Configuring an Object ACL
Functions
By default, only the object creator has the read and write permissions on the object. You can also use this API to configure an ACL for an existing object. For example, you can configure a public access policy for an object to allow all users to read the object. If an object is encrypted with SSE-KMS, the ACL configured for it is not in effect in the cross-tenant case.
For more information about configuring an object ACL, see Configuring an Object ACL.
Versioning
By default, this operation modifies the ACL of the latest version of an object. To set the ACL of a specific object version, the request can include the versionId parameter.
Constraints
You are the object owner or you have the permission to write the object ACL.
An object owner is the account that uploads the object and is not necessarily the owner of the bucket that stores the object. For example, account B is granted the permission to access a bucket of account A, and account B uploads a file to the bucket. In that case, account B, instead of the bucket owner account A, is the owner of the object. By default, account A is not allowed to access this object and cannot read or modify the object ACL.
An object ACL supports a maximum of 100 grants.
Authorization Information
To call this API, you must be the object owner or have the permissions to configure an object ACL. You are advised to use IAM or bucket policies for authorization. For details about OBS authorization methods, see Differences Between OBS Permissions Control Methods.
- If you use IAM for authorization, you need to use either role/policy-based authorization or identity policy-based authorization and configure the required permissions:
- If you use role/policy-based authorization (IAM v3 APIs in the old IAM version), you need to grant the obs:object:PutObjectAcl (versioning disabled) and obs:object:PutObjectVersionAcl (versioning enabled or suspended) permissions. For details, see Creating a Custom IAM Policy.
- If you use identity policy-based authorization (IAM v5 APIs in the new IAM version), you need to grant the obs:object:putObjectAcl (versioning disabled) and obs:object:putObjectVersionAcl (versioning enabled or suspended) permissions, as shown in the following table. For details, see Creating a Custom IAM Identity Policy.
Action
Access Level
Resource Type (*: Required)
Dependencies
obs:object:PutObjectAcl (versioning disabled)
obs:object:PutObjectVersionAcl (versioning enabled or suspended)
Permission_management
object *
-
-
-
- obs:EpochTime
- obs:SourceIp
- obs:TlsVersion
- obs:CustomDomain
- obs:x-obs-acl
- If you use bucket policies for authorization, you need to grant the obs:object:PutObjectAcl (versioning disabled) and obs:object:PutObjectVersionAcl (versioning enabled or suspended) permissions. For details, see Creating a Custom Bucket Policy.
Request Syntax
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 |
PUT /ObjectName?acl HTTP/1.1 Host: bucketname.obs.region.myhuaweicloud.com Date: date Authorization: authorization <AccessControlPolicy> <Owner> <ID>ID</ID> </Owner> <Delivered>true</Delivered> <AccessControlList> <Grant> <Grantee> <ID>ID</ID> </Grantee> <Permission>permission</Permission> </Grant> </AccessControlList> </AccessControlPolicy> |
URI Parameters
Table 1 describes the request parameters.
|
Parameter |
Mandatory (Yes/No) |
Type |
Description |
|---|---|---|---|
|
versionId |
No |
String |
Definition: Object version ID The ACL of the specified object version is to be changed. For details about how to obtain the version ID of an object, see Listing Objects in a Bucket. Constraints: None Range: The value must contain 32 characters. Default value: None. If this parameter is not configured, the latest version of the object is specified. |
Request Headers
This request uses common headers. For details, see Table 3.
Request Body
The request message carries the ACL information of the object by using message elements. For the meanings of the elements, see Table 2.
|
Parameter |
Mandatory (Yes/No) |
Type |
Description |
|---|---|---|---|
|
AccessControlList |
Yes |
XML |
Definition: Access control list. AccessControlList is the parent node of Grant, Grantee, and Permission. Constraints: None Range: For details, see Table 3. Default value: None |
|
Owner |
Yes |
XML |
Definition: Owner information of a bucket. Owner is a parent node of ID. Constraints: None Range: For details, see Table 4. Default value: None |
|
Canned |
No |
String |
Definition: Grants permissions to all users. Constraints: None Range: Everyone Default value: None |
|
Parameter |
Mandatory (Yes/No) |
Type |
Description |
|---|---|---|---|
|
Grant |
No |
XML |
Definition: Used to identify users and their permissions. Grant is the parent node of Grantee and Delivered. Constraints: An ACL of an object can contain a maximum of 100 grants. Range: For details, see Table 5. Default value: None |
|
Grantee |
No |
XML |
Definition: Grantee information Constraints: None Range: None Default value: None |
|
Permission |
No |
String |
Definition: Granted permissions Constraints: None Range:
Default value: None |
|
Parameter |
Mandatory (Yes/No) |
Type |
Description |
|---|---|---|---|
|
ID |
Yes |
String |
Definition: Account ID of the authorized user. Constraints: None Range: For details about how to obtain the domain ID of a user, see Obtaining Account, IAM User, Project, User Group, Region, and Agency Information. Default value: None |
|
Parameter |
Mandatory (Yes/No) |
Type |
Description |
|---|---|---|---|
|
Grantee |
No |
XML |
Definition: Grantee information Constraints: None Range: None Default value: None |
|
Delivered |
No |
Boolean |
Definition: Whether an object ACL inherits the ACL of a bucket. Constraints: None Range:
Default value: true |
Response Syntax
1 2 3 |
HTTP/1.1 status_code Content-Length: length Content-Type: application/xml |
Response Headers
This response uses common headers. For details, see Table 1.
In addition to the common response headers, the headers listed in Table 6 may be used.
Response Body
This response contains no elements.
Error Responses
No special error responses are returned. For details about error responses, see Table 2.
Sample Request
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 |
PUT /obj2?acl HTTP/1.1 User-Agent: curl/7.29.0 Host: examplebucket.obs.region.myhuaweicloud.com Accept: */* Date: WED, 01 Jul 2015 04:42:34 GMT Authorization: OBS H4IPJX0TQTHTHEBQQCEC:8xAODun1ofjkwHm8YhtN0QEcy9M= Content-Length: 727 <AccessControlPolicy xmlns="http://obs.ap-southeast-1.myhuaweicloud.com/doc/2015-06-30/"> <Owner> <ID>b4bf1b36d9ca43d984fbcb9491b6fce9</ID> </Owner> <Delivered>false</Delivered> <AccessControlList> <Grant> <Grantee> <ID>b4bf1b36d9ca43d984fbcb9491b6fce9</ID> </Grantee> <Permission>FULL_CONTROL</Permission> </Grant> <Grant> <Grantee> <ID>783fc6652cf246c096ea836694f71855</ID> </Grantee> <Permission>READ</Permission> </Grant> <Grant> <Grantee> <Canned>Everyone</Canned> </Grantee> <Permission>READ</Permission> </Grant> </AccessControlList> </AccessControlPolicy> |
Sample Response
1 2 3 4 5 6 |
HTTP/1.1 200 OK Server: OBS x-obs-request-id: 8DF400000163D3F0FD2A03D2D30B0542 x-obs-id-2: 32AAAUgAIAABAAAQAAEAABAAAQAAEAABCTjCqTmsA1XRpIrmrJdvcEWvZyjbztdd Date: WED, 01 Jul 2015 04:42:34 GMT Content-Length: 0 |
Sample Request: Configuring the ACL for a Specific Object Version
PUT /object01?acl&versionId=G001118A6803675AFFFFD3043F7F91D0 HTTP/1.1
Authorization: OBS H4IPJX0TQTHTHEBQQCEC:iqSPeUBl66PwXDApxjRKk6hlcN4=
User-Agent: curl/7.29.0
Host: examplebucket.obs.region.myhuaweicloud.com
Date: WED, 01 Jul 2015 02:37:22 GMT
Content-Type: application/xml
<AccessControlPolicy xmlns="http://obs.region.myhuaweicloud.com/doc/2015-06-30/">
<Owner>
<ID>d029cb567d46458sp0x75800575ee4cf</ID>
</Owner>
<Delivered>false</Delivered>
<AccessControlList>
<Grant>
<Grantee>
<ID>f98sx63gg849422e8f330af1349c588f</ID>
</Grantee>
<Permission>FULL_CONTROL</Permission>
</Grant>
<Grant>
<Grantee>
<ID>fa558a82a84946sn98u30af195as3hi5</ID>
</Grantee>
<Permission>READ</Permission>
</Grant>
<Grant>
<Grantee>
<Canned>Everyone</Canned>
</Grantee>
<Permission>READ</Permission>
</Grant>
</AccessControlList>
</AccessControlPolicy>
Sample Response: Configuring the ACL for a Specific Object Version
x-obs-id-2: 32AAAQAAEAABSAAgAAEAABAAAQAAEAABCSmpL2dv6zZLM2HmUrXKTAi258MPqmrp x-obs-request-id: 0000018A2A73AF59D3085C8F8ABF0C65 Server: OBS Content-Length: 0 Date: WED, 01 Jul 2015 02:37:22 GMT x-obs-version-id: G001118A6803675AFFFFD3043F7F91D0
Using SDKs to Call APIs
You are advised to use OBS SDKs to call APIs. SDKs encapsulate APIs to simplify development. You can call SDK API functions to access OBS without manually calculating signatures.
Helpful Links
- For more information about configuring an object ACL, see Configuring an Object ACL.
- For details about the billing items involved in API operations, see Billing Items.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
