined ACL For details, see Table 3. Default value: None

acl and aclControl are mutually exclusive.

**Table 2** ACL
Parameter	Type	Mandatory (Yes/No)	Description
owner	Owner	Yes if used as a request parameter	Explanation: Bucket owner For details, see Table 4. Restrictions: Owner and Grants must be used together and they cannot be used with aclControl. Default value: None
grants	list of Grant	Yes if used as a request parameter	Explanation: List of grantees' permission information. For details, see Table 5. Restrictions: Owner and Grants must be used together and they cannot be used with aclControl. Default value: None
delivered	bool	No if used as a request parameter	Explanation: Whether the bucket ACL is applied to objects in the bucket. This parameter is valid only when you configure the object ACL. Value range: True: The bucket ACL is applied to objects in the bucket. False: The bucket ACL is not applied to objects in the bucket. Default value: False

**Table 3** HeadPermission
Constant	Default Value	Description
HeadPermission.PRIVATE	private	Private read/write A bucket or object can only be accessed by its owner.
HeadPermission.PUBLIC_READ	public-read	Public read and private write If this permission is granted on a bucket, anyone can read the object list, multipart uploads, metadata, and object versions in the bucket. If it is granted on an object, anyone can read the content and metadata of the object.
HeadPermission.PUBLIC_READ_WRITE	public-read-write	Public read/write If this permission is granted on a bucket, anyone can read the object list, multipart tasks, metadata, and object versions in the bucket, and can upload or delete objects, initiate multipart upload tasks, upload parts, assemble parts, copy parts, and abort multipart upload tasks. If it is granted on an object, anyone can read the content and metadata of the object.
HeadPermission.PUBLIC_READ_DELIVERED	public-read-delivered	Public read on a bucket as well as objects in the bucket If this permission is granted on a bucket, anyone can read the object list, multipart tasks, metadata, and object versions, and read the content and metadata of objects in the bucket. NOTE: PUBLIC_READ_DELIVERED cannot be applied to objects.
HeadPermission.PUBLIC_READ_WRITE_DELIVERED	public-read-write-delivered	Public read/write on a bucket as well as objects in the bucket If this permission is granted on a bucket, anyone can read the object list, multipart uploads, metadata, and object versions in the bucket, and can upload or delete objects, initiate multipart upload tasks, upload parts, assemble parts, copy parts, and abort multipart uploads. They can also read the content and metadata of objects in the bucket. NOTE: PUBLIC_READ_WRITE_DELIVERED cannot be applied to objects.
HeadPermission.BUCKET_OWNER_FULL_CONTROL	public-read-write-delivered	If this permission is granted on an object, only the bucket and object owners have the full control over the object. By default, if you upload an object to a bucket of any other user, the bucket owner does not have the permissions on your object. After you grant this policy to the bucket owner, the bucket owner can have full control over your object.

**Table 4** Owner
Parameter	Type	Mandatory (Yes/No)	Description
owner_id	str	Yes if used as a request parameter	Explanation: Account (domain) ID of the owner Value range: To obtain the account ID, see How Do I Get My Account ID and IAM User ID? (SDK for Python) Default value: None
owner_name	str	No if used as a request parameter	Explanation: Account name of the owner Value range: To obtain the account ID, see How Do I Get My Account ID and IAM User ID? (SDK for Python) Default value: None

**Table 5** Grant
Parameter	Type	Mandatory (Yes/No)	Description
grantee	Grantee	Yes if used as a request parameter	Explanation: Grantee Value range: See Table 7. Default value: None
permission	str	Yes if used as a request parameter	Explanation: Granted permission Value range: See Table 6. Default value: None
delivered	bool	No if used as a request parameter	Explanation: Whether the bucket ACL is applied to all objects in the bucket Value range: True: The bucket ACL is applied to all objects in the bucket. False: The bucket ACL is not applied to all objects in the bucket. Default value: False

**Table 6** Permission
Constant	Description
READ	Read permission A grantee with this permission for a bucket can obtain the list of objects, multipart uploads, bucket metadata, and object versions in the bucket. A grantee with this permission for an object can obtain the object content and metadata.
WRITE	Write permission A grantee with this permission for a bucket can upload, overwrite, and delete any object or part in the bucket. Such permission for an object is not applicable.
READ_ACP	Permission to read ACL configurations A grantee with this permission can obtain the ACL of a bucket or object. A bucket or object owner has this permission for the bucket or object permanently.
WRITE_ACP	Permission to modify ACL configurations A grantee with this permission can update the ACL of a bucket or object. A bucket or object owner has this permission for the bucket or object permanently. A grantee with this permission can modify the access control policy and thus the grantee obtains full access permissions.
FULL_CONTROL	Full control access, including read and write permissions for a bucket and its ACL, or for an object and its ACL. A grantee with this permission for a bucket has READ, WRITE, READ_ACP, and WRITE_ACP permissions for the bucket. A grantee with this permission for an object has READ, READ_ACP, and WRITE_ACP permissions for the object.

**Table 7** Grantee
Parameter	Type	Mandatory (Yes/No)	Description
grantee_id	str	Yes if the parameter is used as a request parameter and group is left blank	Explanation: Account (domain) ID of the grantee Value range: To obtain an account ID, see Obtaining the Account ID. Default value: None
grantee_name	str	No if used as a request parameter	Explanation: Account name of the grantee Restrictions: Cannot contain full-width characters. Starts with a letter. Contains 6 to 32 characters. Contains only letters, digits, hyphens (-), and underscores (_). Default value: None
group	str	Yes if the parameter is used as a request parameter and grantee_id is left blank	Explanation: Authorized user group Value range: See Table 8. Default value: None

**Table 8** Group
Constant	Description
ALL_USERS	All users
AUTHENTICATED_USERS	Authorized users. This constant is deprecated.
LOG_DELIVERY	Log delivery group. This constant is deprecated.

Responses

**Table 9** List of returned results
Type	Description
GetResult	Explanation: SDK common results

**Table 10** GetResult
Parameter	Type	Description
status	int	Explanation: HTTP status code Value range: A status code is a group of digits ranging from 2xx (indicating successes) to 4xx or 5xx (indicating errors). It indicates the status of a response. For more information, see Status Code. Default value: None
reason	str	Explanation: Reason description. Default value: None
errorCode	str	Explanation: Error code returned by the OBS server. If the value of status is less than 300, this parameter is left blank. Default value: None
errorMessage	str	Explanation: Error message returned by the OBS server. If the value of status is less than 300, this parameter is left blank. Default value: None
requestId	str	Explanation: Request ID returned by the OBS server Default value: None
indicator	str	Explanation: Error indicator returned by the OBS server. Default value: None
hostId	str	Explanation: Requested server ID. If the value of status is less than 300, this parameter is left blank. Default value: None
resource	str	Explanation: Error source (a bucket or an object). If the value of status is less than 300, this parameter is left blank. Default value: None
header	list	Explanation: Response header list, composed of tuples. Each tuple consists of two elements, respectively corresponding to the key and value of a response header. Default value: None
body	object	Explanation: Result content returned after the operation is successful. If the value of status is larger than 300, this parameter is left blank. The value varies with the API being called. For details, see Bucket-Related APIs (SDK for Python) and Object-Related APIs (SDK for Python). Default value: None

Setting an Object ACL by Specifying acl

This example sets the ACL for object objectname to read and write for an IAM user (userid).

    
     
       
       
         from obs import ObsClient
import os
from obs import ACL
from obs import Owner
from obs import Grant, Permission
from obs import Grantee
import traceback

# Obtain an AK and SK pair using environment variables or import the AK and SK pair in other ways. Using hard coding may result in leakage.
# Obtain an AK and SK pair on the management console. For details, see https://support.huaweicloud.com/intl/en-us/usermanual-ca/ca_01_0003.html.
ak = os.getenv("AccessKeyID")
sk = os.getenv("SecretAccessKey")
# (Optional) If you use a temporary AK and SK pair and a security token to access OBS, obtain them from environment variables.
security_token = os.getenv("SecurityToken")
# Set server to the endpoint corresponding to the bucket. Here uses CN-Hong Kong as an example. Replace it with the one in use.
server = "https://obs.ap-southeast-1.myhuaweicloud.com"

# Create an obsClient instance.
# If you use a temporary AK and SK pair and a security token to access OBS, you must specify security_token when creating an instance.
obsClient = ObsClient(access_key_id=ak, secret_access_key=sk, server=server)
try:
    # Specify the account ID of the bucket owner (ownerid as an example).
    owner = Owner(owner_id='ownerid')
    # Grant the read and write permissions to an IAM user (userid).
    grantee = Grantee(grantee_id='userid')
    grant0 = Grant(grantee=grantee, permission=Permission.READ)
    grant0 = Grant(grantee=grantee, permission=Permission.WRITE)
    # Set the ACL.
    acl = ACL(owner=owner, grants=[grant0])
    bucketName = "examplebucket"
    objectKey = "objectname"
    # Configure the object ACL by specifying acl.
    resp = obsClient.setObjectAcl(bucketName, objectKey, acl)

    # If status code 2xx is returned, the API is called successfully. Otherwise, the API call fails.
    if resp.status < 300:
        print('Set Object Acl Succeeded')
        print('requestId:', resp.requestId)
    else:
        print('Set Object Acl Failed')
        print('requestId:', resp.requestId)
        print('errorCode:', resp.errorCode)
        print('errorMessage:', resp.errorMessage)
except:
    print('Set Object Acl Failed')
    print(traceback.format_exc())

        

      

    
   

Setting an Object ACL by Specifying aclControl

This example sets a pre-defined object ACL to private read and write.

    
     
       
       
         from obs import ObsClient
import os
from obs import HeadPermission
import traceback

# Obtain an AK and SK pair using environment variables or import the AK and SK pair in other ways. Using hard coding may result in leakage.
# Obtain an AK and SK pair on the management console. For details, see https://support.huaweicloud.com/intl/en-us/usermanual-ca/ca_01_0003.html.
ak = os.getenv("AccessKeyID")
sk = os.getenv("SecretAccessKey")
# (Optional) If you use a temporary AK and SK pair and a security token to access OBS, obtain them from environment variables.
security_token = os.getenv("SecurityToken")
# Set server to the endpoint corresponding to the bucket. Here uses CN-Hong Kong as an example. Replace it with the one in use.
server = "https://obs.ap-southeast-1.myhuaweicloud.com" 

# Create an obsClient instance.
# If you use a temporary AK and SK pair and a security token to access OBS, you must specify security_token when creating an instance.
obsClient = ObsClient(access_key_id=ak, secret_access_key=sk, server=server)
try:
    # Set the pre-defined ACL to PRIVATE to ensure high security.
    aclControl = HeadPermission.PRIVATE
    bucketName = "examplebucket"
    objectKey = "objectname"
    # Configure the object ACL by specifying acl.
    resp = obsClient.setObjectAcl(bucketName, objectKey, aclControl=aclControl)

    # If status code 2xx is returned, the API is called successfully. Otherwise, the API call fails.
    if resp.status < 300:
        print('Set Object Acl Succeeded')
        print('requestId:', resp.requestId)
    else:
        print('Set Object Acl Failed')
        print('requestId:', resp.requestId)
        print('errorCode:', resp.errorCode)
        print('errorMessage:', resp.errorMessage)
except:
    print('Set Object Acl Failed')
    print(traceback.format_exc())

        

      

    
   