Updated on 2025-08-22 GMT+08:00

Configuring an Object ACL

Functions

OBS lets you control access permissions on objects. By default, only the object creator has read and write permissions for the object. The creator can, however, set a public access policy that grants the read permission to all other users. Inter-tenant access to an object encrypted in SSE-KMS mode is unavailable even if an ACL is configured for the object.

You can set an access control policy when uploading an object, or call an API to modify or obtain the object ACL. An object ACL supports a maximum of 100 grants.

This section explains how to modify an object ACL and change access permission on an object.

Versioning

By default, this operation modifies the ACL of the latest version of an object. To modify the ACL of a specific version, include the versionId parameter in the request.

Request Syntax

PUT /ObjectName?acl HTTP/1.1 
Host: bucketname.obs.region.myhuaweicloud.com 
Date: date
Authorization: authorization

<AccessControlPolicy> 
    <Owner> 
        <ID>ID</ID> 
    </Owner> 
    <Delivered>true</Delivered>
    <AccessControlList> 
        <Grant> 
            <Grantee>
               <ID>ID</ID>
            </Grantee> 
            <Permission>permission</Permission> 
        </Grant> 
    </AccessControlList> 
</AccessControlPolicy>

Request Parameters

Table 1 describes the request parameters.

Table 1 Request parameters

| Parameter | Mandatory (Yes/No) | Type | Description |
|---|---|---|---|
| versionId | No | String | Definition: Object version ID. The ACL of the specified object version is to be changed. For details about how to obtain the version ID of an object, see Listing Objects in a Bucket. Constraints: None. Range: The value must contain 32 characters. Default value: None. If this parameter is not configured, the latest version of the object is specified. |

Request Headers

This request uses common headers. For details, see Table 3.

Request Elements

The request body carries the object ACL as XML elements. Table 2 describes these elements.

Table 2 Request elements

| Parameter | Mandatory (Yes/No) | Type | Description |
|---|---|---|---|
| AccessControlList | Yes | XML | Definition: Access control list. AccessControlList is the parent node of Grant, Grantee, and Permission. Constraints: None. Range: For details, see Table 3. Default value: None. |
| Owner | Yes | XML | Definition: Owner information of a bucket. Owner is the parent node of ID. Constraints: None. Range: For details, see Table 4. Default value: None. |
| Canned | No | String | Definition: Grants permissions to all users. Constraints: None. Range: Everyone. Default value: None. |

Table 3 AccessControlList parameters

| Parameter | Mandatory (Yes/No) | Type | Description |
|---|---|---|---|
| Grant | No | XML | Definition: Used to identify users and their permissions. Grant is the parent node of Grantee and Delivered. Constraints: An ACL of an object can contain a maximum of 100 grants. Range: For details, see Table 5. Default value: None. |
| Grantee | No | XML | Definition: Grantee information. Constraints: None. Range: None. Default value: None. |
| Permission | No | String | Definition: Granted permissions. Constraints: None. Range: READ (allows the grantee to obtain the object content and metadata); READ_ACP (allows the grantee to read the ACL attributes of an object); WRITE_ACP (allows the grantee to update the ACL of an object); FULL_CONTROL (the grantee has the READ, READ_ACP, and WRITE_ACP permissions on the object). Default value: None. |

Table 4 Owner parameters

| Parameter | Mandatory (Yes/No) | Type | Description |
|---|---|---|---|
| ID | Yes | String | Definition: Account ID of the authorized user. Constraints: None. Range: For details about how to obtain the domain ID of a user, see Obtaining Account, IAM User, Project, User Group, Region, and Agency Information. Default value: None. |

Table 5 Grant parameters

| Parameter | Mandatory (Yes/No) | Type | Description |
|---|---|---|---|
| Grantee | No | XML | Definition: Grantee information. Constraints: None. Range: None. Default value: None. |
| Delivered | No | Boolean | Definition: Whether an object ACL inherits the ACL of a bucket. Constraints: None. Range: true (the object inherits the bucket ACL); false (the object does not inherit the bucket ACL). Default value: true. |

Response Syntax

HTTP/1.1 status_code
Content-Length: length
Content-Type: application/xml

Response Headers

The response to the request uses common headers. For details, see Table 1.

In addition to the common response headers, the headers listed in Table 6 may be used.

Table 6 Additional response headers

| Parameter | Type | Description |
|---|---|---|
| x-obs-version-id | String | Definition: Version ID of the object whose ACL is modified. Range: The value must contain 32 characters. |

Response Elements

This response contains no elements.

Error Responses

No special error responses are returned. For details about error responses, see Table 2.

Sample Request

PUT /obj2?acl HTTP/1.1
User-Agent: curl/7.29.0
Host: examplebucket.obs.region.myhuaweicloud.com
Accept: */*
Date: WED, 01 Jul 2015 04:42:34 GMT
Authorization: OBS H4IPJX0TQTHTHEBQQCEC:8xAODun1ofjkwHm8YhtN0QEcy9M=
Content-Length: 727

<AccessControlPolicy xmlns="http://obs.ap-southeast-1.myhuaweicloud.com/doc/2015-06-30/">
  <Owner> 
    <ID>b4bf1b36d9ca43d984fbcb9491b6fce9</ID> 
  </Owner>  
  <Delivered>false</Delivered>
  <AccessControlList> 
    <Grant> 
      <Grantee> 
        <ID>b4bf1b36d9ca43d984fbcb9491b6fce9</ID> 
      </Grantee>  
      <Permission>FULL_CONTROL</Permission> 
    </Grant>  
    <Grant> 
      <Grantee> 
        <ID>783fc6652cf246c096ea836694f71855</ID> 
      </Grantee>  
      <Permission>READ</Permission>
    </Grant>  
    <Grant> 
      <Grantee> 
        <Canned>Everyone</Canned> 
      </Grantee>  
      <Permission>READ</Permission> 
    </Grant> 
  </AccessControlList> 
</AccessControlPolicy>

Sample Response

HTTP/1.1 200 OK
Server: OBS
x-obs-request-id: 8DF400000163D3F0FD2A03D2D30B0542
x-obs-id-2: 32AAAUgAIAABAAAQAAEAABAAAQAAEAABCTjCqTmsA1XRpIrmrJdvcEWvZyjbztdd
Date: WED, 01 Jul 2015 04:42:34 GMT
Content-Length: 0

Sample Request: Configuring the ACL for a Specific Object Version

PUT /object01?acl&versionId=G001118A6803675AFFFFD3043F7F91D0 HTTP/1.1
Authorization: OBS H4IPJX0TQTHTHEBQQCEC:iqSPeUBl66PwXDApxjRKk6hlcN4=
User-Agent: curl/7.29.0
Host: examplebucket.obs.region.myhuaweicloud.com
Date: WED, 01 Jul 2015 02:37:22 GMT
Content-Type: application/xml
 
<AccessControlPolicy  xmlns="http://obs.region.myhuaweicloud.com/doc/2015-06-30/">
    <Owner>
        <ID>d029cb567d46458sp0x75800575ee4cf</ID>
    </Owner>
    <Delivered>false</Delivered>
    <AccessControlList>
        <Grant>
            <Grantee>
                <ID>f98sx63gg849422e8f330af1349c588f</ID>
            </Grantee>
            <Permission>FULL_CONTROL</Permission>
        </Grant>
        <Grant>
            <Grantee>
                <ID>fa558a82a84946sn98u30af195as3hi5</ID>
            </Grantee>
            <Permission>READ</Permission>
        </Grant>
        <Grant>
            <Grantee>
                <Canned>Everyone</Canned>
            </Grantee>
            <Permission>READ</Permission>
        </Grant>
    </AccessControlList>
</AccessControlPolicy>

Sample Response: Configuring the ACL for a Specific Object Version

x-obs-id-2: 32AAAQAAEAABSAAgAAEAABAAAQAAEAABCSmpL2dv6zZLM2HmUrXKTAi258MPqmrp
x-obs-request-id: 0000018A2A73AF59D3085C8F8ABF0C65
Server: OBS
Content-Length: 0
Date: WED, 01 Jul 2015 02:37:22 GMT
x-obs-version-id: G001118A6803675AFFFFD3043F7F91D0