Help Center/ Object Storage Service/ SDK Reference/ Java/ Buckets (SDK for Java)/ Configuring a Bucket Policy (SDK for Java)
Updated on 2024-06-18 GMT+08:00
View PDF
Share

Configuring a Bucket Policy (SDK for Java)

Function

OBS provides access control over buckets. You can use an access policy to define whether a user can perform certain operations on a specific bucket. OBS access control can be implemented using IAM permissions, bucket policies, and ACLs. For more information, see Introduction to OBS Access Control.

A bucket policy applies to both the bucket and objects therein. You can use a bucket policy to grant permissions for a bucket and objects therein to IAM users or other accounts. If you want IAM users to have different permissions for a bucket, you need to configure different bucket policies for each user.

If you have any questions during development, post them on the Issues page of GitHub.

Besides bucket ACLs, bucket owners can use bucket policies to centrally control access to buckets and objects in buckets.

You can call ObsClient.setBucketPolicy to configure a bucket policy.

For more information, see Bucket Policy.

Restrictions

  • Permissions for creating a bucket and obtaining a bucket list are service level and should be granted using IAM Permissions.
  • Due to data caching, after a bucket policy is configured, it takes 5 minutes at most for the policy to take effect.
  • To configure a bucket policy, you must be the bucket owner or have the required permission (obs:bucket:PutBucketPolicy in IAM or PutBucketPolicy in a bucket policy). For details, see Introduction to OBS Access Control, IAM Custom Policies, and Creating a Custom Bucket Policy.
  • The mapping between OBS regions and endpoints must comply with what is listed in Regions and Endpoints.
  • The latest policy configurations will overwrite the preceding configurations when you call the API for configuring a bucket policy. For example, if you have configured bucket policies A, B, C, and D and you want to add a new bucket policy E, you must add policy E to the file containing the existing four policies and then upload the file with all policies contained. Likewise, if you want to delete bucket policy D, you must remove it from the file containing policies A, B, C, and D, and then upload the file without policy D contained.
  • For details about the bucket policy format (JSON), see the Object Storage Service API Reference.
  • OBS returns 404 NoSuchBucketPolicy when you call this API in the following scenarios:
    • The specified bucket policy does not exist.
    • The standard policy of the specified bucket is set to Private and no advanced policies are configured.

Method

obsClient.setBucketPolicy(String bucketName, String policy)

Request Parameters

Table 1 List of request parameters

Parameter

Type

Mandatory (Yes/No)

Description

bucketName

String

Yes

Explanation:

Bucket name.

Restrictions:

  • A bucket name must be unique across all accounts and regions.
  • A bucket name:
    • Must be 3 to 63 characters long and start with a digit or letter. Lowercase letters, digits, hyphens (-), and periods (.) are allowed.
    • Cannot be formatted as an IP address.
    • Cannot start or end with a hyphen (-) or period (.).
    • Cannot contain two consecutive periods (..), for example, my..bucket.
    • Cannot contain periods (.) and hyphens (-) adjacent to each other, for example, my-.bucket or my.-bucket.
  • If you repeatedly create buckets of the same name in the same region, no error will be reported and the bucket attributes comply with those set in the first creation request.

Default value:

None

policy

String

Yes

Explanation:

Policy information in JSON format

Restrictions:

  • The bucket name contained in the Resource parameter of the policy must be the same as the one specified for the current bucket policy.
  • For details about the policy format, see Bucket Policy Parameters.

Default value:

None

Responses

Table 2 Common response headers

Parameter

Type

Description

statusCode

int

Explanation:

HTTP status code.

Value range:

A status code is a group of digits that can be 2xx (indicating successes) or 4xx or 5xx (indicating errors). It indicates the status of a response.

For more information, see Status Code.

Default value:

None

responseHeaders

Map<String, Object>

Explanation:

HTTP response header list, composed of tuples. In a tuple, the String key indicates the name of the header, and the Object value indicates the value of the header.

Default value:

None

Code Examples

This example configures a policy for bucket exampleBucket.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
 
import com.obs.services.ObsClient;
import com.obs.services.exception.ObsException;
public class SetBucketPolicy001 {
    public static void main(String[] args) {
        // Obtain an AK/SK pair using environment variables or import the AK/SK pair in other ways. Using hard coding may result in leakage.
        // Obtain an AK/SK pair on the management console.
        String ak = System.getenv("ACCESS_KEY_ID");
        String sk = System.getenv("SECRET_ACCESS_KEY_ID");
        // (Optional) If you are using a temporary AK/SK pair and a security token to access OBS, you are advised not to use hard coding, which may result in information leakage.
        // Obtain an AK/SK pair and a security token using environment variables or import them in other ways.
        // String securityToken = System.getenv("SECURITY_TOKEN");
        // Enter the endpoint corresponding to the bucket. CN-Hong Kong is used here as an example. Replace it with the one in your actual situation.
        String endPoint = "https://obs.ap-southeast-1.myhuaweicloud.com";
        // Obtain an endpoint using environment variables or import it in other ways.
        //String endPoint = System.getenv("ENDPOINT");
        
        // Create an ObsClient instance.
        // Use the permanent AK/SK pair to initialize the client.
        ObsClient obsClient = new ObsClient(ak, sk,endPoint);
        // Use the temporary AK/SK pair and security token to initialize the client.
        // ObsClient obsClient = new ObsClient(ak, sk, securityToken, endPoint);

        try {
            // Example bucket name
            String exampleBucket = "examplebucket";
            // Example bucket policy
            String examplePolicy =
                    "{\"Statement\":[{\"Principal\":\"*\",\"Effect\":\"Allow\",\"Action\":\"ListBucket\",\"Resource\":\""
                            + exampleBucket
                            + "\"}]}";
            obsClient.setBucketPolicy(exampleBucket, examplePolicy);
            System.out.println("SetBucketAcl successfully");
        } catch (ObsException e) {
            System.out.println("SetBucketAcl failed");
            // Request failed. Print the HTTP status code.
            System.out.println("HTTP Code:" + e.getResponseCode());
            // Request failed. Print the server-side error code.
            System.out.println("Error Code:" + e.getErrorCode());
            // Request failed. Print the error details.
            System.out.println("Error Message:" + e.getErrorMessage());
            // Request failed. Print the request ID.
            System.out.println("Request ID:" + e.getErrorRequestId());
            System.out.println("Host ID:" + e.getErrorHostId());
            e.printStackTrace();
        } catch (Exception e) {
            System.out.println("SetBucketAcl failed");
            // Print other error information.
            e.printStackTrace();
        }
    }
}

Helpful Links

Parent topic: Buckets (SDK for Java)