diff --git a/docs/obs/perms-cfg/ALL_META.TXT.json b/docs/obs/perms-cfg/ALL_META.TXT.json index 8a537316..ffad1a61 100644 --- a/docs/obs/perms-cfg/ALL_META.TXT.json +++ b/docs/obs/perms-cfg/ALL_META.TXT.json @@ -1,411 +1,742 @@ [ + { + "dockw":"Permission Configuration Guide" + }, { "uri":"obs_40_0001.html", + "node_id":"obs_40_0001.xml", "product_code":"obs", "code":"1", - "des":"By default, OBS resources (buckets and objects) are private. Only resource owners can access their OBS resources. Without authorization, other users cannot access OBS. OB", + "des":"By default, OBS resources (buckets and objects) are private. Only resource owners can access their OBS resources. Other users cannot access such resources without authori", "doc_type":"perms-cfg", - "kw":"Introduction to OBS Access Control,Permission Configuration Guide", - "title":"Introduction to OBS Access Control", + "kw":"Differences Between OBS Permissions Control Methods,Permission Configuration Guide", + "search_title":"", + "metedata":[ + { + "prodname":"obs", + "documenttype":"perms-cfg" + } + ], + "title":"Differences Between OBS Permissions Control Methods", "githuburl":"" }, { "uri":"obs_40_0002.html", + "node_id":"obs_40_0002.xml", "product_code":"obs", "code":"2", "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", "doc_type":"perms-cfg", - "kw":"Permission Control Mechanisms", - "title":"Permission Control Mechanisms", + "kw":"Permission Control Methods", + "search_title":"", + "metedata":[ + { + "prodname":"obs", + "documenttype":"perms-cfg" + } + ], + "title":"Permission Control Methods", "githuburl":"" }, { "uri":"obs_40_0003.html", + "node_id":"obs_40_0003.xml", "product_code":"obs", "code":"3", "des":"By default, newly created IAM users do not have any permissions. You need to add the user to one or more groups, and attach permission policies or roles to these groups. ", "doc_type":"perms-cfg", - "kw":"IAM Permissions,Permission Control Mechanisms,Permission Configuration Guide", + "kw":"IAM Permissions,Permission Control Methods,Permission Configuration Guide", + "search_title":"", + "metedata":[ + { + "prodname":"obs", + "documenttype":"perms-cfg" + } + ], "title":"IAM Permissions", "githuburl":"" }, { "uri":"obs_40_0004.html", + "node_id":"obs_40_0004.xml", "product_code":"obs", "code":"4", - "des":"A bucket policy applies to an OBS bucket and objects in the bucket. By leveraging bucket policies, the owner of a bucket can authorize IAM users or other accounts the per", + "des":"A bucket policy applies to an OBS bucket and the objects in the bucket. Bucket policies let a bucket owner grant IAM users or other accounts permissions on the bucket and", "doc_type":"perms-cfg", - "kw":"Bucket Policies,Permission Control Mechanisms,Permission Configuration Guide", + "kw":"Bucket Policies,Permission Control Methods,Permission Configuration Guide", + "search_title":"", + "metedata":[ + { + "prodname":"obs", + "documenttype":"perms-cfg" + } + ], "title":"Bucket Policies", "githuburl":"" }, { "uri":"obs_40_0005.html", + "node_id":"obs_40_0005.xml", "product_code":"obs", "code":"5", - "des":"An ACL is a list that defines grantees and their granted permissions.Bucket and object ACLs are attached to accounts. By default, an ACL is created when a bucket or objec", + "des":"An access control list (ACL) is a list of rules that specifies which users or systems are granted or denied access to a particular bucket or object.Bucket and object ACLs", "doc_type":"perms-cfg", - "kw":"ACLs,Permission Control Mechanisms,Permission Configuration Guide", + "kw":"ACLs,Permission Control Methods,Permission Configuration Guide", + "search_title":"", + "metedata":[ + { + "prodname":"obs", + "documenttype":"perms-cfg" + } + ], "title":"ACLs", "githuburl":"" }, { "uri":"obs_40_0006.html", + "node_id":"obs_40_0006.xml", "product_code":"obs", "code":"6", "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", "doc_type":"perms-cfg", "kw":"Access Requests", + "search_title":"", + "metedata":[ + { + "prodname":"obs", + "documenttype":"perms-cfg" + } + ], "title":"Access Requests", "githuburl":"" }, { "uri":"obs_40_0007.html", + "node_id":"obs_40_0007.xml", "product_code":"obs", "code":"7", - "des":"OBS provides REST APIs that supports authenticated requests and anonymous requests. Anonymous requests are typically used for scenarios that require public access, such a", + "des":"OBS REST APIs support authenticated requests and anonymous requests. Anonymous requests are typically used for public access, such as accessing hosted static websites. In", "doc_type":"perms-cfg", "kw":"Accessing OBS Using Permanent Access Keys,Access Requests,Permission Configuration Guide", + "search_title":"", + "metedata":[ + { + "prodname":"obs", + "documenttype":"perms-cfg" + } + ], "title":"Accessing OBS Using Permanent Access Keys", "githuburl":"" }, { "uri":"obs_40_0008.html", + "node_id":"obs_40_0008.xml", "product_code":"obs", "code":"8", - "des":"OBS can be accessed through temporary access keys and the security token, which can be obtained on IAM. You can assign the temporary access keys (including the security t", + "des":"You can assign temporary security credentials (including an AK, an SK, and a security token) to a third-party application or an IAM user, so that they can access OBS only", "doc_type":"perms-cfg", "kw":"Accessing OBS Using Temporary Access Keys,Access Requests,Permission Configuration Guide", + "search_title":"", + "metedata":[ + { + "prodname":"obs", + "documenttype":"perms-cfg" + } + ], "title":"Accessing OBS Using Temporary Access Keys", "githuburl":"" }, { "uri":"obs_40_0009.html", + "node_id":"obs_40_0009.xml", "product_code":"obs", "code":"9", - "des":"You can use a temporary URL to access OBS and perform operations such as bucket creation or object upload and download. This section describes how to share objects using ", + "des":"You can share a temporary URL to allow other users to access OBS to create buckets and upload and download objects. This section describes how to share a temporary URL to", "doc_type":"perms-cfg", "kw":"Accessing OBS Using a Temporary URL,Access Requests,Permission Configuration Guide", + "search_title":"", + "metedata":[ + { + "prodname":"obs", + "documenttype":"perms-cfg" + } + ], "title":"Accessing OBS Using a Temporary URL", "githuburl":"" }, { "uri":"obs_40_0010.html", + "node_id":"obs_40_0010.xml", "product_code":"obs", "code":"10", - "des":"The IAM agency is a function of Identity and Access Management (IAM). In some OBS application scenarios (such as CDN private bucket retrieval and cross-region replication", + "des":"The IAM agency is a function of Identity and Access Management (IAM). In scenarios such as CDN private bucket retrieval and cross-region replication, IAM agencies are req", "doc_type":"perms-cfg", "kw":"Accessing OBS Using an IAM Agency,Access Requests,Permission Configuration Guide", + "search_title":"", + "metedata":[ + { + "prodname":"obs", + "documenttype":"perms-cfg" + } + ], "title":"Accessing OBS Using an IAM Agency", "githuburl":"" }, { - "uri":"obs_40_0011.html", + "uri":"obs_40_0012.html", + "node_id":"obs_40_0012.xml", "product_code":"obs", "code":"11", - "des":"The following typical scenarios are provided to help you better configure OBS permission control.Factors to consider before configuring permission control:Who are granted", + "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", "doc_type":"perms-cfg", - "kw":"Typical Permission Control Scenarios,Permission Configuration Guide", - "title":"Typical Permission Control Scenarios", + "kw":"Permission Configuration in Typical Scenarios", + "search_title":"", + "metedata":[ + { + "prodname":"obs", + "documenttype":"perms-cfg" + } + ], + "title":"Permission Configuration in Typical Scenarios", "githuburl":"" }, { - "uri":"obs_40_0012.html", + "uri":"obs_40_0011.html", + "node_id":"obs_40_0011.xml", "product_code":"obs", "code":"12", - "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "des":"The permissions settings for typical scenarios are provided to facilitate permissions management.You need to consider the following factors before configuring permissions", "doc_type":"perms-cfg", - "kw":"Configuration Cases in Typical Permission Control Scenarios", - "title":"Configuration Cases in Typical Permission Control Scenarios", + "kw":"Typical Permissions Scenarios,Permission Configuration in Typical Scenarios,Permission Configuration", + "search_title":"", + "metedata":[ + { + "prodname":"obs", + "documenttype":"perms-cfg" + } + ], + "title":"Typical Permissions Scenarios", "githuburl":"" }, { "uri":"obs_40_0013.html", + "node_id":"obs_40_0013.xml", "product_code":"obs", "code":"13", "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", "doc_type":"perms-cfg", "kw":"Granting Permissions to an IAM User Under the Account", + "search_title":"", + "metedata":[ + { + "prodname":"obs", + "documenttype":"perms-cfg" + } + ], "title":"Granting Permissions to an IAM User Under the Account", "githuburl":"" }, { "uri":"obs_40_0014.html", + "node_id":"obs_40_0014.xml", "product_code":"obs", "code":"14", - "des":"This topic describes how to grant an IAM user the permissions required to create and list buckets. An IAM user with this permission can create buckets. The created bucket", + "des":"This topic describes how to grant an IAM user the permissions to create and list buckets. An IAM user with this permission can create and list buckets. The created bucket", "doc_type":"perms-cfg", - "kw":"Granting an IAM User the Permissions Required to List and Create Buckets,Granting Permissions to an ", - "title":"Granting an IAM User the Permissions Required to List and Create Buckets", + "kw":"Granting an IAM User the Permissions to Create and List Buckets,Granting Permissions to an IAM User ", + "search_title":"", + "metedata":[ + { + "prodname":"obs", + "documenttype":"perms-cfg" + } + ], + "title":"Granting an IAM User the Permissions to Create and List Buckets", "githuburl":"" }, { "uri":"obs_40_0015.html", + "node_id":"obs_40_0015.xml", "product_code":"obs", "code":"15", - "des":"This topic describes how to grant an IAM user the read and write permissions on an OBS bucket.You are advised to use bucket policies to grant resource-level permissions t", + "des":"This topic describes how to grant an IAM user the read/write permission on an OBS bucket.To grant resource-level permissions to an IAM user, use a bucket policy.After con", "doc_type":"perms-cfg", - "kw":"Granting an IAM User the Read and Write Permissions on a Bucket,Granting Permissions to an IAM User ", - "title":"Granting an IAM User the Read and Write Permissions on a Bucket", + "kw":"Granting an IAM User the Read/Write Permission on a Bucket,Granting Permissions to an IAM User Under", + "search_title":"", + "metedata":[ + { + "prodname":"obs", + "documenttype":"perms-cfg" + } + ], + "title":"Granting an IAM User the Read/Write Permission on a Bucket", "githuburl":"" }, { "uri":"obs_40_0016.html", + "node_id":"obs_40_0016.xml", "product_code":"obs", "code":"16", - "des":"This topic describes how to grant an IAM user the permissions required to perform specific operations on an OBS bucket. Below describes how to grant the bucket deletion p", + "des":"This topic describes how to grant an IAM user the permissions required to delete a bucket.To grant other permissions, select required actions from Action Name in the buck", "doc_type":"perms-cfg", - "kw":"Granting an IAM User the Permissions Required to Perform Specific Operations on a Specific Bucket,Gr", - "title":"Granting an IAM User the Permissions Required to Perform Specific Operations on a Specific Bucket", + "kw":"Granting an IAM User the Specified Permissions for a Bucket,Granting Permissions to an IAM User Unde", + "search_title":"", + "metedata":[ + { + "prodname":"obs", + "documenttype":"perms-cfg" + } + ], + "title":"Granting an IAM User the Specified Permissions for a Bucket", "githuburl":"" }, { "uri":"obs_40_0017.html", + "node_id":"obs_40_0017.xml", "product_code":"obs", "code":"17", - "des":"This topic describes how to grant an IAM user the read permission on an object or a set of objects in an OBS bucket.You are advised to use bucket policies to grant resour", + "des":"This topic describes how to grant an IAM user the read permissions on an object or a set of objects in an OBS bucket.To grant resource-level permissions to an IAM user, u", "doc_type":"perms-cfg", - "kw":"Granting an IAM User the Read Permission on a Specific Object,Granting Permissions to an IAM User Un", - "title":"Granting an IAM User the Read Permission on a Specific Object", + "kw":"Granting an IAM User the Read Permissions on Specific Objects,Granting Permissions to an IAM User Un", + "search_title":"", + "metedata":[ + { + "prodname":"obs", + "documenttype":"perms-cfg" + } + ], + "title":"Granting an IAM User the Read Permissions on Specific Objects", "githuburl":"" }, { "uri":"obs_40_0018.html", + "node_id":"obs_40_0018.xml", "product_code":"obs", "code":"18", - "des":"This topic describes how to grant an IAM user certain permissions on specific objects in a bucket. Below explains how to grant the object download permission.If you need ", + "des":"This topic describes how to grant an IAM user the permissions to download specific objects from a bucket.To grant other permissions, select required actions from Action N", "doc_type":"perms-cfg", - "kw":"Granting an IAM User the Permissions Required to Perform Specific Operations on Certain Objects,Gran", - "title":"Granting an IAM User the Permissions Required to Perform Specific Operations on Certain Objects", + "kw":"Granting an IAM User the Specific Permissions on Specific Objects,Granting Permissions to an IAM Use", + "search_title":"", + "metedata":[ + { + "prodname":"obs", + "documenttype":"perms-cfg" + } + ], + "title":"Granting an IAM User the Specific Permissions on Specific Objects", "githuburl":"" }, { "uri":"obs_40_0019.html", + "node_id":"obs_40_0019.xml", "product_code":"obs", "code":"19", "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", "doc_type":"perms-cfg", "kw":"Granting Permissions to Multiple IAM Users or User Groups Under the Account", + "search_title":"", + "metedata":[ + { + "prodname":"obs", + "documenttype":"perms-cfg" + } + ], "title":"Granting Permissions to Multiple IAM Users or User Groups Under the Account", "githuburl":"" }, { "uri":"obs_40_0020.html", + "node_id":"obs_40_0020.xml", "product_code":"obs", "code":"20", - "des":"This topic describes how to grant multiple IAM users or user groups all permissions on all OBS resources. Users with this permission can perform any OBS operation.IAM cus", + "des":"This topic describes how to grant multiple IAM users or user groups all permissions on all OBS resources. Users with this permission can perform any operations on OBS.Use", "doc_type":"perms-cfg", "kw":"Granting IAM User Groups All Permissions on All OBS Resources,Granting Permissions to Multiple IAM U", + "search_title":"", + "metedata":[ + { + "prodname":"obs", + "documenttype":"perms-cfg" + } + ], "title":"Granting IAM User Groups All Permissions on All OBS Resources", "githuburl":"" }, { "uri":"obs_40_0021.html", + "node_id":"obs_40_0021.xml", "product_code":"obs", "code":"21", - "des":"This topic describes how to use the OBS-related system roles and policies preset in IAM to grant basic operation permissions on all OBS resources to multiple IAM users or", + "des":"This topic describes how to use OBS system roles and policies preset in IAM to grant basic operation permissions for all OBS resources to multiple IAM users or user group", "doc_type":"perms-cfg", "kw":"Granting IAM User Groups Basic Permissions on All OBS Resources,Granting Permissions to Multiple IAM", + "search_title":"", + "metedata":[ + { + "prodname":"obs", + "documenttype":"perms-cfg" + } + ], "title":"Granting IAM User Groups Basic Permissions on All OBS Resources", "githuburl":"" }, { "uri":"obs_40_0022.html", + "node_id":"obs_40_0022.xml", "product_code":"obs", "code":"22", - "des":"This topic describes how to grant multiple IAM users or user groups specific permissions on all OBS resources.IAM custom policiesAfter the configuration is complete, you ", + "des":"This topic describes how to grant multiple IAM users or user groups specified permissions for all OBS resources.Use an IAM custom policy to configure the permissions.Afte", "doc_type":"perms-cfg", - "kw":"Granting IAM User Groups Specified Permissions on All OBS Resources,Granting Permissions to Multiple", - "title":"Granting IAM User Groups Specified Permissions on All OBS Resources", + "kw":"Granting IAM User Groups Specific Permissions for All OBS Resources,Granting Permissions to Multiple", + "search_title":"", + "metedata":[ + { + "prodname":"obs", + "documenttype":"perms-cfg" + } + ], + "title":"Granting IAM User Groups Specific Permissions for All OBS Resources", "githuburl":"" }, { "uri":"obs_40_0023.html", + "node_id":"obs_40_0023.xml", "product_code":"obs", "code":"23", - "des":"This topic describes how to grant certain operation permissions on specific OBS resources (can be a bucket or an object) to multiple IAM users or user groups.IAM custom p", + "des":"This topic describes how to grant specific operation permissions on specific OBS resources (a bucket or an object) to multiple IAM users or user groups.Use an IAM custom ", "doc_type":"perms-cfg", - "kw":"Granting IAM User Groups Specified Permissions on Certain OBS Resources,Granting Permissions to Mult", - "title":"Granting IAM User Groups Specified Permissions on Certain OBS Resources", + "kw":"Granting IAM User Groups Specific Permissions on Specific OBS Resources,Granting Permissions to Mult", + "search_title":"", + "metedata":[ + { + "prodname":"obs", + "documenttype":"perms-cfg" + } + ], + "title":"Granting IAM User Groups Specific Permissions on Specific OBS Resources", "githuburl":"" }, { "uri":"obs_40_0044.html", + "node_id":"obs_40_0044.xml", "product_code":"obs", "code":"24", - "des":"This topic describes how to grant certain operation permissions on specific folders in an OBS bucket to multiple IAM users or user groups.IAM custom policiesAfter the con", + "des":"This topic describes how to grant specified permissions for a folder in an OBS bucket to multiple IAM users or user groups.Use an IAM custom policy to configure the permi", "doc_type":"perms-cfg", - "kw":"Granting IAM User Groups Specified Permissions on Certain OBS Folders,Granting Permissions to Multip", - "title":"Granting IAM User Groups Specified Permissions on Certain OBS Folders", + "kw":"Granting IAM User Groups Specific Permissions on a Folder,Granting Permissions to Multiple IAM Users", + "search_title":"", + "metedata":[ + { + "prodname":"obs", + "documenttype":"perms-cfg" + } + ], + "title":"Granting IAM User Groups Specific Permissions on a Folder", "githuburl":"" }, { "uri":"obs_40_0024.html", + "node_id":"obs_40_0024.xml", "product_code":"obs", "code":"25", "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", "doc_type":"perms-cfg", "kw":"Granting Permissions to Other Accounts", + "search_title":"", + "metedata":[ + { + "prodname":"obs", + "documenttype":"perms-cfg" + } + ], "title":"Granting Permissions to Other Accounts", "githuburl":"" }, { "uri":"obs_40_0025.html", + "node_id":"obs_40_0025.xml", "product_code":"obs", "code":"26", - "des":"This topic describes how to grant other accounts (excluding the IAM users under them) the read and write permissions on OBS buckets. For details about how to grant permis", + "des":"This topic describes how to grant other accounts (excluding the IAM users under them) the read/write permission for OBS buckets. For details about how to grant permission", "doc_type":"perms-cfg", - "kw":"Granting an Account the Read and Write Permissions on a Bucket,Granting Permissions to Other Account", - "title":"Granting an Account the Read and Write Permissions on a Bucket", + "kw":"Granting Other Accounts the Read/Write Permission for a Bucket,Granting Permissions to Other Account", + "search_title":"", + "metedata":[ + { + "prodname":"obs", + "documenttype":"perms-cfg" + } + ], + "title":"Granting Other Accounts the Read/Write Permission for a Bucket", "githuburl":"" }, { "uri":"obs_40_0026.html", + "node_id":"obs_40_0026.xml", "product_code":"obs", "code":"27", - "des":"This topic describes how to grant other accounts (excluding the IAM users under them) specific operation permissions on OBS buckets. For details about how to grant permis", + "des":"This topic describes how to grant other accounts (excluding the IAM users under them) specific permissions for OBS buckets. For details about how to grant permissions to ", "doc_type":"perms-cfg", - "kw":"Granting an Account the Specified Permissions on a Bucket,Granting Permissions to Other Accounts,Per", - "title":"Granting an Account the Specified Permissions on a Bucket", + "kw":"Granting Other Accounts the Specified Permissions for a Bucket,Granting Permissions to Other Account", + "search_title":"", + "metedata":[ + { + "prodname":"obs", + "documenttype":"perms-cfg" + } + ], + "title":"Granting Other Accounts the Specified Permissions for a Bucket", "githuburl":"" }, { "uri":"obs_40_0027.html", + "node_id":"obs_40_0027.xml", "product_code":"obs", "code":"28", "des":"This topic describes how to grant IAM users the permissions to access OBS buckets and resources in them.The following describes how to grant the permissions to upload and", "doc_type":"perms-cfg", - "kw":"Granting IAM Users Under an Account the Access to a Bucket and Resources in the Bucket,Granting Perm", - "title":"Granting IAM Users Under an Account the Access to a Bucket and Resources in the Bucket", + "kw":"Granting IAM Users Under an Account the Access to a Bucket and the Resources in It,Granting Permissi", + "search_title":"", + "metedata":[ + { + "prodname":"obs", + "documenttype":"perms-cfg" + } + ], + "title":"Granting IAM Users Under an Account the Access to a Bucket and the Resources in It", "githuburl":"" }, { "uri":"obs_40_0028.html", + "node_id":"obs_40_0028.xml", "product_code":"obs", "code":"29", "des":"This case describes how to grant other accounts (excluding IAM users under the account) the read permission for an object or a type of objects in an OBS bucket. For detai", "doc_type":"perms-cfg", - "kw":"Granting an Account Read Permissions on Certain Objects,Granting Permissions to Other Accounts,Permi", - "title":"Granting an Account Read Permissions on Certain Objects", + "kw":"Granting Other Accounts the Read Permission for Certain Objects,Granting Permissions to Other Accoun", + "search_title":"", + "metedata":[ + { + "prodname":"obs", + "documenttype":"perms-cfg" + } + ], + "title":"Granting Other Accounts the Read Permission for Certain Objects", "githuburl":"" }, { "uri":"obs_40_0029.html", + "node_id":"obs_40_0029.xml", "product_code":"obs", "code":"30", - "des":"This case describes how to grant other accounts the specified operation permission on a specified object in an OBS bucket. The following describes how to grant the permis", + "des":"This section describes how to grant other accounts the permissions to download an object from a bucket.To grant other permissions, select required actions from Action Nam", "doc_type":"perms-cfg", - "kw":"Granting an Account the Specified Permissions on Certain Objects,Granting Permissions to Other Accou", - "title":"Granting an Account the Specified Permissions on Certain Objects", + "kw":"Granting Other Accounts Specific Permissions for Specific Objects,Granting Permissions to Other Acco", + "search_title":"", + "metedata":[ + { + "prodname":"obs", + "documenttype":"perms-cfg" + } + ], + "title":"Granting Other Accounts Specific Permissions for Specific Objects", "githuburl":"" }, { "uri":"obs_40_0030.html", + "node_id":"obs_40_0030.xml", "product_code":"obs", "code":"31", "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", "doc_type":"perms-cfg", "kw":"Granting Permissions to Anonymous Users", + "search_title":"", + "metedata":[ + { + "prodname":"obs", + "documenttype":"perms-cfg" + } + ], "title":"Granting Permissions to Anonymous Users", "githuburl":"" }, { "uri":"obs_40_0031.html", + "node_id":"obs_40_0031.xml", "product_code":"obs", "code":"32", "des":"If a bucket needs to be accessed by anonymous users, you can configure a bucket policy and bucket ACL to grant the access permission to anonymous users. The following use", "doc_type":"perms-cfg", - "kw":"Granting Anonymous Users Public Read Permissions on a Bucket,Granting Permissions to Anonymous Users", - "title":"Granting Anonymous Users Public Read Permissions on a Bucket", + "kw":"Granting Anonymous Users the Public Read Permission for a Bucket,Granting Permissions to Anonymous U", + "search_title":"", + "metedata":[ + { + "prodname":"obs", + "documenttype":"perms-cfg" + } + ], + "title":"Granting Anonymous Users the Public Read Permission for a Bucket", "githuburl":"" }, { "uri":"obs_40_0032.html", + "node_id":"obs_40_0032.xml", "product_code":"obs", "code":"33", - "des":"If all objects in a folder need to be accessible to anonymous users, you can configure a bucket policy to grant anonymous users the permission to access the folder.The pr", + "des":"If all objects in a folder need to be accessible to anonymous users, you can configure a bucket policy to grant anonymous users the permission to access the folder.After ", "doc_type":"perms-cfg", - "kw":"Granting Anonymous Users Public Read Permissions on a Directory,Granting Permissions to Anonymous Us", - "title":"Granting Anonymous Users Public Read Permissions on a Directory", + "kw":"Granting Anonymous Users the Read Permission for a Directory,Granting Permissions to Anonymous Users", + "search_title":"", + "metedata":[ + { + "prodname":"obs", + "documenttype":"perms-cfg" + } + ], + "title":"Granting Anonymous Users the Read Permission for a Directory", "githuburl":"" }, { "uri":"obs_40_0033.html", + "node_id":"obs_40_0033.xml", "product_code":"obs", "code":"34", "des":"Enterprise A stores a large volume of map data in OBS, and offers the data for public query. This enterprise sets a read permission for anonymous users, and provides the ", "doc_type":"perms-cfg", - "kw":"Granting Anonymous Users Public Read Permissions on Certain Objects,Granting Permissions to Anonymou", - "title":"Granting Anonymous Users Public Read Permissions on Certain Objects", + "kw":"Granting Anonymous Users the Read Permission for Certain Objects,Granting Permissions to Anonymous U", + "search_title":"", + "metedata":[ + { + "prodname":"obs", + "documenttype":"perms-cfg" + } + ], + "title":"Granting Anonymous Users the Read Permission for Certain Objects", "githuburl":"" }, { "uri":"obs_40_0034.html", + "node_id":"obs_40_0034.xml", "product_code":"obs", "code":"35", "des":"If you want to open an object to all users for a limited period of time, you can use the object sharing function.Once the Share File dialog box is opened, the URL is effe", "doc_type":"perms-cfg", "kw":"Temporarily Sharing Objects with Anonymous Users,Granting Permissions to Anonymous Users,Permission ", + "search_title":"", + "metedata":[ + { + "prodname":"obs", + "documenttype":"perms-cfg" + } + ], "title":"Temporarily Sharing Objects with Anonymous Users", "githuburl":"" }, { "uri":"obs_40_0037.html", + "node_id":"obs_40_0037.xml", "product_code":"obs", "code":"36", - "des":"This case describes how to use temporary access keys (temporary AK/SK and security token) to access OBS in temporary authorization mode.Assume that you want to enable an ", + "des":"This case describes how to use temporary access keys (temporary AK/SK and security token) to access OBS.Assume that you want to enable an IAM user (user name: APPServer) ", "doc_type":"perms-cfg", - "kw":"Granting Temporary Access to OBS,Configuration Cases in Typical Permission Control Scenarios,Permiss", + "kw":"Granting Temporary Access to OBS,Permission Configuration in Typical Scenarios,Permission Configurat", + "search_title":"", + "metedata":[ + { + "prodname":"obs", + "documenttype":"perms-cfg" + } + ], "title":"Granting Temporary Access to OBS", "githuburl":"" }, { "uri":"obs_40_0036.html", + "node_id":"obs_40_0036.xml", "product_code":"obs", "code":"37", "des":"This case describes how to restrict the source IP addresses that can access an OBS bucket. The following shows how to deny a client access whose source IP address is with", "doc_type":"perms-cfg", - "kw":"Preventing Specific IP Addresses from Accessing a Bucket,Configuration Cases in Typical Permission C", - "title":"Preventing Specific IP Addresses from Accessing a Bucket", + "kw":"Restricting Access to a Bucket for Specific IP Addresses,Permission Configuration in Typical Scenari", + "search_title":"", + "metedata":[ + { + "prodname":"obs", + "documenttype":"perms-cfg" + } + ], + "title":"Restricting Access to a Bucket for Specific IP Addresses", "githuburl":"" }, { "uri":"obs_40_0042.html", + "node_id":"obs_40_0042.xml", "product_code":"obs", "code":"38", "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", "doc_type":"perms-cfg", "kw":"Appendix", + "search_title":"", + "metedata":[ + { + "prodname":"obs", + "documenttype":"perms-cfg" + } + ], "title":"Appendix", "githuburl":"" }, { "uri":"obs_40_0041.html", + "node_id":"obs_40_0041.xml", "product_code":"obs", "code":"39", - "des":"A policy in JSON format is described as follows:Example:{ \n\"Statement\" : [{\n \"Sid\": \"ExampleStatementID1\",\n \"Principal\": \"*\",\n \"Effect\": \"Allow\", \n \"Act", + "des":"A bucket policy in JSON format:Example:{ \n\"Statement\" : [{\n \"Sid\": \"ExampleStatementID1\",\n \"Principal\": \"*\",\n \"Effect\": \"Allow\", \n \"Action\": [\"ListBucke", "doc_type":"perms-cfg", "kw":"Bucket Policy Parameters,Appendix,Permission Configuration Guide", + "search_title":"", + "metedata":[ + { + "prodname":"obs", + "documenttype":"perms-cfg" + } + ], "title":"Bucket Policy Parameters", "githuburl":"" }, { "uri":"obs_40_0043.html", + "node_id":"obs_40_0043.xml", "product_code":"obs", "code":"40", - "des":"Bucket ACLs are used to control basic read and write access to buckets. Custom settings of bucket policies support more actions that can be performed on buckets. Bucket A", + "des":"Bucket ACLs control read and write permissions on buckets. Custom bucket policies can control more actions on buckets. Bucket ACLs are a supplement to bucket policies, bu", "doc_type":"perms-cfg", - "kw":"Relationship Between Bucket Policies and Bucket ACLs,Appendix,Permission Configuration Guide", - "title":"Relationship Between Bucket Policies and Bucket ACLs", + "kw":"Relationship Between Bucket ACLs and Bucket Policies,Appendix,Permission Configuration Guide", + "search_title":"", + "metedata":[ + { + "prodname":"obs", + "documenttype":"perms-cfg" + } + ], + "title":"Relationship Between Bucket ACLs and Bucket Policies", "githuburl":"" }, { "uri":"obs_40_0039.html", + "node_id":"obs_40_0039.xml", "product_code":"obs", "code":"41", "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", "doc_type":"perms-cfg", "kw":"Change History,Permission Configuration Guide", + "search_title":"", + "metedata":[ + { + "prodname":"obs", + "documenttype":"perms-cfg" + } + ], "title":"Change History", "githuburl":"" } diff --git a/docs/obs/perms-cfg/CLASS.TXT.json b/docs/obs/perms-cfg/CLASS.TXT.json index 67210c45..5f7be312 100644 --- a/docs/obs/perms-cfg/CLASS.TXT.json +++ b/docs/obs/perms-cfg/CLASS.TXT.json @@ -1,8 +1,8 @@ [ { - "desc":"By default, OBS resources (buckets and objects) are private. Only resource owners can access their OBS resources. Without authorization, other users cannot access OBS. OB", + "desc":"By default, OBS resources (buckets and objects) are private. Only resource owners can access their OBS resources. Other users cannot access such resources without authori", "product_code":"obs", - "title":"Introduction to OBS Access Control", + "title":"Differences Between OBS Permissions Control Methods", "uri":"obs_40_0001.html", "doc_type":"perms-cfg", "p_code":"", @@ -11,7 +11,7 @@ { "desc":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", "product_code":"obs", - "title":"Permission Control Mechanisms", + "title":"Permission Control Methods", "uri":"obs_40_0002.html", "doc_type":"perms-cfg", "p_code":"", @@ -27,7 +27,7 @@ "code":"3" }, { - "desc":"A bucket policy applies to an OBS bucket and objects in the bucket. By leveraging bucket policies, the owner of a bucket can authorize IAM users or other accounts the per", + "desc":"A bucket policy applies to an OBS bucket and the objects in the bucket. Bucket policies let a bucket owner grant IAM users or other accounts permissions on the bucket and", "product_code":"obs", "title":"Bucket Policies", "uri":"obs_40_0004.html", @@ -36,7 +36,7 @@ "code":"4" }, { - "desc":"An ACL is a list that defines grantees and their granted permissions.Bucket and object ACLs are attached to accounts. By default, an ACL is created when a bucket or objec", + "desc":"An access control list (ACL) is a list of rules that specifies which users or systems are granted or denied access to a particular bucket or object.Bucket and object ACLs", "product_code":"obs", "title":"ACLs", "uri":"obs_40_0005.html", @@ -54,7 +54,7 @@ "code":"6" }, { - "desc":"OBS provides REST APIs that supports authenticated requests and anonymous requests. Anonymous requests are typically used for scenarios that require public access, such a", + "desc":"OBS REST APIs support authenticated requests and anonymous requests. Anonymous requests are typically used for public access, such as accessing hosted static websites. In", "product_code":"obs", "title":"Accessing OBS Using Permanent Access Keys", "uri":"obs_40_0007.html", @@ -63,7 +63,7 @@ "code":"7" }, { - "desc":"OBS can be accessed through temporary access keys and the security token, which can be obtained on IAM. You can assign the temporary access keys (including the security t", + "desc":"You can assign temporary security credentials (including an AK, an SK, and a security token) to a third-party application or an IAM user, so that they can access OBS only", "product_code":"obs", "title":"Accessing OBS Using Temporary Access Keys", "uri":"obs_40_0008.html", @@ -72,7 +72,7 @@ "code":"8" }, { - "desc":"You can use a temporary URL to access OBS and perform operations such as bucket creation or object upload and download. This section describes how to share objects using ", + "desc":"You can share a temporary URL to allow other users to access OBS to create buckets and upload and download objects. This section describes how to share a temporary URL to", "product_code":"obs", "title":"Accessing OBS Using a Temporary URL", "uri":"obs_40_0009.html", @@ -81,7 +81,7 @@ "code":"9" }, { - "desc":"The IAM agency is a function of Identity and Access Management (IAM). In some OBS application scenarios (such as CDN private bucket retrieval and cross-region replication", + "desc":"The IAM agency is a function of Identity and Access Management (IAM). In scenarios such as CDN private bucket retrieval and cross-region replication, IAM agencies are req", "product_code":"obs", "title":"Accessing OBS Using an IAM Agency", "uri":"obs_40_0010.html", @@ -90,21 +90,21 @@ "code":"10" }, { - "desc":"The following typical scenarios are provided to help you better configure OBS permission control.Factors to consider before configuring permission control:Who are granted", + "desc":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", "product_code":"obs", - "title":"Typical Permission Control Scenarios", - "uri":"obs_40_0011.html", + "title":"Permission Configuration in Typical Scenarios", + "uri":"obs_40_0012.html", "doc_type":"perms-cfg", "p_code":"", "code":"11" }, { - "desc":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "desc":"The permissions settings for typical scenarios are provided to facilitate permissions management.You need to consider the following factors before configuring permissions", "product_code":"obs", - "title":"Configuration Cases in Typical Permission Control Scenarios", - "uri":"obs_40_0012.html", + "title":"Typical Permissions Scenarios", + "uri":"obs_40_0011.html", "doc_type":"perms-cfg", - "p_code":"", + "p_code":"11", "code":"12" }, { @@ -113,49 +113,49 @@ "title":"Granting Permissions to an IAM User Under the Account", "uri":"obs_40_0013.html", "doc_type":"perms-cfg", - "p_code":"12", + "p_code":"11", "code":"13" }, { - "desc":"This topic describes how to grant an IAM user the permissions required to create and list buckets. An IAM user with this permission can create buckets. The created bucket", + "desc":"This topic describes how to grant an IAM user the permissions to create and list buckets. An IAM user with this permission can create and list buckets. The created bucket", "product_code":"obs", - "title":"Granting an IAM User the Permissions Required to List and Create Buckets", + "title":"Granting an IAM User the Permissions to Create and List Buckets", "uri":"obs_40_0014.html", "doc_type":"perms-cfg", "p_code":"13", "code":"14" }, { - "desc":"This topic describes how to grant an IAM user the read and write permissions on an OBS bucket.You are advised to use bucket policies to grant resource-level permissions t", + "desc":"This topic describes how to grant an IAM user the read/write permission on an OBS bucket.To grant resource-level permissions to an IAM user, use a bucket policy.After con", "product_code":"obs", - "title":"Granting an IAM User the Read and Write Permissions on a Bucket", + "title":"Granting an IAM User the Read/Write Permission on a Bucket", "uri":"obs_40_0015.html", "doc_type":"perms-cfg", "p_code":"13", "code":"15" }, { - "desc":"This topic describes how to grant an IAM user the permissions required to perform specific operations on an OBS bucket. Below describes how to grant the bucket deletion p", + "desc":"This topic describes how to grant an IAM user the permissions required to delete a bucket.To grant other permissions, select required actions from Action Name in the buck", "product_code":"obs", - "title":"Granting an IAM User the Permissions Required to Perform Specific Operations on a Specific Bucket", + "title":"Granting an IAM User the Specified Permissions for a Bucket", "uri":"obs_40_0016.html", "doc_type":"perms-cfg", "p_code":"13", "code":"16" }, { - "desc":"This topic describes how to grant an IAM user the read permission on an object or a set of objects in an OBS bucket.You are advised to use bucket policies to grant resour", + "desc":"This topic describes how to grant an IAM user the read permissions on an object or a set of objects in an OBS bucket.To grant resource-level permissions to an IAM user, u", "product_code":"obs", - "title":"Granting an IAM User the Read Permission on a Specific Object", + "title":"Granting an IAM User the Read Permissions on Specific Objects", "uri":"obs_40_0017.html", "doc_type":"perms-cfg", "p_code":"13", "code":"17" }, { - "desc":"This topic describes how to grant an IAM user certain permissions on specific objects in a bucket. Below explains how to grant the object download permission.If you need ", + "desc":"This topic describes how to grant an IAM user the permissions to download specific objects from a bucket.To grant other permissions, select required actions from Action N", "product_code":"obs", - "title":"Granting an IAM User the Permissions Required to Perform Specific Operations on Certain Objects", + "title":"Granting an IAM User the Specific Permissions on Specific Objects", "uri":"obs_40_0018.html", "doc_type":"perms-cfg", "p_code":"13", @@ -167,11 +167,11 @@ "title":"Granting Permissions to Multiple IAM Users or User Groups Under the Account", "uri":"obs_40_0019.html", "doc_type":"perms-cfg", - "p_code":"12", + "p_code":"11", "code":"19" }, { - "desc":"This topic describes how to grant multiple IAM users or user groups all permissions on all OBS resources. Users with this permission can perform any OBS operation.IAM cus", + "desc":"This topic describes how to grant multiple IAM users or user groups all permissions on all OBS resources. Users with this permission can perform any operations on OBS.Use", "product_code":"obs", "title":"Granting IAM User Groups All Permissions on All OBS Resources", "uri":"obs_40_0020.html", @@ -180,7 +180,7 @@ "code":"20" }, { - "desc":"This topic describes how to use the OBS-related system roles and policies preset in IAM to grant basic operation permissions on all OBS resources to multiple IAM users or", + "desc":"This topic describes how to use OBS system roles and policies preset in IAM to grant basic operation permissions for all OBS resources to multiple IAM users or user group", "product_code":"obs", "title":"Granting IAM User Groups Basic Permissions on All OBS Resources", "uri":"obs_40_0021.html", @@ -189,27 +189,27 @@ "code":"21" }, { - "desc":"This topic describes how to grant multiple IAM users or user groups specific permissions on all OBS resources.IAM custom policiesAfter the configuration is complete, you ", + "desc":"This topic describes how to grant multiple IAM users or user groups specified permissions for all OBS resources.Use an IAM custom policy to configure the permissions.Afte", "product_code":"obs", - "title":"Granting IAM User Groups Specified Permissions on All OBS Resources", + "title":"Granting IAM User Groups Specific Permissions for All OBS Resources", "uri":"obs_40_0022.html", "doc_type":"perms-cfg", "p_code":"19", "code":"22" }, { - "desc":"This topic describes how to grant certain operation permissions on specific OBS resources (can be a bucket or an object) to multiple IAM users or user groups.IAM custom p", + "desc":"This topic describes how to grant specific operation permissions on specific OBS resources (a bucket or an object) to multiple IAM users or user groups.Use an IAM custom ", "product_code":"obs", - "title":"Granting IAM User Groups Specified Permissions on Certain OBS Resources", + "title":"Granting IAM User Groups Specific Permissions on Specific OBS Resources", "uri":"obs_40_0023.html", "doc_type":"perms-cfg", "p_code":"19", "code":"23" }, { - "desc":"This topic describes how to grant certain operation permissions on specific folders in an OBS bucket to multiple IAM users or user groups.IAM custom policiesAfter the con", + "desc":"This topic describes how to grant specified permissions for a folder in an OBS bucket to multiple IAM users or user groups.Use an IAM custom policy to configure the permi", "product_code":"obs", - "title":"Granting IAM User Groups Specified Permissions on Certain OBS Folders", + "title":"Granting IAM User Groups Specific Permissions on a Folder", "uri":"obs_40_0044.html", "doc_type":"perms-cfg", "p_code":"19", @@ -221,22 +221,22 @@ "title":"Granting Permissions to Other Accounts", "uri":"obs_40_0024.html", "doc_type":"perms-cfg", - "p_code":"12", + "p_code":"11", "code":"25" }, { - "desc":"This topic describes how to grant other accounts (excluding the IAM users under them) the read and write permissions on OBS buckets. For details about how to grant permis", + "desc":"This topic describes how to grant other accounts (excluding the IAM users under them) the read/write permission for OBS buckets. For details about how to grant permission", "product_code":"obs", - "title":"Granting an Account the Read and Write Permissions on a Bucket", + "title":"Granting Other Accounts the Read/Write Permission for a Bucket", "uri":"obs_40_0025.html", "doc_type":"perms-cfg", "p_code":"25", "code":"26" }, { - "desc":"This topic describes how to grant other accounts (excluding the IAM users under them) specific operation permissions on OBS buckets. For details about how to grant permis", + "desc":"This topic describes how to grant other accounts (excluding the IAM users under them) specific permissions for OBS buckets. For details about how to grant permissions to ", "product_code":"obs", - "title":"Granting an Account the Specified Permissions on a Bucket", + "title":"Granting Other Accounts the Specified Permissions for a Bucket", "uri":"obs_40_0026.html", "doc_type":"perms-cfg", "p_code":"25", @@ -245,7 +245,7 @@ { "desc":"This topic describes how to grant IAM users the permissions to access OBS buckets and resources in them.The following describes how to grant the permissions to upload and", "product_code":"obs", - "title":"Granting IAM Users Under an Account the Access to a Bucket and Resources in the Bucket", + "title":"Granting IAM Users Under an Account the Access to a Bucket and the Resources in It", "uri":"obs_40_0027.html", "doc_type":"perms-cfg", "p_code":"25", @@ -254,16 +254,16 @@ { "desc":"This case describes how to grant other accounts (excluding IAM users under the account) the read permission for an object or a type of objects in an OBS bucket. For detai", "product_code":"obs", - "title":"Granting an Account Read Permissions on Certain Objects", + "title":"Granting Other Accounts the Read Permission for Certain Objects", "uri":"obs_40_0028.html", "doc_type":"perms-cfg", "p_code":"25", "code":"29" }, { - "desc":"This case describes how to grant other accounts the specified operation permission on a specified object in an OBS bucket. The following describes how to grant the permis", + "desc":"This section describes how to grant other accounts the permissions to download an object from a bucket.To grant other permissions, select required actions from Action Nam", "product_code":"obs", - "title":"Granting an Account the Specified Permissions on Certain Objects", + "title":"Granting Other Accounts Specific Permissions for Specific Objects", "uri":"obs_40_0029.html", "doc_type":"perms-cfg", "p_code":"25", @@ -275,22 +275,22 @@ "title":"Granting Permissions to Anonymous Users", "uri":"obs_40_0030.html", "doc_type":"perms-cfg", - "p_code":"12", + "p_code":"11", "code":"31" }, { "desc":"If a bucket needs to be accessed by anonymous users, you can configure a bucket policy and bucket ACL to grant the access permission to anonymous users. The following use", "product_code":"obs", - "title":"Granting Anonymous Users Public Read Permissions on a Bucket", + "title":"Granting Anonymous Users the Public Read Permission for a Bucket", "uri":"obs_40_0031.html", "doc_type":"perms-cfg", "p_code":"31", "code":"32" }, { - "desc":"If all objects in a folder need to be accessible to anonymous users, you can configure a bucket policy to grant anonymous users the permission to access the folder.The pr", + "desc":"If all objects in a folder need to be accessible to anonymous users, you can configure a bucket policy to grant anonymous users the permission to access the folder.After ", "product_code":"obs", - "title":"Granting Anonymous Users Public Read Permissions on a Directory", + "title":"Granting Anonymous Users the Read Permission for a Directory", "uri":"obs_40_0032.html", "doc_type":"perms-cfg", "p_code":"31", @@ -299,7 +299,7 @@ { "desc":"Enterprise A stores a large volume of map data in OBS, and offers the data for public query. This enterprise sets a read permission for anonymous users, and provides the ", "product_code":"obs", - "title":"Granting Anonymous Users Public Read Permissions on Certain Objects", + "title":"Granting Anonymous Users the Read Permission for Certain Objects", "uri":"obs_40_0033.html", "doc_type":"perms-cfg", "p_code":"31", @@ -315,21 +315,21 @@ "code":"35" }, { - "desc":"This case describes how to use temporary access keys (temporary AK/SK and security token) to access OBS in temporary authorization mode.Assume that you want to enable an ", + "desc":"This case describes how to use temporary access keys (temporary AK/SK and security token) to access OBS.Assume that you want to enable an IAM user (user name: APPServer) ", "product_code":"obs", "title":"Granting Temporary Access to OBS", "uri":"obs_40_0037.html", "doc_type":"perms-cfg", - "p_code":"12", + "p_code":"11", "code":"36" }, { "desc":"This case describes how to restrict the source IP addresses that can access an OBS bucket. The following shows how to deny a client access whose source IP address is with", "product_code":"obs", - "title":"Preventing Specific IP Addresses from Accessing a Bucket", + "title":"Restricting Access to a Bucket for Specific IP Addresses", "uri":"obs_40_0036.html", "doc_type":"perms-cfg", - "p_code":"12", + "p_code":"11", "code":"37" }, { @@ -342,7 +342,7 @@ "code":"38" }, { - "desc":"A policy in JSON format is described as follows:Example:{ \n\"Statement\" : [{\n \"Sid\": \"ExampleStatementID1\",\n \"Principal\": \"*\",\n \"Effect\": \"Allow\", \n \"Act", + "desc":"A bucket policy in JSON format:Example:{ \n\"Statement\" : [{\n \"Sid\": \"ExampleStatementID1\",\n \"Principal\": \"*\",\n \"Effect\": \"Allow\", \n \"Action\": [\"ListBucke", "product_code":"obs", "title":"Bucket Policy Parameters", "uri":"obs_40_0041.html", @@ -351,9 +351,9 @@ "code":"39" }, { - "desc":"Bucket ACLs are used to control basic read and write access to buckets. Custom settings of bucket policies support more actions that can be performed on buckets. Bucket A", + "desc":"Bucket ACLs control read and write permissions on buckets. Custom bucket policies can control more actions on buckets. Bucket ACLs are a supplement to bucket policies, bu", "product_code":"obs", - "title":"Relationship Between Bucket Policies and Bucket ACLs", + "title":"Relationship Between Bucket ACLs and Bucket Policies", "uri":"obs_40_0043.html", "doc_type":"perms-cfg", "p_code":"38", diff --git a/docs/obs/perms-cfg/en-us_image_0000001436265909.png b/docs/obs/perms-cfg/en-us_image_0000001436265909.png deleted file mode 100644 index e6587d49..00000000 Binary files a/docs/obs/perms-cfg/en-us_image_0000001436265909.png and /dev/null differ diff --git a/docs/obs/perms-cfg/en-us_image_0000001335934590.png b/docs/obs/perms-cfg/en-us_image_0000001664558420.png similarity index 100% rename from docs/obs/perms-cfg/en-us_image_0000001335934590.png rename to docs/obs/perms-cfg/en-us_image_0000001664558420.png diff --git a/docs/obs/perms-cfg/obs_40_0001.html b/docs/obs/perms-cfg/obs_40_0001.html index 306635ff..54c0c78c 100644 --- a/docs/obs/perms-cfg/obs_40_0001.html +++ b/docs/obs/perms-cfg/obs_40_0001.html @@ -1,11 +1,11 @@ -

Introduction to OBS Access Control

-

By default, OBS resources (buckets and objects) are private. Only resource owners can access their OBS resources. Without authorization, other users cannot access OBS. OBS permission control refers to granting permissions to other accounts or IAM users by editing access policies. For example, if you have a bucket, you can authorize another IAM user to upload objects to your bucket. You can also open buckets to non-public cloud users, so that anyone can access your buckets as public resources over the Internet. OBS offers different methods to help resource owners grant resource permissions to others as required, keeping data secure.

-

OBS Permission Control Model

OBS provides multiple permission control mechanisms, including IAM permissions, bucket policies, object ACLs, and bucket ACLs. Table 1 describes the mechanisms and application scenarios.

-
Figure 1 OBS permission control mechanisms
+

Differences Between OBS Permissions Control Methods

+

By default, OBS resources (buckets and objects) are private. Only resource owners can access their OBS resources. Other users cannot access such resources without authorization. OBS permission control helps you control access from other accounts or IAM users. For example, you can authorize another IAM user to upload objects to your bucket. You can also grant permissions to non-public cloud users, so that they can access your bucket over the Internet. OBS provides different methods for resource owners to grant permissions to others as needed.

+

OBS Permission Control Methods

OBS provides multiple permission control methods, including IAM permissions, bucket policies, object ACLs, and bucket ACLs. Table 1 describes the methods and their application scenarios.

+
Figure 1 OBS permission control methods
-
- - @@ -198,7 +198,7 @@

Configuring a Bucket Policy

-

Bucket Policy Example

  • Example 1: grant an IAM user the specified operation permission on all objects in a specified bucket.

    The following example policy grants the PutObject and PutObjectAcl permissions to the IAM user whose ID is 71f3901173514e6988115ea2c26d1999 under account b4bf1b36d9ca43d984fbcb9491b6fce9 (account ID).

    +

    Bucket Policy Example

    • Example 1: Grant an IAM user the specified operation permission on all objects in a specified bucket.

      The following policy grants the PutObject and PutObjectAcl permissions to the IAM user 71f3901173514e6988115ea2c26d1999 under account b4bf1b36d9ca43d984fbcb9491b6fce9.

      {
     "Statement":[
     {
@@ -210,7 +210,7 @@
     }
   ]
 }
      -
    • Example 2: Grant all permissions for a specified bucket to an IAM user.

      The following example policy grants all operation permissions (including bucket operations and object operations) of examplebucket to the user whose ID is 71f3901173514e6988115ea2c26d1999 in account b4bf1b36d9ca43d984fbcb9491b6fce9 (account ID).

      +
    • Example 2: Grant all permissions for a specified bucket to an IAM user.

      The following policy grants all permissions for bucket examplebucket and its objects to the user 71f3901173514e6988115ea2c26d1999 in account b4bf1b36d9ca43d984fbcb9491b6fce9.

      {
     "Statement":[
     {
@@ -225,7 +225,7 @@
     }
   ]
 }
      -
    • Example 3: Grant all permissions except the object deletion permission to an OBS user.

      The following example policy grants a user (user ID 71f3901173514e6988115ea2c26d1999) of an account (ID b4bf1b36d9ca43d984fbcb9491b6fce9) all permissions for the examplebucket bucket, excluding the permission to delete objects.

      +
    • Example 3: Grant all permissions except the object deletion permission to an OBS user.

      The following policy grants the user 71f3901173514e6988115ea2c26d1999 under the account b4bf1b36d9ca43d984fbcb9491b6fce9 all permissions for the examplebucket bucket, excluding the permission to delete objects.

      {
     "Statement":[
     {
@@ -244,7 +244,7 @@
     }
   ]
 }
      -
    • Example 4: Grant the read-only permission on a specified object to anonymous users.

      The following example policy grants the GetObject (download object) permission of exampleobject in bucket examplebucket to anonymous users, allowing everyone to read data of the exampleobject object.

      +
    • Example 4: Grant the read-only permission on a specified object to anonymous users.

      The following policy grants anonymous users the GetObject permissions to download object exampleobject from bucket examplebucket, allowing everyone to read data of the exampleobject object.

      {
     "Statement":[
     {
@@ -256,8 +256,8 @@
     }
   ]
 }
      -
    • Example 5: Restrict access to a specific IP address.

      The following policy grants all users the permission to perform any OBS operation. However, the requests must be from the specified IP address range. The IP address range that is allowed by the statement is 192.168.0.* with an exception of 192.168.0.1.

      -

      Use IpAddress and NotIpAddress conditions, and use the SourceIp (in OBS range) condition key. The value of SourceIp is the CIDR notation described in RFC 4632.

      +
    • Example 5: Allow access only from a specific IP address.

      The following policy grants the permission to allow users to access from the specific IP address range to perform any operations on OBS. The range is 192.168.0.*, excluding 192.168.0.1.

      +

      You can use IpAddress and NotIpAddress conditions, and the SourceIp (in OBS range) condition key. The value of SourceIp is a CIDR notation described in RFC 4632.

      {
   "Statement": [
     {
@@ -278,7 +278,7 @@
    diff --git a/docs/obs/perms-cfg/obs_40_0005.html b/docs/obs/perms-cfg/obs_40_0005.html index ad27949c..a721ef90 100644 --- a/docs/obs/perms-cfg/obs_40_0005.html +++ b/docs/obs/perms-cfg/obs_40_0005.html @@ -1,37 +1,37 @@

    ACLs

    -

    An ACL is a list that defines grantees and their granted permissions.

    +

    An access control list (ACL) is a list of rules that specifies which users or systems are granted or denied access to a particular bucket or object.

    Bucket and object ACLs are attached to accounts. By default, an ACL is created when a bucket or object is created, authorizing the owner the full control over the bucket or object.

    -

    To implement simple and practical authorization for users, the OBS ACL has the following features:

    -
    • The ACL takes effect for both the account and the users under the account.
    • When the owner of a bucket is the same as the owner of an object, the ACL configured on the bucket takes effect on the bucket and objects in the bucket by default.
    • An ACL can be carried when a bucket is created, or an ACL can be configured after a bucket is created. An object can carry an ACL when it is uploaded. You can also configure the ACL after the object is uploaded successfully.
    -

    ACLs are write and read control rules attached to accounts, whose permission granularity is not as fine as bucket policies and IAM policies. Generally, it is recommended that you use IAM permissions and bucket policies for access control.

    -

    Table 1 lists users to whom you can grant bucket access permissions by configuring an ACL.

    +

    To implement simple and practical authorization for users, OBS ACL has the following features:

    +
    • An ACL applies to both the account and the users under the account.
    • If a bucket and its objects have the same owner, the ACL configured on the bucket also applies to the objects in the bucket by default.
    • An ACL can be created together with a bucket or its object. You can also configure one after the bucket or object is created.
    +

    ACLs are write and read permissions attached to accounts, and are not as fine-grained as bucket policies and IAM policies. It is recommended that you use IAM permissions and bucket policies for access control.

    +

    You can grant bucket access permissions to users or user groups listed in Table 1 by configuring an ACL.

    -
Table 1 OBS permission control mechanisms and application scenarios

Method

+
@@ -15,7 +15,7 @@ - @@ -24,101 +24,101 @@ - - - - -
Table 1 OBS permission control methods and application scenarios

Method

Description

IAM permissions

IAM permissions define the actions that can be performed on your cloud resources. In other words, IAM permissions specify what actions are allowed or denied. After an IAM user is created, the administrator needs to add the user to a group. IAM can grant the user group required OBS access permissions, and then all users in the group automatically inherit the permissions of the user group.

+

IAM permissions define the actions that can be performed on your cloud resources. In other words, IAM permissions specify what actions are allowed or denied. After an IAM user is created, the administrator needs to add the user to a group. IAM can grant the user group required permissions so that all users in the group automatically inherit the permissions of the user group.
  • Controlling access to all OBS buckets under an account
  • Controlling access to all OBS objects under an account
  • Controlling access to specified OBS resources under an account

A bucket policy is attached to a bucket and objects in the bucket. Bucket owners can use bucket policies to grant IAM users or other accounts the permissions to operate buckets and objects in the buckets. ACLs of buckets and objects supplement bucket policies, and in many cases, bucket policies replace ACLs.

  • Granting other accounts the permissions to access OBS resources
  • Configuring bucket policies to grant IAM users various access permissions to different buckets
+
  • Granting other accounts the permissions to access buckets
  • Granting IAM users the permissions to access buckets

Object ACLs

Controls access to objects for accounts or user groups. Object owners can configure the object access control list (ACL) to grant basic read and write permissions to specified accounts or user groups.

-
NOTE:
  • By default, an object ACL is created upon the creation of the object. The object owner has full control over the object.
  • An object owner is the account that uploads the object, but may not be the owner of the bucket that stores the object. For example, account B is granted the permission to access a bucket of account A, and account B uploads a file to the bucket. In that case, instead of the bucket owner account A, account B is the owner of the object. By default, account A is not allowed to access this object and cannot read or modify the object ACL.
+

Object owners can configure object access control lists (ACLs) to grant read and write permissions to specified accounts or user groups.

+
NOTE:
  • By default, an object ACL is created when the object is uploaded, granting the object owner the full control over the object.
  • An object owner is the account that uploads the object and is not necessarily the owner of the bucket that stores the object. For example, account B is granted the permission to access a bucket of account A, and account B uploads a file to the bucket. In that case, account B is the owner of the object. By default, account A is not allowed to access this object and cannot read or modify the object ACL.
  • If object-level access control is required, a bucket policy can be used to grant the access permission to an object or a set of objects. After the access permission is granted to an object set, it is not practical to configure a bucket policy to grant the access permission to an object in the object set separately. Then the object ACL is recommended for easier access control over single objects.
  • An object is accessed through a URL. Generally, if you want to grant anonymous users the permission to read an object through a URL, use the object ACL.
+
  • If object-level access control is required, you can configure a bucket policy to grant the permissions to an object or a set of objects. If you have configured the permissions for a set of objects, it is not practical to configure a bucket policy to control access to each object separately. Instead, you can configure the object ACL to control access to each object.
  • An object can be accessed through a URL. If you want to grant anonymous users the permission to read an object through a URL, you can configure an object ACL.

Bucket ACLs

Controls access to buckets for accounts or user groups. Bucket owners can configure the bucket ACL to grant basic read and write permissions to specified accounts or user groups.

-
NOTE:
  • By default, a bucket ACL is created upon the creation of the bucket. The bucket owner has full control over the bucket.
  • Bucket ACLs do not provide fine-grained permission control. Generally, IAM permissions and bucket policies are recommended.
+

Bucket owners can configure bucket ACLs to grant read and write permissions to specified accounts or user groups.

+
NOTE:
  • By default, a bucket ACL is created when the bucket is created, granting the bucket owner the full control over the bucket.
  • Bucket ACLs do not provide fine-grained permission control. Generally, IAM permissions and bucket policies are recommended.
  • Granting an account the read and write access to a bucket, so that data in the bucket can be shared or external buckets can be added. For example, after account A grants account B the read and write access to a bucket, account B can access the bucket by adding an external bucket through OBS Browser+ or using APIs and SDKs.
  • Grant the log delivery user group with the write access to the target bucket, so that access logs can be delivered to the target bucket.
+
  • Granting an account the read and write permissions to a bucket for sharing data in the bucket or adding external buckets. For example, after account A grants account B the read and write permissions to a bucket, account B can access the bucket by adding an external bucket through OBS Browser+ or using APIs and SDKs.
  • Granting the log delivery user write permissions to the bucket that stores access logs.
-

Relationship Between OBS Permissions and IAM Permissions

OBS provides multiple permission control mechanisms, including time-limited access to objects, object ACLs, bucket ACLs, and bucket policies. Some service-level permissions (for example, creating a bucket and listing all buckets) cannot be configured through OBS and can only be configured on IAM. OBS permissions apply only to resources (buckets and objects). To grant both OBS service-level and resource-level permissions, you must use IAM permissions or both IAM and OBS permissions.

-
Figure 2 Relationship between OBS permissions and IAM permissions
+

Relationships Between OBS Permissions and IAM Permissions

OBS provides multiple permission control methods, including time-limited access to objects, object ACLs, bucket ACLs, and bucket policies. Some service-level permissions (for example, creating a bucket and listing all buckets) cannot be configured through OBS and can only be configured on IAM. OBS permissions apply only to resources (buckets and objects). To grant both OBS service-level and resource-level permissions, you must use IAM permissions or both IAM and OBS permissions.

+
Figure 2 Relationships between OBS permissions and IAM permissions
-

OBS Permission Control Elements

The following factors determine the authorization result:

-
  • Principal (authorized user)
  • Effect
  • Resource
  • Action
  • Condition
-

For details about elements, see Bucket Policy Parameters.

-

Table 2 describes elements in different permission control mechanisms.

+

OBS Permission Control Elements

Authorization is determined by:

+
  • Principal (authorized user)
  • Effect
  • Resource
  • Action
  • Condition
+

For details about these elements, see Bucket Policy Parameters.

+

Table 2 describes the elements in different permission control methods.

-
- @@ -32,7 +32,7 @@ - @@ -50,7 +50,7 @@ - @@ -59,7 +59,7 @@ - @@ -70,7 +70,7 @@ - @@ -82,9 +82,9 @@
Table 2 OBS permission control elements in different permission control mechanisms

Method

+
- - - - - - - - - - - - - - - @@ -127,40 +127,40 @@
Table 2 Elements in different OBS permission control methods

Method

Principal

Supported Effect

+

Effect

Authorized Resource

+

Resource

Authorized Action

+

Action

Condition Configuration

+

Condition

IAM Permissions

IAM user

+

IAM users
  • Allow
  • Deny

All or specified OBS resources

All permissions to access OBS

+

Access OBS

Supported

Bucket Policy

+

Bucket Policies

  • Account
  • IAM user
  • Anonymous users
+
  • Accounts
  • IAM users
  • Anonymous users
  • Allow
  • Deny

Specified bucket and resources in the bucket

All permissions to access OBS

+

Access OBS

Supported

Object ACL

+

Object ACLs

  • Account
  • Anonymous users
+
  • Accounts
  • Anonymous users

Allow

Specified object

  • Obtains the content and metadata of a specified object.
  • Obtains the content and metadata of an object with a specified version.
  • Obtains information about an object ACL.
  • Obtains information about the ACL for an object of a specified version.
  • Configures an object ACL.
  • Configures the ACL for an object of a specified version.
+
  • Obtain the content and metadata of a specified object.
  • Obtain the content and metadata of an object of a specified version.
  • Obtain information about an object ACL.
  • Obtain information about the ACL for an object of a specified version.
  • Configure an ACL for an object.
  • Configure an ACL for an object of a specified version.

Not supported

Bucket ACL

+

Bucket ACLs

  • Account
  • Anonymous users
  • Log delivery user groups
+
  • Accounts
  • Anonymous users
  • Log delivery user groups

Allow

Specified bucket

  • Identifies whether a bucket exists.
  • Lists objects in a bucket, and gets the bucket metadata.
  • Lists versioned objects in a bucket.
  • Lists multipart uploads.
  • Performs PUT upload, POST upload, multipart upload, initialization of uploaded parts, and merging of parts.
  • Deletes an Object.
  • Deletes an object of a specified version.
  • Obtains bucket ACL information.
  • Configures a bucket ACL.
  • Obtains object content.
  • Obtains object metadata.
+
  • Identify whether a bucket exists.
  • List objects in a bucket, and obtain the bucket metadata.
  • List versioned objects in a bucket.
  • List multipart uploads.
  • Upload using PUT and POST, upload multiparts, and initialize and merge uploaded parts.
  • Delete an object.
  • Delete an object of a specified version.
  • Obtain bucket ACL information.
  • Configure a bucket ACL.
  • Obtain object content.
  • Obtain object metadata.

Not supported

-

How to Select IAM Permissions, Bucket Policies, and ACLs

Based on the advantages and disadvantages of the three elements, you are advised to preferentially use IAM permissions and bucket policies.

-
  • Select IAM permissions in the following scenarios:
    • Grant the same permissions to numerous IAM users under the same account.
    • Grant the same permissions to all OBS resources or multiple buckets.
    • Configure OBS service-level permissions, such as creating and listing buckets.
    • Restrict the permissions of temporary access keys used for temporarily authorized access to OBS.
    -
  • Select bucket policies in the following scenarios:
    • Grant permissions across accounts or grant permissions to anonymous users.
    • Grant different permissions to different IAM users under the same account.
    -
  • Still do not know what to select?

    Identify the problem you are most concerned with:

    -
    • What the user can do - IAM permissions recommended

      You can search for an IAM user and check the permissions of the user group to which the user belongs to know what the user can do.

      -
    • Who can access an OBS bucket - Bucket policies recommended

      You can query the bucket and check the bucket policy to know who can access the bucket.

      +

      Which Permissions Should I Select?

      Considering the advantages and disadvantages of the elements, you are advised to use IAM permissions and bucket policies.

      +
      • Select IAM permissions to:
        • Grant the same permissions to numerous IAM users under the same account.
        • Grant the same permissions to all OBS resources or multiple buckets.
        • Configure OBS service-level permissions, such as creating and listing buckets.
        • Restrict the permissions of temporary access keys used for OBS access.
        +
      • Select bucket policies to:
        • Grant permissions across accounts or to anonymous users.
        • Grant different permissions to different IAM users under the same account.
        +
      • Are you still unsure what to select?

        Identify what you are most concerned about:

        +
        • If you want to control what a user can do, choose IAM permissions.

          You can search for an IAM user and check the permissions of the user group to which the user belongs to see what the user can do.

          +
        • If you want to control access to a bucket, choose bucket policies.

          You can query the bucket and check the bucket policy to know who can access the bucket.

      -

      It is better for you to use the same method for access control, because as the number of IAM permissions and bucket policies increase, access maintenance will become increasingly difficult.

      +

      To ensure easier permission maintenance, it is recommended to use the same method for permission control, especially as the number of IAM permissions and bucket policies grows.

      -

      When to Select an ACL?

      -
      • As a supplement to IAM permissions and bucket policies:

        IAM permissions and bucket policies have granted access permissions to an object set, but you want to grant access permissions to a single object.

        -
      • To allow an object to be accessible to all anonymous Internet users, configuring object ACL operations is more convenient.

        When uploading an object, you can use the ACL header to specify the read and write permissions of the object.

        +

        Configure an ACL if you want to:

        +
        • Grant permissions to a single object:

          If you already have IAM permissions and bucket policies configured for a set of objects, you can use an ACL to grant permissions to a single object in the set.

          +
        • Allow an object to be accessible to all anonymous Internet users:

          You can use an ACL header to specify read and write permissions on an object during upload.

        -

        Relationship Between Bucket ACLs and Bucket Policies

        Bucket ACLs are used to control basic read and write access to buckets. Custom settings of bucket policies support more actions that can be performed on buckets. Bucket ACLs supplement bucket policies. In many cases, bucket policies can replace bucket ACLs to manage access to buckets. Relationship Between Bucket Policies and Bucket ACLs shows the mapping between bucket ACL access permissions and bucket policy actions.

        +

        Relationships Between Bucket ACLs and Bucket Policies

        Bucket ACLs control read and write permissions on buckets. Custom bucket policies allow a more refined control over more actions on buckets. In many cases, bucket policies can replace bucket ACLs to manage access to buckets more precisely. Relationship Between Bucket ACLs and Bucket Policies shows the mapping between bucket ACLs and bucket policies.

        -

        OBS Permission Control Principles

        • Least privilege

          Never grant IAM users more than the minimum level of access needed to complete a task. For example, if an IAM user only needs to upload and download objects to a directory, you do not need to assign the user the read and write permissions for the entire bucket.

          -
        • Separation of duties

          Management of resources or of permissions can be assigned to different IAM users. For example, you can let one IAM user assign permissions, and let other IAM users manage OBS resources.

          -
        • Restriction by condition

          To enhance the security of the resources in a bucket, specific conditions can be configured to control when a permission is applied. For example, a bucket policy with conditions contained can be configured for OBS to accept requests only from a specific IP address.

          +

          OBS Permission Control Principles

          • Least privilege

            Grant IAM users only the minimum permissions needed to complete a task. For example, if an IAM user only needs to upload and download objects to a directory, grant this user only the permissions to do so.

            +
          • Separation of duties

            Assign different IAM users to manage resources and permissions. For example, you can let one IAM user assign permissions, and let another IAM user manage OBS resources.

            +
          • Restriction by condition

            To enhance the security of the resources in a bucket, you can configure specific conditions to control when a permission is applied. For example, you can configure a bucket policy for OBS to accept requests only from a specific IP address.

          -

          How Do Access Control Mechanisms Work When They Conflict?

          In the OBS permission control elements, there are allow and deny effects, which indicate the permission to allow or deny an operation.

          -

          Based on the least-privilege principle, decisions default to deny, and an explicit deny statement always takes precedence over an allow statement. For example, IAM permissions grant a user access to an object, a bucket policy denies the user's access to that object, and there is no ACL. Then access will be denied.

          +

          Which Permissions Apply When They Conflict?

          In the OBS permission control elements, there are allow and deny effects, which indicate the permission to allow or deny an action.

          +

          Following the least-privilege principle, the permission is defaulted to deny, and an explicit deny statement always takes precedence over an allow statement. For example, if IAM permissions grant a user access to an object, a bucket policy denies the user's access to that object, and there is no ACL, this user's access will be denied.

          If no method specifies an allow statement, then the request will be denied by default. Only if no method specifies a deny statement and one or more methods specify an allow statement, will the request be allowed. For example, if a bucket has multiple bucket policies with allow statements, adding such a new bucket policy applies the allowed permissions to the bucket, but adding a new bucket policy with a deny statement will make the permissions work differently. The deny statement will take precedence over allow statements, even if the denied permissions are allowed in other bucket policies.

          -
          Figure 3 Authorization process
          -

          Figure 4 describes how bucket policies, IAM permissions, and ACLs work (allow or deny) when you grant the IAM users of your account the access to OBS buckets and resources in the buckets. ACLs are applied to accounts and do not control IAM users' read and write permissions for the buckets and the sources in the buckets under their account.

          -
          Figure 4 Working mechanisms (allow or deny) of bucket policies and IAM permissions in the same account
          -

          Figure 5 describes how bucket policies, IAM permissions, and ACLs work (allow or deny) when you grant any other account and the IAM users of this account the access to OBS buckets and resources in the buckets.

          -
          Figure 5 Working mechanisms (allow or deny) of bucket policies, IAM permissions, and ACLs in cross-account access grant scenarios
          +
          Figure 3 Authorization process
          +

          Figure 4 describes which action (allow or deny) to take when bucket policies, IAM permissions, and ACLs for the IAM users of your account conflict. ACLs are applied to accounts and do not control IAM users' read and write permissions for the buckets and their objects.

          +
          Figure 4 Action (allow or deny) to take when bucket policies and IAM permissions for IAM users conflict under an account
          +

          Figure 5 describes which action (allow or deny) to take when bucket policies, IAM permissions, and ACLs for any other account and the IAM users of this account conflict.

          +
          Figure 5 Action (allow or deny) to take when bucket policies, IAM permissions, and ACLs conflict in cross-account scenarios
          • If both the bucket policy and IAM policy are set to Default Deny, but the ACL is set to Allow, the final result is Deny. ACLs are used to supplement bucket policies.
          • If both the bucket policy and ACL are set to Default Deny and the IAM policy is set to Allow, the final result is Deny. IAM policies are applied to users, while bucket policies are applied to resources. Even if the Allow permission is granted to users, they still cannot access the resources if the resources have the Deny permission configured.
          -

          Concepts

          • Domain: An account that is automatically created during your registration. This account has full access control over its resources and IAM users.
          • IAM user: A user created by the administrator in IAM. An IAM user may be an employee, a system, or an application. An IAM user has access permissions to specified resources. IAM users have identity credentials (passwords and access keys) and can log in to the management console or call APIs.
          • Anonymous user: A common visitor who has not registered.
          • A log delivery user group: A user group who only delivers access logs of buckets and objects to the specified target bucket. OBS does not create or upload any file to a bucket automatically. If you want to record access logs for a bucket, you must grant the log delivery user group required permissions, so that OBS can write the access logs to the specified bucket. This user group is only used to record internal logs of OBS.
          +

          Concepts

          • Domain: An account that is automatically created during your registration. This account has full access control over its resources and IAM users.
          • IAM user: A user created by the administrator in IAM. An IAM user may be an employee, a system, or an application. An IAM user is usually granted the permissions to access specified resources. IAM users have identity credentials (passwords and access keys) and can log in to the management console or call APIs.
          • Anonymous user: A visitor who has not registered.
          • A log delivery user group: A user group that delivers access logs of buckets and objects to a specified bucket. OBS does not create or upload any file to a bucket automatically. If you want to record access logs for a bucket, you must grant the log delivery user group required permissions, so that OBS can write the access logs to the specified bucket. This user group is only used to record internal logs of OBS.
          diff --git a/docs/obs/perms-cfg/obs_40_0002.html b/docs/obs/perms-cfg/obs_40_0002.html index 5a67199a..13b7d488 100644 --- a/docs/obs/perms-cfg/obs_40_0002.html +++ b/docs/obs/perms-cfg/obs_40_0002.html @@ -1,6 +1,6 @@ -

          Permission Control Mechanisms

          +

          Permission Control Methods

            diff --git a/docs/obs/perms-cfg/obs_40_0003.html b/docs/obs/perms-cfg/obs_40_0003.html index aded9c60..efca434a 100644 --- a/docs/obs/perms-cfg/obs_40_0003.html +++ b/docs/obs/perms-cfg/obs_40_0003.html @@ -2,11 +2,11 @@

            IAM Permissions

            IAM Permissions Overview

            By default, newly created IAM users do not have any permissions. You need to add the user to one or more groups, and attach permission policies or roles to these groups. Users inherit permissions from the groups to which they are added and can perform specified operations on cloud services based on the permissions.

            -

            IAM permissions take effect on all OBS buckets and objects. To grant an IAM user the permission to operate OBS resources, you need to assign one or more OBS permission sets to the user group to which the user belongs.

            -

            OBS is a global service because it is available for all physical regions. IAM permissions are assigned to users in the global project, and users do not need to switch regions when accessing OBS.

            +

            IAM permissions apply to all OBS buckets and objects. To grant an IAM user the permission to operate OBS resources, you need to assign one or more OBS permission sets to the user group that the user belongs to.

            +

            OBS is a global service because it is available in all physical regions. If users in the global project are assigned IAM permissions, they do not need to switch regions to access OBS.

            You can grant permissions to users by roles and policies.

            -
            • Roles: A type of coarse-grained authorization mechanism that defines permissions related to user responsibilities. This mechanism provides only a limited number of service-level roles for authorization. When using roles to grant permissions, you need to also assign other roles on which the permissions depend to take effect. However, roles are not an ideal choice for fine-grained authorization and secure access control.
            • Policies: A type of fine-grained authorization mechanism that defines permissions required to perform operations on specific cloud resources under certain conditions. This mechanism allows for more flexible policy-based authorization, meeting requirements for secure access control. For example, you can grant OBS users only the permissions for managing a certain type of OBS resources.
            -

            Due to data caching, a role and policy involving OBS actions will take effect 10 to 15 minutes after it is attached to a user, an enterprise project, and user group.

            +
            • Roles: A type of coarse-grained authorization mechanism that defines permissions related to user responsibilities. This mechanism only provides a limited number of service-level roles for authorization. When using roles to grant permissions, you also need to assign other dependency roles. However, roles are not the best choice for fine-grained authorization and secure access control.
            • Policies: A type of fine-grained authorization mechanism that defines permissions required to perform operations on specific cloud resources under certain conditions. This mechanism allows for more flexible policy-based authorization, meeting requirements for secure access control. For example, you can grant OBS users only the permissions to manage a certain type of OBS resources.
            +

            Due to data caching, a role and policy involving OBS actions will take effect 10 to 15 minutes after it is attached to a user, an enterprise project, or a user group.

            IAM presets system permissions for each cloud service so that you can quickly configure basic permissions. Table 1 describes all system permissions of OBS.

            Custom policies can be created to supplement the system-defined policies of OBS.

            @@ -23,7 +23,7 @@

Tenant Administrator

Users with this permission can perform all operations on all services except IAM.

+

Users with this permission can perform all operations on all services except IAM.

System-defined role

Tenant Guest

Users with this permission can perform read-only operations on all services except IAM.

+

Users with this permission can perform read-only operations on all services except IAM.

System-defined role

OBS Buckets Viewer

Users with this permission can list buckets, obtain basic bucket information, and obtain bucket metadata.

+

Users with this permission can list buckets, obtain basic information about buckets, and obtain bucket metadata.

System-defined role

OBS ReadOnlyAccess

Users with this permission can list buckets, obtain basic bucket information, obtain bucket metadata, and list objects (not the objects that have been versioned).

+

Users with this permission can list buckets, obtain basic information about buckets, obtain bucket metadata, and list objects (not the objects that have been versioned).

NOTE:

If a user with this permission fails to list objects on OBS Console, there may be multiple versions of objects in the bucket. In this case, you need to grant the user the obs:bucket:ListBucketVersions permission so that the user can view different versions of objects on OBS Console.

OBS OperateAccess

Users with this permission can perform all OBS ReadOnlyAccess operations and perform basic object operations, such as uploading objects, downloading objects, deleting objects, and obtaining object ACLs.

+

Users with this permission can perform all OBS ReadOnlyAccess operations and perform basic operations on objects, such as uploading, downloading, and deleting objects, and obtaining object ACLs.

NOTE:

If a user with this permission fails to list objects on OBS Console, there may be multiple versions of objects in the bucket. In this case, you need to grant the user the obs:bucket:ListBucketVersions permission so that the user can view different versions of objects on OBS Console.
-

The following table lists the common operations supported by each system-defined policy or role of OBS. Select the policies or roles as required.

+

The following table lists the common operations supported by system-defined permissions for OBS. You can refer to this table to select the permissions as required.

-
- -
Table 2 Permissions and the allowed operations on OBS resources

Operation

+
@@ -145,7 +145,7 @@ - @@ -400,7 +400,7 @@ - @@ -580,6 +580,21 @@ + + + + + + + + - @@ -625,7 +640,7 @@ - @@ -685,14 +700,44 @@ + + + + + + + + + + + + + + + +
Table 2 Permissions and allowed operations on OBS resources

Operation

Tenant Administrator

No

Obtaining basic bucket information

+

Obtaining basic information about buckets

Yes

Yes

Controlling object access

+

Controlling access to objects

Yes

No

Managing cross-region replication

+

Yes

+

No

+

Yes

+

No

+

No

+

No

+

Configuring an object ACL

Yes

@@ -595,7 +610,7 @@

No

Configuring the ACL for an object of a specified version

+

Configuring ACL for an object of a specified version

Yes

Yes

Obtaining the ACL of a specified object version

+

Obtaining the ACL of a specific object version

Yes

Yes

Configuring requester-pays

+

Yes

+

No

+

Yes

+

No

+

No

+

No

+

Obtaining requester-pays configuration information

+

Yes

+

Yes

+

Yes

+

No

+

No

+

No

+
-

Application Scenarios of IAM Permissions

IAM permissions are used to authorize IAM users under an account.

-
  • Controlling access to cloud resources as a whole under an account
  • Controlling access to all OBS buckets and objects under an account
  • Controlling access to specified OBS resources under an account
+

Application Scenarios of IAM Permissions

IAM permissions control IAM users under an account to access:

+
  • All cloud resources.
  • All OBS buckets and objects.
  • Specified OBS resources.
-

Policy Structure and Syntax

A policy consists of a version and statements. Each policy can have multiple statements.

+

Policy Structure and Syntax

A policy consists of a version and one or more statements.

Figure 1 Policy structure

Policy syntax example:

{
@@ -728,23 +773,23 @@

Version

The version number of a policy.
  • 1.0: RBAC policies. An RBAC policy consists of permissions for an entire service. Users in a group with such a policy assigned are granted all of the permissions required for that service.
  • 1.1: Fine-grained policies. A fine-grained policy consists of API-based permissions for operations on specific resource types. Fine-grained policies, as the name suggests, allow for more fine-grained control on specific operations and resources than RBAC policies. For example: You can restrict an IAM user to access only the objects in a specific directory of an OBS bucket.
+
The version number of a policy.
  • 1.0: RBAC policy. An RBAC policy consists of permissions for an entire service. Users in a group with such a policy assigned are granted all of the permissions required for that service.
  • 1.1: Fine-grained policy. A fine-grained policy consists of API-based permissions for operations on specific resource types. Fine-grained policies, as the name suggests, allow for more fine-grained control on specific operations and resources than RBAC policies. For example, you can restrict an IAM user to access only the objects in a specific directory of an OBS bucket.

Statement

Detailed descriptions of a policy, including Effect, Action, Resource, and Condition. Resource and Condition are optional.
  • Effect

    The valid values for Effect are Allow and Deny. System policies contain only Allow statements. For custom policies containing both Allow and Deny statements, the Deny statements take precedence.

    -
  • Action

    Actions allowed on resources. An action is in the format of Service name:Resource type:Action. A policy can contain one or more actions. You can use a wildcard (*) to indicate all of the services, resource types, or actions depending on their location in the action. There are two types of OBS resources: buckets and objects.

    -
  • Resource

    Resources on which the policy takes effect. A resource is in the format of Service name:Region:Domain ID:Resource type:Resource path. You can use a wildcard (*) to indicate all of the services, regions, domain IDs, resource types, or resource paths depending on their location in the resource. In the JSON view, if Resource is not specified, the policy takes effect for all resources.

    -

    The value of Resource supports uppercase (A to Z), lowercase (a to z) letters, digits (0 to 9), and the following characters: -_*./\. If the value contains invalid characters, use the wildcard character (*).

    -

    OBS is a global service. Therefore, set Region to *. Domain ID indicates the ID of the resource owner. Set it to * to indicate the ID of the account to which the resources belong.

    +
Descriptions of a policy, including Effect, Action, Resource (optional), and Condition (optional).
  • Effect

    The value of Effect can be Allow or Deny. System policies contain only Allow statements. For custom policies containing both Allow and Deny statements, Deny statements take precedence over Allow statements.

    +
  • Action

    Actions allowed on resources. An action is in the format of Service name:Resource type:Action. A policy can contain one or more actions. You can use a wildcard (*) to indicate all services, resource types, or actions. There are two types of OBS resources: buckets and objects.

    +
  • Resource

    Resources on which the policy takes effect. A resource is in the format of Service name:Region:Domain ID:Resource type:Resource path. You can use a wildcard (*) to indicate all services, regions, domain IDs, resource types, or resource paths. In the JSON view, if Resource is not specified, the policy applies to all resources.

    +

    The value of Resource can only contain uppercase (A to Z), lowercase (a to z) letters, digits (0 to 9), and the following characters: -_*./\. If you want to specify unsupported characters, use the wildcard character (*).

    +

    OBS is a global service. Therefore, set Region to *. Domain ID indicates the ID of the resource owner. Set it to * to indicate the ID of the account that the resources belong to.

    Examples:

    -
    • obs:*:*:bucket:*: all OBS buckets
    • obs:*:*:object:my-bucket/my-object/*: all objects in the my-object directory of the my-bucket bucket
    -
  • Condition

    When creating a custom policy, you can add condition elements to control when the policy takes effect. A condition consists of a condition key and an operator. Condition keys are either global or service-level and are used in the condition elements of a policy statement. Global condition keys (starting with g:) are available for actions of all services, while service-level condition keys (starting with a service name acronym like obs:) are available only for actions of a specific service. An operator is used together with a condition key to form a complete condition statement.

    -

    OBS has a group of predefined condition keys that can be used in IAM. For example, to define an allow permission, you can use the condition key obs:SourceIp to filter matching requesters by IP address.

    -

    The condition keys and operators supported by OBS are the same as those in the bucket policy. When configuring condition keys in IAM, start the condition keys and operators with obs:. For detailed condition information, see Bucket Policy Parameters.

    -

    The value of Condition can contain only uppercase letters (A to Z), lowercase letters (a to z), digits (0 to 9), and the following characters: -,./_@#$%&. If the value contains unsupported characters, consider using the condition operators (such as StringLike and StringStartWith) for fuzzy match.

    +
    • obs:*:*:bucket:*: all OBS buckets
    • obs:*:*:object:my-bucket/my-object/*: all objects in the my-object directory of bucket my-bucket
    +
  • Condition

    When creating a custom policy, you can add conditions to control when the policy takes effect. A condition consists of a condition key and an operator. Condition keys are either global or service-level. Global condition keys (starting with g:) are available for actions on all services, while service-level condition keys (starting with a service name acronym like obs:) are available only for actions on a specific service. An operator is used together with a condition key to form a complete condition statement.

    +

    OBS has predefined a group of condition keys for use in IAM. For example, you can use the condition key obs:SourceIp to allow access from a specific IP address.

    +

    The condition keys and operators supported by OBS are the same as those in the bucket policy. When configuring condition keys in IAM, start the condition keys and operators with obs:. For detailed conditions, see Bucket Policy Parameters.

    +

    The value of Condition can only contain uppercase letters (A to Z), lowercase letters (a to z), digits (0 to 9), and the following characters: -,./_@#$%&. If you want to specify unsupported characters, use the condition operators (like StringMatch) for fuzzy match.

    Examples:

    • StringEndWithIfExists":{"g:UserName":["specialCharacter"]}: The statement is valid for users whose names end with specialCharacter.
    • "StringLike":{"obs:prefix":["private/"]}: When listing objects in a bucket, you need to set prefix to private/ or include private/.
@@ -755,10 +800,10 @@
-

Configuring IAM Permissions

+

Configuring IAM Permissions

-

Example Custom Policies

  • Example 1: Grant all OBS permissions to users.

    This policy allows users to perform any operation on OBS using the API, SDKs, OBS Console, or tools.

    -
    When a user logs in to OBS Console, the user accesses resources of other services, such as audit information in CTS, acceleration domain names in CDN, and keys in KMS. Therefore, in addition to the OBS permissions, you need to grant users the permissions for other services. CDN is a global service, while CTS, SMN, and KMS are regional ones. You need to configure the Tenant Guest permission for the global project and regional projects based on the services and regions that you use.
    {
+
    Example Custom Policies
    • Example 1: Grant permissions that allow full access to OBS.
      This policy allows users to perform any operation on OBS using the API, SDKs, OBS Console, or tools.
      
+
      If a user logs in to OBS Console and also accesses resources of other services, such as audit information in CTS, acceleration domain names in CDN, and keys in KMS, in addition to the OBS permissions, you need to grant users the permissions to access these services. CDN is a global service. CTS, SMN, and KMS are regional services. You need to configure the Tenant Guest permission for the global project and regional projects based on the services and regions that you use.
      {
     "Version": "1.1",
     "Statement": [
         {
@@ -770,7 +815,7 @@
     ]
 }
      
 
      
-
    • Example 2: Grant the read-only permission on a bucket to users (any directory).
      This policy allows users to list and download all objects in bucket obs-example.
      {
+
    • Example 2: Grant permissions that allow read-only access to a bucket (any directory).
      This policy allows users to list and download all objects from bucket obs-example.
      {
     "Version": "1.1",
     "Statement": [
         {
@@ -787,7 +832,7 @@
     ]
 }
      
 
      
-
    • Example 3: Grant the read-only permission on a bucket to users (specified directory).
      This policy allows users to only download objects in the my-project/ directory of bucket obs-example. Objects in other directories can be listed but cannot be downloaded.
      {
+
    • Example 3: Grant permissions that allow read-only access to a bucket (a specified directory).
      This policy allows users to download objects only from the my-project/ directory of bucket obs-example. Objects in other directories can be listed but cannot be downloaded.
      {
     "Version": "1.1",
     "Statement": [
         {
@@ -804,7 +849,7 @@
     ]
 }
      
 
      
-
    • Example 4: Grant the read and write permissions on a bucket to users (specified directory).
      This policy allows users to list, download, upload, and delete objects in the my-project directory of bucket obs-example.
      {
+
    • Example 4: Grant permissions that allow read and write access to a bucket (a specified directory).
      This policy allows users to list, download, upload, and delete objects in the my-project directory of bucket obs-example.
      {
     "Version": "1.1",
     "Statement": [
         {
@@ -824,7 +869,7 @@
     ]
 }
      
 
      
-
    • Example 5: Grant all permissions on a bucket to users.
      This policy allows users to perform any operation on bucket obs-example.
      {
+
    • Example 5: Grant permissions that allow full access to a bucket.
      This policy allows users to perform any operation on bucket obs-example.
      {
     "Version": "1.1",
     "Statement": [
         {
@@ -840,20 +885,20 @@
     ]
 }
      
 
      
-
    • Example 6: Deny a user the permission to upload objects.
      A policy with only "Deny" permissions must be used in conjunction with other policies to take effect. If the permissions assigned to a user contain both "Allow" and "Deny", the "Deny" permissions take precedence over the "Allow" permissions.
      
-
      The following method can be used if you need to assign permissions of the OBS OperateAccess policy to a user but also forbid the user from uploading objects. Create a custom policy for denying object upload, and assign both policies to the user. Then the user can perform all OBS OperateAccess permissions except uploading objects. The following is an example of a deny policy:
      
-
      { 
-         "Version": "1.1", 
-         "Statement": [ 
-                 {
-                         "Effect": "Deny", 
-                         "Action": [ 
-                                 "obs:object:PutObject" 
-                         ]
-                 }
-         ]
+
    • Example 6: Deny object upload.
      A policy with only Deny statements must be used together other policies. If the policy assigned to a user contains both Allow and Deny statements, the Deny statement take precedence over the Allow statement.
      
+
      If you need to assign OBS OperateAccess permissions to a user but prevent the user from uploading objects, you can create a custom policy to deny object upload, and assign this custom policy and OBS OperateAccess to the user. Then the user can perform all operations allowed by OBS OperateAccess except for uploading objects. The following is an example of a deny policy:
      
+
      {
+    "Version": "1.1",
+    "Statement": [
+        {
+            "Effect": "Deny",
+            "Action": [
+                "obs:object:PutObject"
+            ]
+        }
+    ]
 }
      
-
    • Example 7: Grant users the permissions required to change a bucket's storage class and to delete certain objects in the bucket.
      This policy allows users to change the storage class of bucket obs-example and to delete object my-object.txt in the bucket.
      
+
    • Example 7: Grant the permissions to change a bucket's storage class and delete certain objects from the bucket.
      This policy allows users to change the storage class of bucket obs-example and to delete object my-object.txt from the bucket.
      
 
      {
     "Version": "1.1",
     "Statement": [
@@ -882,7 +927,7 @@
 
    
 
 
diff --git a/docs/obs/perms-cfg/obs_40_0004.html b/docs/obs/perms-cfg/obs_40_0004.html
index 14b9d91f..c24bb4a1 100644
--- a/docs/obs/perms-cfg/obs_40_0004.html
+++ b/docs/obs/perms-cfg/obs_40_0004.html
@@ -1,8 +1,8 @@
 
 
 
    Bucket Policies
    
-
    Overview
    A bucket policy applies to an OBS bucket and objects in the bucket. By leveraging bucket policies, the owner of a bucket can authorize IAM users or other accounts the permissions to operate the bucket and objects in the bucket.
    
-
     
    • Creating a bucket and obtaining a bucket list are service-level operations. To obtain such operation permissions, you need to configure IAM permissions.
    • Due to data caching, after a bucket policy is configured, it takes 5 minutes at most for the policy to take effect.
    
+
    Overview
    A bucket policy applies to an OBS bucket and the objects in the bucket. Bucket policies let a bucket owner grant IAM users or other accounts permissions on the bucket and its objects.
    
+
     
    • Creating a bucket and obtaining a bucket list are service-level operations. To obtain such operation permissions, you need to configure IAM permissions.
    • Due to data caching, it takes 5 minutes at most for a bucket policy to take effect.
    
 
    
 
    
 
    Bucket Policy Overview
    A bucket policy is attached to a bucket and objects in the bucket. An OBS bucket owner can use bucket policies to grant IAM users, other accounts, or anonymous users the permissions to operate buckets and objects in the buckets. OBS provides standard and advanced bucket policies.
    
@@ -71,11 +71,11 @@
 
    
 
    Custom Bucket Policy:
    
 
    The following three modes are provided to facilitate quick configuration of a custom bucket policy:
    
-
    • Read-only: With the Read-only mode, you only need to specify the Principal (authorized users). Then the authorized users have the read permission for the bucket and objects in the bucket, and can perform all GET operations on these resources.
    • Read and write: With the Read and write mode, you only need to specify the Principal (authorized users). Then the authorized users have the full control permissions for the bucket and objects in the bucket, and can perform any operation on these resources.
    • Customized: With the Customized mode, you can define the specific operation permissions that you want to authorize to users and accounts by configuring the parameters of Effect, Principal, Resources, Actions, and Conditions. For details, see Bucket Policy Parameters.
    
+
    • Read-only: With the Read-only mode, you only need to specify the Principal (authorized users). Then the authorized users have the read permission for the bucket and objects in the bucket, and can perform all GET operations on these resources.
    • Read and write: With the Read and write mode, you only need to specify the Principal (authorized users). Then the authorized users have the full control permissions for the bucket and objects in the bucket, and can perform any operation on these resources.
    • Customized: With the Customized mode, you can define the specific operation permissions that you want to authorize to users and accounts by configuring the parameters of Effect, Principal, Resources, Actions, and Conditions. For details, see Bucket Policy Parameters.
    
 
     
    On OBS Console, when you use the custom bucket policy to authorize other users with resource operation permissions, you also need to authorize the users with the bucket read permission ListBucket (leave the resource name blank to indicate that the policy takes effect on the entire bucket). Otherwise, the users have no permission to access the bucket.
    
 
    
 
    
-
    Bucket Policy Application Scenarios
    • You can use bucket policies to grant other accounts the permissions to access OBS resources.
    • You can configure bucket policies to grant IAM users various access permissions to different buckets.
    
+
    Application Scenarios of a Bucket Policy
    • Grant other accounts the permissions to access OBS resources.
    • Grant IAM users the permissions to access buckets.
    
 
    
 
    Policy Structure and Syntax
    A bucket policy is in JSON format. The format is as follows:
    { 
 "Statement" : [
@@ -89,33 +89,33 @@
   ]
 }
    
 
    
-
    Example:
    {
-   "Statement":[
-       {
+
    Example:
    {
+   "Statement":[
+       {
            "Sid": "ExampleStatementID1",
-           "Principal":{
-               "ID":[
+           "Principal":{
+               "ID":[
                    "domain/account ID", 
                    "domain/account ID:user/User ID" 
-               ]
-           },
-           "Effect":"Allow",
-           "Action":[
-               "CreateBucket",
-               "DeleteBucket"
-           ],
-           "Resource":"000-02/key01",
-           "Condition":{
-               "NumericNotEquals":{
-                   "Referer":"sdf"
-               },
-               "StringNotLike":{
-                   "Delimiter":"ouio"
-               }
-           }
-       }
-   ]
- }
    
+               ]
+           },
+           "Effect":"Allow",
+           "Action":[
+               "CreateBucket",
+               "DeleteBucket"
+           ],
+           "Resource":"000-02/key01",
+           "Condition":{
+               "NumericNotEquals":{
+                   "Referer":"sdf"
+               },
+               "StringNotLike":{
+                   "Delimiter":"ouio"
+               }
+           }
+       }
+   ]
+ }
    
 
    
 
    A bucket policy comprises one or more statements. Each statement contains the following elements:
    
 
@@ -158,14 +158,14 @@

Action

Actions which a statement applies to. This parameter specifies a set of all the operations supported by OBS. Its values are case insensitive. The value supports a wildcard character (*) that indicates all actions, for example, "Action":["List*", "Get*"].

+

Actions which a statement applies to. This parameter specifies a set of all the operations supported by OBS. Its values are case insensitive. You can use a wildcard character (*) to indicate all actions, for example, "Action":["List*", "Get*"].

Optional. Select either Action or NotAction.

NotAction

An exception to a list of actions in the statement. All actions are performed except the one specified in NotAction. The value of this element is similar to Action.

+

An exception to a list of actions in the statement. All actions are performed except the ones specified in NotAction. The value of this element is similar to Action.

Optional. Select either Action or NotAction.
Table 1 Authorized users supported by OBS

Principal

+
- - - - @@ -47,9 +47,9 @@
Table 1 Users for whom you can create an ACL to grant bucket access permissions

Principal

Description

Specific User

+

Specific users

ACLs can be used to grant accounts with bucket/object access permissions. Once a specific account is granted with certain bucket/object access permissions, all IAM users who have OBS resource permissions under this account can have the same access permissions to operate the bucket or object.

-

You can configure bucket policies to grant different permissions to different IAM users.

+

ACLs can be used to grant accounts permissions to access buckets and objects. Once a specific account is granted such permissions, all IAM users under this account have the same permissions as this account.

+

If you want to grant different permissions to different IAM users, you can configure bucket policies.

Owner

The owner of a bucket is the account that created the bucket. The bucket owner has all bucket access permissions by default. The read and write permissions to the bucket ACL are permanently available to the bucket owner, and cannot be modified.

-

An object owner is the account that uploads the object, but may not be the owner of the bucket that stores the object. The object owner has all control over the object by default. The read and write permissions to the object ACL are permanently available to the object owner, and cannot be modified.

-
NOTICE:

Do not modify the bucket owner's read and write access permissions for the bucket.

+

The owner of a bucket is the account that created the bucket. The bucket owner has all permissions for the bucket by default. The read and write permissions to the bucket ACL are permanently available to the bucket owner, and cannot be modified.

+

An object owner is the account that uploads the object and is not necessarily the owner of the bucket that stores the object. The object owner has all control over the object by default. The read and write permissions to the object ACL are permanently available to the object owner, and cannot be modified.

+
NOTICE:

Do not modify the bucket owner's read and write permissions for the bucket.

Anonymous users

Visitors who have not registered. If the permissions to access a bucket or an object are granted to anonymous users, everyone can access the object or bucket without identity authentication.

-
NOTICE:

If the permissions to access a bucket or an object are granted to anonymous users, everyone can access the object or bucket without identity authentication.

+

Visitors who have not registered.

+
NOTICE:

If the permissions to access a bucket or an object are granted to anonymous users, everyone can access the bucket or an object without authentication.
-

Bucket ACL

Table 2 lists the access permissions of a bucket ACL.

+

Bucket ACL

Table 2 lists the permissions of a bucket ACL.

-
Table 2 Access permissions controlled by a bucket ACL

Permission Related Concepts

+
@@ -57,43 +57,43 @@ - - - - - - -
Table 2 Bucket ACL permissions

Permission

Option

Access to Bucket

+

Access to bucket

Read

A grantee with the read access to a bucket can obtain the list of objects in the bucket and the metadata of the bucket.

+

A user with this permission can obtain the list of objects in a bucket and the metadata of the bucket.

Object read

+

Read

A grantee with this permission can obtain the object content and metadata.

+

A user with this permission can obtain the object content and metadata.

Write

A grantee with the write access to a bucket can upload, overwrite, and delete any object in the bucket.

+

A user with this permission can upload, overwrite, and delete any object in a bucket.

Access to ACL

Read

A grantee with the read access to a bucket ACL can obtain the ACL of the bucket.

+

A user with this permission can obtain the ACL of the bucket.

The bucket owner has this permission permanently by default.

Write

A grantee with the write access to a bucket ACL can update the ACL of the bucket.

+

A user with this permission can update the ACL of the bucket.

The bucket owner has this permission permanently by default.
-

Table 3 lists the access permissions of an object ACL.

+

Table 3 lists the permissions of an object ACL.

-
Table 3 Access permissions controlled by an object ACL

Permission Related Concepts

+
@@ -101,43 +101,43 @@ - - - -
Table 3 Object ACL permissions

Permission

Option

Access to Object

+

Access to object

Read

A grantee with the read access to an object can obtain the content and the metadata of the object.

+

A user with this permission can obtain the content and metadata of an object.

Access to ACL

Read

A grantee with the read access to an object ACL can obtain the ACL of the object.

+

A user with this permission can obtain the object ACL.

The object owner has this permission permanently by default.

Write

A grantee with the write access to an object ACL can update the ACL of the object.

+

A user with this permission can update the ACL of the object.

The object owner has this permission permanently by default.
-

Every time you change the bucket or object access permission setting in an ACL, it overwrites the existing setting instead of adding a new access permission to the bucket or object.

+

Every time you change the permissions for a bucket or an object in an ACL, it overwrites the existing permissions instead of adding permissions to the bucket or object.

Application Scenarios of Bucket ACLs

You can configure bucket ACLs to:

-
  • Grant an account the read and write access to a bucket, so that data in the bucket can be shared or external buckets can be added. For example, after account A grants account B the read and write access to a bucket, account B can access the bucket by adding an external bucket through OBS Browser+ or using APIs.
  • Grant the log delivery user group with the write access to the target bucket, so that access logs can be delivered to the target bucket.
+
  • Grant an account the read and write permissions to a bucket, so that this account can add the bucket as an external one and access objects in the bucket. For example, if you grant an account the read and write permissions to a bucket, the account can access the bucket by adding it as an external bucket through OBS Browser+ or by using APIs.
  • Grant the log delivery user group the write permissions to a bucket that stores access logs.

Application Scenarios of Object ACLs

You can configure object ACLs to:

-
  • Control access to objects. A bucket policy can control access to a single object or a set of objects. If you want to further separately control access to a single object in the set of objects for which a bucket policy has been configured, the object ACL is recommended.
  • Access an object through a URL. Generally, if you want to grant anonymous users the permission to read an object through a URL, use the object ACL.
+
  • Control access to objects. A bucket policy can control access to a single object or a set of objects. If you want to further control access to a single object in the set of objects for which a bucket policy has been configured, use the object ACL.
  • Access an object through a URL. If you want to grant anonymous users the permission to read an object through a URL, use the object ACL.

Configuring an ACL Using Header Fields

Access Control Policies

-

You can set an access control policy in a header when creating a bucket or uploading an object (for details about the examples, see Creating a Bucket and Uploading Objects - PUT). Only the access control policies predefined in OBS are available. The x-obs-acl is special, which can be configured with six types of permissions. No matter what type of permissions is configured, the owner has full control permission for the buckets or objects. The following table lists the predefined policies.

+

You can set an access control policy in a header when creating a bucket or uploading an object (for details, see Creating a Bucket and Uploading Objects - PUT). Only the access control policies predefined in OBS are available. The x-obs-acl is special, which can be configured with six types of permissions. No matter what type of permissions is configured, the owner has full control permission for the buckets or objects. The following table lists the predefined policies.

-
Table 4 Predefined access control policies in OBS

Policy

+
@@ -145,46 +145,48 @@ - - - - -
Table 4 Predefined permissions in OBS

Permission

Description

private

Indicates that a bucket or object can be accessed only by its owner.

+

A bucket or an object can be accessed only by its owner.

public-read

If this permission is set for a bucket, everyone can obtain the object list, multipart tasks, bucket metadata, and multiple object versions.

+

If this permission is set for a bucket, everyone can obtain its object list, multipart tasks, and metadata.

If this permission is set for an object, everyone can obtain the content and metadata of the object.

public-read-write

If this permission is configured for a bucket, everyone can obtain the object list, multipart uploads, bucket metadata, and object versions, and can upload or delete objects, initiate multipart uploads, upload parts, assemble parts, copy parts, and cancel multipart uploads.

+

If this permission is configured for a bucket, everyone can:

+
  • Obtain its object list, multipart uploads, and metadata.
  • Upload, delete objects.
  • Initiate, cancel multipart uploads, upload, assemble, and copy parts.

If this permission is set for an object, everyone can obtain the content and metadata of the object.

public-read-delivered

If this permission is set for a bucket, everyone can obtain the object list, multipart tasks, bucket metadata, and multiple object versions, and obtain the content and metadata of the objects in the bucket.

+

If this permission is set for a bucket, everyone can obtain its object list, multipart tasks, metadata, and obtain the content and metadata of the objects in the bucket.

This permission does not apply to objects.

public-read-write-delivered

If this permission is configured for a bucket, everyone can obtain the object list, multipart uploads, bucket metadata, and object versions, and can upload or delete objects, initiate multipart uploads, upload parts, assemble parts, copy parts, and cancel multipart uploads. Users can also obtain content and metadata of objects in the bucket.

+

If this permission is configured for a bucket, everyone can:

+
  • Obtain its object list, multipart uploads, and metadata.
  • Upload, delete objects, and obtain content and metadata of objects in the bucket.
  • Initiate, cancel multipart uploads, upload, assemble, and copy parts.

This permission does not apply to objects.

bucket-owner-full-control

If this permission is configured for an object, the bucket and object owners have the full control over the object.

-

By default, if you upload an object to a bucket of any other user, the bucket owner does not have the permissions on your object. After you grant this policy to the bucket owner, the bucket owner can have full control over your object.

+

By default, if you upload an object to a bucket of any other user, the bucket owner does not have the permissions on your object. After you grant this permission to the bucket owner, the bucket owner can have full control over your object.
-

By default, the access control policy is private.

+

By default, the permission is private.

-

You can also use the following header fields to set access control policies when creating a bucket or uploading an object.

+

You can also use the following header fields to set permissions when creating a bucket or uploading an object.

@@ -219,13 +221,13 @@ - - - @@ -236,7 +238,7 @@ diff --git a/docs/obs/perms-cfg/obs_40_0007.html b/docs/obs/perms-cfg/obs_40_0007.html index 28ce3ba9..bef08efc 100644 --- a/docs/obs/perms-cfg/obs_40_0007.html +++ b/docs/obs/perms-cfg/obs_40_0007.html @@ -1,10 +1,10 @@

Accessing OBS Using Permanent Access Keys

-

OBS provides REST APIs that supports authenticated requests and anonymous requests. Anonymous requests are typically used for scenarios that require public access, such as accessing a hosted static website. In most scenarios, accessing OBS resources require authenticated requests. An authenticated request contains a signature value. The signature value is calculated based on the requester's access keys (a pair of AK and SK) as the encryption factor and the specific information carried by the request body. The signature calculation process is included in the SDK. You only need to prepare the access keys when initializing the SDK. Then the signature calculation is implemented automatically. However, if a client uses the REST APIs to develop a program to access OBS, the client needs to calculate the signature based on the signature algorithm defined by the OBS and add the signature to the request.

+

OBS REST APIs support authenticated requests and anonymous requests. Anonymous requests are typically used for public access, such as accessing hosted static websites. In most cases, authenticated requests are required for accessing OBS resources. An authenticated request contains a signature value that is calculated based on the requester's access keys (AK and SK) and the specific information carried in the request body. You only need to prepare the access keys for the SDK. The SDK will then automatically calculate the signature for you. However, if a client uses REST APIs to develop a program to access OBS, the client needs to calculate the signature based on the signature algorithm defined by OBS and add the signature to the request.

Users can create permanent access keys (a pair of AK and SK) on the My Credentials page.

-
  • AK stands for the access key ID. It is the unique ID associated with the secret access key (SK). An AK is used together with an SK to encrypt and sign a request.
  • They can identify a request sender and prevent the request from being modified.
-

An AK is also the unique identifier of an IAM user. OBS identifies a user based on its AK and SK, and then checks the permissions.

+
  • AK: a unique ID of the secret access key (SK). An AK is used together with an SK to encrypt and sign a request.
  • SK: a secret access key used together with its AK to verify a request sender and prevent the request from being tampered with.
+

An AK can also identify an IAM user. OBS identifies an IAM user by their AK and SK, and then checks whether they have the permissions to access the resources they are requesting.

For details about how to obtain the permanent access keys, see Where Can I Obtain Access Keys (AK and SK)?

diff --git a/docs/obs/perms-cfg/obs_40_0008.html b/docs/obs/perms-cfg/obs_40_0008.html index 965e65db..0f515b19 100644 --- a/docs/obs/perms-cfg/obs_40_0008.html +++ b/docs/obs/perms-cfg/obs_40_0008.html @@ -1,28 +1,28 @@

Accessing OBS Using Temporary Access Keys

-

Temporary Access Keys

OBS can be accessed through temporary access keys and the security token, which can be obtained on IAM. You can assign the temporary access keys (including the security token) to a third-party application and an IAM user, so they can access OBS within a specified period of time.

-

You can obtain the temporary access keys and security token by calling the IAM API in Obtaining a Temporary AK/SK.

-

Temporary AK/SK and security token comply with the least privilege principle and can be used to temporarily access OBS. When you use a temporary AK/SK pair to call an API for authentication, you must use the temporary AK/SK and security token at the same time and add the x-obs-security-token field to the request header.

+

Temporary Access Keys

You can assign temporary security credentials (including an AK, an SK, and a security token) to a third-party application or an IAM user, so that they can access OBS only for a specified period of time.

+

You can obtain temporary security credentials by calling an IAM API. For details, see Obtaining a Temporary AK/SK.

+

The least privilege principle is granted for temporary security credentials to ensure security. Both a temporary AK/SK pair and a security token are required to call an API for authentication, which means that the request header needs to include x-obs-security-token field.

Temporary access keys have the following advantages over permanent access keys of IAM users:

-
  • Temporary access keys are valid for 15 minutes to 24 hours. You do not need to expose the permanent access keys of IAM users, reducing security risks.
  • When obtaining temporary access keys, you can pass policy parameters to further restrict the temporary permissions granted to users. This ensures that IAM users can effectively control permissions granted to other users.
+
  • Temporary access keys are valid for 15 minutes to 24 hours. Permanent access keys of IAM users are not exposed, reducing the risk of identity theft or fraud.
  • When obtaining temporary access keys, you can send the policy parameter to request for the least temporary permissions that can be granted to IAM users.

For details, see Authenticating a Request.

-

Permissions of the Temporary Access Keys

When an IAM user calls the IAM API in Obtaining a Temporary AK/SK, the user can specify parameter policy to add a temporary policy for the temporary access keys to further restrict the permissions granted to other users. The format and content of a temporary policy are consistent with those specified in IAM Permissions.

-
  • If policy parameters are not specified, no temporary policies are used. The temporary access keys inherit the IAM user's permissions.
  • If policy parameters are specified, a temporary policy is enabled. Then the temporary access keys confine the granted permissions according to the temporary policy and the IAM user permissions.
-

As shown in the following figure, circle 1 indicates the original permissions of an IAM user, and circle 2 indicates the temporary permissions specified by a temporary policy. The overlapped part 3 is the scope of permissions enabled by the temporary access keys.

+

Permissions of Temporary Access Keys

When an IAM user calls the IAM API for Obtaining a Temporary AK/SK, the user can send the policy parameter to add a temporary policy to further restrict the permissions that can be granted to other users. The format and content of a temporary policy should be consistent with those specified in IAM Permissions.

+
  • If the policy parameter is not specified, the temporary access keys have the IAM user's permissions.
  • If the policy parameter is specified, the temporary access keys' permissions are the overlaps between the temporary policy's permissions and the IAM user's permissions.
+

As shown in the following figure, circle 1 indicates an IAM user's permissions, and circle 2 indicates the temporary policy's permissions. The overlapping part 3 is the permissions of the temporary access keys.

Figure 1 Intersection of IAM user permissions and temporary policy permissions
-

Temporary access keys comply with the least privilege principle. Configure a temporary policy within the original permission scope of an IAM user. Otherwise you may be confused about why permissions enabled by a temporary policy are not effective. As illustrated by the following figure, the finally effective permissions are the authorized temporary permissions.

-
Figure 2 Restricting temporary permissions within the scope of IAM user permissions
-

A temporary policy authentication starts from the Deny statements. Unspecified permissions are denied by default.

-

Therefore, you are advised to specify only the allowed permission.

+

Temporary access keys have the least privilege. You are advised to restrict a temporary policy's permissions within an IAM user's permissions. If a temporary policy's permissions are not all within the IAM user's permissions, the temporary access keys' permissions are definitely not the temporary policy's permissions. As illustrated by the following figure, the finally granted permissions are the temporary policy's permissions.

+
Figure 2 Restricting temporary permissions within IAM user permissions
+

For a temporary policy's permissions, Deny always overrides Allow. Unspecified permissions are all Deny permissions by default.

+

Therefore, you are advised to specify only Allow permissions.

-

Application Scenarios

Temporary access keys are used to authorize third parties to temporarily access OBS. For example, some companies have their user management systems, which manage device app users and local enterprise users. These users do not have IAM user permissions, so IAM users can grant temporary access keys to these users when they need to access OBS.

+

Application Scenarios

Temporary access keys are authorized to third parties to allow them to temporarily access OBS. For example, some companies have user management systems that manage app users and local users. These users do not have IAM user permissions, so IAM can grant temporary access keys to allow these users to temporarily access OBS.

Typical application scenario:

-

A company has a large number of device apps that need to access OBS. Different apps represent different end users who require different access permissions. In this case, temporary access keys can be used to access OBS.

+

A company has a large number of apps that need to access OBS. Different apps require different access permissions. In this case, temporary access keys can be granted to app users to allow them to temporarily access OBS.

Figure 3 Application scenarios of temporary access keys
-
  1. If the customer's server can obtain permanent access keys for IAM users, the server can send requests to IAM to generate different temporary access keys for different apps.

    IAM users can obtain the temporary access keys and security token by calling the IAM API in Obtaining a Temporary AK/SK. When calling this API, pass the policy parameter to set a temporary policy. An example is provided as follows:

    +
    1. The customer server has permanent access keys, so it can request IAM to generate different temporary access keys for different apps.

      IAM users can call the IAM API for Obtaining a Temporary AK/SK. IAM users can also send the policy parameter to request for temporary policy's permissions. An example is provided as follows:

      {
     "auth": {
         "identity": {
@@ -36,7 +36,7 @@
     }
 }

      The policy's syntax and format are the same as those specified in IAM Permissions.

      -
    2. IAM generates temporary access keys with different permissions and validity periods based on the passed policy parameters and returns the access keys to the customer server.
    3. Then the customer server distributes the temporary access keys to device apps that require such permissions.
    4. A device app can use the temporary access keys to access OBS through OBS SDKs or APIs. Temporary access keys are valid for a short period of time. If the device app needs to prolong its use of OBS, it should send a request to the customer server for updating temporary access keys before they expire.
    +
  2. IAM generates temporary access keys with different permissions and validity periods based on the policy parameter and returns the access keys to the customer server.
  3. The customer server distributes the temporary access keys to apps.
  4. Apps can use the temporary access keys to access OBS through OBS SDKs or APIs. Temporary access keys are valid for the specified period of time. If the apps need to prolong the access to OBS, they should request to the customer server to update temporary access keys before they expire.

Configuration Example

For details, see Granting Temporary Access to OBS.

diff --git a/docs/obs/perms-cfg/obs_40_0009.html b/docs/obs/perms-cfg/obs_40_0009.html index cf66b4d4..ae58834d 100644 --- a/docs/obs/perms-cfg/obs_40_0009.html +++ b/docs/obs/perms-cfg/obs_40_0009.html @@ -1,16 +1,16 @@

Accessing OBS Using a Temporary URL

-

You can use a temporary URL to access OBS and perform operations such as bucket creation or object upload and download. This section describes how to share objects using a temporary URL.

-

Sharing Objects

You can share objects (files or folders) stored in OBS with all users within a specified period.

+

You can share a temporary URL to allow other users to access OBS to create buckets and upload and download objects. This section describes how to share a temporary URL to allow other users to temporarily access objects.

+

Sharing Objects

You can share a temporary URL to allow other users to access objects (files or folders) for only a specified period of time.

Sharing a file

-

All URLs generated during file sharing are temporary and remain valid for a limited period of time.

-

A temporary URL uses V4 temporarily authorized requests. The following is a temporary URL sample:

-
https://oss.regionid.example.region.com/bucketname/objectname?X-Amz-Algorithm=xxx&X-Amz-Credential=xxx&X-Amz-Date=xxx&X-Amz-Expires=900&X-Amz-Signature=xxx&X-Amz-SignedHeaders=xxx&response-content-disposition=xxx
-

For details about the temporary authentication and parameters, see V4 Temporarily Authorized Request in the Object Storage Service API Reference. A temporary URL also contains the response-content-disposition parameter that defines whether an object is directly downloaded or previewed in a browser when it is accessed. This is determined by the browser based on the Content-Type of the shared object.

+

All URLs generated during file sharing are temporary and remain valid for a specified period of time.

+

A temporary URL uses V4 temporarily authorized requests. The following is an example:

+
https://oss.regionid.example.region.com/bucketname/objectname?X-Amz-Algorithm=xxx&X-Amz-Credential=xxx&X-Amz-Date=xxx&X-Amz-Expires=900&X-Amz-Signature=xxx&X-Amz-SignedHeaders=xxx&response-content-disposition=xxx
+

For details about the temporary authentication and parameters, see V4 Temporarily Authorized Request in the Object Storage Service API Reference. A temporary URL also contains the response-content-disposition parameter that defines whether an object is to be downloaded or previewed in a browser. The browser obtains the value of response-content-disposition based on the Content-Type of the shared object.

After you share an object by choosing More > Copy Object URL on OBS Console, the system will generate a URL that contains the temporary authentication information, valid for 900 seconds since its generation by default. Each time you click Copy Object URL, OBS will obtain the authentication information again to generate a new sharing URL whose validity period is reset.

-

Limitations and Constraints

  • The validity period of files shared through OBS Console is fixed at 900s. If you want a file to be accessed permanently, you can configure a bucket policy or an object policy.
  • Only buckets 3.0 support file and folder sharing. You can view the bucket version in the Basic Information area on the Overview page of a bucket.
  • To share a cold object, restore it first.
+

Limitations and Constraints

  • The validity period of files shared through OBS Console is fixed at 900s. If you want to allow permanent access to a file, you can configure a bucket policy or an object policy.
  • Only buckets of version 3.0 support file and folder sharing. You can view the bucket version in the Basic Information area on the Overview page of a bucket.
  • To share a cold object, restore it first.
diff --git a/docs/obs/perms-cfg/obs_40_0010.html b/docs/obs/perms-cfg/obs_40_0010.html index d31200b9..0faca685 100644 --- a/docs/obs/perms-cfg/obs_40_0010.html +++ b/docs/obs/perms-cfg/obs_40_0010.html @@ -1,7 +1,7 @@

Accessing OBS Using an IAM Agency

-

The IAM agency is a function of Identity and Access Management (IAM). In some OBS application scenarios (such as CDN private bucket retrieval and cross-region replication), IAM agencies are required to grant other users or cloud services the permission to access OBS and manage OBS resources for the delegating party, thus implementing secure and efficient agent maintenance.

+

The IAM agency is a function of Identity and Access Management (IAM). In scenarios such as CDN private bucket retrieval and cross-region replication, IAM agencies are required to grant other users or cloud services the permissions to access and to securely and efficiently manage OBS resources.

For details about IAM agencies, see Identity and Access Management User Guide.

diff --git a/docs/obs/perms-cfg/obs_40_0011.html b/docs/obs/perms-cfg/obs_40_0011.html index 907378c6..07886dc3 100644 --- a/docs/obs/perms-cfg/obs_40_0011.html +++ b/docs/obs/perms-cfg/obs_40_0011.html @@ -1,34 +1,34 @@ -

Typical Permission Control Scenarios

-

The following typical scenarios are provided to help you better configure OBS permission control.

-

Factors to consider before configuring permission control:

-
  1. Who are granted: Grantees can be a single IAM user, multiple IAM users or user groups, other accounts, and anonymous users.
  2. What resources will be accessed: Such resources can be all OBS resources (requiring service-level permissions), specified buckets, and specified objects.
  3. What permissions are granted: In addition to configure basic permissions, such as read and read/write permissions, you can also customize permissions based on your needs.
-

OBS provides various permission control mechanisms for different scenarios. The following figure can help you quickly find the best method that matches your requirements.

-
Figure 1 Typical permission scenarios
-

The following table lists the permission control cases in typical scenarios for your reference.

+

Typical Permissions Scenarios

+

The permissions settings for typical scenarios are provided to facilitate permissions management.

+

You need to consider the following factors before configuring permissions:

+
  1. Who are granted access: A single IAM user, multiple IAM users or user groups, other accounts, or anonymous users
  2. What resources will be accessed: All OBS resources (service-level permissions), specified buckets, or specified objects
  3. What permissions are granted: Basic permissions, such as read and read/write permissions, or customized permissions
+

OBS provides various permission control methods for different scenarios. The following figure can help you quickly find the best method for your needs.

+
Figure 1 Typical permissions scenarios
+

The following table lists the typical scenarios for your reference.

-
Table 5 Header fields for setting bucket or object ACLs

Header

x-obs-grant-read-delivered

Used to grant the READ permission for buckets and objects in the buckets to all users in a specific account, and objects inherit the permissions of their bucket.

+

Used to grant the READ permission for buckets and their objects to all users in a specific account, and objects inherit the permissions of their bucket.

This permission does not apply to objects.

x-obs-grant- full-control- delivered

+

x-obs-grant-full-control-delivered

Used to grant the FULL_CONTROL permission for buckets and objects in the buckets to all users in a specific account, and objects inherit the permissions of their bucket.

+

Used to grant the FULL_CONTROL permission for buckets and their objects to all users in a specific account, and objects inherit the permissions of their bucket.

This permission does not apply to objects.
Table 1 Configuration cases in typical scenarios

Scenario

+
- - - - - - - - - - - - - - - - - -
Table 1 Typical permission configuration scenarios

Scenario

Configuration Case

+

Quick Links for Permission Configuration

Granting permissions to an IAM user under the current account

+

Granting permissions to a single IAM user under the current account

Granting an IAM User the Permissions Required to List and Create Buckets

+

Granting an IAM User the Permissions to Create and List Buckets

Granting an IAM User the Read and Write Permissions on a Bucket

+

Granting an IAM User the Read/Write Permission on a Bucket

Granting an IAM User the Permissions Required to Perform Specific Operations on a Specific Bucket

+

Granting an IAM User the Specified Permissions for a Bucket

Granting an IAM User the Read Permission on a Specific Object

+

Granting an IAM User the Read Permissions on Specific Objects

Granting an IAM User the Permissions Required to Perform Specific Operations on Certain Objects

+

Granting an IAM User the Specific Permissions on Specific Objects

Granting permissions to multiple IAM users or user groups under the current account

@@ -39,38 +39,38 @@

Granting IAM User Groups Basic Permissions on All OBS Resources

Granting IAM User Groups Specified Permissions on All OBS Resources

+

Granting IAM User Groups Specific Permissions for All OBS Resources

Granting IAM User Groups Specified Permissions on Certain OBS Resources

+

Granting IAM User Groups Specific Permissions on Specific OBS Resources

Granting permissions to other accounts

Granting an Account the Read and Write Permissions on a Bucket

+

Granting Other Accounts the Read/Write Permission for a Bucket

Granting an Account the Specified Permissions on a Bucket

+

Granting Other Accounts the Specified Permissions for a Bucket

Granting IAM Users Under an Account the Access to a Bucket and Resources in the Bucket

+

Granting IAM Users Under an Account the Access to a Bucket and the Resources in It

Granting an Account Read Permissions on Certain Objects

+

Granting Other Accounts the Read Permission for Certain Objects

Granting an Account the Specified Permissions on Certain Objects

+

Granting Other Accounts Specific Permissions for Specific Objects

Granting permissions to anonymous users

Granting Anonymous Users Public Read Permissions on a Bucket

+

Granting Anonymous Users the Public Read Permission for a Bucket

Granting Anonymous Users Public Read Permissions on a Directory

+

Granting Anonymous Users the Read Permission for a Directory

Granting Anonymous Users Public Read Permissions on Certain Objects

+

Granting Anonymous Users the Read Permission for Certain Objects

Temporarily Sharing Objects with Anonymous Users

@@ -83,11 +83,16 @@

Restricting access to specified IP addresses

Preventing Specific IP Addresses from Accessing a Bucket

+

Restricting Access to a Bucket for Specific IP Addresses
+ diff --git a/docs/obs/perms-cfg/obs_40_0012.html b/docs/obs/perms-cfg/obs_40_0012.html index a934ac23..9d9af89d 100644 --- a/docs/obs/perms-cfg/obs_40_0012.html +++ b/docs/obs/perms-cfg/obs_40_0012.html @@ -1,9 +1,11 @@ -

Configuration Cases in Typical Permission Control Scenarios

+

Permission Configuration in Typical Scenarios

diff --git a/docs/obs/perms-cfg/obs_40_0013.html b/docs/obs/perms-cfg/obs_40_0013.html index 21d4db56..0de7b0b7 100644 --- a/docs/obs/perms-cfg/obs_40_0013.html +++ b/docs/obs/perms-cfg/obs_40_0013.html @@ -4,20 +4,20 @@
-
Parent topic: Configuration Cases in Typical Permission Control Scenarios
+
Parent topic: Permission Configuration in Typical Scenarios
diff --git a/docs/obs/perms-cfg/obs_40_0014.html b/docs/obs/perms-cfg/obs_40_0014.html index 646044aa..cf1010c6 100644 --- a/docs/obs/perms-cfg/obs_40_0014.html +++ b/docs/obs/perms-cfg/obs_40_0014.html @@ -1,11 +1,11 @@ -

Granting an IAM User the Permissions Required to List and Create Buckets

-

Scenario

This topic describes how to grant an IAM user the permissions required to create and list buckets. An IAM user with this permission can create buckets. The created buckets are still owned by the account of the IAM user. The IAM user can view all buckets under the account.

+

Granting an IAM User the Permissions to Create and List Buckets

+

Scenario

This topic describes how to grant an IAM user the permissions to create and list buckets. An IAM user with this permission can create and list buckets. The created buckets are owned by the account of the IAM user. The IAM user can also view all buckets under the account.

-

Recommended Configuration

Permissions to create and list buckets are at OBS service-level, which can be implemented only through IAM. You are advised to use IAM custom policies.

+

Recommended Configuration

To create and list buckets, you need OBS-level permissions, which can be configured on IAM.

-

Procedure

  1. Log in to the management console using a cloud service account.
  2. On the top menu bar, choose Service List > Management & Deployment > Identity and Access Management. The IAM console is displayed.
  3. In the navigation pane, choose Permissions.
  4. Click Create Custom Policy in the upper right corner.
  5. Configure parameters for a custom policy.

    Figure 1 Configuring a custom policy
    +

    Procedure

    1. Log in to the management console using a cloud service account.
    2. On the top menu bar, choose Service List > Management & Deployment > Identity and Access Management.
    3. In the navigation pane, choose Permissions.
    4. Click Create Custom Policy in the upper right corner.
    5. Configure a custom policy.

      Figure 1 Configuring a custom policy
      @@ -15,12 +15,12 @@ - - -
      Table 1 Parameters for configuring a custom policy

      Parameter

      Policy Name

      Name of the custom policy

      +

      Enter a policy name.

      Policy View

      Set this parameter based on your own habits. Visual editor is used here.

      +

      Select one based on your own habits. Visual editor is used here.

      Policy Content

      @@ -30,14 +30,14 @@

      Scope

      The default value is Global services.

      +

      Use the default value Global services.
      -

    6. Click OK. The custom policy is created.
    7. Create a user group and assign permissions.

      Add the created custom policy to the user group by following the instructions in the IAM document.

      -

    8. Add the IAM user you want to authorize to the created user group by referring to Creating a User and Adding the User to a User Group.

      Due to data caching, it takes about 10 to 15 minutes for a custom policy to take effect after the authorization.

      +

    9. Click OK.
    10. Create a user group and assign permissions.

      Apply the created custom policy to the user group by following the instructions in the IAM document.

      +

    11. Add the IAM user you want to authorize to the created user group.

      Due to data caching, it takes about 10 to 15 minutes for a custom policy to take effect.

    diff --git a/docs/obs/perms-cfg/obs_40_0015.html b/docs/obs/perms-cfg/obs_40_0015.html index 5812676f..09e53476 100644 --- a/docs/obs/perms-cfg/obs_40_0015.html +++ b/docs/obs/perms-cfg/obs_40_0015.html @@ -1,17 +1,16 @@ -

    Granting an IAM User the Read and Write Permissions on a Bucket

    -

    Scenario

    This topic describes how to grant an IAM user the read and write permissions on an OBS bucket.

    +

    Granting an IAM User the Read/Write Permission on a Bucket

    +

    Scenario

    This topic describes how to grant an IAM user the read/write permission on an OBS bucket.

    -

    Recommended Configuration

    You are advised to use bucket policies to grant resource-level permissions to an IAM user.

    +

    Recommended Configuration

    To grant resource-level permissions to an IAM user, use a bucket policy.

    -

    Configuration Precautions

    The preset read/write mode of OBS has the following permissions:

    -
    • GetObject: downloading objects
    • PutObject: uploading objects
    • GetObjectVersion: downloading versioned objects
    • DeleteObjectVersion: deleting objects versions
    • DeleteObject: deleting objects
    -

    After the configuration is complete, read and write operations (uploading, downloading, and deleting all objects in the bucket) can be performed using APIs or SDKs. However, if you log in to OBS Console or OBS Browser+ to perform those operations, an error is reported indicating that you do not have required permissions. .

    -

    If you want an IAM user to perform read and write operations on OBS Console or OBS Browser+, configure custom IAM policies by referring to Follow-up Procedure.

    -

    After the configuration is complete, the system still displays a message indicating that you do not have the permission to access the bucket. This is normal because the console invokes other advanced configuration APIs, but you can still perform operations allowed in read/write mode.

    +

    Precautions

    +

    After configuration, the IAM user can use APIs or SDKs to upload, download, and delete objects in the bucket. However, if they log in to OBS Console or OBS Browser+ to perform those operations, an error will be reported indicating that they do not have required permissions. .

    +

    If you still want the IAM user to perform read and write operations on OBS Console or OBS Browser+, you need to configure custom IAM policies. For details, see Follow-up Procedure.

    +

    After configuration, the system still displays a message indicating that the IAM user does not have required permissions, because OBS Console also calls other APIs for advanced configurations. However, the IAM user can still perform read/write operations.

    -

    Procedure

    1. In the navigation pane of OBS Console, choose Object Storage.
    2. In the bucket list, click the bucket name you want to go to the Overview page.
    3. In the navigation pane, choose Permissions.
    4. On the Bucket Policies page, click Create Bucket Policy under Custom Bucket Policies.
    5. Configure parameters for a bucket policy.

      Figure 1 Configuring parameters for a bucket policy
      +

      Procedure

      1. In the navigation pane of OBS Console, choose Object Storage.
      2. In the bucket list, click the bucket name you want to go to the Overview page.
      3. In the navigation pane, choose Permissions.
      4. On the Bucket Policies page, click Create Bucket Policy under Custom Bucket Policies.
      5. Configure a bucket policy.

        Figure 1 Configuring a bucket policy
        @@ -37,12 +36,12 @@
        Table 1 Parameters for creating a bucket policy

        Parameter
        -

      6. Click OK. The bucket policy is created.
      +

    6. Click OK.

    Follow-up Procedure

    To perform read and write operations on OBS Console or OBS Browser+, you must add the obs:bucket:ListAllMyBuckets (for listing buckets) and obs:bucket:ListBucket (for listing objects in a bucket) permissions to the custom IAM policy.

    -

    obs:bucket:ListAllMyBuckets applies to all resources, while obs:bucket:ListBucket applies to the authorized bucket only. Therefore, you need to add two permissions to the policy.

    +

    obs:bucket:ListAllMyBuckets applies to all resources, while obs:bucket:ListBucket applies only to the authorized bucket. Therefore, you need to add these two permissions to the policy.

    -
    1. Log in to the management console using a cloud service account.
    2. On the top menu bar, choose Service List > Management & Deployment > Identity and Access Management. The IAM console is displayed.
    3. In the navigation pane, choose Permissions.
    4. Click Create Custom Policy in the upper right corner.
    5. Configure parameters for a custom policy.

      Figure 2 Configuring a custom policy
      +
      1. Log in to the management console using a cloud service account.
      2. On the top menu bar, choose Service List > Management & Deployment > Identity and Access Management.
      3. In the navigation pane, choose Permissions.
      4. Click Create Custom Policy in the upper right corner.
      5. Configure a custom policy.

        Figure 2 Configuring a custom policy
        @@ -52,12 +51,12 @@ - - -
        Table 2 Parameters for configuring a custom policy

        Parameter

        Policy Name

        Name of the custom policy

        +

        Enter a policy name.

        Policy View

        Set this parameter based on your own habits. Visual editor is used here.

        +

        Select one based on your own habits. Visual editor is used here.

        Policy Content

        @@ -65,19 +64,19 @@

        [Permission 1]

        • Select Allow.
        • Select Object Storage Service (OBS).
        • Select obs:bucket:ListAllMyBuckets from the actions.
        • Select All for resources.

        [Permission 2]

        -
        • Select Allow.
        • Select Object Storage Service (OBS).
        • Select obs:bucket:ListBucket from the actions.
        • For Resources, select Specific, and for bucket, select Specify resource path, and click Add Resource Path. Enter the bucket name in the Path text box, indicating that the policy takes effect only for this bucket.
        +
        • Select Allow.
        • Select Object Storage Service (OBS).
        • Select obs:bucket:ListBucket from the actions.
        • Select Specific for Resources and select Specify resource path for Bucket. Click Add Resource Path. Enter the bucket name in the Path text box for applying the policy only to this bucket.

        Scope

        The default value is Global services.

        +

        Use the default value Global services.
        -

      6. Click OK. The custom policy is created.
      7. Create a user group and assign permissions.

        Add the created custom policy to the user group by following the instructions in the IAM document.

        -

      8. Add the IAM user you want to authorize to the created user group by referring to Creating a User and Adding the User to a User Group.

        Due to data caching, it takes about 10 to 15 minutes for a custom policy to take effect after the authorization.

        +

      9. Click OK.
      10. Create a user group and assign permissions.

        Apply the created custom policy to the user group by following the instructions in the IAM document.

        +

      11. Add the IAM user you want to authorize to the created user group.

        Due to data caching, it takes about 10 to 15 minutes for a custom policy to take effect.

    diff --git a/docs/obs/perms-cfg/obs_40_0016.html b/docs/obs/perms-cfg/obs_40_0016.html index 426c1ec4..908270d6 100644 --- a/docs/obs/perms-cfg/obs_40_0016.html +++ b/docs/obs/perms-cfg/obs_40_0016.html @@ -1,16 +1,16 @@ -

    Granting an IAM User the Permissions Required to Perform Specific Operations on a Specific Bucket

    -

    Scenario

    This topic describes how to grant an IAM user the permissions required to perform specific operations on an OBS bucket. Below describes how to grant the bucket deletion permission.

    -

    If you need to configure other permissions, select the corresponding actions from the Action Name drop-down list in the bucket policy. For details about the actions supported by OBS, see Action/NotAction.

    +

    Granting an IAM User the Specified Permissions for a Bucket

    +

    Scenario

    This topic describes how to grant an IAM user the permissions required to delete a bucket.

    +

    To grant other permissions, select required actions from Action Name in the bucket policy. For details, see Action/NotAction.

    -

    Recommended Configuration

    You are advised to use bucket policies to grant resource-level permissions to an IAM user.

    +

    Recommended Configuration

    To grant resource-level permissions to an IAM user, use a bucket policy.

    -

    Configuration Precautions

    After the configuration is complete, you can delete buckets using APIs. However, if you log in to OBS Console or OBS Browser+ to delete buckets, an error is reported indicating that you do not have required permissions.

    -

    This is because when you log in to OBS Console or OBS Browser+, more APIs (such as ListAllMyBuckets and ListBucketVersions) are called to load the list of buckets and versioned objects, but your permissions do not cover those APIs. In such case, your access is denied or your operation is not allowed.

    -

    If you want an IAM user to delete buckets on OBS Console or OBS Browser+, allow the ListBucketVersions permission in the bucket policy and configure a custom IAM policy to grant the ListAllMyBuckets permission by referring to Follow-up Procedure.

    +

    Precautions

    After configuration, the IAM user can use APIs to delete buckets. However, if they log in to OBS Console or OBS Browser+ to delete buckets, a message will be displayed indicating that they do not have required permissions.

    +

    This is because when they log in to OBS Console or OBS Browser+, more APIs (such as ListAllMyBuckets and ListBucketVersions) will be called to load the list of buckets and versioned objects. In such case, the message is displayed.

    +

    If you want an IAM user to delete buckets on OBS Console or OBS Browser+, you need to allow the ListBucketVersions permission in the bucket policy and configure a custom IAM policy to grant the ListAllMyBuckets permission by referring to Follow-up Procedure.

    -

    Procedure

    1. In the navigation pane of OBS Console, choose Object Storage.
    2. In the bucket list, click the bucket name you want to go to the Overview page.
    3. In the navigation pane, choose Permissions.
    4. On the Bucket Policies page, click Create Bucket Policy under Custom Bucket Policies.
    5. Configure parameters for a bucket policy.

      Figure 1 Configuring parameters for a bucket policy
      +

      Procedure

      1. In the navigation pane of OBS Console, choose Object Storage.
      2. In the bucket list, click the bucket name you want to go to the Overview page.
      3. In the navigation pane, choose Permissions.
      4. On the Bucket Policies page, click Create Bucket Policy under Custom Bucket Policies.
      5. Configure a bucket policy.

        Figure 1 Configuring a bucket policy
        @@ -40,18 +40,18 @@ -
        Table 1 Parameters for creating a bucket policy

        Parameter

        Actions

        • Include
        • Action Name:
          • DeleteBucket
          • ListBucketVersions (required when the authorized user needs to access OBS on OBS Console or OBS Browser+)
          +
        • Include
        • Action Name:
          • DeleteBucket
          • ListBucketVersions (required when an authorized user needs to access OBS from OBS Console or OBS Browser+)
        -

        To configure other permissions, select the corresponding actions. For details about the actions supported by OBS, see Action/NotAction.

        +

        To configure other permissions, select the corresponding actions. For details, see Action/NotAction.
        -

      6. Click OK. The bucket policy is created.
      +

    6. Click OK.
    -

    Follow-up Procedure

    To successfully delete buckets on OBS Console or OBS Browser+, you need to allow the obs:bucket:ListAllMyBuckets (for listing buckets) permission in the IAM policy.

    -
    1. Log in to the management console using a cloud service account.
    2. On the top menu bar, choose Service List > Management & Deployment > Identity and Access Management. The IAM console is displayed.
    3. In the navigation pane, choose Permissions.
    4. Click Create Custom Policy in the upper right corner.
    5. Configure parameters for a custom policy.

      Figure 2 Configuring a custom policy
      +

      Follow-up Procedure

      To delete buckets on OBS Console or OBS Browser+, you need to allow the obs:bucket:ListAllMyBuckets permission in the IAM policy.

      +
      1. Log in to the management console using a cloud service account.
      2. On the top menu bar, choose Service List > Management & Deployment > Identity and Access Management.
      3. In the navigation pane, choose Permissions.
      4. Click Create Custom Policy in the upper right corner.
      5. Configure a custom policy.

        Figure 2 Configuring a custom policy
        @@ -61,12 +61,12 @@ - - -
        Table 2 Parameters for configuring a custom policy

        Parameter

        Policy Name

        Name of the custom policy

        +

        Enter a policy name.

        Policy View

        Set this parameter based on your own habits. Visual editor is used here.

        +

        Select one based on your own habits. Visual editor is used here.

        Policy Content

        @@ -76,14 +76,14 @@

        Scope

        The default value is Global services.

        +

        Use the default value Global services.
        -

      6. Click OK. The custom policy is created.
      7. Create a user group and assign permissions.

        Add the created custom policy to the user group by following the instructions in the IAM document.

        -

      8. Add the IAM user you want to authorize to the created user group by referring to Creating a User and Adding the User to a User Group.

        Due to data caching, it takes about 10 to 15 minutes for a custom policy to take effect after the authorization.

        +

      9. Click OK.
      10. Create a user group and assign permissions.

        Apply the created custom policy to the user group by following the instructions in the IAM document.

        +

      11. Add the IAM user you want to authorize to the created user group.

        Due to data caching, it takes about 10 to 15 minutes for a custom policy to take effect.

      diff --git a/docs/obs/perms-cfg/obs_40_0017.html b/docs/obs/perms-cfg/obs_40_0017.html index 98d99036..838c3fb6 100644 --- a/docs/obs/perms-cfg/obs_40_0017.html +++ b/docs/obs/perms-cfg/obs_40_0017.html @@ -1,17 +1,15 @@ -

      Granting an IAM User the Read Permission on a Specific Object

      -

      Scenario

      This topic describes how to grant an IAM user the read permission on an object or a set of objects in an OBS bucket.

      +

      Granting an IAM User the Read Permissions on Specific Objects

      +

      Scenario

      This topic describes how to grant an IAM user the read permissions on an object or a set of objects in an OBS bucket.

      -

      Recommended Configuration

      You are advised to use bucket policies to grant resource-level permissions to an IAM user.

      +

      Recommended Configuration

      To grant resource-level permissions to an IAM user, use a bucket policy.

      -

      Configuration Precautions

      The preset read-only mode of OBS has the following permissions:

      -
      • GetObject: downloading objects
      • GetObjectVersion: downloading versioned objects
      -

      After the configuration is complete, you can read (download) specific objects using APIs. However, if you download an object from OBS Console or OBS Browser+, an error is reported indicating that you do not have required permissions.

      -

      This is because when you log in to OBS Console or OBS Browser+, APIs (such as ListAllMyBuckets and ListBucket) are called to load the bucket list and object list and some other APIs will also be called on other pages, but your permissions do not cover those APIs. In such case, your access is denied or your operation is not allowed.

      -

      If you want an IAM user to perform read operations on OBS Console or OBS Browser+, configure custom IAM policies by referring to Follow-up Procedure.

      +

      Precautions

      After configuration, the IAM user can download specific objects using APIs. However, if they download an object from OBS Console or OBS Browser+, a message will be displayed, indicating that they do not have required permissions.

      +

      This is because when they log in to OBS Console or OBS Browser+, the ListAllMyBuckets API is called to load the bucket list and some other APIs will also be called on other pages. In such case, the message is displayed.

      +

      If you want an IAM user to perform read operations on OBS Console or OBS Browser+, you need to configure custom IAM policies by referring to Follow-up Procedure.

      -

      Procedure

      1. In the navigation pane of OBS Console, choose Object Storage.
      2. In the bucket list, click the bucket name you want to go to the Overview page.
      3. In the navigation pane, choose Permissions.
      4. On the Bucket Policies page, click Create Bucket Policy under Custom Bucket Policies.
      5. Configure parameters for a bucket policy.

        Figure 1 Configuring parameters for a bucket policy
        +

        Procedure

        1. In the navigation pane of OBS Console, choose Object Storage.
        2. In the bucket list, click the bucket name you want to go to the Overview page.
        3. In the navigation pane, choose Permissions.
        4. On the Bucket Policies page, click Create Bucket Policy under Custom Bucket Policies.
        5. Configure a bucket policy.

          Figure 1 Configuring a bucket policy
          @@ -39,12 +37,12 @@
          Table 1 Parameters for creating a bucket policy

          Parameter
          -

        6. Click OK. The bucket policy is created.
        +

      6. Click OK.

      Follow-up Procedure

      To perform read operations on OBS Console or OBS Browser+, you must add the obs:bucket:ListAllMyBuckets (for listing buckets) and obs:bucket:ListBucket (for listing objects in a bucket) permissions to the custom IAM policy.

      -

      obs:bucket:ListAllMyBuckets applies to all resources, while obs:bucket:ListBucket applies to the authorized bucket only. Therefore, you need to add two permissions to the policy.

      +

      obs:bucket:ListAllMyBuckets applies to all resources, while obs:bucket:ListBucket applies only to the authorized bucket. Therefore, you need to add these two permissions to the policy.

      -
      1. Log in to the management console using a cloud service account.
      2. On the top menu bar, choose Service List > Management & Deployment > Identity and Access Management. The IAM console is displayed.
      3. In the navigation pane, choose Permissions.
      4. Click Create Custom Policy in the upper right corner.
      5. Configure parameters for a custom policy.

        Figure 2 Configuring a custom policy
        +
        1. Log in to the management console using a cloud service account.
        2. On the top menu bar, choose Service List > Management & Deployment > Identity and Access Management.
        3. In the navigation pane, choose Permissions.
        4. Click Create Custom Policy in the upper right corner.
        5. Configure a custom policy.

          Figure 2 Configuring a custom policy
          @@ -54,12 +52,12 @@ - - -
          Table 2 Parameters for configuring a custom policy

          Parameter

          Policy Name

          Name of the custom policy

          +

          Enter a policy name.

          Policy View

          Set this parameter based on your own habits. Visual editor is used here.

          +

          Select one based on your own habits. Visual editor is used here.

          Policy Content

          @@ -67,19 +65,19 @@

          [Permission 1]

          • Select Allow.
          • Select Object Storage Service (OBS).
          • Select obs:bucket:ListAllMyBuckets from the actions.
          • Select All for resources.

          [Permission 2]

          -
          • Select Allow.
          • Select Object Storage Service (OBS).
          • Select obs:bucket:ListBucket from the actions.
          • For Resources, select Specific, and for bucket, select Specify resource path, and click Add Resource Path. Enter the bucket name in the Path text box, indicating that the policy takes effect only for this bucket.
          +
          • Select Allow.
          • Select Object Storage Service (OBS).
          • Select obs:bucket:ListBucket from the actions.
          • Select Specific for Resources and select Specify resource path for Bucket. Click Add Resource Path. Enter the bucket name in the Path text box for applying the policy only to this bucket.

          Scope

          The default value is Global services.

          +

          Use the default value Global services.
          -

        6. Click OK. The custom policy is created.
        7. Create a user group and assign permissions.

          Add the created custom policy to the user group by following the instructions in the IAM document.

          -

        8. Add the IAM user you want to authorize to the created user group by referring to Creating a User and Adding the User to a User Group.

          Due to data caching, it takes about 10 to 15 minutes for a custom policy to take effect after the authorization.

          +

        9. Click OK.
        10. Create a user group and assign permissions.

          Apply the created custom policy to the user group by following the instructions in the IAM document.

          +

        11. Add the IAM user you want to authorize to the created user group.

          Due to data caching, it takes about 10 to 15 minutes for a custom policy to take effect.

      diff --git a/docs/obs/perms-cfg/obs_40_0018.html b/docs/obs/perms-cfg/obs_40_0018.html index adcc98de..7d369a3f 100644 --- a/docs/obs/perms-cfg/obs_40_0018.html +++ b/docs/obs/perms-cfg/obs_40_0018.html @@ -1,16 +1,16 @@ -

      Granting an IAM User the Permissions Required to Perform Specific Operations on Certain Objects

      -

      Scenario

      This topic describes how to grant an IAM user certain permissions on specific objects in a bucket. Below explains how to grant the object download permission.

      -

      If you need to configure other permissions, select the corresponding actions from the Action Name drop-down list in the bucket policy. For details about the actions supported by OBS, see Action/NotAction.

      +

      Granting an IAM User the Specific Permissions on Specific Objects

      +

      Scenario

      This topic describes how to grant an IAM user the permissions to download specific objects from a bucket.

      +

      To grant other permissions, select required actions from Action Name in the bucket policy. For details, see Action/NotAction.

      -

      Recommended Configuration

      You are advised to use bucket policies to grant resource-level permissions to an IAM user.

      +

      Recommended Configuration

      To grant resource-level permissions to an IAM user, use a bucket policy.

      -

      Configuration Precautions

      After the configuration is complete, you can download objects using APIs. However, if you log in to OBS Console or OBS Browser+ to download an object, an error is reported indicating that you do not have required permissions.

      -

      This is because when you log in to OBS Console or OBS Browser+, APIs (such as ListAllMyBuckets and ListBucket) are called to load the bucket list and object list and some other APIs will also be called on other pages, but your permissions do not cover those APIs. In such case, your access is denied or your operation is not allowed.

      -

      If you want an IAM user to successfully download objects on OBS Console or OBS Browser+, configure custom IAM policies by referring to Follow-up Procedure.

      +

      Precautions

      After configuration, the IAM user can download objects using APIs. However, if they download objects using OBS Console or OBS Browser+, a message will be displayed indicating that they do not have required permissions.

      +

      When they log in to OBS Console or OBS Browser+, APIs such as ListAllMyBuckets and ListBucket are called. ListAllMyBuckets loads the bucket list while ListBucket loads the object list. Some other APIs are also called on other pages. In such case, the message is displayed.

      +

      To allow an IAM user to download objects on OBS Console or OBS Browser+, you need to configure custom IAM policies. For details, see Follow-up Procedure.

      -

      Procedure

      1. In the navigation pane of OBS Console, choose Object Storage.
      2. In the bucket list, click the bucket name you want to go to the Overview page.
      3. In the navigation pane, choose Permissions.
      4. On the Bucket Policies page, click Create Bucket Policy under Custom Bucket Policies.
      5. Configure parameters for a bucket policy.

        Figure 1 Configuring parameters for a bucket policy
        +

        Procedure

        1. In the navigation pane of OBS Console, choose Object Storage.
        2. In the bucket list, click the bucket name you want to go to the Overview page.
        3. In the navigation pane, choose Permissions.
        4. On the Bucket Policies page, click Create Bucket Policy under Custom Bucket Policies.
        5. Configure a bucket policy.

          Figure 1 Configuring a bucket policy
          @@ -43,18 +43,18 @@
          Table 1 Parameters for creating a bucket policy

          Parameter

          Actions
          • Include
          • Action Name: Select GetObject.
          -

          To configure other permissions, select the corresponding actions. For details about the actions supported by OBS, see Action/NotAction.

          +

          To configure other permissions, select the corresponding actions. For details, see Action/NotAction.
          -

        6. Click OK. The bucket policy is created.
        +

      6. Click OK.
      -

      Follow-up Procedure

      To perform specific operations on OBS Console or OBS Browser+, you must add the obs:bucket:ListAllMyBuckets (for listing buckets) and obs:bucket:ListBucket (for listing objects in a bucket) permissions to the custom IAM policy.

      -

      obs:bucket:ListAllMyBuckets applies to all resources, while obs:bucket:ListBucket applies to the authorized bucket only. Therefore, you need to add two permissions to the policy.

      +

      Follow-up Procedure

      To perform specific operations on OBS Console or OBS Browser+, you must add the obs:bucket:ListAllMyBuckets and obs:bucket:ListBucket permissions to the custom IAM policy. obs:bucket:ListAllMyBuckets lists buckets while obs:bucket:ListBucket lists objects in a bucket.

      +

      obs:bucket:ListAllMyBuckets applies to all resources while obs:bucket:ListBucket applies only to the authorized bucket, so you need to add the two permissions to the policy.

      -
      1. Log in to the management console using a cloud service account.
      2. On the top menu bar, choose Service List > Management & Deployment > Identity and Access Management. The IAM console is displayed.
      3. In the navigation pane, choose Permissions.
      4. Click Create Custom Policy in the upper right corner.
      5. Configure parameters for a custom policy.

        Figure 2 Configuring a custom policy
        +
        1. Log in to the management console using a cloud service account.
        2. On the top menu bar, choose Service List > Management & Deployment > Identity and Access Management.
        3. In the navigation pane, choose Permissions.
        4. Click Create Custom Policy in the upper right corner.
        5. Configure a custom policy.

          Figure 2 Configuring a custom policy
          @@ -64,12 +64,12 @@ - - -
          Table 2 Parameters for configuring a custom policy

          Parameter

          Policy Name

          Name of the custom policy

          +

          Enter a policy name.

          Policy View

          Set this parameter based on your own habits. Visual editor is used here.

          +

          Select one based on your own habits. Visual editor is used here.

          Policy Content

          @@ -77,19 +77,19 @@

          [Permission 1]

          • Select Allow.
          • Select Object Storage Service (OBS).
          • Select obs:bucket:ListAllMyBuckets from the actions.
          • Select All for resources.

          [Permission 2]

          -
          • Select Allow.
          • Select Object Storage Service (OBS).
          • Select obs:bucket:ListBucket from the actions.
          • For Resources, select Specific, and for bucket, select Specify resource path, and click Add Resource Path. Enter the bucket name in the Path text box, indicating that the policy takes effect only for this bucket.
          +
          • Select Allow.
          • Select Object Storage Service (OBS).
          • Select obs:bucket:ListBucket from the actions.
          • Select Specific for Resources and select Specify resource path for Bucket. Click Add Resource Path. Enter the bucket name in the Path text box for applying the policy only to this bucket.

          Scope

          The default value is Global services.

          +

          Use the default value Global services.
          -

        6. Click OK. The custom policy is created.
        7. Create a user group and assign permissions.

          Add the created custom policy to the user group by following the instructions in the IAM document.

          -

        8. Add the IAM user you want to authorize to the created user group by referring to Creating a User and Adding the User to a User Group.

          Due to data caching, it takes about 10 to 15 minutes for a custom policy to take effect after the authorization.

          +

        9. Click OK.
        10. Create a user group and assign permissions.

          Apply the created custom policy to the user group by following the instructions in the IAM document.

          +

        11. Add the IAM user you want to authorize to the created user group.

          Due to data caching, it takes about 10 to 15 minutes for a custom policy to take effect.

      diff --git a/docs/obs/perms-cfg/obs_40_0019.html b/docs/obs/perms-cfg/obs_40_0019.html index 92b9745a..38eb346b 100644 --- a/docs/obs/perms-cfg/obs_40_0019.html +++ b/docs/obs/perms-cfg/obs_40_0019.html @@ -8,16 +8,16 @@
    6. Granting IAM User Groups Basic Permissions on All OBS Resources
      7. -
    7. Granting IAM User Groups Specified Permissions on All OBS Resources
      +
    8. Granting IAM User Groups Specific Permissions for All OBS Resources
      9. -
    9. Granting IAM User Groups Specified Permissions on Certain OBS Resources
      +
    10. Granting IAM User Groups Specific Permissions on Specific OBS Resources
      11. -
    11. Granting IAM User Groups Specified Permissions on Certain OBS Folders
      +
    12. Granting IAM User Groups Specific Permissions on a Folder
      13. -
      Parent topic: Configuration Cases in Typical Permission Control Scenarios
      +
      Parent topic: Permission Configuration in Typical Scenarios
    diff --git a/docs/obs/perms-cfg/obs_40_0020.html b/docs/obs/perms-cfg/obs_40_0020.html index 77391b54..6db826bd 100644 --- a/docs/obs/perms-cfg/obs_40_0020.html +++ b/docs/obs/perms-cfg/obs_40_0020.html @@ -1,11 +1,11 @@

    Granting IAM User Groups All Permissions on All OBS Resources

    -

    Scenario

    This topic describes how to grant multiple IAM users or user groups all permissions on all OBS resources. Users with this permission can perform any OBS operation.

    +

    Scenario

    This topic describes how to grant multiple IAM users or user groups all permissions on all OBS resources. Users with this permission can perform any operations on OBS.

    -

    Recommended Configuration

    IAM custom policies

    +

    Recommended Configuration

    Use an IAM custom policy to configure the permissions.

    -

    Procedure

    1. Log in to the management console using a cloud service account.
    2. On the top menu bar, choose Service List > Management & Deployment > Identity and Access Management. The IAM console is displayed.
    3. In the navigation pane, choose Permissions.
    4. Click Create Custom Policy in the upper right corner.
    5. Configure parameters for a custom policy.

      Figure 1 Configuring a custom policy
      +

      Procedure

      1. Log in to the management console using a cloud service account.
      2. On the top menu bar, choose Service List > Management & Deployment > Identity and Access Management.
      3. In the navigation pane, choose Permissions.
      4. Click Create Custom Policy in the upper right corner.
      5. Configure a custom policy.

        Figure 1 Configuring a custom policy
        @@ -15,12 +15,12 @@ - -
        Table 1 Parameters for configuring a custom policy

        Parameter

        Policy Name

        Name of the custom policy

        +

        Enter a policy name.

        Policy View

        Set this parameter based on your own habits. Visual editor is used here.

        +

        Select one based on your own habits. Visual editor is used here.

        Policy Content

        @@ -36,8 +36,8 @@
        -

      6. Click OK. The custom policy is created.
      7. Create a user group and assign permissions.

        Add the created custom policy to the user group by following the instructions in the IAM document.

        -

      8. Add the IAM user you want to authorize to the created user group by referring to Creating a User and Adding the User to a User Group.

        Due to data caching, it takes about 10 to 15 minutes for a custom policy to take effect after the authorization.

        +

      9. Click OK.
      10. Create a user group and assign permissions.

        Apply the created custom policy to the user group by following the instructions in the IAM document.

        +

      11. Add the IAM user you want to authorize to the created user group.

        Due to data caching, it takes about 10 to 15 minutes for a custom policy to take effect.

      diff --git a/docs/obs/perms-cfg/obs_40_0021.html b/docs/obs/perms-cfg/obs_40_0021.html index 99eb4141..5b86e986 100644 --- a/docs/obs/perms-cfg/obs_40_0021.html +++ b/docs/obs/perms-cfg/obs_40_0021.html @@ -1,7 +1,7 @@

      Granting IAM User Groups Basic Permissions on All OBS Resources

      -

      Scenario

      This topic describes how to use the OBS-related system roles and policies preset in IAM to grant basic operation permissions on all OBS resources to multiple IAM users or user groups. The following table lists the permissions supported by preset system roles and policies.

      +

      Scenario

      This topic describes how to use OBS system roles and policies preset in IAM to grant basic operation permissions for all OBS resources to multiple IAM users or user groups. The following table lists the permissions supported by preset system roles and policies.

      @@ -41,7 +41,7 @@ - @@ -50,7 +50,7 @@ - @@ -63,12 +63,12 @@

      Recommended Configuration

      IAM system roles and policies

      -

      Configuration Precautions

      After a system role or policy is configured according to this case, if you log in to the system using OBS Console or OBS Browser+, a message may be displayed indicating that you do not have the permission.

      -

      Authorized permissions are valid, though operations on the console or client are restricted. You can call the APIs directly.

      -

      With OBS OperateAccess configured, you can upload or download objects on OBS Console or OBS Browser+.

      +

      Precautions

      After a system role or policy is configured according to this case, if you log in to the system using OBS Console or OBS Browser+, a message may be displayed indicating that you do not have the permission.

      +

      Although the error message is displayed, the IAM users can still call the APIs to perform authorized operations.

      +

      When OBS OperateAccess is allowed, they can upload or download objects on OBS Console or OBS Browser+.

      -

      Procedure

      1. Log in to the management console using a cloud service account.
      2. On the top menu bar, choose Service List > Management & Deployment > Identity and Access Management. The IAM console is displayed.
      3. Create a user group and assign permissions.

        Add system roles or policies that meet the service scenario requirements to the user group by following the instructions provided in the IAM document.

        -

      4. Add the IAM user you want to authorize to the created user group by referring to Creating a User and Adding the User to a User Group.

        Due to data caching, it takes about 10 to 15 minutes for the configured permissions to take effect.

        +

        Procedure

        1. Log in to the management console using a cloud service account.
        2. On the top menu bar, choose Service List > Management & Deployment > Identity and Access Management.
        3. Create a user group and assign permissions.

          Apply system roles or policies that meet requirements to the user group by following the instructions provided in the IAM document.

          +

        4. Add the IAM user you want to authorize to the created user group.

          Due to data caching, it takes about 10 to 15 minutes for the configured permissions to take effect.

        diff --git a/docs/obs/perms-cfg/obs_40_0022.html b/docs/obs/perms-cfg/obs_40_0022.html index 7837be65..2235fe11 100644 --- a/docs/obs/perms-cfg/obs_40_0022.html +++ b/docs/obs/perms-cfg/obs_40_0022.html @@ -1,15 +1,15 @@ -

        Granting IAM User Groups Specified Permissions on All OBS Resources

        -

        Scenario

        This topic describes how to grant multiple IAM users or user groups specific permissions on all OBS resources.

        +

        Granting IAM User Groups Specific Permissions for All OBS Resources

        +

        Scenario

        This topic describes how to grant multiple IAM users or user groups specified permissions for all OBS resources.

        -

        Recommended Configuration

        IAM custom policies

        +

        Recommended Configuration

        Use an IAM custom policy to configure the permissions.

        -

        Configuration Precautions

        After the configuration is complete, you can perform allowed operations using APIs. However, if you log in to OBS Console or OBS Browser+ to perform those operations, an error is reported indicating that you do not have required permissions.

        -

        This is because when you log in to OBS Console or OBS Browser+, APIs (such as ListAllMyBuckets and ListBucket) are called to load the bucket list and object list and some other APIs will also be called on other pages, but your permissions do not cover those APIs. In such case, your access to OBS Console or OBS Browser+ is denied or your operation is not allowed.

        +

        Precautions

        After configuration, IAM user groups can perform allowed operations using APIs. If they log in to OBS Console or OBS Browser+ to perform those operations, a message will be displayed indicating that they do not have required permissions.

        +

        This is because when they log in to OBS Console or OBS Browser+, APIs (such as ListAllMyBuckets and ListBucket) are called to load the bucket list and object list and some other APIs will also be called on other pages, but their permissions do not cover those APIs. In such case, the message is diplayed.

        To allow IAM users to operate buckets and objects on OBS Console or OBS Browser+, add at least the obs:bucket:ListAllMyBuckets and obs:bucket:ListBucket permissions to the custom policy.

        -

        Procedure

        1. Log in to the management console using a cloud service account.
        2. On the top menu bar, choose Service List > Management & Deployment > Identity and Access Management. The IAM console is displayed.
        3. In the navigation pane, choose Permissions.
        4. Click Create Custom Policy in the upper right corner.
        5. Configure parameters for a custom policy.

          Figure 1 Configuring a custom policy
          +

          Procedure

          1. Log in to the management console using a cloud service account.
          2. On the top menu bar, choose Service List > Management & Deployment > Identity and Access Management.
          3. In the navigation pane, choose Permissions.
          4. Click Create Custom Policy in the upper right corner.
          5. Configure a custom policy.

            Figure 1 Configuring a custom policy
      Table 1 OBS system permissions

      Role/Policy Name

      OBS ReadOnlyAccess

      Users with this permission can list buckets, obtain basic bucket information, obtain bucket metadata, and list objects (not the objects that have been versioned).

      +

      Users with this permission can list buckets, obtain basic bucket information, obtain bucket metadata, and list objects (excluding the objects that have been versioned).

      NOTE:

      If a user with this permission fails to list objects on OBS Console, there may be multiple versions of objects in the bucket. In this case, you need to grant the user the obs:bucket:ListBucketVersions permission so that the user can view different versions of objects on OBS Console.

      OBS OperateAccess

      Users with this permission can perform all OBS ReadOnlyAccess operations and perform basic object operations, such as uploading objects, downloading objects, deleting objects, and obtaining object ACLs.

      +

      Users with this permission can perform all ReadOnlyAccess operations on OBS and perform basic operations on objects, such as uploading, downloading, deleting objects, and obtaining object ACLs.

      NOTE:

      If a user with this permission fails to list objects on OBS Console, there may be multiple versions of objects in the bucket. In this case, you need to grant the user the obs:bucket:ListBucketVersions permission so that the user can view different versions of objects on OBS Console.
      @@ -19,17 +19,17 @@ - - -
      Table 1 Parameters for configuring a custom policy

      Parameter

      Policy Name

      Name of the custom policy

      +

      Enter a policy name.

      Policy View

      Set this parameter based on your own habits. Visual editor is used here.

      +

      Select one based on your own habits. Visual editor is used here.

      Policy Content

      • Select Allow.
      • Select Object Storage Service (OBS).
      • Select the actions to be authorized.
      • Select All for resources.
      +
      • Select Allow.
      • Select Object Storage Service (OBS).
      • Select the actions to be allowed.
      • Select All for resources.

      Scope

      @@ -40,8 +40,8 @@
      -

    6. Click OK. The custom policy is created.
    7. Create a user group and assign permissions.

      Add the created custom policy to the user group by following the instructions in the IAM document.

      -

    8. Add the IAM user you want to authorize to the created user group by referring to Creating a User and Adding the User to a User Group.

      Due to data caching, it takes about 10 to 15 minutes for a custom policy to take effect after the authorization.

      +

    9. Click OK.
    10. Create a user group and assign permissions.

      Apply the created custom policy to the user group by following the instructions in the IAM document.

      +

    11. Add the IAM user you want to authorize to the created user group.

      Due to data caching, it takes about 10 to 15 minutes for a custom policy to take effect.

    diff --git a/docs/obs/perms-cfg/obs_40_0023.html b/docs/obs/perms-cfg/obs_40_0023.html index ea7dcc69..b863a483 100644 --- a/docs/obs/perms-cfg/obs_40_0023.html +++ b/docs/obs/perms-cfg/obs_40_0023.html @@ -1,18 +1,18 @@ -

    Granting IAM User Groups Specified Permissions on Certain OBS Resources

    -

    Scenario

    This topic describes how to grant certain operation permissions on specific OBS resources (can be a bucket or an object) to multiple IAM users or user groups.

    +

    Granting IAM User Groups Specific Permissions on Specific OBS Resources

    +

    Scenario

    This topic describes how to grant specific operation permissions on specific OBS resources (a bucket or an object) to multiple IAM users or user groups.

    -

    Recommended Configuration

    IAM custom policies

    +

    Recommended Configuration

    Use an IAM custom policy to configure the permissions.

    -

    Configuration Precautions

    After the configuration is complete, you can perform allowed operations using APIs. However, if you log in to OBS Console or OBS Browser+ to perform those operations, an error is reported indicating that you do not have required permissions.

    -

    This is because when you log in to OBS Console or OBS Browser+, APIs (such as ListAllMyBuckets and ListBucket) are called to load the bucket list and object list and some other APIs will also be called on other pages, but your permissions do not cover those APIs. In such case, your access to OBS Console or OBS Browser+ is denied or your operation is not allowed.

    +

    Precautions

    After configuration, IAM user groups can perform allowed operations using APIs. If they log in to OBS Console or OBS Browser+ to perform those operations, a message will be displayed indicating that they do not have required permissions.

    +

    When they log in to OBS Console or OBS Browser+, APIs (such as ListAllMyBuckets and ListBucket) are called to load the bucket list and object list and some other APIs will also be called on other pages, but their permissions do not cover those APIs. In such case, the message is diplayed.

    To allow IAM users to operate buckets and objects on OBS Console or OBS Browser+, add at least the obs:bucket:ListAllMyBuckets and obs:bucket:ListBucket permissions to the custom policy.

    obs:bucket:ListAllMyBuckets applies to all resources. You need to select all resources.

    obs:bucket:ListBucket applies only to the authorized bucket. You can select all resources or a specified bucket as needed.

    -

    Procedure

    1. Log in to the management console using a cloud service account.
    2. On the top menu bar, choose Service List > Management & Deployment > Identity and Access Management. The IAM console is displayed.
    3. In the navigation pane, choose Permissions.
    4. Click Create Custom Policy in the upper right corner.
    5. Configure parameters for a custom policy.

      Figure 1 Configuring a custom policy
      +

      Procedure

      1. Log in to the management console using a cloud service account.
      2. On the top menu bar, choose Service List > Management & Deployment > Identity and Access Management.
      3. In the navigation pane, choose Permissions.
      4. Click Create Custom Policy in the upper right corner.
      5. Configure a custom policy.

        Figure 1 Configuring a custom policy
        @@ -22,12 +22,12 @@ - - @@ -59,8 +60,8 @@
        Table 1 Parameters for configuring a custom policy

        Parameter

        Policy Name

        Name of the custom policy

        +

        Enter a policy name.

        Policy View

        Set this parameter based on your own habits. Visual editor is used here.

        +

        Select one based on your own habits. Visual editor is used here.

        Policy Content

        @@ -35,19 +35,20 @@

        [Permission 1] It is mandatory when an authorized user needs to perform operations on OBS Console or OBS Browser+.

        • Select Allow.
        • Select Object Storage Service (OBS).
        • Select obs:bucket:ListAllMyBuckets from the actions.
        • Select All for resources.

        [Permission 2]

        -
        • Select Allow.
        • Select Object Storage Service (OBS).
        • Select the actions to be authorized.
        • Choose Specific resources > Bucket to specify bucket resources.

          [Format]

          +
          • Select Allow.
          • Select Object Storage Service (OBS).
          • Select the actions to be authorized.
          • Choose Specific resources > Bucket to specify bucket resources.

            [Format]

            obs:*:*:bucket:bucket name

            [Note]

            -

            For bucket resources, IAM automatically generates the prefix of the resource path: obs:*:*:bucket:.

            -

            For the path of a specific bucket, add the bucket name to the end. You can also add a wildcard character (*) to indicate any bucket. Example:

            -

            obs:*:*:bucket:*, indicating any OBS bucket.

            +

            For bucket resources, IAM automatically generates the prefix of the resource path: obs:*:*:bucket:.

            +

            For the path of a specific bucket, add the bucket name to the end. You can also add a wildcard character (*) to indicate any bucket. Examples are given as follows:

            +
            • obs:*:*:bucket:* (indicating any OBS bucket)
            • obs:*:*:bucket:examplebucket (indicating that the policy applies to bucket examplebucket)

            To perform operations on OBS Console or OBS Browser+, grant the obs:bucket:ListBucket permission to a specified bucket.

            -
          • Choose Specific resources > Object to specify an object resource.

            [Format]

            -

            obs:*:*:object:bucket name/object name

            +
          • Choose Specific resources > Object to specify an object resource.

            [Format]

            +

            Objects in a specified directory: obs:*:*:object:Bucket name/Prefix/*

            +

            Specified object: obs:*:*:object:Bucket name/Object name

            [Note]

            For object resources, IAM automatically generates the prefix of the resource path: obs:*:*:object:

            -

            For the path of a specific object, add the bucket name/object name to the end. You can also add a wildcard character (*) to indicate any object in a bucket. Example:

            -

            obs:*:*:object:my-bucket/my-object/*: any object in the my-object directory of the my-bucket bucket.

            +

            For the path of a specific object, add the bucket name/object name to the end. You can also add a wildcard character (*) to indicate any object in a bucket. Examples are given as follows:

            +
            • obs:*:*:object:my-bucket/my-object/* (indicating any object in the my-object directory of bucket my-bucket)
            • obs:*:*:object:my-bucket/exampleobject (indicating object exampleobject in bucket my-bucket)
        -

      6. Click OK. The custom policy is created.
      7. Create a user group and assign permissions.

        Add the created custom policy to the user group by following the instructions in the IAM document.

        -

      8. Add the IAM user you want to authorize to the created user group by referring to Creating a User and Adding the User to a User Group.

        Due to data caching, it takes about 10 to 15 minutes for a custom policy to take effect after the authorization.

        +

      9. Click OK.
      10. Create a user group and assign permissions.

        Apply the created custom policy to the user group by following the instructions in the IAM document.

        +

      11. Add the IAM user you want to authorize to the created user group.

        Due to data caching, it takes about 10 to 15 minutes for a custom policy to take effect.

      diff --git a/docs/obs/perms-cfg/obs_40_0024.html b/docs/obs/perms-cfg/obs_40_0024.html index 548f3bdc..80ec27c7 100644 --- a/docs/obs/perms-cfg/obs_40_0024.html +++ b/docs/obs/perms-cfg/obs_40_0024.html @@ -4,20 +4,20 @@
      -
      Parent topic: Configuration Cases in Typical Permission Control Scenarios
      +
      Parent topic: Permission Configuration in Typical Scenarios
      diff --git a/docs/obs/perms-cfg/obs_40_0025.html b/docs/obs/perms-cfg/obs_40_0025.html index 5be9e88f..bed2153a 100644 --- a/docs/obs/perms-cfg/obs_40_0025.html +++ b/docs/obs/perms-cfg/obs_40_0025.html @@ -1,17 +1,16 @@ -

      Granting an Account the Read and Write Permissions on a Bucket

      -

      Scenario

      This topic describes how to grant other accounts (excluding the IAM users under them) the read and write permissions on OBS buckets. For details about how to grant permissions to an IAM user, see Granting IAM Users Under an Account the Access to a Bucket and Resources in the Bucket.

      +

      Granting Other Accounts the Read/Write Permission for a Bucket

      +

      Scenario

      This topic describes how to grant other accounts (excluding the IAM users under them) the read/write permission for OBS buckets. For details about how to grant permissions to an IAM user, see Granting IAM Users Under an Account the Access to a Bucket and the Resources in It.

      -

      Recommended Configuration

      You are advised to use bucket policies to grant permissions to other accounts.

      +

      Recommended Configuration

      Use bucket policies to grant permissions to other accounts.

      -

      Configuration Precautions

      The preset read/write mode of OBS has the following permissions:
      • GetObject: downloading objects
      • PutObject: uploading objects
      • GetObjectVersion: downloading versioned objects
      • DeleteObjectVersion: deleting objects versions
      • DeleteObject: deleting objects
      +

      Precautions

      +

      After the configuration is complete, the authorized account can perform read and write operations (upload, download, or delete all objects in a bucket) by using APIs or by adding external buckets through OBS Browser+. Currently, access to buckets of other accounts is not allowed on OBS Console.

      +

      When you use OBS Browser+ to access the added external bucket, a message may still be displayed indicating that you do not have required permissions.

      +

      Error cause: The loading on the OBS Browser+ bucket details page invokes some other OBS APIs. However, such operations are not allowed by the read and write permissions. Therefore, a message "Access denied. Check the response permission" or "This operation is not allowed on the requested resource" is displayed, however, existing permissions are not affected.

      -

      After the configuration is complete, the authorized account can perform read and write operations (upload, download, or delete all objects in a bucket) by using APIs or by adding external buckets through OBS Browser+. To do this by adding external buckets, the ListBucket permission is also required. Currently, access to buckets of other accounts is not allowed on OBS Console.

      -

      After the ListBucket permission is configured, a message may still be displayed indicating that you do not have the permission to access the added external bucket through OBS Browser+.

      -

      Error cause: The loading on the OBS Browser+ bucket details page invokes some other OBS APIs. However, such operations are not allowed by the read and write permissions. Therefore, a message "Access denied. Check the response permission" or "This operation is not allowed on the requested resource" is displayed, however, existing permissions are not affected.

      -
      -

      Procedure

      1. In the navigation pane of OBS Console, choose Object Storage.
      2. In the bucket list, click the bucket name you want to go to the Overview page.
      3. In the navigation pane, choose Permissions.
      4. On the Bucket Policies page, click Create Bucket Policy under Custom Bucket Policies.
      5. Configure parameters for a bucket policy.

        Figure 1 Configuring parameters for a bucket policy
        +

        Procedure

        1. In the navigation pane of OBS Console, choose Object Storage.
        2. In the bucket list, click the bucket name you want to go to the Overview page.
        3. In the navigation pane, choose Permissions.
        4. On the Bucket Policies page, click Create Bucket Policy under Custom Bucket Policies.
        5. Configure a bucket policy.

          Figure 1 Configuring a bucket policy
          @@ -26,7 +25,7 @@ - @@ -39,7 +38,7 @@
          Table 1 Parameters for creating a bucket policy

          Parameter

          Principal

          • Select Include > Other account.
          • Account ID: Enter the ID of the account which you want to grant permissions to. You can obtain it from the My Credentials page of the account.
          • User ID: Enter the account ID, which can be obtained from the My Credentials page of the account.
            NOTE:

            In this example, permissions are granted to an account, excluding any IAM user under the account. Therefore, the user ID is the same as the account ID.

            +
          • Select Include > Other account.
          • Account ID: Enter the ID of the account which you want to grant permissions to. You can obtain it from the My Credentials page of the account.
          • User ID: Enter the account ID. You can obtain it from the My Credentials page of the account.
            NOTE:

            In this example, permissions are granted to an account, excluding any IAM user under the account. Therefore, the user ID is the same as the account ID.
          -

        6. Click OK. The bucket policy is created.
        7. (Optional) Click Create Bucket Policy again.

          If the authorized account wants to access the OBS bucket on OBS Browser+ by mounting an external bucket, you need to add a ListBucket permission.

          +

        8. Click OK.
        9. (Optional) Click Create Bucket Policy again.

          If the authorized account wants to access the OBS bucket on OBS Browser+ by mounting an external bucket, you need to add a ListBucket permission.

        10. (Optional) Configure the ListBucket permission.

          Figure 2 Configuring the ListBucket permission
          Table 2 Parameters for creating a bucket policy

          Parameter

          @@ -78,7 +77,7 @@
          -

        11. (Optional) Click OK. The bucket policy is created.
        +

      6. (Optional) Click OK.
      diff --git a/docs/obs/perms-cfg/obs_40_0026.html b/docs/obs/perms-cfg/obs_40_0026.html index 4cc1e96f..43db6284 100644 --- a/docs/obs/perms-cfg/obs_40_0026.html +++ b/docs/obs/perms-cfg/obs_40_0026.html @@ -1,14 +1,14 @@ -

      Granting an Account the Specified Permissions on a Bucket

      -

      Scenario

      This topic describes how to grant other accounts (excluding the IAM users under them) specific operation permissions on OBS buckets. For details about how to grant permissions to an IAM user, see Granting IAM Users Under an Account the Access to a Bucket and Resources in the Bucket.

      -

      The following example explains how to grant the permissions to configure a bucket ACL and obtain the bucket ACL configuration information. If you need to configure other permissions, select the corresponding actions from the Action Name drop-down list in the bucket policy. For details about the actions supported by OBS, see Action/NotAction.

      +

      Granting Other Accounts the Specified Permissions for a Bucket

      +

      Scenario

      This topic describes how to grant other accounts (excluding the IAM users under them) specific permissions for OBS buckets. For details about how to grant permissions to an IAM user, see Granting IAM Users Under an Account the Access to a Bucket and the Resources in It.

      +

      The following example explains how to grant the permissions to configure a bucket ACL and obtain the bucket ACL configuration information. To grant other permissions, select required actions from Action Name in the bucket policy. For details about the actions supported by OBS, see Action/NotAction.

      -

      Recommended Configuration

      You are advised to use bucket policies to grant permissions to other accounts.

      +

      Recommended Configuration

      Use bucket policies to grant permissions to other accounts.

      -

      Configuration Precautions

      After the configuration is complete, the authorized account can configure and obtain a bucket ACL by using APIs or SDKs or by adding external buckets through OBS Browser+. To do this by adding external buckets, the ListBucket permission is also required. Currently, access to buckets of other accounts is not allowed on OBS Console.

      +

      Precautions

      After configuration, the authorized account can configure and obtain a bucket ACL by using APIs or SDKs or by adding external buckets through OBS Browser+. To do this by adding external buckets, the ListBucket permission is also required. Currently, access to buckets of other accounts is not allowed on OBS Console.

      -

      Procedure

      1. In the navigation pane of OBS Console, choose Object Storage.
      2. In the bucket list, click the bucket name you want to go to the Overview page.
      3. In the navigation pane, choose Permissions.
      4. On the Bucket Policies page, click Create Bucket Policy under Custom Bucket Policies.
      5. Configure parameters for a bucket policy.

        Figure 1 Configuring parameters for a bucket policy
        +

        Procedure

        1. In the navigation pane of OBS Console, choose Object Storage.
        2. In the bucket list, click the bucket name you want to go to the Overview page.
        3. In the navigation pane, choose Permissions.
        4. On the Bucket Policies page, click Create Bucket Policy under Custom Bucket Policies.
        5. Configure a bucket policy.

          Figure 1 Configuring a bucket policy
          @@ -28,7 +28,7 @@ - @@ -48,7 +48,7 @@
          Table 1 Parameters for creating a bucket policy

          Parameter

          Principal

          • Select Include > Other account.
          • Account ID: Enter the ID of the account which you want to grant permissions to. You can obtain it from the My Credentials page of the account.
          • User ID: Enter the account ID, which can be obtained from the My Credentials page of the account.
            NOTE:

            In this example, permissions are granted to an account, excluding any IAM user under the account. Therefore, the user ID is the same as the account ID.

            +
          • Select Include > Other account.
          • Account ID: Enter the ID of the account which you want to grant permissions to. You can obtain it from the My Credentials page of the account.
          • User ID: Enter the account ID. You can obtain it from the My Credentials page of the account.
            NOTE:

            In this example, permissions are granted to an account, excluding any IAM user under the account. Therefore, the user ID is the same as the account ID.
          -

        6. Click OK. The bucket policy is created.
        +

      6. Click OK.
      diff --git a/docs/obs/perms-cfg/obs_40_0027.html b/docs/obs/perms-cfg/obs_40_0027.html index d7c721c1..fa0e970f 100644 --- a/docs/obs/perms-cfg/obs_40_0027.html +++ b/docs/obs/perms-cfg/obs_40_0027.html @@ -1,50 +1,50 @@ -

      Granting IAM Users Under an Account the Access to a Bucket and Resources in the Bucket

      +

      Granting IAM Users Under an Account the Access to a Bucket and the Resources in It

      Scenario

      This topic describes how to grant IAM users the permissions to access OBS buckets and resources in them.

      The following describes how to grant the permissions to upload and download objects in a bucket. If you need to configure other specified permissions, configure the corresponding permissions in the bucket policy and IAM permissions.

      -

      Recommended Configuration

      To grant permissions to IAM users under other accounts, you need to configure both bucket policies and IAM permissions.

      +

      Recommended Configuration

      To grant permissions to IAM users under an account, you need to configure both bucket policies and IAM permissions.

      For example, to allow IAM user A of account A to access bucket B of account B, you need to:

      -
      1. Configure a bucket policy that allows IAM user A to access bucket B.
      2. Configure IAM permissions for account A to allow IAM user A to access bucket B.
      -

      The permissions allowed by both bucket policies and IAM permissions take effect.

      +
      1. Configure a bucket policy that allows IAM user A to access bucket B.
      2. Configure IAM permissions for account A to allow IAM user A to access bucket B.
      -

      Configuration Precautions

      After the configuration is complete, the authorized IAM user can upload and download objects through APIs. In addition, the user can upload and download objects by mounting external buckets on OBS Browser+. To add external buckets, the ListBucket permission is also required. Currently, access to buckets of other accounts is not allowed on OBS Console.

      +

      Precautions

      After configuration, the IAM user can upload and download objects through APIs. In addition, the user can upload and download objects by mounting external buckets on OBS Browser+. To add external buckets, the ListBucket permission is also required. Currently, access to buckets of other accounts is not allowed on OBS Console.

      -

      Configuration Procedure 1: Configure a Bucket Policy That Allows Specified Operations

      The bucket owner or a user who has the permission to configure bucket policies needs to configure a bucket policy that allows specified operations.

      -
      1. In the navigation pane of OBS Console, choose Object Storage.
      2. In the bucket list, click the bucket name you want to go to the Overview page.
      3. In the navigation pane, choose Permissions.
      4. On the Bucket Policies page, click Create Bucket Policy under Custom Bucket Policies.
      5. Configure a bucket policy that allows upload and download.

        Figure 1 Configuring a bucket policy that allows uploads and downloads
        +

        Procedure 1: The Bucket Owner Configures a Bucket Policy.

        The bucket owner or a user who has the permission to configure bucket policies needs to configure a bucket policy that allows IAM users under an account to perform specified operations on the bucket.

        +

        In this example, account B (owner of bucket B) configures a bucket policy that allows IAM user A of account A to upload objects to and download objects from bucket B of account B.

        +
        1. In the navigation pane of OBS Console, choose Object Storage.
        2. In the bucket list, click the bucket name you want to go to the Overview page.
        3. In the navigation pane, choose Permissions.
        4. On the Bucket Policies page, click Create Bucket Policy under Custom Bucket Policies.
        5. Configure a bucket policy that allows uploads and downloads.

          Figure 1 Configuring a bucket policy that allows uploads and downloads
          -
          Table 1 Parameters for creating a bucket policy

          Parameter

          +
          - - - - - - - - - - - @@ -52,69 +52,70 @@
          Table 1 Parameters for creating a bucket policy

          Parameter

          Description

          +

          Description

          Policy Mode

          +

          Policy Mode

          Select Customized.

          +

          Select Customized.

          Effect

          +

          Effect

          Select Allow.

          +

          Select Allow.

          Principal

          +

          Principal

          • Select Include > Other account.
          • Account ID: Enter the ID of the account which you want to grant permissions to. You can obtain it from the My Credentials page of the account or the IAM user.
          • User ID: Enter the ID of the IAM user under the authorized account. You can obtain the ID on the My Credentials page of the IAM user. The wildcard character (*) is supported, indicating that the setting takes effect for all IAM users under the account.
          +
          • Select Include > Other account.
          • Account ID: Enter the ID of the account which you want to grant permissions to. You can obtain it from the My Credentials page of the account or the IAM user. The ID of account A is used as an example here.
          • User ID: Enter the ID of the IAM user under the authorized account. You can obtain the ID on the My Credentials page of the IAM user. The wildcard character (*) is supported, indicating that the setting takes effect for all IAM users under the account. The ID of IAM user A under account A is used as an example here.

          Resources

          +

          Resources

          • Choose Include > Specific resources.
          • Resource Name: Enter the object or the set of objects that will be accessed.
            • For one object, enter object name.
            • For a set of objects, enter object name prefix + *, * + object name suffix, or *.
            +
          • Choose Include > Specific resources.
          • Resource Name: Enter the object or the set of objects that will be accessed.
            • For one object, enter object name.
            • For a set of objects, enter object name prefix + *, * + object name suffix, or *.

            Set this parameter to * if all objects need to be downloaded.

          Actions

          +

          Actions

          • Include
          • Action Name:
            • GetObject
            • GetObjectVersion
            • PutObject
            • (Optional) ListBucket: Select this operation if you need to use OBS Browser+ to add external buckets.
            +
          • Include
          • Action Name:
            • GetObject
            • GetObjectVersion
            • PutObject
            • (Optional) ListBucket: Select this operation if you need to use OBS Browser+ to add external buckets.

          To configure other specified operation permissions on objects, select the corresponding actions. For details about the actions supported by OBS, see Action/NotAction.
          -

        6. Click OK. The bucket policy that allows upload and download is created.
        7. (Optional) Click Create Bucket Policy again to configure a bucket policy that allows objects in the bucket to be listed. (Perform this step when you need to use OBS Browser+ to add external buckets.)

          Figure 2 Configuring a bucket policy that allows objects to be listed in a bucket
          +

        8. Click OK.
        9. (Optional) Click Create Bucket Policy again to configure a bucket policy that allows objects in the bucket to be listed. (Perform this step when you need to use OBS Browser+ to add external buckets.)

          Figure 2 Configuring a bucket policy that allows objects to be listed in a bucket
          -
          Table 2 Parameters for creating a bucket policy

          Parameter

          +
          - - - - - - - - - - -
          Table 2 Parameters for creating a bucket policy

          Parameter

          Description

          +

          Description

          Policy Mode

          +

          Policy Mode

          Select Customized.

          +

          Select Customized.

          Effect

          +

          Effect

          Select Allow.

          +

          Select Allow.

          Principal

          +

          Principal

          • Select Include > Other account.
          • Account ID: Enter the ID of the account which you want to grant permissions to. You can obtain it from the My Credentials page of the account or the IAM user.
          • User ID: Enter the ID of the IAM user under the authorized account. You can obtain the ID on the My Credentials page of the IAM user. The wildcard character (*) is supported, indicating that the setting takes effect for all IAM users under the account.
          +
          • Select Include > Other account.
          • Account ID: Enter the ID of the account which you want to grant permissions to. You can obtain it from the My Credentials page of the account or the IAM user. The ID of account A is used as an example here.
          • User ID: Enter the ID of the IAM user under the authorized account. You can obtain the ID on the My Credentials page of the IAM user. The wildcard character (*) is supported, indicating that the setting takes effect for all IAM users under the account. The ID of IAM user A under account A is used as an example here.

          Resources

          +

          Resources

          Select Include > Entire bucket.

          +

          Select Include > Entire bucket.

          Actions

          +

          Actions

          • Include
          • Action Name: ListBucket
          +
          • Include
          • Action Name: ListBucket

          To configure other specified permissions on buckets, select the corresponding actions. For details about the actions supported by OBS, see Action/NotAction.
          -

        10. Click OK. The bucket policy for listing objects in the bucket is created.
          11. +

        11. Click OK.
          12. -

          Configuration Procedure 2: Configure an IAM Permission That Allows Specified Operations

          The account to which the authorized IAM user belongs needs to configure the IAM permission for the IAM user to perform specified operations on the specified bucket. The allowed operations must be the same as those specified in the bucket policy.

          -
          1. Log in to the management console using a cloud service account.
          2. On the top menu bar, choose Service List > Management & Deployment > Identity and Access Management. The IAM console is displayed.
          3. In the navigation pane, choose Permissions.
          4. Click Create Custom Policy in the upper right corner.
          5. Configure parameters for a custom policy.

            Figure 3 Configuring a custom policy
            +

            Procedure 2: The Account Grants Permissions to IAM Users Under It.

            The account (not the bucket owner) needs to grant permissions to its IAM users to perform specified operations on the bucket. (The allowed operations must be the same as those allowed in the bucket policy.)

            +

            In this example, account A needs to grant IAM user A the permissions to upload objects to and download objects from bucket B of account B.

            +
            1. Log in to the management console using a cloud service account.
            2. On the top menu bar, choose Service List > Management & Deployment > Identity and Access Management.
            3. In the navigation pane, choose Permissions.
            4. Click Create Custom Policy in the upper right corner.
            5. Configure a custom policy.

              Figure 3 Configuring a custom policy
              -
              Table 3 Parameters for configuring a custom policy

              Parameter

              +
              - - - - - - - - -
              Table 3 Parameters for configuring a custom policy

              Parameter

              Description

              +

              Description

              Policy Name

              +

              Policy Name

              Name of the custom policy

              +

              Enter a policy name.

              Policy View

              +

              Policy View

              Set this parameter based on your own habits. Visual editor is used here.

              +

              Select one based on your own habits. Visual editor is used here.

              Policy Content

              +

              Policy Content

              • Select Allow.
              • Select Object Storage Service (OBS).
              • Select the actions to be authorized.
                • ReadOnly > obs:bucket:ListBucketVersions and obs:object:GetObjectVersion
                • ReadWrite > obs:object:PutObject
                • ListOnly > obs:bucket:ListBucket (Select this operation if you need to use OBS Browser+ to add external buckets.)
                +
              • Select Allow.
              • Select Object Storage Service (OBS).
              • Select the actions to be authorized.
                • ReadOnly > obs:bucket:ListBucketVersions and obs:object:GetObjectVersion
                • ReadWrite > obs:object:PutObject
                • ListOnly > obs:bucket:ListBucket (Select this operation if you need to use OBS Browser+ to add external buckets.)
              • Choose Specific > object to specify an object resource. The specified object or object set must be consistent with the bucket policy.
                • Select Any if the resource set in the bucket policy is *.
                • If the resource specified in the bucket policy is a specified object or a set of objects, you need to specify the object or the set of objects the same as that in the bucket policy through the resource path.

                  [Format]

                  -

                  obs:*:*:object:bucket name/object name

                  +

                  obs:*:*:object:bucket name/object name

                Select Any as the bucket policy in this example is set to *.

              • Choose Specific > bucket > Specify resource path to specify bucket resources.

                Click Add Resource Path and enter the name of the authorized bucket in the Path text box, for example, example-bucket.

                @@ -122,16 +123,16 @@

              Scope

              +

              Scope

              The default value is Global services.

              +

              The default value is Global services.
              -

            6. Click OK. The custom policy is created.
            7. Create a user group and assign permissions.

              Add the created custom policy to the user group by following the instructions in the IAM document.

              -

            8. Add the IAM user you want to authorize to the created user group by referring to Creating a User and Adding the User to a User Group.

              Due to data caching, it takes about 10 to 15 minutes for a custom policy to take effect after the authorization.

              +

            9. Click OK.
            10. Create a user group and assign permissions.

              Apply the created custom policy to the user group by following the instructions in the IAM document.

              +

            11. Add the IAM user you want to authorize to the created user group.

              Due to data caching, it takes about 10 to 15 minutes for a custom policy to take effect.

              12. diff --git a/docs/obs/perms-cfg/obs_40_0028.html b/docs/obs/perms-cfg/obs_40_0028.html index 55c1b6ef..012bb849 100644 --- a/docs/obs/perms-cfg/obs_40_0028.html +++ b/docs/obs/perms-cfg/obs_40_0028.html @@ -1,16 +1,14 @@ -

              Granting an Account Read Permissions on Certain Objects

              -

              Scenario

              This case describes how to grant other accounts (excluding IAM users under the account) the read permission for an object or a type of objects in an OBS bucket. For details about how to grant permissions to an IAM user, see Granting IAM Users Under an Account the Access to a Bucket and Resources in the Bucket.

              +

              Granting Other Accounts the Read Permission for Certain Objects

              +

              Scenario

              This case describes how to grant other accounts (excluding IAM users under the account) the read permission for an object or a type of objects in an OBS bucket. For details about how to grant permissions to an IAM user, see Granting IAM Users Under an Account the Access to a Bucket and the Resources in It.

              -

              Recommended Configuration

              You are advised to use bucket policies to grant permissions to other accounts.

              +

              Recommended Configuration

              Use bucket policies to grant permissions to other accounts.

              -

              Configuration Precautions

              The preset read-only mode of OBS has the following permissions:

              -
              • GetObject: downloading objects
              • GetObjectVersion: downloading versioned objects
              -

              After the configuration is complete, you can read (download) specific objects using APIs. However, if you download an object from OBS Console or OBS Browser+, an error is reported indicating that you do not have required permissions.

              -

              This is because when you log in to OBS Console or OBS Browser+, APIs (such as ListAllMyBuckets and ListBucket) are called to load the bucket list and object list and some other APIs will also be called on other pages, but your permissions do not cover those APIs. In such case, your access is denied or your operation is not allowed.

              +

              Precautions

              After configuration, they can read (download) specific objects using APIs. However, if they download an object from OBS Console or OBS Browser+, a message will be displayed, indicating that they do not have required permissions.

              +

              When they log in to OBS Console or OBS Browser+, the ListAllMyBuckets APi is called to load the bucket list and some other APIs will also be called on other pages, but their permissions do not cover those APIs. In such case, the message is displayed.

              -

              Procedure

              1. In the navigation pane of OBS Console, choose Object Storage.
              2. In the bucket list, click the bucket name you want to go to the Overview page.
              3. In the navigation pane, choose Permissions.
              4. On the Bucket Policies page, click Create Bucket Policy under Custom Bucket Policies.
              5. Configure parameters for a bucket policy.

                Figure 1 Configuring parameters for a bucket policy
                +

                Procedure

                1. In the navigation pane of OBS Console, choose Object Storage.
                2. In the bucket list, click the bucket name you want to go to the Overview page.
                3. In the navigation pane, choose Permissions.
                4. On the Bucket Policies page, click Create Bucket Policy under Custom Bucket Policies.
                5. Configure a bucket policy.

                  Figure 1 Configuring a bucket policy
                  @@ -25,7 +23,7 @@ - @@ -40,7 +38,7 @@
                  Table 1 Parameters for creating a bucket policy

                  Parameter

                  Principal

                  • Select Include > Other account.
                  • Account ID: Enter the ID of the account which you want to grant permissions to. You can obtain it from the My Credentials page of the account.
                  • User ID: Enter the account ID, which can be obtained from the My Credentials page of the account.
                    NOTE:

                    In this example, permissions are granted to an account, excluding any IAM user under the account. Therefore, the user ID is the same as the account ID.

                    +
                  • Select Include > Other account.
                  • Account ID: Enter the ID of the account which you want to grant permissions to. You can obtain it from the My Credentials page of the account.
                  • User ID: Enter the account ID. You can obtain it from the My Credentials page of the account.
                    NOTE:

                    In this example, permissions are granted to an account, excluding any IAM user under the account. Therefore, the user ID is the same as the account ID.
                  -

                6. Click OK. The bucket policy is created.
                +

              6. Click OK.
              diff --git a/docs/obs/perms-cfg/obs_40_0029.html b/docs/obs/perms-cfg/obs_40_0029.html index 51720e6c..448a8a5e 100644 --- a/docs/obs/perms-cfg/obs_40_0029.html +++ b/docs/obs/perms-cfg/obs_40_0029.html @@ -1,16 +1,16 @@ -

              Granting an Account the Specified Permissions on Certain Objects

              -

              Scenario

              This case describes how to grant other accounts the specified operation permission on a specified object in an OBS bucket. The following describes how to grant the permission to download an object.

              -

              If you need to configure other permissions, select the corresponding actions from the Action Name drop-down list in the bucket policy. For details about the actions supported by OBS, see Action/NotAction.

              -

              For details about how to grant permissions to an IAM user, see Granting IAM Users Under an Account the Access to a Bucket and Resources in the Bucket.

              +

              Granting Other Accounts Specific Permissions for Specific Objects

              +

              Scenario

              This section describes how to grant other accounts the permissions to download an object from a bucket.

              +

              To grant other permissions, select required actions from Action Name in the bucket policy. For details about the actions supported by OBS, see Action/NotAction.

              +

              For details about how to grant permissions to an IAM user, see Granting IAM Users Under an Account the Access to a Bucket and the Resources in It.

              -

              Recommended Configuration

              You are advised to use bucket policies to grant permissions to other accounts.

              +

              Recommended Configuration

              Use bucket policies to grant permissions to other accounts.

              -

              Configuration Precautions

              After the configuration is complete, you can download objects using APIs. However, if you log in to OBS Console or OBS Browser+ to download an object, an error is reported indicating that you do not have required permissions.

              -

              This is because when you log in to OBS Console or OBS Browser+, APIs (such as ListAllMyBuckets and ListBucket) are called to load the bucket list and object list and some other APIs will also be called on other pages, but your permissions do not cover those APIs. In such case, your access is denied or your operation is not allowed.

              +

              Precautions

              After configuration, they can download objects using APIs. However, if they download objects using OBS Console or OBS Browser+, a message will be displayed indicating that they do not have required permissions.

              +

              When they log in to OBS Console or OBS Browser+, APIs (such as ListAllMyBuckets and ListBucket) are called to load the bucket list and object list and some other APIs will also be called on other pages, but their permissions do not cover those APIs. In such case, the message is displayed.

              -

              Procedure

              1. In the navigation pane of OBS Console, choose Object Storage.
              2. In the bucket list, click the bucket name you want to go to the Overview page.
              3. In the navigation pane, choose Permissions.
              4. On the Bucket Policies page, click Create Bucket Policy under Custom Bucket Policies.
              5. Configure parameters for a bucket policy.

                Figure 1 Configuring parameters for a bucket policy
                +

                Procedure

                1. In the navigation pane of OBS Console, choose Object Storage.
                2. In the bucket list, click the bucket name you want to go to the Overview page.
                3. In the navigation pane, choose Permissions.
                4. On the Bucket Policies page, click Create Bucket Policy under Custom Bucket Policies.
                5. Configure a bucket policy.

                  Figure 1 Configuring a bucket policy
                  @@ -30,7 +30,7 @@ - @@ -51,7 +51,7 @@
                  Table 1 Parameters for creating a bucket policy

                  Parameter

                  Principal

                  • Select Include > Other account.
                  • Account ID: Enter the ID of the account which you want to grant permissions to. You can obtain it from the My Credentials page of the account.
                  • User ID: Enter the account ID, which can be obtained from the My Credentials page of the account.
                    NOTE:

                    In this example, permissions are granted to an account, excluding any IAM user under the account. Therefore, the user ID is the same as the account ID.

                    +
                  • Select Include > Other account.
                  • Account ID: Enter the ID of the account which you want to grant permissions to. You can obtain it from the My Credentials page of the account.
                  • User ID: Enter the account ID. You can obtain it from the My Credentials page of the account.
                    NOTE:

                    In this example, permissions are granted to an account, excluding any IAM user under the account. Therefore, the user ID is the same as the account ID.
                  -

                6. Click OK. The bucket policy is created.
                +

              6. Click OK.
              diff --git a/docs/obs/perms-cfg/obs_40_0030.html b/docs/obs/perms-cfg/obs_40_0030.html index c47ec130..05fb53f1 100644 --- a/docs/obs/perms-cfg/obs_40_0030.html +++ b/docs/obs/perms-cfg/obs_40_0030.html @@ -4,18 +4,18 @@
              diff --git a/docs/obs/perms-cfg/obs_40_0031.html b/docs/obs/perms-cfg/obs_40_0031.html index d33eddf4..058001ca 100644 --- a/docs/obs/perms-cfg/obs_40_0031.html +++ b/docs/obs/perms-cfg/obs_40_0031.html @@ -1,59 +1,12 @@ -

              Granting Anonymous Users Public Read Permissions on a Bucket

              +

              Granting Anonymous Users the Public Read Permission for a Bucket

              Scenario

              If a bucket needs to be accessed by anonymous users, you can configure a bucket policy and bucket ACL to grant the access permission to anonymous users. The following uses a bucket policy as an example.

              -

              Configuration Precautions

              The Public Read policy allows any user to read objects in a bucket. Public Read has the following permissions:

              -
              • GetObject: downloading objects
              • GetObjectVersion: downloading versioned objects
              • HeadBucket: checking whether a bucket exists
              • ListBucket: listing objects in a bucket and obtaining the bucket metadata

                When you access a bucket through its domain name, the ListBucket permission allows you to list all objects in the bucket. If you want to restrict this permission to specified users under an account, see Related Scenario: Canceling the ListBucket Permission from the Public Read Policy.

                -
                -
              -
              -

              Procedure

              1. In the navigation pane of OBS Console, choose Object Storage.
              2. In the bucket list, click the bucket name you want to go to the Overview page.
              3. In the navigation pane, choose Permissions.
              4. On the Bucket Policies tab page, select the Public Read policy for the bucket in the Standard Bucket Policies area.

                Figure 1 Granting public read permissions on buckets to anonymous users
                +

                Procedure

                1. In the navigation pane of OBS Console, choose Object Storage.
                2. In the bucket list, click the bucket name you want to go to the Overview page.
                3. In the navigation pane, choose Permissions.
                4. On the Bucket Policies page, click Create Bucket Policy under Custom Bucket Policies.
                5. On the Bucket Policies tab page, select the Public Read policy for the bucket in the Standard Bucket Policies area.

                  Figure 1 Granting public read permissions on buckets to anonymous users

                -

                Verification

                1. After the permission is set, in the Basic Information area of the bucket details page, locate Access Domain Name. Share the URL of the access domain name over the Internet so that all Internet users can access the bucket.
                2. On the Objects tab page of the bucket, click the target object name and find the object link. Share the object link over the Internet so that all Internet users can access the object.
                -
                -

                Related Scenario: Canceling the ListBucket Permission from the Public Read Policy

                If you want to restrict the ListBucket permission to specified users under an account, you need to configure another bucket policy.

                -
                1. In the navigation pane of OBS Console, choose Object Storage.
                2. In the bucket list, click the bucket name you want to go to the Overview page.
                3. In the navigation pane, choose Permissions.
                4. On the Bucket Policies page, click Create Bucket Policy under Custom Bucket Policies.
                5. Configure parameters for a bucket policy.

                  Figure 2 Configuring parameters for a bucket policy
                  - -
                  - - - - - - - - - - - - - - - - - - - -
                  Table 1 Parameters for creating a bucket policy

                  Parameter

                  -

                  Description

                  -

                  Policy Mode

                  -

                  Select Customized.

                  -

                  Effect

                  -

                  Select Deny.

                  -

                  Principal

                  -
                  Select Exclude.
                  • Select Cloud service user.
                  • Account ID: Enter * to indicate all anonymous users.
                  • User ID: Enter one or more user IDs separated by a comma (,).
                  -
                  -

                  Resources

                  -

                  Select Include > Entire bucket.

                  -

                  Actions

                  -
                  • Include
                  • Action Name:
                    • ListBucket
                    -
                  -
                  -
                  -

                6. Click OK. The bucket policy is created.
                -

                Verification: After the permission is set, in the Basic Information area of the bucket details page, locate Access Domain Name. Publish the URL on the Internet, and verify that only specified users can list objects in the bucket.

                +

                Verification

                1. After the permission is set, in the Basic Information area of the bucket overview page, locate Access Domain Name. Share the URL of the access domain name over the Internet so that all Internet users can access the bucket.
                2. On the Objects tab page of the bucket, click the target object name and find the object link. Share the object link over the Internet so that all Internet users can access the object.
                diff --git a/docs/obs/perms-cfg/obs_40_0032.html b/docs/obs/perms-cfg/obs_40_0032.html index 6bfedda1..c718a7ca 100644 --- a/docs/obs/perms-cfg/obs_40_0032.html +++ b/docs/obs/perms-cfg/obs_40_0032.html @@ -1,32 +1,29 @@ -

                Granting Anonymous Users Public Read Permissions on a Directory

                +

                Granting Anonymous Users the Read Permission for a Directory

                Scenario

                If all objects in a folder need to be accessible to anonymous users, you can configure a bucket policy to grant anonymous users the permission to access the folder.

                -

                Configuration Precautions

                The preset read-only mode of OBS has the following permissions:

                -
                • GetObject: downloading objects
                • GetObjectVersion: downloading versioned objects
                -
                -

                Procedure

                1. In the navigation pane of OBS Console, choose Object Storage.
                2. In the bucket list, click the bucket name you want to go to the Overview page.
                3. In the navigation pane, choose Permissions.
                4. On the Bucket Policies page, click Create Bucket Policy under Custom Bucket Policies.
                5. Configure parameters according to the following table, so that you can grant anonymous users the permission to access the folder and objects in it.

                  Figure 1 Granting public read permissions on a specific directory for anonymous users
                  +

                  Procedure

                  1. In the navigation pane of OBS Console, choose Object Storage.
                  2. In the bucket list, click the bucket name you want to go to the Overview page.
                  3. In the navigation pane, choose Permissions.
                  4. On the Bucket Policies page, click Create Bucket Policy under Custom Bucket Policies.
                  5. Configure parameters according to the following table, so that you can grant anonymous users the permission to access the folder and objects in it.

                    Figure 1 Granting public read permissions on a specific directory for anonymous users
                    -
                    - - + + + - diff --git a/docs/obs/perms-cfg/obs_40_0041.html b/docs/obs/perms-cfg/obs_40_0041.html index dab7724c..7dc1f83c 100644 --- a/docs/obs/perms-cfg/obs_40_0041.html +++ b/docs/obs/perms-cfg/obs_40_0041.html @@ -1,7 +1,7 @@

                    Bucket Policy Parameters

                    -

                    A policy in JSON format is described as follows:

                    +

                    A bucket policy in JSON format:

                    { 
 "Statement" : [{
      statement1
@@ -17,7 +17,7 @@
      "Sid": "ExampleStatementID1",
      "Principal": "*",
      "Effect": "Allow",   
-     "Action": "ListBucket",
+     "Action": ["ListBucket"],
      "Resource": "examplebucket",
      "Condition": "some conditions"
   },
@@ -25,7 +25,7 @@
      "Sid": "ExampleStatementID2",
      "Principal": "*",
      "Effect": "Allow",   
-     "Action": "PutObject",
+     "Action": ["PutObject"],
      "Resource": "examplebucket",
      "Condition": "some conditions"
   },
@@ -33,9 +33,9 @@
 ]
 }
                    -

                    A policy is comprised of one or more statements. Each statement contains the following elements:

                    +

                    A policy consists of one or more statements. Each statement contains the following elements:

                    -
                    Table 1 Parameters for granting the permission to access a specified directory

                    Parameter

                    +
                    - - - - - - - diff --git a/docs/obs/perms-cfg/obs_40_0033.html b/docs/obs/perms-cfg/obs_40_0033.html index d01d6bc4..5da0d767 100644 --- a/docs/obs/perms-cfg/obs_40_0033.html +++ b/docs/obs/perms-cfg/obs_40_0033.html @@ -1,6 +1,6 @@ -

                    Granting Anonymous Users Public Read Permissions on Certain Objects

                    +

                    Granting Anonymous Users the Read Permission for Certain Objects

                    Scenario

                    Enterprise A stores a large volume of map data in OBS, and offers the data for public query. This enterprise sets a read permission for anonymous users, and provides the data URLs on the Internet. Then all users can read or download the data through the URLs.

                    Procedure

                    1. In the navigation pane of OBS Console, choose Object Storage.
                    2. In the bucket list, click the bucket to be operated. The Overview page of the bucket is displayed.
                    3. In the navigation pane, click Objects.
                    4. Click the name of the object to be operated.
                    5. On the Object ACL tab page, click the target object and click Object ACL.
                    6. In Public Permissions > Anonymous User, click Edit and select the object read permission for anonymous users.

                      Figure 1 Granting the public read permission on objects to anonymous users
                      diff --git a/docs/obs/perms-cfg/obs_40_0034.html b/docs/obs/perms-cfg/obs_40_0034.html index 7ee68f0b..23a4190a 100644 --- a/docs/obs/perms-cfg/obs_40_0034.html +++ b/docs/obs/perms-cfg/obs_40_0034.html @@ -3,9 +3,9 @@

                      Temporarily Sharing Objects with Anonymous Users

                      Scenario

                      If you want to open an object to all users for a limited period of time, you can use the object sharing function.

                      -

                      Procedure for Sharing a File

                      1. In the navigation pane of OBS Console, choose Object Storage.
                      2. In the bucket list, click the bucket name you want to go to the Overview page.
                      3. In the navigation pane, click Objects.
                      4. Locate the file to be shared and click Share in the Operation column.

                        Once the Share File dialog box is opened, the URL is effective and valid for five minutes by default. If you change the validity period, the authentication information in the URL changes accordingly, and the URL's new validity period starts upon the change.

                        -

                      5. Perform URL related operations.

                        • Click Open URL to preview the file on a new page or directly download it to your default download path.
                        • Click Copy Link to share the link to other users, so that they can enter the link to a web browser to access the file.
                        • Click Copy Path to share the file path to users who have access permissions to the bucket. Then the users can search for the file by pasting the path to the search box of the bucket.
                        -

                        Within the validity period of a URL, any user who has the URL can access the file.

                        +

                        Procedure for Sharing a File

                        1. In the navigation pane of OBS Console, choose Object Storage.
                        2. In the bucket list, click the bucket name you want to go to the Objects page.
                        3. Select the file to be shared and click Share in the Operation column.

                          Once the Share File dialog box is opened, the URL is effective and valid for five minutes by default. If you change the validity period, the authentication information in the URL changes accordingly, and the URL's new validity period starts upon the change.

                          +

                        4. Perform URL related operations.

                          • Click Open in Browser to preview the file on a new page or directly download it to your default download path.
                          • Click Copy Link to share the link to other users, so that they can enter the link to a web browser to access the file.
                          • Click Copy Path to share the file path to users who have access permissions to the bucket. Then the users can search for the file by pasting the path to the search box of the bucket.
                          +

                          Within the URL validity period, anyone who has the URL can access the file.

                        diff --git a/docs/obs/perms-cfg/obs_40_0036.html b/docs/obs/perms-cfg/obs_40_0036.html index efc81215..fdc384db 100644 --- a/docs/obs/perms-cfg/obs_40_0036.html +++ b/docs/obs/perms-cfg/obs_40_0036.html @@ -1,11 +1,11 @@ -

                        Preventing Specific IP Addresses from Accessing a Bucket

                        +

                        Restricting Access to a Bucket for Specific IP Addresses

                        Scenario

                        This case describes how to restrict the source IP addresses that can access an OBS bucket. The following shows how to deny a client access whose source IP address is within the range of 114.115.1.0/24.

                        Recommended Configuration

                        Bucket policy

                        -

                        Procedure

                        1. In the navigation pane of OBS Console, choose Object Storage.
                        2. In the bucket list, click the bucket name you want to go to the Overview page.
                        3. In the navigation pane, choose Permissions.
                        4. On the Bucket Policies page, click Create Bucket Policy under Custom Bucket Policies.
                        5. Configure parameters for a bucket policy.

                          Figure 1 Configuring parameters for a bucket policy
                          +

                          Procedure

                          1. In the navigation pane of OBS Console, choose Object Storage.
                          2. In the bucket list, click the bucket name you want to go to the Overview page.
                          3. In the navigation pane, choose Permissions.
                          4. On the Bucket Policies page, click Create Bucket Policy under Custom Bucket Policies.
                          5. Configure a bucket policy.

                            Figure 1 Configuring a bucket policy
                    Table 1 Parameters for granting the permission to access a specified directory

                    Parameter

                    Value

                    +

                    Value

                    Policy Mode

                    +

                    Policy Mode

                    Select Read-only.

                    +

                    Select Read-only.

                    Principal

                    +

                    Principal

                    • Choose Include > Cloud service user.
                    • Account ID: Enter * to indicate all anonymous users.
                    +
                    • Choose Include > Cloud service user.
                    • Account ID: Enter * to indicate all anonymous users.

                    Resources

                    +

                    Resources

                    • Include
                    • Select Specific resources.
                    • Set this parameter to all objects in the selected folder. If the folder name is folder-001, enter the value folder-001/*.
                    +
                    • Include
                    • Select Specific resources.
                    • Set this parameter to all objects in the selected folder. If the folder name is folder-001, enter the value folder-001/*.
                    @@ -40,7 +40,7 @@ - @@ -50,16 +50,16 @@

                    If you want to allow clients whose IP addresses are outside the configured range to access your bucket, grant access permissions to anonymous users by referring to Granting Permissions to Anonymous Users.

                    -

                  6. Click OK. The bucket policy is created.
                    7. +

                  7. Click OK.
                    8. -

                    Verification

                    Initiate an access request from an IP address within the range of 114.115.1.0/24. The access is denied. Initiate an access request from an IP address outside the range of 114.115.1.0/24. The access is allowed.

                    +

                    Verification

                    Initiate an access request from an IP address within 114.115.1.0/24. The access is denied. Initiate an access request from an IP address outside 114.115.1.0/24. The access is allowed.

                    -

                    Scenario

                    To allow only a specified IP address to access the OBS bucket, set Condition Operator to NotIpAddress and specify the allowed IP address as the Value.

                    +

                    Related Scenarios

                    • To allow only a specified IP address to access the OBS bucket, set Condition Operator to NotIpAddress and specify the allowed IP address as the Value.
                    diff --git a/docs/obs/perms-cfg/obs_40_0037.html b/docs/obs/perms-cfg/obs_40_0037.html index 08b4ea34..bdb584a9 100644 --- a/docs/obs/perms-cfg/obs_40_0037.html +++ b/docs/obs/perms-cfg/obs_40_0037.html @@ -1,10 +1,10 @@

                    Granting Temporary Access to OBS

                    -

                    Scenario

                    This case describes how to use temporary access keys (temporary AK/SK and security token) to access OBS in temporary authorization mode.

                    +

                    Scenario

                    This case describes how to use temporary access keys (temporary AK/SK and security token) to access OBS.

                    Assume that you want to enable an IAM user (user name: APPServer) to access the APPClient folder in bucket hi-company and apply for two different temporary access keys to distribute to APP-1 and APP-2. APP-1 can only access files in APPClient/APP-1. APP-2 can access only the files in APPClient/APP-2.

                    -

                    Procedure

                    1. Log in to the management console using a cloud service account.
                    2. On the top menu bar, choose Service List > Management & Deployment > Identity and Access Management. The IAM console is displayed.
                    3. Create an IAM user APPServer. For details, see Creating a User.
                    4. Create a user-defined policy that allows access to the AppClient folder in bucket hi-company.

                      1. In the navigation pane, choose Permissions.
                      2. Configure parameters for a custom policy.

                        Before configuring an IAM policy, you need to understand what permissions are required. An IAM user only has the permissions defined by the policy. In this example, user APPServer only has full permissions on objects in the APPClient folder.

                        +

                        Procedure

                        1. Log in to the management console using a cloud service account.
                        2. On the top menu bar, choose Service List > Management & Deployment > Identity and Access Management.
                        3. Create an IAM user APPServer. For details, see Creating an IAM User.
                        4. Create a user-defined policy that allows access to the AppClient folder in bucket hi-company.

                          1. In the navigation pane, choose Permissions.
                          2. Configure parameters for a custom policy.

                            Before configuring an IAM policy, you need to understand what permissions are required. An IAM user only has the permissions defined by the policy. In this example, user APPServer only has full permissions on objects in the APPClient folder.

                            Figure 1 Configuring a custom policy
                            @@ -16,12 +16,12 @@
                    - -
                    Table 1 Parameters for creating a bucket policy

                    Parameter

                    Conditions

                    • Conditional Operator: IpAddress
                    • Key: Select SourceIp.
                    • Value: Set it to 114.115.1.0/24.
                      NOTE:

                      Use commas (,) to separate multiple IP addresses.

                      +
                    • Conditional Operator: IpAddress
                    • Key: Select SourceIp.
                    • Value: Enter 114.115.1.0/24.
                      NOTE:

                      Use commas (,) to separate multiple IP addresses.

                    Policy Name

                    Name of the custom policy

                    +

                    Enter a policy name.

                    Policy View

                    Set this parameter based on your own habits. JSON is used here.

                    +

                    Select one based on your own habits. JSON is used here.

                    Policy Content

                    @@ -50,11 +50,11 @@
                    -
                  8. Click OK. The custom policy is created.
                    9. -

                  9. Create a user group and assign permissions.

                    Add the created custom policy to the user group by following the instructions in the IAM document.

                    -

                  10. Add the IAM user (APPServer) you want to authorize to the created user group by referring to Creating a User and Adding the User to a User Group.

                    Due to data caching, it takes about 10 to 15 minutes for a custom policy to take effect after the authorization.

                    +
                  11. Click OK.
                    12. +

                  12. Create a user group and assign permissions.

                    Apply the created custom policy to the user group by following the instructions in the IAM document.

                    +

                  13. Add the IAM user (APPServer) to the created user group.

                    Due to data caching, it takes about 10 to 15 minutes for a custom policy to take effect.

                    -

                  14. The IAM user (APPServer) obtains temporary access keys (temporary access keys and security token) for APP-1 and APP-2.

                    To obtain temporary access keys with different permissions, you need to set a temporary policy by adding the policy parameter in the request body. For details, see Obtaining a Temporary AK/SK.

                    +

                  15. The IAM user (APPServer) obtains temporary access keys (temporary access keys and security token) for APP-1 and APP-2.

                    To obtain temporary access keys with different permissions, you need to set a temporary policy by adding the policy parameter in the request body. For details, see Obtaining a Temporary AK/SK.

                    The following is a sample request for obtaining a pair of temporary access keys. The temporary policy parameters are displayed in bold.

                    A sample request for obtaining a pair of temporary access keys for the device app APP-1:

                    {
@@ -119,7 +119,7 @@
 
 
 
diff --git a/docs/obs/perms-cfg/obs_40_0039.html b/docs/obs/perms-cfg/obs_40_0039.html
index 1cdc93a8..870f6a61 100644
--- a/docs/obs/perms-cfg/obs_40_0039.html
+++ b/docs/obs/perms-cfg/obs_40_0039.html
@@ -8,17 +8,23 @@

                    16. 2023-02-16

                    +

                    2024-07-23

                    This is the second official release.

                    +

                    This issue is the third official release.

                    +

                    This issue incorporates the following changes:

                    + +

                    2023-02-16

                    +

                    This issue is the second official release.

                    This issue incorporates the following changes:

                    -

                    Updated the application scenario of access control with IAM permissions.

                    -

                    Updated the GUI screenshots and parameter descriptions about bucket policy creation.

                    +
                    • Updated the application scenario of access control with IAM permissions.
                    • Updated the GUI screenshots and parameter descriptions about bucket policy creation.

                    2022-10-27

                    This is the first official release.

                    +

                    This issue is the first official release.
                    Table 1 Statement elements

                    Element

                    +
                    @@ -45,63 +45,63 @@ - - - - - - - - - @@ -109,16 +109,16 @@
                    Table 1 Elements of a bucket policy statement

                    Element

                    Description

                    Sid

                    ID of a statement. The value is a string that describes the statement.

                    +

                    ID of the statement. The value is a string that describes the statement.

                    Optional

                    Principal

                    Domains and users to which a statement applies. The wildcard (*) is supported, indicating all users. When permissions are authorized to all users under a domain, the format of Principal is domain/domainid:user/*. When permissions are authorized to a specific user under a domain, the format of Principal is domain/domainid:user/userId or domain/domainid:user/userName.

                    +

                    Domains and users that a statement applies to. The value can be a wildcard (*), indicating all users. To grant permissions to all users in a domain, set Principal to domain/domainid:user/*. To grant permissions to a specific user in a domain, set Principal to domain/domainid:user/userId or domain/domainid:user/userName.

                    Optional. Select either Principal or NotPrincipal.

                    NotPrincipal

                    An exception to a list of principals in the statement. You can deny access to all principals except the ones named in the NotPrincipal element. This parameter has the same value format as Principal.

                    +

                    Users that the statement does not apply to. Its value has the same format as Principal.

                    Optional. Select either NotPrincipal or Principal.

                    Action

                    Actions which a statement applies to. This parameter specifies a set of all the operations supported by OBS. Its values are case insensitive. The value supports a wildcard character (*) that indicates all actions, for example, "Action":["List*", "Get*"].

                    +

                    Actions that the statement applies to. This parameter specifies a set of all the operations supported by OBS. Its values are case insensitive. The value can be a wildcard character (*) that indicates all operations. For example: "Action":["List*","Get*"].

                    Optional. Select either Action or NotAction.

                    NotAction

                    An exception to a list of actions in the statement. All actions are performed except the ones specified in NotAction. This parameter has the same value format as Action.

                    +

                    Actions that are not controlled by this statement. Its value has the same format as Action.

                    Optional. Select either Action or NotAction.

                    Effect

                    Whether the permission in a statement is allowed or denied. The value is Allow or Deny.

                    +

                    Whether the permission in a statement is Allow or Deny.

                    Mandatory

                    Resource

                    Resources on which the statement takes effect. The wildcard (*) is supported, indicating all resources.

                    +

                    Resources that the statement will apply to. You can use a wildcard (*) to indicate all resources.

                    Optional. Select either Resource or NotResource.

                    NotResource

                    An exception to a list of resources in a statement. A policy is not applied to the resources specified in NotResource. This parameter has the same value format as Resource.

                    +

                    Resources that the statement will not apply to. Its value has the same format as Resource.

                    Optional. Select either Resource or NotResource.

                    Condition

                    Conditions for a statement to take effect.

                    +

                    Conditions for the statement to take effect.

                    Optional
                    -

                    A statement must contain either Action or NotAction, either Resource or NotResource, and either Principal or NotPrincipal.

                    +

                    A statement must contain Action or NotAction, Resource or NotResource, and Principal or NotPrincipal.

                    -

                    Principal/NotPrincipal

                    Principal or NotPrincipal supported by OBS includes anonymous users, specific tenants, specific users, federated users, and agencies.

                    +

                    Principal/NotPrincipal

                    Principal or NotPrincipal can be anonymous users, specific tenants, specific users, federated users, or agencies.

                    • All (anonymous users)
                      "Principal": {"ID": "*"}
                      -

                      In the example, the wildcard (*) is used as a placeholder for Everyone/Anonymous. We strongly recommend that you do not use wildcards in the Principal element of the role's trust policy unless you have restricted access by using the Condition element in the policy.

                      +

                      In the example, the wildcard (*) indicates Everyone/Anonymous. Do not use the wildcard for Principal of the role's trust policy unless you have restricted access by using the Condition element in the policy.

                    -
                    • Specific tenants

                      If the tenant identifier is used as the authorizer in the policy, permissions in the policy statement can be granted to all roles, including all the users, contained in this tenant. The following example demonstrates how to specify a tenant as an authorizer.

                      +
                      • Specific tenants

                        If a tenant identifier is used as the Principal of a policy, permissions are granted to all users of this tenant. This includes all subscribers under the account. The following example demonstrates how to specify an account as an authorized person.

                        "Principal": { "ID": " domain/domainIdxxxx:user/*" }
                        -

                        You can grant permissions to multiple tenants, as described in the following example:

                        +

                        You can also grant permissions to multiple tenants at a time:

                        "Principal": { 
   "ID": [
     "domain/domainIDxx1:user/useridxxxx",
@@ -126,7 +126,7 @@
   ]
 }
                      -
                      • Specific users

                        In the Principal element, user names are case sensitive.

                        +
                        • Specific users

                          User names in the Principal element are case-sensitive.

                          "Principal": {"ID": "domain/domainIDxxx:user/user-name" }
 "Principal": {
   "ID": [
@@ -141,25 +141,25 @@
 "Principal": { "ID": "domain/domainIDxxx:agency/*" }
                    -

                    The principals on OBS Console refer to the users which the bucket policies apply to. These users can be accounts, federated users or federated user groups, and IAM users. You can specify principals in either of the following ways:

                    -
                    • Include: Specifies the users to whom the bucket policy applies.
                    • Exclude: Specifies that to all users except the specified ones the bucket policy applies.
                    +

                    The principals on OBS Console refer to the users that the bucket policies apply to. These users can be accounts, federated users or federated user groups, or IAM users. You can specify the principals to include or exclude.

                    +
                    • Include: The policy applies to specified users.
                    • Exclude: The policy applies to users except the specified ones.

                    Specifying IAM users under the current account

                    -

                    With Principal set to Current account, you can select one or more IAM users under this account, so the bucket policy applies to the selected IAM users.

                    +

                    You can set Principal to Current account and select one or more IAM users under this account, so that the bucket policy applies to the selected IAM users.

                    Specifying another account

                    -

                    With Principal set to Other account, you can enter an account ID. If you want to grant access only to IAM users under the account, you need to enter user IDs, and use commas (,) to separate one user ID from another.

                    -

                    To obtain the account ID and user ID, log in to the console as an IAM user and go to the My Credentials page.

                    +

                    You can set Principal to Other account, enter an account ID, and then enter one or more user IDs to apply the bucket policy to only the IAM users under that account. You need to use commas (,) to separate user IDs.

                    +

                    To obtain the account ID and user ID, log in to the console as an IAM user and go to the My Credentials page to obtain them.

                    -

                    Specifying anonymous users

                    -

                    To grant the bucket access to anyone, set Principal to Other account and enter a wildcard (*) as the account ID.

                    -

                    Exercise caution when granting bucket access permissions to anonymous users. If you grant the access permissions to anonymous users, anyone can access your bucket. You are advised to set restrictions on access requests. For example, you can allow the access requests from only one IP address.

                    +

                    Specifying anonymous users

                    +

                    To grant access to anyone, set Principal to Other account and enter a wildcard (*) as the account ID.

                    +

                    Exercise caution when granting permissions to anonymous users. If you grant the permissions to anonymous users, anyone can access your bucket. You are advised to restrict access requests. For example, you can allow access only from a specific IP address.

                    -

                    Action/NotAction

                    If a policy applies to a bucket, configure bucket-related actions; if the policy applies to the objects in a bucket, configure object-related actions.

                    +

                    Action/NotAction

                    If a policy applies to a bucket, configure bucket-related actions. If the policy applies to the objects in a bucket, configure object-related actions.

                    Actions can be specified in either of the following ways:

                    -
                    • Include: Specifies the actions on which the bucket policy takes effect.
                    • Exclude: Specifies that on all actions except the specified ones the bucket policy takes effect.
                    +
                    • Include: The bucket policy applies to specified actions.
                    • Exclude: The bucket policy applies to actions except the specified ones.

                    Bucket Actions

                    -
                    Table 2 Action description

                    Type

                    +
                    @@ -171,22 +171,22 @@ - - - - - - - - - - - -
                    Table 2 Description of bucket-related actions

                    Type

                    Value

                    *

                    Indicates that all operations can be performed on a resource.

                    +

                    Indicates all actions on a bucket.

                    Get*

                    Indicates that all GET operations can be performed on a resource.

                    +

                    Indicates all GET actions on a bucket.

                    Put*

                    Indicates that all PUT operations can be performed on a resource.

                    +

                    Indicates all PUT actions on a bucket.

                    List*

                    Indicates that all LIST operations can be performed on a resource.

                    +

                    Indicates all LIST actions on a bucket.

                    Bucket

                    @@ -203,7 +203,7 @@

                    ListBucket

                    Lists objects in a bucket, and gets the bucket metadata.

                    +

                    Lists objects in a bucket, and obtains the bucket metadata.

                    ListBucketVersions

                    @@ -218,12 +218,12 @@

                    GetBucketAcl

                    Gets the bucket ACL information.

                    +

                    Gets the ACL information of a bucket.

                    PutBucketAcl

                    Configures a bucket ACL.

                    +

                    Configures ACL for a bucket.

                    GetBucketCORS

                    @@ -238,7 +238,7 @@

                    GetBucketVersioning

                    Gets the bucket versioning information.

                    +

                    Gets the versioning information of a bucket.

                    PutBucketVersioning

                    @@ -248,12 +248,12 @@

                    GetBucketLocation

                    Gets the bucket location.

                    +

                    Gets the location of a bucket.

                    GetBucketLogging

                    Gets the bucket logging information.

                    +

                    Gets the logs of a bucket.

                    PutBucketLogging

                    @@ -263,7 +263,7 @@

                    GetBucketWebsite

                    Obtains the static website configuration information of a bucket.

                    +

                    Obtains the static website configuration of a bucket.

                    PutBucketWebsite

                    @@ -273,7 +273,7 @@

                    DeleteBucketWebsite

                    Cancels the static website hosting of a bucket.

                    +

                    Cancels static website hosting for a bucket.

                    GetLifecycleConfiguration

                    @@ -291,7 +291,7 @@

                    Object Actions

                    -
                    Table 3 Action description

                    Type

                    +
                    @@ -303,22 +303,22 @@ - - - - - - -
                    Table 3 Description of object-related actions

                    Type

                    Value

                    *

                    Indicates that all operations can be performed on a resource.

                    +

                    Indicates all actions on an object.

                    Get*

                    Indicates that all GET operations can be performed on a resource.

                    +

                    Indicates all GET actions on an object.

                    Put*

                    Indicates that all PUT operations can be performed on a resource.

                    +

                    Indicates all PUT actions on an object.

                    List*

                    Indicates that all LIST operations can be performed on a resource.

                    +

                    Indicates all LIST actions on an object.

                    Object

                    @@ -340,7 +340,7 @@

                    GetObjectAcl

                    Gets the object ACL information.

                    +

                    Gets the ACL information of an object.

                    GetObjectVersionAcl

                    @@ -350,12 +350,12 @@

                    PutObjectAcl

                    Configures the ACL for an object.

                    +

                    Configures ACL for an object.

                    PutObjectVersionAcl

                    Configures the ACL for a specified object version.

                    +

                    Configures ACL for a specified object version.

                    DeleteObject

                    @@ -383,8 +383,8 @@

                    Resource/NotResource

                    The resources supported by OBS are as follows:

                    -
                    • bucketname (bucket operation): The Action drop-down list box contains the list of supported bucket actions. If you want to perform the listed operations on the bucket, set Resource to the bucket name.
                    • bucketname/objectname (object operation): The Action drop-down list box contains the list of supported object actions. If you want to respond to an object in a bucket, set Resource to bucketname/objectname. objectname supports wildcards. For example, if you have permissions on the directory object in a bucket, set Resource to "bucketname/directory/*". If you have permissions on all the objects in a bucket, set Resource to "bucketname/*". If permissions for both a bucket and its objects need to be granted, set Resource to ["examplebucket/*","examplebucket"].
                    -

                    The following example policy grants all operation permissions on examplebucket (including the bucket and its objects) to user1 whose user ID is 71f3901173514e6988115ea2c26d1999 under account b4bf1b36d9ca43d984fbcb9491b6fce9 (account ID).

                    +
                    • bucketname: The Action drop-down list box lists all actions allowed on a bucket. To allow an action on a bucket, set Resource to the bucket name.
                    • bucketname/objectname: The Action drop-down list box lists all actions allowed on an object. To allow an action on an object in a bucket, set Resource to bucketname/objectname. You can use a wildcard for objectname to allow an action on all objects in the bucket. For example, if you want to allow an action on all objects in a directory of a bucket, set Resource to "bucketname/directory/*". If you have permissions on all the objects in a bucket, set Resource to "bucketname/*". If you want to allow an action on both a bucket and its objects, set Resource to ["examplebucket/*","examplebucket"].
                    +

                    The following example policy grants the permissions to allow user1 with the ID of 71f3901173514e6988115ea2c26d1999 under account b4bf1b36d9ca43d984fbcb9491b6fce9 (account ID) to take all actions on the examplebucket bucket and all objects in it.

                    { 
     "Statement":[ 
     { 
@@ -396,25 +396,25 @@
     } 
   ] 
 }
                    -

                    On OBS Console, resources can be a bucket or objects in the bucket.

                    -

                    Resources can be specified in either of the following ways:

                    -
                    • Include: Specifies the OBS resources on which the bucket policy takes effect.
                    • Exclude: Specifies that on all OBS resources except the specified ones the bucket policy takes effect.
                    -

                    Specifying the bucket as the resource

                    -

                    To specify the current bucket as the resource, keep the resource text box empty. When configuring actions for the policy, select bucket related actions.

                    -

                    Specifying objects as the resources

                    -

                    When objects in a bucket are specified as the resources, configure object-related actions in the bucket policy. The following are examples of how to specify objects as resources.

                    -
                    • For an object, enter the object name (including its folder name if any). For example, if the specified resource is the example.jpg file in the imgs-folder folder in the bucket, enter the following content in the resource text box:

                      imgs-folder/example.jpg

                      -
                    • For an object set, the wildcard asterisk (*) should be used. The asterisk (*) indicates an empty string or any combination of multiple characters. The format rules are as follows:
                      • Use only one asterisk (*) to indicate all objects in a bucket.
                      • Use Object name prefix* to indicate objects starting with this prefix in a bucket. Example:

                        imgs*

                        +

                        On OBS Console, you can apply a bucket policy to the following resources: the current bucket, and all objects in a bucket.

                        +

                        You can specify the resources to include or exclude:

                        +
                        • Include: The bucket policy applies to specified OBS resources.
                        • Exclude: The bucket policy applies to OBS resources except the specified ones.
                        +

                        Applying a bucket policy to a bucket

                        +

                        To apply a bucket policy to the current bucket, keep the resource text box empty. When configuring actions for the policy, select bucket related actions.

                        +

                        Applying a bucket policy to specified objects

                        +

                        To apply a bucket policy to specified objects in a bucket, object-related actions must be configured in the policy.

                        +
                        • For an object, enter the object name (including its folder name if any). For example, if the resource is the example.jpg file in the imgs-folder folder in the bucket, enter the following in the resource text box:

                          imgs-folder/example.jpg

                          +
                        • For an object set, use the wildcard asterisk (*). The asterisk (*) indicates an empty string or any combination of characters.
                          • Use only one asterisk (*) to indicate all objects in a bucket.
                          • Use Object name prefix* to indicate objects with this prefix in a bucket. Example:

                            imgs*

                          -
                          • Use *Object name suffix to indicate objects ending with this suffix in a bucket. Example:

                            *.jpg

                            +
                            • Use *Object name suffix to indicate objects with this suffix in a bucket. Example:

                              *.jpg

                          Use commas (,) to separate one object (or object set) from another.

                          -

                          Condition

                          In addition to the effect, principal, resources, and actions, you can also specify the conditions under which a bucket policy takes effect. The bucket policy takes effect only when its condition expressions match values contained in the request. Conditions are optional. You can choose whether to configure them.

                          -

                          For example, if account A needs to have full control over an object uploaded by account B to bucket example of account A, the x-obs-acl key must be specified in the upload request and the policy effect must be set to Allow for account A. The complete condition expression is as follows:

                          +

                          Condition

                          In addition to the effect, principals, resources, and actions, you can also specify the conditions for a bucket policy to take effect. The bucket policy is applied only when its condition expressions match the values contained in the request. Conditions are optional. You can choose whether to configure them.

                          +

                          For example, if account A needs to have full control over an object uploaded by account B to bucket example of account A, the x-obs-acl key must be specified in the upload request and the policy effect must be set to Allow for account A. The complete condition expression is as follows:

                          -

                          Conditional Operator

                          +
                          @@ -432,22 +432,23 @@

                          Condition Operator

                          Key
                          -

                          A condition consists of three parts: conditional operator, key, and value. If there are multiple identical keys in the same conditional operator, only the last key is retained. Conditional operators and keys are mutually restricted:

                          -
                          • If you select a conditional operator of the string type, for example, StringEquals, the key can only be of the string type, for example, UserAgent.
                          • Likewise, if a key of the date type is selected, for example, CurrentTime, the conditional operator can only be of the date type, for example, DateEquals.
                          -

                          Table 4 lists the general condition types that you can specify.

                          +

                          A condition consists of condition operator, key, and value. If there are multiple identical keys in the same condition operator, only the last key is retained. Condition operators and keys are correlated. If you select a string type, for example, StringEquals, for a condition operator, the key can only be a string type, for example, UserAgent. Likewise, if you select a key of the date type, for example, CurrentTime, the condition operator can only be a date type, for example, DateEquals.

                          +
                          • Condition operators

                            A condition operator, a condition key, and a condition value together constitute a complete condition statement. A policy can be applied only when its request conditions are met. Table 4 lists the condition operators available for statements. String condition operators are not case-sensitive unless otherwise specified.

                            +

                            +
                          -
                          Table 4 Conditional operators

                          Type

                          +
                          - - - @@ -477,17 +478,17 @@ - - - - - - - - - - - - - - - - - - @@ -578,57 +579,60 @@ "SourceIp" : ["192.168.176.0/24","192.168.143.0/24"] } } -

                          Keys in a condition can be classified into three types: general keys, keys related to bucket actions, and keys related to object actions.

                          +
                          • Condition keys
                          +

                          Keys in a condition can be classified into general keys, keys related to actions on buckets, and keys related to actions on objects.

                          The following table lists the keys that are not related to actions.

                          -
                          Table 4 Condition operators

                          Type

                          Element

                          +

                          Element

                          Description

                          String

                          +

                          String

                          StringEquals

                          +

                          StringEquals

                          Strict matching. Short version: streq

                          Negated loose case-sensitive matching. The values can include a multi-character match wildcard (*) or a single-character match wildcard (?) anywhere in the string. Short version: strnl

                          Numeric

                          +

                          Numeric

                          NumericEquals

                          +

                          NumericEquals

                          Strict matching. Short version: numeq

                          +

                          Matching. Short version: numeq

                          Numeric indicates a data type expressed in numbers.

                          NumericNotEquals

                          Strict negated matching. Short version: numneq

                          +

                          Negated matching. Short version: numneq

                          NumericLessThan

                          @@ -510,55 +511,55 @@

                          "Greater than or equals" matching. Short version: numgteq

                          Date

                          +

                          Date

                          DateEquals

                          +

                          DateEquals

                          Strict matching. Short version: dateeq

                          +

                          Matching a specific date. Short version: dateeq

                          DateNotEquals

                          Strict negated matching. Short version: dateneq

                          +

                          Negated matching. Short version: dateneq

                          DateLessThan

                          Indicates that the date is earlier than a specific date. Short version: datelt

                          +

                          The date is earlier than a specific date. Short version: datelt

                          DateLessThanEquals

                          Indicates that the date is earlier than or equal to a specific date. Short version: datelteq

                          +

                          The date is earlier than or equal to a specific date. Short version: datelteq

                          DateGreaterThan

                          Indicates that the date is later than a specific date. Short version: dategt

                          +

                          The date is later than a specific date. Short version: dategt

                          DateGreaterThanEquals

                          Indicates that the date is later than or equal to a specific date. Short version: dategteq

                          +

                          The date is later than or equal to a specific date. Short version: dategteq

                          Boolean

                          +

                          Boolean

                          Bool

                          +

                          Bool

                          Strict Boolean matching

                          IP address

                          +

                          IP address

                          IpAddress

                          +

                          IpAddress

                          Specified IP address or IP address range

                          +

                          Specified IP address or range

                          NotIpAddress

                          All IP addresses excluding the specified IP address or IP address range

                          +

                          All IP addresses excluding the specified IP address or range
                          Table 5 General keys

                          Key

                          +
                          - - - - - - - - - - - - - - - - - - - - @@ -636,172 +640,172 @@

                          Keys in a condition must be used in certain actions. The following table lists the mapping between actions and the keys in a condition.

                          -
                          Table 5 General keys

                          Key

                          Type

                          +

                          Type

                          Description

                          +

                          Description

                          CurrentTime

                          +

                          CurrentTime

                          Date

                          +

                          Date

                          Indicates the date when the request is received by the server. The date format must comply with ISO 8601.

                          +

                          Date when the request is received by the server. The date format must comply with ISO 8601.

                          EpochTime

                          +

                          EpochTime

                          Numeric

                          +

                          Numeric

                          Indicates the time when the request is received by the server, which is expressed as seconds since 1970.01.01 00:00:00 UTC, regardless of the leap seconds.

                          +

                          Time when the request is received by the server, which is expressed as seconds since 1970.01.01 00:00:00 UTC, regardless of the leap seconds

                          SecureTransport

                          +

                          SecureTransport

                          Bool

                          +

                          Bool

                          Indicates whether requests are encrypted using SSL.

                          +

                          Whether the request is encrypted using SSL

                          +
                          NOTE:

                          The value can be either true or false. Any other values you enter will become false by default.

                          +

                          SourceIp

                          +

                          SourceIp

                          IP address

                          +

                          IP address

                          Source IP address from which the request is sent

                          +

                          Source (client) IP address of the request

                          UserAgent

                          +

                          UserAgent

                          String

                          +

                          String

                          Requested client software agent

                          +

                          Requested client software agent

                          Referer

                          +

                          Referer

                          String

                          +

                          String

                          Indicates the link from which the request is sent.

                          +

                          Link from which the request is sent
                          Table 6 Keys related to bucket actions

                          Action

                          +
                          - - - - - - - - - - - - - - - - - - - - - -
                          Table 6 Keys related to bucket actions

                          Action

                          Optional Key

                          +

                          Optional Key

                          Description

                          +

                          Description

                          Remarks

                          +

                          Remarks

                          ListBucket

                          +

                          ListBucket

                          prefix

                          +

                          prefix

                          Type: String. Lists objects that begin with the specified prefix.

                          +

                          Type: String. Lists objects with the specified prefix.

                          If prefix, delimiter, and max-keys are configured, the key-value pair meeting the conditions must be specified in the List operation for the bucket policy to take effect.

                          -

                          For example, if a bucket policy (with the conditional operator set to NumericEquals, the key to max-keys, and the value to 100) that allows anonymous users to read data is configured for a bucket, the anonymous users must add ?max-keys=100 to the end of the bucket domain name for listing objects. The listed objects are the first 100 objects in alphabetic order.

                          +

                          If prefix, delimiter, and max-keys are configured for a bucket policy, the List requests must contain the matched key-value pair.

                          +

                          For example, if a bucket policy (with the condition operator set to NumericEquals, the key to max-keys, and the value to 100) is configured to allow anonymous users to read data from a bucket, the List requests from the anonymous users must have ?max-keys=100 at the end of the bucket domain name. The listed objects are the first 100 objects in alphabetic order.

                          delimiter

                          +

                          delimiter

                          Type: String. Groups objects in a bucket.

                          +

                          Type: String. Groups objects in a bucket.

                          max-keys

                          +

                          max-keys

                          Type: Numeric. Sets the maximum number of objects. Returned objects are listed in alphabetic order.

                          +

                          Type: Numeric. Sets the maximum number of objects. Returned objects are listed in alphabetic order.

                          ListBucketVersions

                          +

                          ListBucketVersions

                          prefix

                          +

                          prefix

                          Type: String. Lists multi-version objects whose name starts with the specified prefix.

                          +

                          Type: String. Lists multi-version objects with the specified prefix.

                          delimiter

                          +

                          delimiter

                          Type: String. Groups objects of different versions in a bucket.

                          +

                          Type: String. Groups objects of different versions in a bucket.

                          max-keys

                          +

                          max-keys

                          Type: Numeric. Sets the maximum number of objects. Returned objects are listed in alphabetic order.

                          +

                          Type: Numeric. Sets the maximum number of objects. Returned objects are listed in alphabetic order.

                          PutBucketAcl

                          +

                          PutBucketAcl

                          x-obs-acl

                          +

                          x-obs-acl

                          Type: String. Configures the bucket ACL. When modifying a bucket ACL, you can use the request that contains a canned ACL setting in its header. Value options of a canned ACL setting: private|public-read|public-read-write|bucketowner-read|log-delivery-write.

                          +

                          Type: String. Configures the bucket ACL. When modifying a bucket ACL, you can use the request that contains a canned ACL setting in its header. Value options of a canned ACL setting: private|public-read|public-read-write|bucketowner-read|log-delivery-write.

                          None

                          +

                          None
                          -
                          Table 7 Keys related to object actions

                          Action

                          +
                          - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                          Table 7 Keys related to object actions

                          Action

                          Optional Key

                          +

                          Optional Key

                          Description

                          +

                          Description

                          PutObject

                          +

                          PutObject

                          x-obs-acl

                          +

                          x-obs-acl

                          Type: String. Configures the object ACL. When uploading an object, you can use the request that contains a canned ACL setting in its header. Value options of a canned ACL setting: private|public-read|public-read-write|bucketowner-read|bucket-owner-full-control|log-delivery-write.

                          +

                          Type: String. Configures the object ACL. When uploading an object, you can use the request that contains a canned ACL setting in its header. Value options of a canned ACL setting: private|public-read|public-read-write|bucketowner-read|bucket-owner-full-control|log-delivery-write.

                          x-obs-copy-source

                          +

                          x-obs-copy-source

                          Type: String. Specifies names of the source bucket and the source object. Format: /bucketname/keyname

                          +

                          Type: String. Specifies names of the source bucket and the source object. Format: /bucketname/keyname

                          x-obs-metadata-directive

                          +

                          x-obs-metadata-directive

                          Type: String. Specifies whether to copy the metadata from the source object or replace with the metadata in the request. The value can be COPY or REPLACE.

                          +

                          Type: String. Specifies whether to copy the metadata of the source object or replace with the metadata in the request. The value can be COPY or REPLACE.

                          x-obs-server-side-encryption

                          +

                          x-obs-server-side-encryption

                          Type: String. Specifies that objects in a bucket are encrypted using SSE-KMS before they are stored. The value is kms.

                          +

                          Type: String. Specifies that objects in a bucket are encrypted using SSE-KMS before they are stored. The value is kms.

                          PutObjectAcl

                          +

                          PutObjectAcl

                          x-obs-acl

                          +

                          x-obs-acl

                          Type: String. Configures the object ACL. When uploading an object, you can use the request that contains a canned ACL setting in its header. Value options of a canned ACL setting: private|public-read|public-read-write|bucketowner-read|bucket-owner-full-control|log-delivery-write.

                          +

                          Type: String. Configures the object ACL. When uploading an object, you can use the request that contains a canned ACL setting in its header. Value options of a canned ACL setting: private|public-read|public-read-write|bucketowner-read|bucket-owner-full-control|log-delivery-write.

                          GetObjectVersion

                          +

                          GetObjectVersion

                          versionId

                          +

                          versionId

                          Type: String. Obtains the object with the specified version ID.

                          +

                          Type: String. Obtains the object with the specified version ID.

                          GetObjectVersionAcl

                          +

                          GetObjectVersionAcl

                          versionId

                          +

                          versionId

                          Type: String. Obtains the ACL of the object with the specified version ID.

                          +

                          Type: String. Obtains the ACL of the object with the specified version ID.

                          PutObjectVersionAcl

                          +

                          PutObjectVersionAcl

                          versionId

                          +

                          versionId

                          Type: String. Specifies a version ID.

                          +

                          Type: String. Specifies a version ID.

                          x-obs-acl

                          +

                          x-obs-acl

                          Type: String. Configures the ACL of the object with the specified version ID. When uploading an object, you can use the request that contains a canned ACL setting in its header. Value options of a canned ACL setting: private|public-read|public-read-write|bucketowner-read|bucket-owner-full-control|log-delivery-write.

                          +

                          Type: String. Configures the ACL of the object with the specified version ID. When uploading an object, you can use the request that contains a canned ACL setting in its header. Value options of a canned ACL setting: private|public-read|public-read-write|bucketowner-read|bucket-owner-full-control|log-delivery-write.

                          DeleteObjectVersion

                          +

                          DeleteObjectVersion

                          versionId

                          +

                          versionId

                          Type: String. Deletes the object with the specified version ID.

                          +

                          Type: String. Deletes the object with the specified version ID.
                          -

                          Policy Permission Judgment Logic

                          A policy may pose any of the three results for each statement: Explicit Deny, Allow, and Default Deny. If a bucket policy contains multiple statements, the policy determines which statement prevails according to the following rules:

                          -

                          1. If conditions in any statement of a policy are not met, the policy poses a default deny result.

                          -

                          2. An explicit deny overrides an allow.

                          -

                          3. An allow overrides a default deny.

                          -

                          4. Statements can be in any order in a policy.

                          +

                          Policy Permission Judgment Logic

                          Each statement in a policy can have the action Explicit Deny, Allow, or Default Deny. If a bucket policy contains multiple statements with different actions, the final action is determined according to the following rules:

                          +

                          - If there are no Explicit Deny or Allow, Default Deny will apply.

                          +

                          - An explicit deny overrides an allow.

                          +

                          - An allow overrides a default deny.

                          +

                          - Statements can be in any order in a policy.

                          -
                          Table 8 Statement results

                          Result

                          +
                          - - - - - - -
                          Table 8 Statement results

                          Result

                          Description

                          +

                          Description

                          explicit deny

                          +

                          explicit deny

                          A statement defines effect="deny". All requests for resources to which the statement applies are denied. No permission is returned.

                          +

                          A statement defines effect="deny". All requests for resources to which the statement applies are denied. No permission is returned.

                          allow

                          +

                          allow

                          A statement defines effect="allow". All requests for resources to which the statement applies are allowed.

                          +

                          A statement defines effect="allow". All requests for resources to which the statement applies are allowed.

                          default deny

                          +

                          default deny

                          Conditions defined in a statement are not met. Requests are denied.

                          +

                          Conditions defined in a statement are not met. Requests are denied.
                          -

                          If an ACL and a bucket policy are applied together to an account, an explicit deny in the bucket policy overrides the allow in the ACL.

                          -

                          If a bucket policy and an IAM policy are applied together to an account, an explicit deny overrides the allow, and an allow overrides the default deny.

                          -

                          SSE-KMS server-side encrypted object does not support Bucket ACL/Policy for cross-tenant authorization.

                          +

                          If both an ACL and a bucket policy apply, an explicit deny in the bucket policy overrides the allow in the ACL.

                          +

                          If both a bucket policy and an IAM policy apply, an explicit deny overrides an allow, and an allow overrides the default deny.

                          +

                          Bucket ACL/Policy for cross-tenant authorization does not apply to SSE-KMS server-side encrypted objects.

                          diff --git a/docs/obs/perms-cfg/obs_40_0042.html b/docs/obs/perms-cfg/obs_40_0042.html index 9d22c789..b2cb6786 100644 --- a/docs/obs/perms-cfg/obs_40_0042.html +++ b/docs/obs/perms-cfg/obs_40_0042.html @@ -1,13 +1,12 @@

                          Appendix

                          -

                          -
                          +
                          diff --git a/docs/obs/perms-cfg/obs_40_0043.html b/docs/obs/perms-cfg/obs_40_0043.html index 36b56978..882a65bd 100644 --- a/docs/obs/perms-cfg/obs_40_0043.html +++ b/docs/obs/perms-cfg/obs_40_0043.html @@ -1,7 +1,7 @@ -

                          Relationship Between Bucket Policies and Bucket ACLs

                          -

                          Mapping Between Bucket ACLs and Bucket Policies

                          Bucket ACLs are used to control basic read and write access to buckets. Custom settings of bucket policies support more actions that can be performed on buckets. Bucket ACLs supplement bucket policies, and in many cases, can be replaced by bucket policies to manage access to buckets. Table 1 shows the mapping between bucket ACL access permissions and bucket policy actions.

                          +

                          Relationship Between Bucket ACLs and Bucket Policies

                          +

                          Mapping Between Bucket ACLs and Bucket Policies

                          Bucket ACLs control read and write permissions on buckets. Custom bucket policies can control more actions on buckets. Bucket ACLs are a supplement to bucket policies, but are usually replaced with bucket policies. Table 1 shows the mapping between bucket ACL permissions and actions in a custom bucket policy.

                          @@ -27,12 +27,12 @@ - - diff --git a/docs/obs/perms-cfg/obs_40_0044.html b/docs/obs/perms-cfg/obs_40_0044.html index 9cd0cbfb..ab346747 100644 --- a/docs/obs/perms-cfg/obs_40_0044.html +++ b/docs/obs/perms-cfg/obs_40_0044.html @@ -1,18 +1,18 @@ -

                          Granting IAM User Groups Specified Permissions on Certain OBS Folders

                          -

                          Scenario

                          This topic describes how to grant certain operation permissions on specific folders in an OBS bucket to multiple IAM users or user groups.

                          +

                          Granting IAM User Groups Specific Permissions on a Folder

                          +

                          Scenario

                          This topic describes how to grant specified permissions for a folder in an OBS bucket to multiple IAM users or user groups.

                          -

                          Recommended Configuration

                          IAM custom policies

                          +

                          Recommended Configuration

                          Use an IAM custom policy to configure the permissions.

                          -

                          Configuration Precautions

                          After the configuration is complete, you can perform allowed operations using APIs. However, if you log in to OBS Console or OBS Browser+ to perform those operations, an error is reported indicating that you do not have required permissions.

                          -

                          This is because when you log in to OBS Console or OBS Browser+, APIs (such as ListAllMyBuckets and ListBucket) are called to load the bucket list and object list and some other APIs will also be called on other pages, but your permissions do not cover those APIs. In such case, your access to OBS Console or OBS Browser+ is denied or your operation is not allowed.

                          -

                          To allow IAM users to operate buckets and objects on OBS Console or OBS Browser+, add at least the obs:bucket:ListAllMyBuckets and obs:bucket:ListBucket permissions to the custom policy. (In this case, these two permissions are configured in permission 2 and 3.)

                          +

                          Precautions

                          After configuration, IAM users can perform allowed operations using APIs. If they log in to OBS Console or OBS Browser+ to perform those operations, a message will be displayed indicating that they do not have required permissions.

                          +

                          This is because when they log in to OBS Console or OBS Browser+, APIs (such as ListAllMyBuckets and ListBucket) are called to load the bucket list and object list and some other APIs will also be called on other pages, but their permissions do not cover those APIs. In such case, the message is diplayed.

                          +

                          To allow IAM users to operate buckets and objects on OBS Console or OBS Browser+, add at least the obs:bucket:ListAllMyBuckets and obs:bucket:ListBucket permissions to the custom policy. (In this case, these two permissions are configured in permissions 2 and 3.)

                          obs:bucket:ListAllMyBuckets applies to all resources. You need to select all resources.

                          obs:bucket:ListBucket applies only to the authorized bucket. You can select all resources or a specified bucket as needed.

                          -

                          Procedure

                          1. Log in to the management console using a cloud service account.
                          2. On the top menu bar, choose Service List > Management & Deployment > Identity and Access Management. The IAM console is displayed.
                          3. In the navigation pane, choose Permissions.
                          4. Click Create Custom Policy in the upper right corner.
                          5. Configure parameters for a custom policy.

                            Figure 1 Configuring a custom policy
                            +

                            Procedure

                            1. Log in to the management console using a cloud service account.
                            2. On the top menu bar, choose Service List > Management & Deployment > Identity and Access Management.
                            3. In the navigation pane, choose Permissions.
                            4. Click Create Custom Policy in the upper right corner.
                            5. Configure a custom policy.

                              Figure 1 Configuring a custom policy
                          Table 1 Mapping between bucket ACLs and bucket policies

                          ACL Permission

                          Read

                          GetBucketAcl

                          +
                          • GetBucketAcl

                          Write

                          PutBucketAcl

                          +
                          • PutBucketAcl
                          @@ -22,12 +22,12 @@ - -
                          Table 1 Parameters for configuring a custom policy

                          Parameter

                          Policy Name

                          Name of the custom policy

                          +

                          Enter a policy name.

                          Policy View

                          Set this parameter based on your own habits. Visual editor is used here.

                          +

                          Select one based on your own habits. Visual editor is used here.

                          Policy Content

                          @@ -42,7 +42,7 @@

                          [Permission 2] It is mandatory when an authorized user needs to perform operations on OBS Console or OBS Browser+.

                          • Select Allow.
                          • Select Object Storage Service (OBS).
                          • Select obs:bucket:ListBucket from the actions.
                          • On the All tab, choose Specific > Specify resource path to specify a bucket.

                            [Path Format]

                            obs:*:*:bucket:Bucket name

                            -
                          • On the (Optional) Add request condition tab, click Add Request Condition.
                            • Condition key: Select obs:prefix from the drop-down list.
                            • Operator: Select StringStartWith from the drop-down list.
                            • Value: Folder name/
                            +
                          • On the (Optional) Add request condition tab, click Add Request Condition.
                            • Condition key: Select obs:prefix from the drop-down list.
                            • Operator: Select StringMatch from the drop-down list.
                            • Value: Folder name/

                            [Notes]

                            If you want a user to have only the permission to list a folder in the bucket, add a request condition for action obs:bucket:ListBucket. prefix is included in the request for listing objects in a bucket. In this way, when you specify prefix to list objects whose names start with Folder name/, the objects in the bucket can be listed.

                          @@ -58,16 +58,16 @@
                          -

                        • Click OK. The custom policy is created.
                        • Create a user group and assign permissions.

                          Add the created custom policy to the user group by following the instructions in the IAM document.

                          -

                        • Add the IAM user you want to authorize to the created user group by referring to Creating a User and Adding the User to a User Group.

                          Due to data caching, it takes about 10 to 15 minutes for a custom policy to take effect after the authorization.

                          +

                        • Click OK.
                        • Create a user group and assign permissions.

                          Apply the created custom policy to the user group by following the instructions in the IAM document.

                          +

                        • Add the IAM user you want to authorize to the created user group.

                          Due to data caching, it takes about 10 to 15 minutes for a custom policy to take effect.

                          • -

                          Verification

                          1. Log in to OBS Console as an IAM user.
                          2. In the bucket list, click bucket example-002 to go to the overview page.

                            After the configuration is complete, it is normal if the system still displays a message indicating that you do not have required permissions, because OBS Console also calls other APIs for advanced settings, but you can still perform the operations allowed on the folder.

                            +

                            Verification

                            1. Log in to OBS Console as an IAM user.
                            2. In the bucket list, click bucket example-002 to go to the Overview page.

                              After the configuration is complete, it is normal if the system still displays a message indicating that you do not have required permissions, because OBS Console also calls other APIs for advanced settings, but you can still perform the operations allowed on the folder.

                              -

                            3. In the navigation pane, select Objects. It is normal that a message indicating no permission is displayed and no object can be viewed.

                              The reason why there is no required permission is that listing objects on OBS Console is to list objects in the root folder. This rule does not match the configured custom policy for listing objects in folder folder-001/.

                              +

                            4. In the navigation pane, select Objects. If a message indicating no sufficient is available and no object can be viewed, ignore the message and continue with the operations.

                              The reason why there is no required permission is that listing objects on OBS Console is to list objects in the root folder. This is different from the configured custom policy (listing objects in folder folder-001/).

                              -

                            5. In the search box, enter folder-001/ to view the list of objects in folder-001. Objects 222.txt and 111.txt are displayed.
                            6. Click Create Folder to create folder folder-002.
                            7. Click Upload Object to upload file 333.txt.

                              If some other permissions are required, hover your cursor over the username and choose Identity and Access Management > Permissions, and then repeat the operations above to configure custom policies as needed.

                              +

                            8. In the search box, enter folder-001/ to view the list of objects in folder-001. Objects 222.txt and 111.txt are displayed.
                            9. Click Create Folder to create folder folder-002.
                            10. Click Upload Object to upload file 333.txt.

                              If some other permissions are required, hover over the username and choose Identity and Access Management > Permissions, and then repeat the operations above to configure custom policies as needed.