OBS PERM DOC

Reviewed-by: Sabelnikov, Dmitriy <dmitriy.sabelnikov@t-systems.com>
Co-authored-by: zhangyue <zhangyue164@huawei.com>
Co-committed-by: zhangyue <zhangyue164@huawei.com>
zhangyue 2024-10-29 16:45:36 +00:00 committed by zuul
parent 689926508e
commit 2c8baf104e
44 changed files with 1244 additions and 904 deletions


@ -1,6 +1,6 @@
<a name="obs_40_0002"></a><a name="obs_40_0002"></a> <a name="obs_40_0002"></a><a name="obs_40_0002"></a>
<h1 class="topictitle1">Permission Control Mechanisms</h1> <h1 class="topictitle1">Permission Control Methods</h1>
<div id="body1588766432188"></div> <div id="body1588766432188"></div>
<div> <div>
<ul class="ullinks"> <ul class="ullinks">


@ -1,10 +1,10 @@
<a name="obs_40_0007"></a><a name="obs_40_0007"></a> <a name="obs_40_0007"></a><a name="obs_40_0007"></a>
<h1 class="topictitle1">Accessing OBS Using Permanent Access Keys</h1> <h1 class="topictitle1">Accessing OBS Using Permanent Access Keys</h1>
<div id="body1597061276141"><p id="obs_40_0007__p8384154201114">OBS provides REST APIs that supports authenticated requests and anonymous requests. Anonymous requests are typically used for scenarios that require public access, such as accessing a hosted static website. In most scenarios, accessing OBS resources require authenticated requests. An authenticated request contains a signature value. The signature value is calculated based on the requester's access keys (a pair of AK and SK) as the encryption factor and the specific information carried by the request body. The signature calculation process is included in the SDK. You only need to prepare the access keys when initializing the SDK. Then the signature calculation is implemented automatically. However, if a client uses the REST APIs to develop a program to access OBS, the client needs to calculate the signature based on the signature algorithm defined by the OBS and add the signature to the request.</p> <div id="body1597061276141"><p id="obs_40_0007__p8384154201114">OBS REST APIs support authenticated requests and anonymous requests. Anonymous requests are typically used for public access, such as accessing hosted static websites. In most cases, authenticated requests are required for accessing OBS resources. An authenticated request contains a signature value that is calculated based on the requester's access keys (AK and SK) and the specific information carried in the request body. You only need to prepare the access keys for the SDK. The SDK will then automatically calculate the signature for you. However, if a client uses REST APIs to develop a program to access OBS, the client needs to calculate the signature based on the signature algorithm defined by OBS and add the signature to the request.</p>
<p id="obs_40_0007__p15291241">Users can create permanent access keys (a pair of AK and SK) on the <strong id="obs_40_0007__b536018488218">My Credentials</strong> page.</p> <p id="obs_40_0007__p15291241">Users can create permanent access keys (a pair of AK and SK) on the <strong id="obs_40_0007__b536018488218">My Credentials</strong> page.</p>
<ul id="obs_40_0007__ul36784332"><li id="obs_40_0007__li32558606">AK stands for the access key ID. It is the unique ID associated with the secret access key (SK). An AK is used together with an SK to encrypt and sign a request.</li><li id="obs_40_0007__li24592002">They can identify a request sender and prevent the request from being modified.</li></ul> <ul id="obs_40_0007__ul36784332"><li id="obs_40_0007__li32558606">AK: a unique ID of the secret access key (SK). An AK is used together with an SK to encrypt and sign a request.</li><li id="obs_40_0007__li24592002">SK: a secret access key used together with its AK to verify a request sender and prevent the request from being tampered with.</li></ul>
<p class="msonormal" id="obs_40_0007__p62623536">An AK is also the unique identifier of an IAM user. OBS identifies a user based on its AK and SK, and then checks the permissions.</p> <p class="msonormal" id="obs_40_0007__p62623536">An AK can also identify an IAM user. OBS identifies an IAM user by their AK and SK, and then checks whether they have the permissions to access the resources they are requesting.</p>
<p id="obs_40_0007__p136071453104913">For details about how to obtain the permanent access keys, see <a href="https://docs.otc.t-systems.com/en-us/browsertg/obs/obs_03_1007.html" target="_blank" rel="noopener noreferrer">Where Can I Obtain Access Keys (AK and SK)?</a></p> <p id="obs_40_0007__p136071453104913">For details about how to obtain the permanent access keys, see <a href="https://docs.otc.t-systems.com/en-us/browsertg/obs/obs_03_1007.html" target="_blank" rel="noopener noreferrer">Where Can I Obtain Access Keys (AK and SK)?</a></p>
</div> </div>
<div> <div>
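Review bot: In the rewritten AK list item (obs_40_0007__li32558606), "An AK is used together with an SK to encrypt and sign a request" still says "encrypt", while the revised intro paragraph describes only a signature calculated from the AK and SK. Suggest "used together with an SK to sign a request" so the key pair is not read as providing confidentiality. The new definition "AK: a unique ID of the secret access key (SK)" also loses the expansion of the abbreviation that the old text gave ("AK stands for the access key ID"); consider "AK: access key ID, the unique ID associated with the SK".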


@ -1,28 +1,28 @@
<a name="obs_40_0008"></a><a name="obs_40_0008"></a> <a name="obs_40_0008"></a><a name="obs_40_0008"></a>
<h1 class="topictitle1">Accessing OBS Using Temporary Access Keys</h1> <h1 class="topictitle1">Accessing OBS Using Temporary Access Keys</h1>
<div id="body1597060383204"><div class="section" id="obs_40_0008__section9831018134415"><h4 class="sectiontitle">Temporary Access Keys</h4><p id="obs_40_0008__p13730171513276">OBS can be accessed through temporary access keys and the security token, which can be obtained on IAM. You can assign the temporary access keys (including the security token) to a third-party application and an IAM user, so they can access OBS within a specified period of time.</p> <div id="body1597060383204"><div class="section" id="obs_40_0008__section9831018134415"><h4 class="sectiontitle">Temporary Access Keys</h4><p id="obs_40_0008__p13730171513276">You can assign temporary security credentials (including an AK, an SK, and a security token) to a third-party application or an IAM user, so that they can access OBS only for a specified period of time.</p>
<p id="obs_40_0008__p1046714345219">You can obtain the temporary access keys and security token by calling the IAM API in <a href="https://docs.otc.t-systems.com/en-us/api/iam/en-us_topic_0097949518.html" target="_blank" rel="noopener noreferrer">Obtaining a Temporary AK/SK</a>.</p> <p id="obs_40_0008__p1046714345219">You can obtain temporary security credentials by calling an IAM API. For details, see <a href="https://docs.otc.t-systems.com/en-us/api/iam/en-us_topic_0097949518.html" target="_blank" rel="noopener noreferrer">Obtaining a Temporary AK/SK</a>.</p>
<p id="obs_40_0008__p15487641192319">Temporary AK/SK and security token comply with the least privilege principle and can be used to temporarily access OBS. When you use a temporary AK/SK pair to call an API for authentication, you must use the temporary AK/SK and security token at the same time and add the <strong id="obs_40_0008__b24394441318">x-obs-security-token</strong> field to the request header.</p> <p id="obs_40_0008__p15487641192319">The least privilege principle is granted for temporary security credentials to ensure security. Both a temporary AK/SK pair and a security token are required to call an API for authentication, which means that the request header needs to include <strong id="obs_40_0008__b24394441318">x-obs-security-token</strong> field.</p>
<p id="obs_40_0008__p886610168273">Temporary access keys have the following advantages over permanent access keys of IAM users:</p> <p id="obs_40_0008__p886610168273">Temporary access keys have the following advantages over permanent access keys of IAM users:</p>
<ul id="obs_40_0008__ul48663167279"><li id="obs_40_0008__li118661716152719">Temporary access keys are valid for 15 minutes to 24 hours. You do not need to expose the permanent access keys of IAM users, reducing security risks.</li><li id="obs_40_0008__li957912263442">When obtaining temporary access keys, you can pass policy parameters to further restrict the temporary permissions granted to users. This ensures that IAM users can effectively control permissions granted to other users.</li></ul> <ul id="obs_40_0008__ul48663167279"><li id="obs_40_0008__li118661716152719">Temporary access keys are valid for 15 minutes to 24 hours. Permanent access keys of IAM users are not exposed, reducing the risk of identity theft or fraud.</li><li id="obs_40_0008__li957912263442">When obtaining temporary access keys, you can send the policy parameter to request for the least temporary permissions that can be granted to IAM users.</li></ul>
<p id="obs_40_0008__p132948119510">For details, see <a href="https://docs.otc.t-systems.com/api_obs/obs/en-us_topic_0125560435.html" target="_blank" rel="noopener noreferrer">Authenticating a Request</a>.</p> <p id="obs_40_0008__p132948119510">For details, see <a href="https://docs.otc.t-systems.com/api_obs/obs/en-us_topic_0125560435.html" target="_blank" rel="noopener noreferrer">Authenticating a Request</a>.</p>
</div> </div>
<div class="section" id="obs_40_0008__section114813400459"><h4 class="sectiontitle">Permissions of the Temporary Access Keys</h4><p id="obs_40_0008__p88917031019">When an IAM user calls the IAM API in <a href="https://docs.otc.t-systems.com/en-us/api/iam/en-us_topic_0097949518.html" target="_blank" rel="noopener noreferrer">Obtaining a Temporary AK/SK</a>, the user can specify parameter <strong id="obs_40_0008__b194816914418">policy</strong> to add a temporary policy for the temporary access keys to further restrict the permissions granted to other users. The format and content of a temporary policy are consistent with those specified in <a href="obs_40_0003.html">IAM Permissions</a>.</p> <div class="section" id="obs_40_0008__section114813400459"><h4 class="sectiontitle">Permissions of Temporary Access Keys</h4><p id="obs_40_0008__p88917031019">When an IAM user calls the IAM API for <a href="https://docs.otc.t-systems.com/en-us/api/iam/en-us_topic_0097949518.html" target="_blank" rel="noopener noreferrer">Obtaining a Temporary AK/SK</a>, the user can send the <strong id="obs_40_0008__b194816914418">policy</strong> parameter to add a temporary policy to further restrict the permissions that can be granted to other users. The format and content of a temporary policy should be consistent with those specified in <a href="obs_40_0003.html">IAM Permissions</a>.</p>
<ul id="obs_40_0008__ul9969419203210"><li id="obs_40_0008__li3649172273215">If policy parameters are not specified, no temporary policies are used. The temporary access keys inherit the IAM user's permissions.</li><li id="obs_40_0008__li220117270328">If policy parameters are specified, a temporary policy is enabled. Then the temporary access keys confine the granted permissions according to the temporary policy and the IAM user permissions.</li></ul> <ul id="obs_40_0008__ul9969419203210"><li id="obs_40_0008__li3649172273215">If the <strong id="obs_40_0008__b755383815918">policy</strong> parameter is not specified, the temporary access keys have the IAM user's permissions.</li><li id="obs_40_0008__li220117270328">If the <strong id="obs_40_0008__b176589621310">policy</strong> parameter is specified, the temporary access keys' permissions are the overlaps between the temporary policy's permissions and the IAM user's permissions.</li></ul>
<p id="obs_40_0008__p96091528153211">As shown in the following figure, circle 1 indicates the original permissions of an IAM user, and circle 2 indicates the temporary permissions specified by a temporary policy. The overlapped part 3 is the scope of permissions enabled by the temporary access keys.</p> <p id="obs_40_0008__p96091528153211">As shown in the following figure, circle 1 indicates an IAM user's permissions, and circle 2 indicates the temporary policy's permissions. The overlapping part 3 is the permissions of the temporary access keys.</p>
<div class="fignone" id="obs_40_0008__fig479016438362"><span class="figcap"><b>Figure 1 </b>Intersection of IAM user permissions and temporary policy permissions</span><br><span><img id="obs_40_0008__image1769334518330" src="en-us_image_0269157281.png"></span></div> <div class="fignone" id="obs_40_0008__fig479016438362"><span class="figcap"><b>Figure 1 </b>Intersection of IAM user permissions and temporary policy permissions</span><br><span><img id="obs_40_0008__image1769334518330" src="en-us_image_0269157281.png"></span></div>
<p id="obs_40_0008__p15917195513116"><span style="color:#3D3F43;">Temporary access keys comply with the least privilege principle</span>. Configure a temporary policy within the original permission scope of an IAM user. Otherwise you may be confused about why permissions enabled by a temporary policy are not effective. As illustrated by the following figure, the finally effective permissions are the authorized temporary permissions.</p> <p id="obs_40_0008__p15917195513116">Temporary access keys have the least privilege. You are advised to restrict a temporary policy's permissions within an IAM user's permissions. If a temporary policy's permissions are not all within the IAM user's permissions, the temporary access keys' permissions are definitely not the temporary policy's permissions. As illustrated by the following figure, the finally granted permissions are the temporary policy's permissions.</p>
<div class="fignone" id="obs_40_0008__fig78106108396"><span class="figcap"><b>Figure 2 </b>Restricting temporary permissions within the scope of IAM user permissions</span><br><span><img id="obs_40_0008__image79784541391" src="en-us_image_0269160697.png"></span></div> <div class="fignone" id="obs_40_0008__fig78106108396"><span class="figcap"><b>Figure 2 </b>Restricting temporary permissions within IAM user permissions</span><br><span><img id="obs_40_0008__image79784541391" src="en-us_image_0269160697.png"></span></div>
<p id="obs_40_0008__p2062985411216">A temporary policy authentication starts from the Deny statements. Unspecified permissions are denied by default.</p> <p id="obs_40_0008__p2062985411216">For a temporary policy's permissions, Deny always overrides Allow. Unspecified permissions are all Deny permissions by default.</p>
<div class="note" id="obs_40_0008__note1450962491713"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="obs_40_0008__p9509524111715">Therefore, you are advised to specify only the allowed permission.</p> <div class="note" id="obs_40_0008__note1450962491713"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="obs_40_0008__p9509524111715">Therefore, you are advised to specify only Allow permissions.</p>
</div></div> </div></div>
</div> </div>
<div class="section" id="obs_40_0008__section1586812104015"><h4 class="sectiontitle">Application Scenarios</h4><p id="obs_40_0008__p582375113811">Temporary access keys are used to authorize third parties to temporarily access OBS. For example, some companies have their user management systems, which manage device app users and local enterprise users. These users do not have IAM user permissions, so IAM users can grant temporary access keys to these users when they need to access OBS.</p> <div class="section" id="obs_40_0008__section1586812104015"><h4 class="sectiontitle">Application Scenarios</h4><p id="obs_40_0008__p582375113811">Temporary access keys are authorized to third parties to allow them to temporarily access OBS. For example, some companies have user management systems that manage app users and local users. These users do not have IAM user permissions, so IAM can grant temporary access keys to allow these users to temporarily access OBS.</p>
<p id="obs_40_0008__p2028733765210"><strong id="obs_40_0008__b171291233598">Typical application scenario:</strong></p> <p id="obs_40_0008__p2028733765210"><strong id="obs_40_0008__b171291233598">Typical application scenario:</strong></p>
<p id="obs_40_0008__p1722820165317">A company has a large number of device apps that need to access OBS. Different apps represent different end users who require different access permissions. In this case, temporary access keys can be used to access OBS.</p> <p id="obs_40_0008__p1722820165317">A company has a large number of apps that need to access OBS. Different apps require different access permissions. In this case, temporary access keys can be granted to app users to allow them to temporarily access OBS.</p>
<div class="fignone" id="obs_40_0008__fig1578555615594"><span class="figcap"><b>Figure 3 </b>Application scenarios of temporary access keys</span><br><span><img id="obs_40_0008__image8785185610591" src="en-us_image_0268971273.jpg"></span></div> <div class="fignone" id="obs_40_0008__fig1578555615594"><span class="figcap"><b>Figure 3 </b>Application scenarios of temporary access keys</span><br><span><img id="obs_40_0008__image8785185610591" src="en-us_image_0268971273.jpg"></span></div>
<ol id="obs_40_0008__ol13913571123"><li id="obs_40_0008__li187401810623">If the customer's server can obtain permanent access keys for IAM users, the server can send requests to IAM to generate different temporary access keys for different apps.<p id="obs_40_0008__p1515944241010"><a name="obs_40_0008__li187401810623"></a><a name="li187401810623"></a>IAM users can obtain the temporary access keys and security token by calling the IAM API in <a href="https://docs.otc.t-systems.com/en-us/api/iam/en-us_topic_0097949518.html" target="_blank" rel="noopener noreferrer">Obtaining a Temporary AK/SK</a>. When calling this API, pass the <strong id="obs_40_0008__b17874234156">policy</strong> parameter to set a temporary policy. An example is provided as follows:</p> <ol id="obs_40_0008__ol13913571123"><li id="obs_40_0008__li187401810623">The customer server has permanent access keys, so it can request IAM to generate different temporary access keys for different apps.<p id="obs_40_0008__p1515944241010"><a name="obs_40_0008__li187401810623"></a><a name="li187401810623"></a>IAM users can call the IAM API for <a href="https://docs.otc.t-systems.com/en-us/api/iam/en-us_topic_0097949518.html" target="_blank" rel="noopener noreferrer">Obtaining a Temporary AK/SK</a>. IAM users can also send the <strong id="obs_40_0008__b17874234156">policy</strong> parameter to request for temporary policy's permissions. An example is provided as follows:</p>
<pre class="screen" id="obs_40_0008__screen895118193314">{ <pre class="screen" id="obs_40_0008__screen895118193314">{
"auth": { "auth": {
"identity": { "identity": {
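Review bot: The rewritten paragraph obs_40_0008__p15917195513116 contradicts itself: it says that when the temporary policy is not fully within the IAM user's permissions "the temporary access keys' permissions are definitely not the temporary policy's permissions", then states without qualification that "the finally granted permissions are the temporary policy's permissions". The second sentence holds only for the case in Figure 2, where the policy lies inside the IAM user's permissions; suggest saying so explicitly, and saying that otherwise the effective permissions are the overlap described for Figure 1. In p15487641192319, "The least privilege principle is granted for temporary security credentials" does not parse (a principle is followed, not granted) and "include x-obs-security-token field" is missing "the". In p2062985411216, "Unspecified permissions are all Deny permissions by default" blurs an explicit Deny statement with the default denial of anything not allowed; "Permissions that are not specified are denied by default" keeps the original meaning.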
@ -36,7 +36,7 @@
} }
}</pre> }</pre>
<p id="obs_40_0008__p196416033516">The policy's syntax and format are the same as those specified in <a href="obs_40_0003.html">IAM Permissions</a>.</p> <p id="obs_40_0008__p196416033516">The policy's syntax and format are the same as those specified in <a href="obs_40_0003.html">IAM Permissions</a>.</p>
</li><li id="obs_40_0008__li02417287213">IAM generates temporary access keys with different permissions and validity periods based on the passed policy parameters and returns the access keys to the customer server.</li><li id="obs_40_0008__li11742153019213">Then the customer server distributes the temporary access keys to device apps that require such permissions.</li><li id="obs_40_0008__li173616331227">A device app can use the temporary access keys to access OBS through OBS SDKs or APIs. Temporary access keys are valid for a short period of time. If the device app needs to prolong its use of OBS, it should send a request to the customer server for updating temporary access keys before they expire.</li></ol> </li><li id="obs_40_0008__li02417287213">IAM generates temporary access keys with different permissions and validity periods based on the <strong id="obs_40_0008__b955865417114">policy</strong> parameter and returns the access keys to the customer server.</li><li id="obs_40_0008__li11742153019213">The customer server distributes the temporary access keys to apps.</li><li id="obs_40_0008__li173616331227">Apps can use the temporary access keys to access OBS through OBS SDKs or APIs. Temporary access keys are valid for the specified period of time. If the apps need to prolong the access to OBS, they should request to the customer server to update temporary access keys before they expire.</li></ol>
</div> </div>
<div class="section" id="obs_40_0008__section68052393915"><h4 class="sectiontitle">Configuration Example</h4><p id="obs_40_0008__p14371168163915">For details, see <a href="obs_40_0037.html">Granting Temporary Access to OBS</a>.</p> <div class="section" id="obs_40_0008__section68052393915"><h4 class="sectiontitle">Configuration Example</h4><p id="obs_40_0008__p14371168163915">For details, see <a href="obs_40_0037.html">Granting Temporary Access to OBS</a>.</p>
</div> </div>
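Review bot: Steps 2 to 4 of the rewritten list (li02417287213, li11742153019213, li173616331227) mention only "temporary access keys", but the first section of this file states that a temporary AK/SK pair and a security token are both required. Suggest naming the security token in the return and distribution steps so the procedure does not read as handing apps an AK/SK alone. Step 3 also drops "that require such permissions", which was the only wording tying each set of keys to the app it was scoped for; consider "distributes to each app the temporary access keys generated for it". In step 4, "they should request to the customer server to update temporary access keys" is ungrammatical; "they should ask the customer server for new temporary access keys" reads correctly.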


@ -1,16 +1,16 @@
<a name="obs_40_0009"></a><a name="obs_40_0009"></a> <a name="obs_40_0009"></a><a name="obs_40_0009"></a>
<h1 class="topictitle1">Accessing OBS Using a Temporary URL</h1> <h1 class="topictitle1">Accessing OBS Using a Temporary URL</h1>
<div id="body1588766432188"><p id="obs_40_0009__p8235152911353">You can use a temporary URL to access OBS and perform operations such as bucket creation or object upload and download. This section describes how to share objects using a temporary URL.</p> <div id="body1588766432188"><p id="obs_40_0009__p8235152911353">You can share a temporary URL to allow other users to access OBS to create buckets and upload and download objects. This section describes how to share a temporary URL to allow other users to temporarily access objects.</p>
<div class="section" id="obs_40_0009__section19994292017"><h4 class="sectiontitle">Sharing Objects</h4><p id="obs_40_0009__p8060118">You can share objects (files or folders) stored in OBS with all users within a specified period.</p> <div class="section" id="obs_40_0009__section19994292017"><h4 class="sectiontitle">Sharing Objects</h4><p id="obs_40_0009__p8060118">You can share a temporary URL to allow other users to access objects (files or folders) for only a specified period of time.</p>
<p id="obs_40_0009__p485730113312"><strong id="obs_40_0009__b317316469135">Sharing a file</strong></p> <p id="obs_40_0009__p485730113312"><strong id="obs_40_0009__b317316469135">Sharing a file</strong></p>
<p id="obs_40_0009__p728652492213">All URLs generated during file sharing are temporary and remain valid for a limited period of time.</p> <p id="obs_40_0009__p728652492213">All URLs generated during file sharing are temporary and remain valid for a specified period of time.</p>
<p id="obs_40_0009__p23269357438">A temporary URL uses V4 temporarily authorized requests. The following is a temporary URL sample:</p> <p id="obs_40_0009__p23269357438">A temporary URL uses V4 temporarily authorized requests. The following is an example:</p>
<pre class="screen" id="obs_40_0009__screen732623584313">https://oss.<em id="obs_40_0009__i77546494">regionid</em>.example.region.com/<em id="obs_40_0009__i1717434918">bucketname</em>/<em id="obs_40_0009__i1877416498">objectname</em>?<span style="color:#FF0000;">X-Amz-Algorithm</span>=<em id="obs_40_0009__i1071048494">xxx</em>&amp;<span style="color:#FF0000;">X-Amz-Credential</span>=<em id="obs_40_0009__i11717411494">xxx</em>&amp;<span style="color:#FF0000;">X-Amz-Date</span>=<em id="obs_40_0009__i07047498">xxx</em>&amp;<span style="color:#FF0000;">X-Amz-Expires</span>=900&amp;<span style="color:#FF0000;">X-Amz-Signature</span>=<em id="obs_40_0009__i8713464915">xxx</em>&amp;<span style="color:#FF0000;">X-Amz-SignedHeaders</span>=<em id="obs_40_0009__i1671148498">xxx</em>&amp;<span style="color:#FF0000;">response-content-disposition</span>=<em id="obs_40_0009__i9714484913">xxx</em></pre> <pre class="screen" id="obs_40_0009__screen732623584313">https://oss.<em id="obs_40_0009__i77546494">regionid</em>.example.region.com/<em id="obs_40_0009__i1717434918">bucketname</em>/<em id="obs_40_0009__i1877416498">objectname</em>?X-Amz-Algorithm=<em id="obs_40_0009__i1071048494">xxx</em>&amp;X-Amz-Credential=<em id="obs_40_0009__i11717411494">xxx</em>&amp;X-Amz-Date=<em id="obs_40_0009__i07047498">xxx</em>&amp;X-Amz-Expires=900&amp;X-Amz-Signature=<em id="obs_40_0009__i8713464915">xxx</em>&amp;X-Amz-SignedHeaders=<em id="obs_40_0009__i1671148498">xxx</em>&amp;response-content-disposition=<em id="obs_40_0009__i9714484913">xxx</em></pre>
<p id="obs_40_0009__p78796553521">For details about the temporary authentication and parameters, see <a href="https://docs.otc.t-systems.com/en-us/api_obs/obs/en-us_topic_0125560420.html" target="_blank" rel="noopener noreferrer">V4 Temporarily Authorized Request</a> in the <em id="obs_40_0009__i188166914813">Object Storage Service API Reference</em>. A temporary URL also contains the <strong id="obs_40_0009__b1455482495">response-content-disposition</strong> parameter that defines whether an object is directly downloaded or previewed in a browser when it is accessed. This is determined by the browser based on the <strong id="obs_40_0009__b16555621918">Content-Type</strong> of the shared object.</p> <p id="obs_40_0009__p78796553521">For details about the temporary authentication and parameters, see <a href="https://docs.otc.t-systems.com/en-us/api_obs/obs/en-us_topic_0125560420.html" target="_blank" rel="noopener noreferrer">V4 Temporarily Authorized Request</a> in the <em id="obs_40_0009__i188166914813">Object Storage Service API Reference</em>. A temporary URL also contains the <strong id="obs_40_0009__b128263913819">response-content-disposition</strong> parameter that defines whether an object is to be downloaded or previewed in a browser. The browser obtains the value of <strong id="obs_40_0009__b19838395819">response-content-disposition</strong> based on the <strong id="obs_40_0009__b38313918815">Content-Type</strong> of the shared object.</p>
<p id="obs_40_0009__p52403316294">After you share an object by choosing <strong id="obs_40_0009__b10272191912013">More</strong> &gt; <strong id="obs_40_0009__b1727220197208">Copy Object URL</strong> on OBS Console, the system will generate a URL that contains the temporary authentication information, valid for 900 seconds since its generation by default. Each time you click <strong id="obs_40_0009__b17360142022216">Copy Object URL</strong>, OBS will obtain the authentication information again to generate a new sharing URL whose validity period is reset.</p> <p id="obs_40_0009__p52403316294">After you share an object by choosing <strong id="obs_40_0009__b10272191912013">More</strong> &gt; <strong id="obs_40_0009__b1727220197208">Copy Object URL</strong> on OBS Console, the system will generate a URL that contains the temporary authentication information, valid for 900 seconds since its generation by default. Each time you click <strong id="obs_40_0009__b17360142022216">Copy Object URL</strong>, OBS will obtain the authentication information again to generate a new sharing URL whose validity period is reset.</p>
</div> </div>
<div class="section" id="obs_40_0009__section2995192554816"><h4 class="sectiontitle">Limitations and Constraints</h4><ul id="obs_40_0009__ul109951125124812"><li id="obs_40_0009__li799542515487">The validity period of files shared through OBS Console is fixed at 900s. If you want a file to be accessed permanently, you can configure <a href="https://docs.otc.t-systems.com/usermanual/obs/en-us_topic_0045853745.html" target="_blank" rel="noopener noreferrer">a bucket policy or an object policy</a>.</li><li id="obs_40_0009__li1862383053711">Only buckets 3.0 support file and folder sharing. You can view the bucket version in the <strong id="obs_40_0009__b769213043717">Basic Information</strong> area on the <strong id="obs_40_0009__b176922023714">Overview</strong> page of a bucket.</li><li id="obs_40_0009__li1068453183718">To share a cold object, restore it first.</li></ul> <div class="section" id="obs_40_0009__section2995192554816"><h4 class="sectiontitle">Limitations and Constraints</h4><ul id="obs_40_0009__ul109951125124812"><li id="obs_40_0009__li799542515487">The validity period of files shared through OBS Console is fixed at 900s. If you want to allow permanent access to a file, you can configure <a href="https://docs.otc.t-systems.com/usermanual/obs/en-us_topic_0045853745.html" target="_blank" rel="noopener noreferrer">a bucket policy or an object policy</a>.</li><li id="obs_40_0009__li1862383053711">Only buckets of version 3.0 support file and folder sharing. You can view the bucket version in the <strong id="obs_40_0009__b769213043717">Basic Information</strong> area on the <strong id="obs_40_0009__b176922023714">Overview</strong> page of a bucket.</li><li id="obs_40_0009__li1068453183718">To share a cold object, restore it first.</li></ul>
</div> </div>
</div> </div>
<div> <div>
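Review bot: In obs_40_0009__p78796553521 the new sentence "The browser obtains the value of response-content-disposition based on the Content-Type of the shared object" changes the meaning: response-content-disposition is a parameter carried in the URL shown in the example, and the old text said the browser decides between download and preview based on Content-Type. Suggest restoring that sense. The opening paragraph now reads as if sharing a URL lets other users "create buckets", while the section covers only object sharing. In p8060118, "with all users" became "other users", which no longer says that access is not limited to particular users; consider keeping "all users" or stating who can use the URL.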


@ -1,7 +1,7 @@
<a name="obs_40_0010"></a><a name="obs_40_0010"></a> <a name="obs_40_0010"></a><a name="obs_40_0010"></a>
<h1 class="topictitle1">Accessing OBS Using an IAM Agency</h1> <h1 class="topictitle1">Accessing OBS Using an IAM Agency</h1>
<div id="body1593432992233"><p id="obs_40_0010__p8060118">The IAM agency is a function of Identity and Access Management (IAM). In some OBS application scenarios (such as CDN private bucket retrieval and cross-region replication), IAM agencies are required to grant other users or cloud services the permission to access OBS and manage OBS resources for the delegating party, thus implementing secure and efficient agent maintenance.</p> <div id="body1593432992233"><p id="obs_40_0010__p8060118">The IAM agency is a function of Identity and Access Management (IAM). In scenarios such as CDN private bucket retrieval and cross-region replication, IAM agencies are required to grant other users or cloud services the permissions to access and to securely and efficiently manage OBS resources.</p>
<p id="obs_40_0010__p7715152117311">For details about IAM agencies, see <a href="https://docs.otc.t-systems.com/en-us/usermanual/iam/iam_01_0026.html" target="_blank" rel="noopener noreferrer">Identity and Access Management User Guide</a>.</p> <p id="obs_40_0010__p7715152117311">For details about IAM agencies, see <a href="https://docs.otc.t-systems.com/en-us/usermanual/iam/iam_01_0026.html" target="_blank" rel="noopener noreferrer">Identity and Access Management User Guide</a>.</p>
</div> </div>
<div> <div>
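Review bot: The rewritten sentence in obs_40_0010__p8060118 drops "for the delegating party", so it no longer says on whose behalf the granted permissions are exercised. Suggest "grant other users or cloud services the permissions to access and manage OBS resources on behalf of the delegating party". The phrase "to access and to securely and efficiently manage" is also awkward: in the old text "secure and efficient" described the delegated maintenance as a whole, not how the grantee manages resources.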


@ -1,9 +1,11 @@
<a name="obs_40_0012"></a><a name="obs_40_0012"></a> <a name="obs_40_0012"></a><a name="obs_40_0012"></a>
<h1 class="topictitle1">Configuration Cases in Typical Permission Control Scenarios</h1> <h1 class="topictitle1">Permission Configuration in Typical Scenarios</h1>
<div id="body1588765301378"></div> <div id="body1588765301378"></div>
<div> <div>
<ul class="ullinks"> <ul class="ullinks">
<li class="ulchildlink"><strong><a href="obs_40_0011.html">Typical Permissions Scenarios</a></strong><br>
</li>
<li class="ulchildlink"><strong><a href="obs_40_0013.html">Granting Permissions to an IAM User Under the Account</a></strong><br> <li class="ulchildlink"><strong><a href="obs_40_0013.html">Granting Permissions to an IAM User Under the Account</a></strong><br>
</li> </li>
<li class="ulchildlink"><strong><a href="obs_40_0019.html">Granting Permissions to Multiple IAM Users or User Groups Under the Account</a></strong><br> <li class="ulchildlink"><strong><a href="obs_40_0019.html">Granting Permissions to Multiple IAM Users or User Groups Under the Account</a></strong><br>
@ -14,7 +16,7 @@
</li> </li>
<li class="ulchildlink"><strong><a href="obs_40_0037.html">Granting Temporary Access to OBS</a></strong><br> <li class="ulchildlink"><strong><a href="obs_40_0037.html">Granting Temporary Access to OBS</a></strong><br>
</li> </li>
<li class="ulchildlink"><strong><a href="obs_40_0036.html">Preventing Specific IP Addresses from Accessing a Bucket</a></strong><br> <li class="ulchildlink"><strong><a href="obs_40_0036.html">Restricting Access to a Bucket for Specific IP Addresses</a></strong><br>
</li> </li>
</ul> </ul>
</div> </div>
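Review bot: The new link title for obs_40_0036.html, "Restricting Access to a Bucket for Specific IP Addresses", is ambiguous. It can be read as denying the listed addresses or as allowing only the listed addresses, which are opposite policies. The old title, "Preventing Specific IP Addresses from Accessing a Bucket", stated the deny case unambiguously. If the topic still covers only the deny case, keep the old wording or use "Denying Specific IP Addresses Access to a Bucket". If it now covers both cases, the title should say so.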

View File

@ -4,20 +4,20 @@
<div id="body1588765301378"></div> <div id="body1588765301378"></div>
<div> <div>
<ul class="ullinks"> <ul class="ullinks">
<li class="ulchildlink"><strong><a href="obs_40_0014.html">Granting an IAM User the Permissions Required to List and Create Buckets</a></strong><br> <li class="ulchildlink"><strong><a href="obs_40_0014.html">Granting an IAM User the Permissions to Create and List Buckets</a></strong><br>
</li> </li>
<li class="ulchildlink"><strong><a href="obs_40_0015.html">Granting an IAM User the Read and Write Permissions on a Bucket</a></strong><br> <li class="ulchildlink"><strong><a href="obs_40_0015.html">Granting an IAM User the Read/Write Permission on a Bucket</a></strong><br>
</li> </li>
<li class="ulchildlink"><strong><a href="obs_40_0016.html">Granting an IAM User the Permissions Required to Perform Specific Operations on a Specific Bucket</a></strong><br> <li class="ulchildlink"><strong><a href="obs_40_0016.html">Granting an IAM User the Specified Permissions for a Bucket</a></strong><br>
</li> </li>
<li class="ulchildlink"><strong><a href="obs_40_0017.html">Granting an IAM User the Read Permission on a Specific Object</a></strong><br> <li class="ulchildlink"><strong><a href="obs_40_0017.html">Granting an IAM User the Read Permissions on Specific Objects</a></strong><br>
</li> </li>
<li class="ulchildlink"><strong><a href="obs_40_0018.html">Granting an IAM User the Permissions Required to Perform Specific Operations on Certain Objects</a></strong><br> <li class="ulchildlink"><strong><a href="obs_40_0018.html">Granting an IAM User the Specific Permissions on Specific Objects</a></strong><br>
</li> </li>
</ul> </ul>
<div class="familylinks"> <div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="obs_40_0012.html">Configuration Cases in Typical Permission Control Scenarios</a></div> <div class="parentlink"><strong>Parent topic:</strong> <a href="obs_40_0012.html">Permission Configuration in Typical Scenarios</a></div>
</div> </div>
</div> </div>
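Review bot: The five renamed link titles no longer follow one pattern. They mix "Permission" and "Permissions" ("Read/Write Permission on a Bucket" against "Read Permissions on Specific Objects"), "Specified" and "Specific" ("the Specified Permissions for a Bucket" against "the Specific Permissions on Specific Objects"), and "for a Bucket" and "on a Bucket". Settle on one preposition, one number and one adjective across the list. The obs_40_0017 title also changes scope from "a Specific Object" to "Specific Objects", so confirm that the topic body now covers multiple objects.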

View File

@ -1,11 +1,11 @@
<a name="obs_40_0014"></a><a name="obs_40_0014"></a> <a name="obs_40_0014"></a><a name="obs_40_0014"></a>
<h1 class="topictitle1">Granting an IAM User the Permissions Required to List and Create Buckets</h1> <h1 class="topictitle1">Granting an IAM User the Permissions to Create and List Buckets</h1>
<div id="body1588765301378"><div class="section" id="obs_40_0014__section43491717165116"><h4 class="sectiontitle">Scenario</h4><p id="obs_40_0014__p3431154410448">This topic describes how to grant an IAM user the permissions required to create and list buckets. An IAM user with this permission can create buckets. The created buckets are still owned by the account of the IAM user. The IAM user can view all buckets under the account.</p> <div id="body1588765301378"><div class="section" id="obs_40_0014__section43491717165116"><h4 class="sectiontitle">Scenario</h4><p id="obs_40_0014__p3431154410448">This topic describes how to grant an IAM user the permissions to create and list buckets. An IAM user with this permission can create and list buckets. The created buckets are owned by the account of the IAM user. The IAM user can also view all buckets under the account.</p>
</div> </div>
<div class="section" id="obs_40_0014__section106520378518"><h4 class="sectiontitle">Recommended Configuration</h4><p id="obs_40_0014__p103657437515">Permissions to create and list buckets are at OBS service-level, which can be implemented only through IAM. You are advised to use IAM custom policies.</p> <div class="section" id="obs_40_0014__section106520378518"><h4 class="sectiontitle">Recommended Configuration</h4><p id="obs_40_0014__p103657437515">To create and list buckets, you need OBS-level permissions, which can be configured on IAM.</p>
</div> </div>
<div class="section" id="obs_40_0014__section4844164485112"><h4 class="sectiontitle">Procedure</h4><ol id="obs_40_0014__ol170633855216"><li id="obs_40_0014__li10432131493113"><span>Log in to the management console using a cloud service account.</span></li><li id="obs_40_0014__li625685643115"><span>On the top menu bar, choose <strong id="obs_40_0014__b447811155440">Service List</strong> &gt; <strong id="obs_40_0014__b154781715144419">Management &amp; Deployment</strong> &gt; <strong id="obs_40_0014__b1047841564414">Identity and Access Management</strong>. The IAM console is displayed.</span></li><li id="obs_40_0014__li1848615103345"><span>In the navigation pane, choose <strong id="obs_40_0014__b56342219314">Permissions</strong>.</span></li><li id="obs_40_0014__li1388483016366"><span>Click <strong id="obs_40_0014__b1210915505130">Create Custom Policy</strong> in the upper right corner.</span></li><li id="obs_40_0014__li1161395452712"><span>Configure parameters for a custom policy.</span><p><div class="fignone" id="obs_40_0014__fig692184720164"><span class="figcap"><b>Figure 1 </b>Configuring a custom policy</span><br><span><img id="obs_40_0014__image179221947161619" src="en-us_image_0000001385655888.png"></span></div> <div class="section" id="obs_40_0014__section4844164485112"><h4 class="sectiontitle">Procedure</h4><ol id="obs_40_0014__ol170633855216"><li id="obs_40_0014__li10432131493113"><span>Log in to the management console using a cloud service account.</span></li><li id="obs_40_0014__li625685643115"><span>On the top menu bar, choose <strong id="obs_40_0014__b447811155440">Service List</strong> &gt; <strong id="obs_40_0014__b154781715144419">Management &amp; Deployment</strong> &gt; <strong id="obs_40_0014__b1047841564414">Identity and Access Management</strong>.</span></li><li id="obs_40_0014__li1848615103345"><span>In the navigation pane, choose <strong id="obs_40_0014__b56342219314">Permissions</strong>.</span></li><li 
id="obs_40_0014__li1388483016366"><span>Click <strong id="obs_40_0014__b1210915505130">Create Custom Policy</strong> in the upper right corner.</span></li><li id="obs_40_0014__li1161395452712"><span>Configure a custom policy.</span><p><div class="fignone" id="obs_40_0014__fig692184720164"><span class="figcap"><b>Figure 1 </b>Configuring a custom policy</span><br><span><img id="obs_40_0014__image179221947161619" src="en-us_image_0000001385655888.png"></span></div>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="obs_40_0014__table6375112782815" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Parameters for configuring a custom policy</caption><thead align="left"><tr id="obs_40_0014__row6375927132818"><th align="left" class="cellrowborder" valign="top" width="30.3%" id="mcps1.3.3.2.5.2.2.2.3.1.1"><p id="obs_40_0014__p23757272286"><strong id="obs_40_0014__b204325640094018">Parameter</strong></p> <div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="obs_40_0014__table6375112782815" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Parameters for configuring a custom policy</caption><thead align="left"><tr id="obs_40_0014__row6375927132818"><th align="left" class="cellrowborder" valign="top" width="30.3%" id="mcps1.3.3.2.5.2.2.2.3.1.1"><p id="obs_40_0014__p23757272286"><strong id="obs_40_0014__b204325640094018">Parameter</strong></p>
</th> </th>
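Review bot: In the Recommended Configuration paragraph (obs_40_0014__p103657437515), the rewrite removes both "can be implemented only through IAM" and "You are advised to use IAM custom policies". The new sentence, "which can be configured on IAM", no longer tells the reader that this permission cannot be granted any other way, and the section titled Recommended Configuration no longer recommends anything, although the procedure below still creates a custom policy. Suggest keeping "only" and restoring the custom-policy recommendation. "OBS-level permissions" also replaces "OBS service-level" and should be checked against the wording used in the other topics.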
@ -15,12 +15,12 @@
</thead> </thead>
<tbody><tr id="obs_40_0014__row17375102752819"><td class="cellrowborder" valign="top" width="30.3%" headers="mcps1.3.3.2.5.2.2.2.3.1.1 "><p id="obs_40_0014__p1737572772816">Policy Name</p> <tbody><tr id="obs_40_0014__row17375102752819"><td class="cellrowborder" valign="top" width="30.3%" headers="mcps1.3.3.2.5.2.2.2.3.1.1 "><p id="obs_40_0014__p1737572772816">Policy Name</p>
</td> </td>
<td class="cellrowborder" valign="top" width="69.69999999999999%" headers="mcps1.3.3.2.5.2.2.2.3.1.2 "><p id="obs_40_0014__p83758278280">Name of the custom policy</p> <td class="cellrowborder" valign="top" width="69.69999999999999%" headers="mcps1.3.3.2.5.2.2.2.3.1.2 "><p id="obs_40_0014__p83758278280">Enter a policy name.</p>
</td> </td>
</tr> </tr>
<tr id="obs_40_0014__row1937592712288"><td class="cellrowborder" valign="top" width="30.3%" headers="mcps1.3.3.2.5.2.2.2.3.1.1 "><p id="obs_40_0014__p173753272284">Policy View</p> <tr id="obs_40_0014__row1937592712288"><td class="cellrowborder" valign="top" width="30.3%" headers="mcps1.3.3.2.5.2.2.2.3.1.1 "><p id="obs_40_0014__p173753272284">Policy View</p>
</td> </td>
<td class="cellrowborder" valign="top" width="69.69999999999999%" headers="mcps1.3.3.2.5.2.2.2.3.1.2 "><p id="obs_40_0014__p17375102714285">Set this parameter based on your own habits. <strong id="obs_40_0014__b191136915176">Visual editor</strong> is used here.</p> <td class="cellrowborder" valign="top" width="69.69999999999999%" headers="mcps1.3.3.2.5.2.2.2.3.1.2 "><p id="obs_40_0014__p17375102714285">Select one based on your own habits. <strong id="obs_40_0014__b838353619815">Visual editor</strong> is used here.</p>
</td> </td>
</tr> </tr>
<tr id="obs_40_0014__row133751227142812"><td class="cellrowborder" valign="top" width="30.3%" headers="mcps1.3.3.2.5.2.2.2.3.1.1 "><p id="obs_40_0014__p203751027172816">Policy Content</p> <tr id="obs_40_0014__row133751227142812"><td class="cellrowborder" valign="top" width="30.3%" headers="mcps1.3.3.2.5.2.2.2.3.1.1 "><p id="obs_40_0014__p203751027172816">Policy Content</p>
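Review bot: In the Policy View row, "Select one based on your own habits." does not say what "one" refers to, and "based on your own habits" is still awkward. Suggest "Select a policy view as needed. Visual editor is used in this example." The id on the bolded "Visual editor" also changes (b191136915176 to b838353619815), so check that nothing links to the old id.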
@ -30,14 +30,14 @@
</tr> </tr>
<tr id="obs_40_0014__row5473173210497"><td class="cellrowborder" valign="top" width="30.3%" headers="mcps1.3.3.2.5.2.2.2.3.1.1 "><p id="obs_40_0014__p83756273285">Scope</p> <tr id="obs_40_0014__row5473173210497"><td class="cellrowborder" valign="top" width="30.3%" headers="mcps1.3.3.2.5.2.2.2.3.1.1 "><p id="obs_40_0014__p83756273285">Scope</p>
</td> </td>
<td class="cellrowborder" valign="top" width="69.69999999999999%" headers="mcps1.3.3.2.5.2.2.2.3.1.2 "><p id="obs_40_0014__p1037542711283">The default value is <strong id="obs_40_0014__b10986123241">Global services</strong>.</p> <td class="cellrowborder" valign="top" width="69.69999999999999%" headers="mcps1.3.3.2.5.2.2.2.3.1.2 "><p id="obs_40_0014__p1037542711283">Use the default value <strong id="obs_40_0014__b10986123241">Global services</strong>.</p>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</div> </div>
</p></li><li id="obs_40_0014__li1293324623719"><span>Click <strong id="obs_40_0014__b152631939349">OK</strong>. The custom policy is created.</span></li><li id="obs_40_0014__li81339157389"><span><a href="https://docs.otc.t-systems.com/en-us/usermanual/iam/iam_01_0030.html" target="_blank" rel="noopener noreferrer">Create a user group and assign permissions</a>.</span><p><p id="obs_40_0014__p1312812258417">Add the created custom policy to the user group by following the instructions in the IAM document.</p> </p></li><li id="obs_40_0014__li1293324623719"><span>Click <strong id="obs_40_0014__b152631939349">OK</strong>.</span></li><li id="obs_40_0014__li81339157389"><span><a href="https://docs.otc.t-systems.com/en-us/usermanual/iam/iam_01_0030.html" target="_blank" rel="noopener noreferrer">Create a user group and assign permissions</a>.</span><p><p id="obs_40_0014__p1312812258417">Apply the created custom policy to the user group by following the instructions in the IAM document.</p>
</p></li><li id="obs_40_0014__li12273529113919"><span>Add the IAM user you want to authorize to the created user group by referring to <a href="https://docs.otc.t-systems.com/en-us/usermanual/iam/iam_01_0031.html" target="_blank" rel="noopener noreferrer">Creating a User and Adding the User to a User Group</a>.</span><p><div class="note" id="obs_40_0014__note1402619155515"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="obs_40_0014__p37253183814">Due to data caching, it takes about 10 to 15 minutes for a custom policy to take effect after the authorization.</p> </p></li><li id="obs_40_0014__li12273529113919"><span><a href="https://docs.otc.t-systems.com/en-us/usermanual/iam/iam_01_0031.html" target="_blank" rel="noopener noreferrer">Add the IAM user you want to authorize to the created user group</a>.</span><p><div class="note" id="obs_40_0014__note1402619155515"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="obs_40_0014__p37253183814">Due to data caching, it takes about 10 to 15 minutes for a custom policy to take effect.</p>
</div></div> </div></div>
</p></li></ol> </p></li></ol>
</div> </div>
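Review bot: In the note obs_40_0014__p37253183814, removing "after the authorization" leaves the 10 to 15 minute delay without a starting point, so a reader cannot tell when to expect the permissions to apply. Suggest keeping the reference event, for example "to take effect after the authorization". Step 6 also drops "The custom policy is created.", which was the only confirmation of the expected result after clicking OK.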

View File

@ -1,17 +1,16 @@
<a name="obs_40_0015"></a><a name="obs_40_0015"></a> <a name="obs_40_0015"></a><a name="obs_40_0015"></a>
<h1 class="topictitle1">Granting an IAM User the Read and Write Permissions on a Bucket</h1> <h1 class="topictitle1">Granting an IAM User the Read/Write Permission on a Bucket</h1>
<div id="body1588765301378"><div class="section" id="obs_40_0015__section43491717165116"><h4 class="sectiontitle">Scenario</h4><p id="obs_40_0015__p3431154410448">This topic describes how to grant an IAM user the read and write permissions on an OBS bucket.</p> <div id="body1588765301378"><div class="section" id="obs_40_0015__section43491717165116"><h4 class="sectiontitle">Scenario</h4><p id="obs_40_0015__p3431154410448">This topic describes how to grant an IAM user the read/write permission on an OBS bucket.</p>
</div> </div>
<div class="section" id="obs_40_0015__section106520378518"><h4 class="sectiontitle">Recommended Configuration</h4><p id="obs_40_0015__p103657437515">You are advised to use bucket policies to grant resource-level permissions to an IAM user.</p> <div class="section" id="obs_40_0015__section106520378518"><h4 class="sectiontitle">Recommended Configuration</h4><p id="obs_40_0015__p103657437515">To grant resource-level permissions to an IAM user, use a bucket policy.</p>
</div> </div>
<div class="section" id="obs_40_0015__section786219432319"><h4 class="sectiontitle">Configuration Precautions</h4><p id="obs_40_0015__p1436151622312">The preset read/write mode of OBS has the following permissions:</p> <div class="section" id="obs_40_0015__section786219432319"><h4 class="sectiontitle">Precautions</h4>
<ul id="obs_40_0015__ul12273198112311"><li id="obs_40_0015__li1327378202314">GetObject: downloading objects</li><li id="obs_40_0015__li227314817237">PutObject: uploading objects</li><li id="obs_40_0015__li127318812235">GetObjectVersion: downloading versioned objects</li><li id="obs_40_0015__li727310818238">DeleteObjectVersion: deleting objects versions</li><li id="obs_40_0015__li8273888232">DeleteObject: deleting objects</li></ul> <p id="obs_40_0015__p817120327254">After configuration, the IAM user can use APIs or SDKs to upload, download, and delete objects in the bucket. However, if they log in to OBS Console or OBS Browser+ to perform those operations, an error will be reported indicating that they do not have required permissions. .</p>
<p id="obs_40_0015__p817120327254">After the configuration is complete, read and write operations (uploading, downloading, and deleting all objects in the bucket) can be performed using APIs or SDKs. However, if you log in to OBS Console or OBS Browser+ to perform those operations, an error is reported indicating that you do not have required permissions. .</p> <p id="obs_40_0015__p7807163365117">If you still want the IAM user to perform read and write operations on OBS Console or OBS Browser+, you need to configure custom IAM policies. For details, see <a href="#obs_40_0015__section220405220511">Follow-up Procedure</a>.</p>
<p id="obs_40_0015__p7807163365117">If you want an IAM user to perform read and write operations on OBS Console or OBS Browser+, configure custom IAM policies by referring to <a href="#obs_40_0015__section220405220511">Follow-up Procedure</a>.</p> <p id="obs_40_0015__p135531349172915">After configuration, the system still displays a message indicating that the IAM user does not have required permissions, because OBS Console also calls other APIs for advanced configurations. However, the IAM user can still perform read/write operations.</p>
<p id="obs_40_0015__p135531349172915">After the configuration is complete, the system still displays a message indicating that you do not have the permission to access the bucket. This is normal because the console invokes other advanced configuration APIs, but you can still perform operations allowed in read/write mode.</p>
</div> </div>
<div class="section" id="obs_40_0015__section18368164564"><h4 class="sectiontitle">Procedure</h4><ol id="obs_40_0015__ol170633855216"><li id="obs_40_0015__li973618915320"><span>In the navigation pane of OBS Console, choose <strong id="obs_40_0015__b17942540145715">Object Storage</strong>.</span></li><li id="obs_40_0015__li11242915363"><span>In the bucket list, click the bucket name you want to go to the <strong id="obs_40_0015__b1480210341667">Overview</strong> page.</span></li><li id="obs_40_0015__li13508181724617"><span>In the navigation pane, choose <strong id="obs_40_0015__b2605105313511">Permissions</strong>.</span></li><li id="obs_40_0015__li1568715376490"><span>On the <strong id="obs_40_0015__b2317141425">Bucket Policies</strong> page, click <strong id="obs_40_0015__b5734202684217">Create Bucket Policy</strong> under <strong id="obs_40_0015__b29453318428">Custom Bucket Policies</strong>.</span></li><li id="obs_40_0015__li3552175452220"><span>Configure parameters for a bucket policy.</span><p><div class="fignone" id="obs_40_0015__fig13644856182710"><span class="figcap"><b>Figure 1 </b>Configuring parameters for a bucket policy</span><br><span><img id="obs_40_0015__image16647195692714" src="en-us_image_0000001436220057.png"></span></div> <div class="section" id="obs_40_0015__section18368164564"><h4 class="sectiontitle">Procedure</h4><ol id="obs_40_0015__ol170633855216"><li id="obs_40_0015__li973618915320"><span>In the navigation pane of OBS Console, choose <strong id="obs_40_0015__b17942540145715">Object Storage</strong>.</span></li><li id="obs_40_0015__li11242915363"><span>In the bucket list, click the bucket name you want to go to the <strong id="obs_40_0015__b1480210341667">Overview</strong> page.</span></li><li id="obs_40_0015__li13508181724617"><span>In the navigation pane, choose <strong id="obs_40_0015__b2605105313511">Permissions</strong>.</span></li><li id="obs_40_0015__li1568715376490"><span>On the <strong id="obs_40_0015__b2317141425">Bucket 
Policies</strong> page, click <strong id="obs_40_0015__b5734202684217">Create Bucket Policy</strong> under <strong id="obs_40_0015__b29453318428">Custom Bucket Policies</strong>.</span></li><li id="obs_40_0015__li3552175452220"><span>Configure a bucket policy.</span><p><div class="fignone" id="obs_40_0015__fig13644856182710"><span class="figcap"><b>Figure 1 </b>Configuring a bucket policy</span><br><span><img id="obs_40_0015__image16647195692714" src="en-us_image_0000001436220057.png"></span></div>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="obs_40_0015__table374341792315" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Parameters for creating a bucket policy</caption><thead align="left"><tr id="obs_40_0015__row27504174239"><th align="left" class="cellrowborder" valign="top" width="26.88%" id="mcps1.3.4.2.5.2.2.2.3.1.1"><p id="obs_40_0015__p107559176234"><strong id="obs_40_0015__b26447525910101">Parameter</strong></p> <div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="obs_40_0015__table374341792315" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Parameters for creating a bucket policy</caption><thead align="left"><tr id="obs_40_0015__row27504174239"><th align="left" class="cellrowborder" valign="top" width="26.88%" id="mcps1.3.4.2.5.2.2.2.3.1.1"><p id="obs_40_0015__p107559176234"><strong id="obs_40_0015__b26447525910101">Parameter</strong></p>
</th> </th>
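Review bot: The Precautions section deletes the list of actions covered by the preset read/write mode (GetObject, PutObject, GetObjectVersion, DeleteObjectVersion, DeleteObject) and replaces it only with "upload, download, and delete objects". A reader granting this permission can no longer see that it includes deleting object versions. Suggest keeping the action list. The stray " ." after "required permissions." in obs_40_0015__p817120327254 is carried over from the old text and should be removed. The third paragraph (p135531349172915) should also say that it describes the state after the follow-up IAM policy is configured, since it otherwise appears to repeat the first.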
@ -37,12 +36,12 @@
</tbody> </tbody>
</table> </table>
</div> </div>
</p></li><li id="obs_40_0015__li4406132611218"><span>Click <strong id="obs_40_0015__b19267734154318">OK</strong>. The bucket policy is created.</span></li></ol> </p></li><li id="obs_40_0015__li4406132611218"><span>Click <strong id="obs_40_0015__b19267734154318">OK</strong>.</span></li></ol>
</div> </div>
<div class="section" id="obs_40_0015__section220405220511"><a name="obs_40_0015__section220405220511"></a><a name="section220405220511"></a><h4 class="sectiontitle">Follow-up Procedure</h4><p id="obs_40_0015__p349115115368">To perform read and write operations on OBS Console or OBS Browser+, you must add the <strong id="obs_40_0015__b3328145222113">obs:bucket:ListAllMyBuckets</strong> (for listing buckets) and <strong id="obs_40_0015__b191501957142118">obs:bucket:ListBucket</strong> (for listing objects in a bucket) permissions to the custom IAM policy.</p> <div class="section" id="obs_40_0015__section220405220511"><a name="obs_40_0015__section220405220511"></a><a name="section220405220511"></a><h4 class="sectiontitle">Follow-up Procedure</h4><p id="obs_40_0015__p349115115368">To perform read and write operations on OBS Console or OBS Browser+, you must add the <strong id="obs_40_0015__b3328145222113">obs:bucket:ListAllMyBuckets</strong> (for listing buckets) and <strong id="obs_40_0015__b191501957142118">obs:bucket:ListBucket</strong> (for listing objects in a bucket) permissions to the custom IAM policy.</p>
<div class="note" id="obs_40_0015__note5566228165219"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="obs_40_0015__p256692825216"><strong id="obs_40_0015__b4310121264120">obs:bucket:ListAllMyBuckets</strong> applies to all resources, while <strong id="obs_40_0015__b1831551254115">obs:bucket:ListBucket</strong> applies to the authorized bucket only. Therefore, you need to add two permissions to the policy.</p> <div class="note" id="obs_40_0015__note5566228165219"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="obs_40_0015__p256692825216"><strong id="obs_40_0015__b4310121264120">obs:bucket:ListAllMyBuckets</strong> applies to all resources, while <strong id="obs_40_0015__b1831551254115">obs:bucket:ListBucket</strong> applies only to the authorized bucket. Therefore, you need to add these two permissions to the policy.</p>
</div></div> </div></div>
<ol id="obs_40_0015__ol8623195417319"><li id="obs_40_0015__li10432131493113"><span>Log in to the management console using a cloud service account.</span></li><li id="obs_40_0015__li625685643115"><span>On the top menu bar, choose <strong id="obs_40_0015__b1624185733610">Service List</strong> &gt; <strong id="obs_40_0015__b112511573364">Management &amp; Deployment</strong> &gt; <strong id="obs_40_0015__b17257573368">Identity and Access Management</strong>. The IAM console is displayed.</span></li><li id="obs_40_0015__li1848615103345"><span>In the navigation pane, choose <strong id="obs_40_0015__b757714919113">Permissions</strong>.</span></li><li id="obs_40_0015__li1388483016366"><span>Click <strong id="obs_40_0015__b118613715375">Create Custom Policy</strong> in the upper right corner.</span></li><li id="obs_40_0015__li1161395452712"><span>Configure parameters for a custom policy.</span><p><div class="fignone" id="obs_40_0015__fig1814219521628"><span class="figcap"><b>Figure 2 </b>Configuring a custom policy</span><br><span><img id="obs_40_0015__image101432052622" src="en-us_image_0000001385676688.png"></span></div> <ol id="obs_40_0015__ol8623195417319"><li id="obs_40_0015__li10432131493113"><span>Log in to the management console using a cloud service account.</span></li><li id="obs_40_0015__li625685643115"><span>On the top menu bar, choose <strong id="obs_40_0015__b1624185733610">Service List</strong> &gt; <strong id="obs_40_0015__b112511573364">Management &amp; Deployment</strong> &gt; <strong id="obs_40_0015__b17257573368">Identity and Access Management</strong>.</span></li><li id="obs_40_0015__li1848615103345"><span>In the navigation pane, choose <strong id="obs_40_0015__b757714919113">Permissions</strong>.</span></li><li id="obs_40_0015__li1388483016366"><span>Click <strong id="obs_40_0015__b118613715375">Create Custom Policy</strong> in the upper right corner.</span></li><li id="obs_40_0015__li1161395452712"><span>Configure a custom policy.</span><p><div 
class="fignone" id="obs_40_0015__fig1814219521628"><span class="figcap"><b>Figure 2 </b>Configuring a custom policy</span><br><span><img id="obs_40_0015__image101432052622" src="en-us_image_0000001385676688.png"></span></div>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="obs_40_0015__table6375112782815" frame="border" border="1" rules="all"><caption><b>Table 2 </b>Parameters for configuring a custom policy</caption><thead align="left"><tr id="obs_40_0015__row6375927132818"><th align="left" class="cellrowborder" valign="top" width="24.79%" id="mcps1.3.5.4.5.2.2.2.3.1.1"><p id="obs_40_0015__p23757272286"><strong id="obs_40_0015__b68930084110101">Parameter</strong></p> <div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="obs_40_0015__table6375112782815" frame="border" border="1" rules="all"><caption><b>Table 2 </b>Parameters for configuring a custom policy</caption><thead align="left"><tr id="obs_40_0015__row6375927132818"><th align="left" class="cellrowborder" valign="top" width="24.79%" id="mcps1.3.5.4.5.2.2.2.3.1.1"><p id="obs_40_0015__p23757272286"><strong id="obs_40_0015__b68930084110101">Parameter</strong></p>
</th> </th>
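Review bot: The note obs_40_0015__p256692825216 says obs:bucket:ListAllMyBuckets "applies to all resources" but does not state what that means for the grantee. It would help to add that the IAM user will be able to list every bucket under the account, not only the authorized one. The introductory sentence above it also refers to "the custom IAM policy" before any custom policy has been created in this topic. "a custom IAM policy" reads more accurately.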
@ -52,12 +51,12 @@
</thead> </thead>
<tbody><tr id="obs_40_0015__row17375102752819"><td class="cellrowborder" valign="top" width="24.79%" headers="mcps1.3.5.4.5.2.2.2.3.1.1 "><p id="obs_40_0015__p1737572772816">Policy Name</p> <tbody><tr id="obs_40_0015__row17375102752819"><td class="cellrowborder" valign="top" width="24.79%" headers="mcps1.3.5.4.5.2.2.2.3.1.1 "><p id="obs_40_0015__p1737572772816">Policy Name</p>
</td> </td>
<td class="cellrowborder" valign="top" width="75.21%" headers="mcps1.3.5.4.5.2.2.2.3.1.2 "><p id="obs_40_0015__p83758278280">Name of the custom policy</p> <td class="cellrowborder" valign="top" width="75.21%" headers="mcps1.3.5.4.5.2.2.2.3.1.2 "><p id="obs_40_0015__p83758278280">Enter a policy name.</p>
</td> </td>
</tr> </tr>
<tr id="obs_40_0015__row1937592712288"><td class="cellrowborder" valign="top" width="24.79%" headers="mcps1.3.5.4.5.2.2.2.3.1.1 "><p id="obs_40_0015__p173753272284">Policy View</p> <tr id="obs_40_0015__row1937592712288"><td class="cellrowborder" valign="top" width="24.79%" headers="mcps1.3.5.4.5.2.2.2.3.1.1 "><p id="obs_40_0015__p173753272284">Policy View</p>
</td> </td>
<td class="cellrowborder" valign="top" width="75.21%" headers="mcps1.3.5.4.5.2.2.2.3.1.2 "><p id="obs_40_0015__p17375102714285">Set this parameter based on your own habits. <strong id="obs_40_0015__b15269128171710">Visual editor</strong> is used here.</p> <td class="cellrowborder" valign="top" width="75.21%" headers="mcps1.3.5.4.5.2.2.2.3.1.2 "><p id="obs_40_0015__p17375102714285">Select one based on your own habits. <strong id="obs_40_0015__b8703205911914">Visual editor</strong> is used here.</p>
</td> </td>
</tr> </tr>
<tr id="obs_40_0015__row133751227142812"><td class="cellrowborder" valign="top" width="24.79%" headers="mcps1.3.5.4.5.2.2.2.3.1.1 "><p id="obs_40_0015__p203751027172816">Policy Content</p> <tr id="obs_40_0015__row133751227142812"><td class="cellrowborder" valign="top" width="24.79%" headers="mcps1.3.5.4.5.2.2.2.3.1.1 "><p id="obs_40_0015__p203751027172816">Policy Content</p>
@ -65,19 +64,19 @@
<td class="cellrowborder" valign="top" width="75.21%" headers="mcps1.3.5.4.5.2.2.2.3.1.2 "><p id="obs_40_0015__p1928318374535">[Permission 1]</p> <td class="cellrowborder" valign="top" width="75.21%" headers="mcps1.3.5.4.5.2.2.2.3.1.2 "><p id="obs_40_0015__p1928318374535">[Permission 1]</p>
<ul id="obs_40_0015__ul312618263319"><li id="obs_40_0015__li112652673110">Select <strong id="obs_40_0015__b1442421510101">Allow</strong>.</li><li id="obs_40_0015__li1952919359">Select <strong id="obs_40_0015__b1420920813562">Object Storage Service (OBS)</strong>.</li><li id="obs_40_0015__li813512281313">Select <strong id="obs_40_0015__b727714444551">obs:bucket:ListAllMyBuckets</strong> from the actions.</li><li id="obs_40_0015__li1991741116547">Select <strong id="obs_40_0015__b823218256422">All</strong> for resources.</li></ul> <ul id="obs_40_0015__ul312618263319"><li id="obs_40_0015__li112652673110">Select <strong id="obs_40_0015__b1442421510101">Allow</strong>.</li><li id="obs_40_0015__li1952919359">Select <strong id="obs_40_0015__b1420920813562">Object Storage Service (OBS)</strong>.</li><li id="obs_40_0015__li813512281313">Select <strong id="obs_40_0015__b727714444551">obs:bucket:ListAllMyBuckets</strong> from the actions.</li><li id="obs_40_0015__li1991741116547">Select <strong id="obs_40_0015__b823218256422">All</strong> for resources.</li></ul>
<p id="obs_40_0015__p148511375414">[Permission 2]</p> <p id="obs_40_0015__p148511375414">[Permission 2]</p>
<ul id="obs_40_0015__ul127691549205313"><li id="obs_40_0015__li167691496533">Select <strong id="obs_40_0015__b49081477010101">Allow</strong>.</li><li id="obs_40_0015__li1676910494536">Select <strong id="obs_40_0015__b2053811501566">Object Storage Service (OBS)</strong>.</li><li id="obs_40_0015__li18769949195314">Select <strong id="obs_40_0015__b1869165519563">obs:bucket:ListBucket</strong> from the actions.</li><li id="obs_40_0015__li77691949175310">For <strong id="obs_40_0015__b1424511203473">Resources</strong>, select <strong id="obs_40_0015__b14645193125717">Specific</strong>, and for <strong id="obs_40_0015__b9449403471">bucket</strong>, select <strong id="obs_40_0015__b12150205824715">Specify resource path</strong>, and click <strong id="obs_40_0015__b3143112410489">Add Resource Path</strong>. Enter the bucket name in the <strong id="obs_40_0015__b4841111134916">Path</strong> text box, indicating that the policy takes effect only for this bucket.</li></ul> <ul id="obs_40_0015__ul127691549205313"><li id="obs_40_0015__li167691496533">Select <strong id="obs_40_0015__b49081477010101">Allow</strong>.</li><li id="obs_40_0015__li1676910494536">Select <strong id="obs_40_0015__b2053811501566">Object Storage Service (OBS)</strong>.</li><li id="obs_40_0015__li18769949195314">Select <strong id="obs_40_0015__b1869165519563">obs:bucket:ListBucket</strong> from the actions.</li><li id="obs_40_0015__li77691949175310">Select <strong id="obs_40_0015__b14645193125717">Specific</strong> for <strong id="obs_40_0015__b1424511203473">Resources</strong> and select <strong id="obs_40_0015__b12150205824715">Specify resource path</strong> for <strong id="obs_40_0015__b9449403471">Bucket</strong>. Click <strong id="obs_40_0015__b3143112410489">Add Resource Path</strong>. Enter the bucket name in the <strong id="obs_40_0015__b4841111134916">Path</strong> text box for applying the policy only to this bucket.</li></ul>
</td> </td>
</tr> </tr>
<tr id="obs_40_0015__row81414412509"><td class="cellrowborder" valign="top" width="24.79%" headers="mcps1.3.5.4.5.2.2.2.3.1.1 "><p id="obs_40_0015__p83756273285">Scope</p> <tr id="obs_40_0015__row81414412509"><td class="cellrowborder" valign="top" width="24.79%" headers="mcps1.3.5.4.5.2.2.2.3.1.1 "><p id="obs_40_0015__p83756273285">Scope</p>
</td> </td>
<td class="cellrowborder" valign="top" width="75.21%" headers="mcps1.3.5.4.5.2.2.2.3.1.2 "><p id="obs_40_0015__p1037542711283">The default value is <strong id="obs_40_0015__b137650311419">Global services</strong>.</p> <td class="cellrowborder" valign="top" width="75.21%" headers="mcps1.3.5.4.5.2.2.2.3.1.2 "><p id="obs_40_0015__p1037542711283">Use the default value <strong id="obs_40_0015__b137650311419">Global services</strong>.</p>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</div> </div>
</p></li><li id="obs_40_0015__li1293324623719"><span>Click <strong id="obs_40_0015__b117724509310101">OK</strong>. The custom policy is created.</span></li><li id="obs_40_0015__li81339157389"><span><a href="https://docs.otc.t-systems.com/en-us/usermanual/iam/iam_01_0030.html" target="_blank" rel="noopener noreferrer">Create a user group and assign permissions</a>.</span><p><p id="obs_40_0015__p1312812258417">Add the created custom policy to the user group by following the instructions in the IAM document.</p> </p></li><li id="obs_40_0015__li1293324623719"><span>Click <strong id="obs_40_0015__b117724509310101">OK</strong>.</span></li><li id="obs_40_0015__li81339157389"><span><a href="https://docs.otc.t-systems.com/en-us/usermanual/iam/iam_01_0030.html" target="_blank" rel="noopener noreferrer">Create a user group and assign permissions</a>.</span><p><p id="obs_40_0015__p1312812258417">Apply the created custom policy to the user group by following the instructions in the IAM document.</p>
</p></li><li id="obs_40_0015__li12273529113919"><span>Add the IAM user you want to authorize to the created user group by referring to <a href="https://docs.otc.t-systems.com/en-us/usermanual/iam/iam_01_0031.html" target="_blank" rel="noopener noreferrer">Creating a User and Adding the User to a User Group</a>.</span><p><div class="note" id="obs_40_0015__note1402619155515"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="obs_40_0015__p37253183814">Due to data caching, it takes about 10 to 15 minutes for a custom policy to take effect after the authorization.</p> </p></li><li id="obs_40_0015__li12273529113919"><span><a href="https://docs.otc.t-systems.com/en-us/usermanual/iam/iam_01_0031.html" target="_blank" rel="noopener noreferrer">Add the IAM user you want to authorize to the created user group</a>.</span><p><div class="note" id="obs_40_0015__note1402619155515"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="obs_40_0015__p37253183814">Due to data caching, it takes about 10 to 15 minutes for a custom policy to take effect.</p>
</div></div> </div></div>
</p></li></ol> </p></li></ol>
</div> </div>
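Review bot: In the Resources step of the Actions cell, the new wording "Enter the bucket name in the Path text box for applying the policy only to this bucket" reads awkwardly and no longer states the effect as plainly as the old "indicating that the policy takes effect only for this bucket". This path is what limits obs:bucket:ListBucket to a single bucket, so the sentence should say so directly, for example "Enter the bucket name in the Path text box so that the policy applies only to this bucket." The same step changes the label from "bucket" to "Bucket"; please confirm the capitalization matches the console.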

View File

@ -1,16 +1,16 @@
<a name="obs_40_0016"></a><a name="obs_40_0016"></a> <a name="obs_40_0016"></a><a name="obs_40_0016"></a>
<h1 class="topictitle1">Granting an IAM User the Permissions Required to Perform Specific Operations on a Specific Bucket</h1> <h1 class="topictitle1">Granting an IAM User the Specified Permissions for a Bucket</h1>
<div id="body1588765301378"><div class="section" id="obs_40_0016__section43491717165116"><h4 class="sectiontitle">Scenario</h4><p id="obs_40_0016__p3431154410448">This topic describes how to grant an IAM user the permissions required to perform specific operations on an OBS bucket. Below describes how to grant the bucket deletion permission.</p> <div id="body1588765301378"><div class="section" id="obs_40_0016__section43491717165116"><h4 class="sectiontitle">Scenario</h4><p id="obs_40_0016__p3431154410448">This topic describes how to grant an IAM user the permissions required to delete a bucket.</p>
<p id="obs_40_0016__p131221236151420">If you need to configure other permissions, select the corresponding actions from the <strong id="obs_40_0016__b1887111181379">Action Name</strong> drop-down list in the bucket policy. For details about the actions supported by OBS, see <a href="obs_40_0041.html#obs_40_0041__en-us_topic_0118394684_section1623516525350">Action/NotAction</a>.</p> <p id="obs_40_0016__p131221236151420">To grant other permissions, select required actions from <strong id="obs_40_0016__b1968674651912">Action Name</strong> in the bucket policy. For details, see <a href="obs_40_0041.html#obs_40_0041__en-us_topic_0118394684_section1623516525350">Action/NotAction</a>.</p>
</div> </div>
<div class="section" id="obs_40_0016__section106520378518"><h4 class="sectiontitle">Recommended Configuration</h4><p id="obs_40_0016__p103657437515">You are advised to use bucket policies to grant resource-level permissions to an IAM user.</p> <div class="section" id="obs_40_0016__section106520378518"><h4 class="sectiontitle">Recommended Configuration</h4><p id="obs_40_0016__p103657437515">To grant resource-level permissions to an IAM user, use a bucket policy.</p>
</div> </div>
<div class="section" id="obs_40_0016__section786219432319"><h4 class="sectiontitle">Configuration Precautions</h4><p id="obs_40_0016__p4883191595712">After the configuration is complete, you can delete buckets using APIs. However, if you log in to OBS Console or OBS Browser+ to delete buckets, an error is reported indicating that you do not have required permissions.</p> <div class="section" id="obs_40_0016__section786219432319"><h4 class="sectiontitle">Precautions</h4><p id="obs_40_0016__p4883191595712">After configuration, the IAM user can use APIs to delete buckets. However, if they log in to OBS Console or OBS Browser+ to delete buckets, a message will be displayed indicating that they do not have required permissions.</p>
<p id="obs_40_0016__p20343339195015">This is because when you log in to OBS Console or OBS Browser+, more APIs (such as <strong id="obs_40_0016__b146471514264">ListAllMyBuckets</strong> and <strong id="obs_40_0016__b13906172152620">ListBucketVersions</strong>) are called to load the list of buckets and versioned objects, but your permissions do not cover those APIs. In such case, your access is denied or your operation is not allowed.</p> <p id="obs_40_0016__p20343339195015">This is because when they log in to OBS Console or OBS Browser+, more APIs (such as <strong id="obs_40_0016__b146471514264">ListAllMyBuckets</strong> and <strong id="obs_40_0016__b13906172152620">ListBucketVersions</strong>) will be called to load the list of buckets and versioned objects. In such case, the message is displayed.</p>
<p id="obs_40_0016__p7807163365117">If you want an IAM user to delete buckets on OBS Console or OBS Browser+, allow the <strong id="obs_40_0016__b15892192319290">ListBucketVersions</strong> permission in the bucket policy and configure a custom IAM policy to grant the <strong id="obs_40_0016__b81561239102919">ListAllMyBuckets</strong> permission by referring to <a href="#obs_40_0016__section220405220511">Follow-up Procedure</a>.</p> <p id="obs_40_0016__p7807163365117">If you want an IAM user to delete buckets on OBS Console or OBS Browser+, you need to allow the <strong id="obs_40_0016__b15892192319290">ListBucketVersions</strong> permission in the bucket policy and configure a custom IAM policy to grant the <strong id="obs_40_0016__b81561239102919">ListAllMyBuckets</strong> permission by referring to <a href="#obs_40_0016__section220405220511">Follow-up Procedure</a>.</p>
</div> </div>
<div class="section" id="obs_40_0016__section18368164564"><h4 class="sectiontitle">Procedure</h4><ol id="obs_40_0016__ol170633855216"><li id="obs_40_0016__li973618915320"><span>In the navigation pane of OBS Console, choose <strong id="obs_40_0016__b817114045810">Object Storage</strong>.</span></li><li id="obs_40_0016__li11242915363"><span>In the bucket list, click the bucket name you want to go to the <strong id="obs_40_0016__b14821954974">Overview</strong> page.</span></li><li id="obs_40_0016__li13508181724617"><span>In the navigation pane, choose <strong id="obs_40_0016__b1224919532317">Permissions</strong>.</span></li><li id="obs_40_0016__li49461065486"><span>On the <strong id="obs_40_0016__b1581710142711">Bucket Policies</strong> page, click <strong id="obs_40_0016__b1681790132717">Create Bucket Policy</strong> under <strong id="obs_40_0016__b18818190172710">Custom Bucket Policies</strong>.</span></li><li id="obs_40_0016__li3552175452220"><span>Configure parameters for a bucket policy.</span><p><div class="fignone" id="obs_40_0016__fig136019591588"><span class="figcap"><b>Figure 1 </b>Configuring parameters for a bucket policy</span><br><span><img id="obs_40_0016__image10615592819" src="en-us_image_0000001385678272.png"></span></div> <div class="section" id="obs_40_0016__section18368164564"><h4 class="sectiontitle">Procedure</h4><ol id="obs_40_0016__ol170633855216"><li id="obs_40_0016__li724955124912"><span>In the navigation pane of OBS Console, choose <strong id="obs_40_0016__b817114045810">Object Storage</strong>.</span></li><li id="obs_40_0016__li32491951194912"><span>In the bucket list, click the bucket name you want to go to the <strong id="obs_40_0016__b10271330143111">Overview</strong> page.</span></li><li id="obs_40_0016__li5249145194918"><span>In the navigation pane, choose <strong id="obs_40_0016__b19373029959044">Permissions</strong>.</span></li><li id="obs_40_0016__li1568715376490"><span>On the <strong id="obs_40_0016__b1581710142711">Bucket 
Policies</strong> page, click <strong id="obs_40_0016__b1681790132717">Create Bucket Policy</strong> under <strong id="obs_40_0016__b18818190172710">Custom Bucket Policies</strong>.</span></li><li id="obs_40_0016__li3552175452220"><span>Configure a bucket policy.</span><p><div class="fignone" id="obs_40_0016__fig136019591588"><span class="figcap"><b>Figure 1 </b>Configuring a bucket policy</span><br><span><img id="obs_40_0016__image10615592819" src="en-us_image_0000001385678272.png"></span></div>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="obs_40_0016__table374341792315" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Parameters for creating a bucket policy</caption><thead align="left"><tr id="obs_40_0016__row27504174239"><th align="left" class="cellrowborder" valign="top" width="26.88%" id="mcps1.3.4.2.5.2.2.2.3.1.1"><p id="obs_40_0016__p107559176234"><strong id="obs_40_0016__b94846767511353">Parameter</strong></p> <div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="obs_40_0016__table374341792315" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Parameters for creating a bucket policy</caption><thead align="left"><tr id="obs_40_0016__row27504174239"><th align="left" class="cellrowborder" valign="top" width="26.88%" id="mcps1.3.4.2.5.2.2.2.3.1.1"><p id="obs_40_0016__p107559176234"><strong id="obs_40_0016__b94846767511353">Parameter</strong></p>
</th> </th>
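Review bot: In the second Precautions paragraph (p20343339195015), the new text drops "but your permissions do not cover those APIs", so the paragraph now opens with "This is because" and never gives the reason: it only says more APIs are called and "the message is displayed". Suggest keeping the cause, for example "... are called to load the list of buckets and versioned objects, and the granted permissions do not cover those APIs." Separately, the new title ("Specified Permissions for a Bucket") is generic while the new Scenario sentence covers bucket deletion only; the removed sentence "Below describes how to grant the bucket deletion permission" was what connected the two.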
@ -40,18 +40,18 @@
</tr> </tr>
<tr id="obs_40_0016__row3951641158"><td class="cellrowborder" valign="top" width="26.88%" headers="mcps1.3.4.2.5.2.2.2.3.1.1 "><p id="obs_40_0016__p10952134114519">Actions</p> <tr id="obs_40_0016__row3951641158"><td class="cellrowborder" valign="top" width="26.88%" headers="mcps1.3.4.2.5.2.2.2.3.1.1 "><p id="obs_40_0016__p10952134114519">Actions</p>
</td> </td>
<td class="cellrowborder" valign="top" width="73.11999999999999%" headers="mcps1.3.4.2.5.2.2.2.3.1.2 "><ul id="obs_40_0016__ul1663065817513"><li id="obs_40_0016__li1563025812519"><strong id="obs_40_0016__b160478738111353">Include</strong></li><li id="obs_40_0016__li9382124645310"><strong id="obs_40_0016__b2621916135014">Action Name</strong>:<ul id="obs_40_0016__ul0371748105310"><li id="obs_40_0016__li10224301466">DeleteBucket</li><li id="obs_40_0016__li1996111505537"><span style="color:#3D3F43;">ListBucketVersions</span> (required when the authorized user needs to access OBS on OBS Console or OBS Browser+)</li></ul> <td class="cellrowborder" valign="top" width="73.11999999999999%" headers="mcps1.3.4.2.5.2.2.2.3.1.2 "><ul id="obs_40_0016__ul1663065817513"><li id="obs_40_0016__li1563025812519"><strong id="obs_40_0016__b160478738111353">Include</strong></li><li id="obs_40_0016__li9382124645310"><strong id="obs_40_0016__b2621916135014">Action Name</strong>:<ul id="obs_40_0016__ul0371748105310"><li id="obs_40_0016__li10224301466">DeleteBucket</li><li id="obs_40_0016__li1996111505537">ListBucketVersions (required when an authorized user needs to access OBS from OBS Console or OBS Browser+)</li></ul>
</li></ul> </li></ul>
<p id="obs_40_0016__p175400381720">To configure other permissions, select the corresponding actions. For details about the actions supported by OBS, see <a href="obs_40_0041.html#obs_40_0041__en-us_topic_0118394684_section1623516525350">Action/NotAction</a>.</p> <p id="obs_40_0016__p175400381720">To configure other permissions, select the corresponding actions. For details, see <a href="obs_40_0041.html#obs_40_0041__en-us_topic_0118394684_section1623516525350">Action/NotAction</a>.</p>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</div> </div>
</p></li><li id="obs_40_0016__li4406132611218"><span>Click <strong id="obs_40_0016__b2045315417430">OK</strong>. The bucket policy is created.</span></li></ol> </p></li><li id="obs_40_0016__li4406132611218"><span>Click <strong id="obs_40_0016__b2045315417430">OK</strong>.</span></li></ol>
</div> </div>
<div class="section" id="obs_40_0016__section220405220511"><a name="obs_40_0016__section220405220511"></a><a name="section220405220511"></a><h4 class="sectiontitle">Follow-up Procedure</h4><p id="obs_40_0016__p349115115368">To successfully delete buckets on OBS Console or OBS Browser+, you need to allow the <strong id="obs_40_0016__b99410010315">obs:bucket:ListAllMyBuckets</strong> (for listing buckets) permission in the IAM policy.</p> <div class="section" id="obs_40_0016__section220405220511"><a name="obs_40_0016__section220405220511"></a><a name="section220405220511"></a><h4 class="sectiontitle">Follow-up Procedure</h4><p id="obs_40_0016__p349115115368">To delete buckets on OBS Console or OBS Browser+, you need to allow the <strong id="obs_40_0016__b99410010315">obs:bucket:ListAllMyBuckets</strong> permission in the IAM policy.</p>
<ol id="obs_40_0016__ol8623195417319"><li id="obs_40_0016__li10432131493113"><span>Log in to the management console using a cloud service account.</span></li><li id="obs_40_0016__li625685643115"><span>On the top menu bar, choose <strong id="obs_40_0016__b587704120115">Service List</strong> &gt; <strong id="obs_40_0016__b6878144115116">Management &amp; Deployment</strong> &gt; <strong id="obs_40_0016__b9878241815">Identity and Access Management</strong>. The IAM console is displayed.</span></li><li id="obs_40_0016__li1848615103345"><span>In the navigation pane, choose <strong id="obs_40_0016__b127792011191410">Permissions</strong>.</span></li><li id="obs_40_0016__li1388483016366"><span>Click <strong id="obs_40_0016__b111271552914">Create Custom Policy</strong> in the upper right corner.</span></li><li id="obs_40_0016__li1161395452712"><span>Configure parameters for a custom policy.</span><p><div class="fignone" id="obs_40_0016__fig2216161311520"><span class="figcap"><b>Figure 2 </b>Configuring a custom policy</span><br><span><img id="obs_40_0016__image921815136158" src="en-us_image_0000001385362028.png"></span></div> <ol id="obs_40_0016__ol8623195417319"><li id="obs_40_0016__li10432131493113"><span>Log in to the management console using a cloud service account.</span></li><li id="obs_40_0016__li625685643115"><span>On the top menu bar, choose <strong id="obs_40_0016__b587704120115">Service List</strong> &gt; <strong id="obs_40_0016__b6878144115116">Management &amp; Deployment</strong> &gt; <strong id="obs_40_0016__b9878241815">Identity and Access Management</strong>.</span></li><li id="obs_40_0016__li1848615103345"><span>In the navigation pane, choose <strong id="obs_40_0016__b127792011191410">Permissions</strong>.</span></li><li id="obs_40_0016__li1388483016366"><span>Click <strong id="obs_40_0016__b111271552914">Create Custom Policy</strong> in the upper right corner.</span></li><li id="obs_40_0016__li1161395452712"><span>Configure a custom policy.</span><p><div 
class="fignone" id="obs_40_0016__fig2216161311520"><span class="figcap"><b>Figure 2 </b>Configuring a custom policy</span><br><span><img id="obs_40_0016__image921815136158" src="en-us_image_0000001385362028.png"></span></div>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="obs_40_0016__table6375112782815" frame="border" border="1" rules="all"><caption><b>Table 2 </b>Parameters for configuring a custom policy</caption><thead align="left"><tr id="obs_40_0016__row6375927132818"><th align="left" class="cellrowborder" valign="top" width="24.48%" id="mcps1.3.5.3.5.2.2.2.3.1.1"><p id="obs_40_0016__p23757272286"><strong id="obs_40_0016__b204053214211353">Parameter</strong></p> <div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="obs_40_0016__table6375112782815" frame="border" border="1" rules="all"><caption><b>Table 2 </b>Parameters for configuring a custom policy</caption><thead align="left"><tr id="obs_40_0016__row6375927132818"><th align="left" class="cellrowborder" valign="top" width="24.48%" id="mcps1.3.5.3.5.2.2.2.3.1.1"><p id="obs_40_0016__p23757272286"><strong id="obs_40_0016__b204053214211353">Parameter</strong></p>
</th> </th>
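Review bot: In the Follow-up Procedure paragraph, the new side removes "(for listing buckets)" after obs:bucket:ListAllMyBuckets, while the matching paragraph in obs_40_0017 keeps that explanation and also notes that this permission applies to all resources. A reader granting it here should be told the same thing, so suggest keeping the parenthetical and stating the scope in this topic as well. In step 2, dropping "The IAM console is displayed." removes the only confirmation that the reader has left OBS Console before the next step says "In the navigation pane, choose Permissions".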
@ -61,12 +61,12 @@
</thead> </thead>
<tbody><tr id="obs_40_0016__row17375102752819"><td class="cellrowborder" valign="top" width="24.48%" headers="mcps1.3.5.3.5.2.2.2.3.1.1 "><p id="obs_40_0016__p1737572772816">Policy Name</p> <tbody><tr id="obs_40_0016__row17375102752819"><td class="cellrowborder" valign="top" width="24.48%" headers="mcps1.3.5.3.5.2.2.2.3.1.1 "><p id="obs_40_0016__p1737572772816">Policy Name</p>
</td> </td>
<td class="cellrowborder" valign="top" width="75.52%" headers="mcps1.3.5.3.5.2.2.2.3.1.2 "><p id="obs_40_0016__p83758278280">Name of the custom policy</p> <td class="cellrowborder" valign="top" width="75.52%" headers="mcps1.3.5.3.5.2.2.2.3.1.2 "><p id="obs_40_0016__p83758278280">Enter a policy name.</p>
</td> </td>
</tr> </tr>
<tr id="obs_40_0016__row1937592712288"><td class="cellrowborder" valign="top" width="24.48%" headers="mcps1.3.5.3.5.2.2.2.3.1.1 "><p id="obs_40_0016__p173753272284">Policy View</p> <tr id="obs_40_0016__row1937592712288"><td class="cellrowborder" valign="top" width="24.48%" headers="mcps1.3.5.3.5.2.2.2.3.1.1 "><p id="obs_40_0016__p173753272284">Policy View</p>
</td> </td>
<td class="cellrowborder" valign="top" width="75.52%" headers="mcps1.3.5.3.5.2.2.2.3.1.2 "><p id="obs_40_0016__p17375102714285">Set this parameter based on your own habits. <strong id="obs_40_0016__b201724469172">Visual editor</strong> is used here.</p> <td class="cellrowborder" valign="top" width="75.52%" headers="mcps1.3.5.3.5.2.2.2.3.1.2 "><p id="obs_40_0016__p17375102714285">Select one based on your own habits. <strong id="obs_40_0016__b987183435712">Visual editor</strong> is used here.</p>
</td> </td>
</tr> </tr>
<tr id="obs_40_0016__row133751227142812"><td class="cellrowborder" valign="top" width="24.48%" headers="mcps1.3.5.3.5.2.2.2.3.1.1 "><p id="obs_40_0016__p203751027172816">Policy Content</p> <tr id="obs_40_0016__row133751227142812"><td class="cellrowborder" valign="top" width="24.48%" headers="mcps1.3.5.3.5.2.2.2.3.1.1 "><p id="obs_40_0016__p203751027172816">Policy Content</p>
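Review bot: In the Policy View row, "Select one based on your own habits" has no antecedent for "one", because the available views are not named in the cell. Suggest naming the choices, or at least "Select a policy view. Visual editor is used here." The id of the bold element also changes (b201724469172 to b987183435712); if anything links to the old id, it will break.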
@ -76,14 +76,14 @@
</tr> </tr>
<tr id="obs_40_0016__row154361617514"><td class="cellrowborder" valign="top" width="24.48%" headers="mcps1.3.5.3.5.2.2.2.3.1.1 "><p id="obs_40_0016__p83756273285">Scope</p> <tr id="obs_40_0016__row154361617514"><td class="cellrowborder" valign="top" width="24.48%" headers="mcps1.3.5.3.5.2.2.2.3.1.1 "><p id="obs_40_0016__p83756273285">Scope</p>
</td> </td>
<td class="cellrowborder" valign="top" width="75.52%" headers="mcps1.3.5.3.5.2.2.2.3.1.2 "><p id="obs_40_0016__p1037542711283">The default value is <strong id="obs_40_0016__b6254525056">Global services</strong>.</p> <td class="cellrowborder" valign="top" width="75.52%" headers="mcps1.3.5.3.5.2.2.2.3.1.2 "><p id="obs_40_0016__p1037542711283">Use the default value <strong id="obs_40_0016__b6254525056">Global services</strong>.</p>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</div> </div>
</p></li><li id="obs_40_0016__li1293324623719"><span>Click <strong id="obs_40_0016__b139894679711353">OK</strong>. The custom policy is created.</span></li><li id="obs_40_0016__li81339157389"><span><a href="https://docs.otc.t-systems.com/en-us/usermanual/iam/iam_01_0030.html" target="_blank" rel="noopener noreferrer">Create a user group and assign permissions</a>.</span><p><p id="obs_40_0016__p1312812258417">Add the created custom policy to the user group by following the instructions in the IAM document.</p> </p></li><li id="obs_40_0016__li1293324623719"><span>Click <strong id="obs_40_0016__b139894679711353">OK</strong>.</span></li><li id="obs_40_0016__li81339157389"><span><a href="https://docs.otc.t-systems.com/en-us/usermanual/iam/iam_01_0030.html" target="_blank" rel="noopener noreferrer">Create a user group and assign permissions</a>.</span><p><p id="obs_40_0016__p1312812258417">Apply the created custom policy to the user group by following the instructions in the IAM document.</p>
</p></li><li id="obs_40_0016__li12273529113919"><span>Add the IAM user you want to authorize to the created user group by referring to <a href="https://docs.otc.t-systems.com/en-us/usermanual/iam/iam_01_0031.html" target="_blank" rel="noopener noreferrer">Creating a User and Adding the User to a User Group</a>.</span><p><div class="note" id="obs_40_0016__note1402619155515"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="obs_40_0016__p37253183814">Due to data caching, it takes about 10 to 15 minutes for a custom policy to take effect after the authorization.</p> </p></li><li id="obs_40_0016__li12273529113919"><span><a href="https://docs.otc.t-systems.com/en-us/usermanual/iam/iam_01_0031.html" target="_blank" rel="noopener noreferrer">Add the IAM user you want to authorize to the created user group</a>.</span><p><div class="note" id="obs_40_0016__note1402619155515"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="obs_40_0016__p37253183814">Due to data caching, it takes about 10 to 15 minutes for a custom policy to take effect.</p>
</div></div> </div></div>
</p></li></ol> </p></li></ol>
</div> </div>
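Review bot: In the closing note, removing "after the authorization" leaves the 10 to 15 minute delay without a starting point. That matters in this topic because the Precautions section says console deletion fails with a missing-permission message until ListAllMyBuckets is granted, so a reader testing right after the last step cannot tell caching from a misconfiguration. Suggest restoring the reference point, for example "after the user is added to the user group". Also, with "Click OK." alone, the step no longer states its result ("The custom policy is created."); consider keeping the result sentence so the reader knows the policy exists before assigning it.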

View File

@ -1,17 +1,15 @@
<a name="obs_40_0017"></a><a name="obs_40_0017"></a> <a name="obs_40_0017"></a><a name="obs_40_0017"></a>
<h1 class="topictitle1">Granting an IAM User the Read Permission on a Specific Object</h1> <h1 class="topictitle1">Granting an IAM User the Read Permissions on Specific Objects</h1>
<div id="body1588765301378"><div class="section" id="obs_40_0017__section43491717165116"><h4 class="sectiontitle">Scenario</h4><p id="obs_40_0017__p3431154410448">This topic describes how to grant an IAM user the read permission on an object or a set of objects in an OBS bucket.</p> <div id="body1588765301378"><div class="section" id="obs_40_0017__section43491717165116"><h4 class="sectiontitle">Scenario</h4><p id="obs_40_0017__p3431154410448">This topic describes how to grant an IAM user the read permissions on an object or a set of objects in an OBS bucket.</p>
</div> </div>
<div class="section" id="obs_40_0017__section106520378518"><h4 class="sectiontitle">Recommended Configuration</h4><p id="obs_40_0017__p103657437515">You are advised to use bucket policies to grant resource-level permissions to an IAM user.</p> <div class="section" id="obs_40_0017__section106520378518"><h4 class="sectiontitle">Recommended Configuration</h4><p id="obs_40_0017__p103657437515">To grant resource-level permissions to an IAM user, use a bucket policy.</p>
</div> </div>
<div class="section" id="obs_40_0017__section786219432319"><h4 class="sectiontitle">Configuration Precautions</h4><p id="obs_40_0017__p1436151622312">The preset read-only mode of OBS has the following permissions:</p> <div class="section" id="obs_40_0017__section786219432319"><h4 class="sectiontitle">Precautions</h4><p id="obs_40_0017__p817120327254">After configuration, the IAM user can download specific objects using APIs. However, if they download an object from OBS Console or OBS Browser+, a message will be displayed, indicating that they do not have required permissions.</p>
<ul id="obs_40_0017__ul12273198112311"><li id="obs_40_0017__li1327378202314">GetObject: downloading objects</li><li id="obs_40_0017__li127318812235">GetObjectVersion: downloading versioned objects</li></ul> <p id="obs_40_0017__p268581111517">This is because when they log in to OBS Console or OBS Browser+, the <strong id="obs_40_0017__b1397294793312">ListAllMyBuckets</strong> API is called to load the bucket list and some other APIs will also be called on other pages. In such case, the message is displayed.</p>
<p id="obs_40_0017__p817120327254">After the configuration is complete, you can read (download) specific objects using APIs. However, if you download an object from OBS Console or OBS Browser+, an error is reported indicating that you do not have required permissions.</p> <p id="obs_40_0017__p7807163365117">If you want an IAM user to perform read operations on OBS Console or OBS Browser+, you need to configure custom IAM policies by referring to <a href="#obs_40_0017__section220405220511">Follow-up Procedure</a>.</p>
<p id="obs_40_0017__p268581111517">This is because when you log in to OBS Console or OBS Browser+, APIs (such as <strong id="obs_40_0017__b1397294793312">ListAllMyBuckets</strong> and <strong id="obs_40_0017__b6471174914332">ListBucket</strong>) are called to load the bucket list and object list and some other APIs will also be called on other pages, but your permissions do not cover those APIs. In such case, your access is denied or your operation is not allowed.</p>
<p id="obs_40_0017__p7807163365117">If you want an IAM user to perform read operations on OBS Console or OBS Browser+, configure custom IAM policies by referring to <a href="#obs_40_0017__section220405220511">Follow-up Procedure</a>.</p>
</div> </div>
<div class="section" id="obs_40_0017__section18368164564"><h4 class="sectiontitle">Procedure</h4><ol id="obs_40_0017__ol170633855216"><li id="obs_40_0017__li973618915320"><span>In the navigation pane of OBS Console, choose <strong id="obs_40_0017__b16597141685817">Object Storage</strong>.</span></li><li id="obs_40_0017__li11242915363"><span>In the bucket list, click the bucket name you want to go to the <strong id="obs_40_0017__b14952104141110">Overview</strong> page.</span></li><li id="obs_40_0017__li13508181724617"><span>In the navigation pane, choose <strong id="obs_40_0017__b1786610361251">Permissions</strong>.</span></li><li id="obs_40_0017__li1568715376490"><span>On the <strong id="obs_40_0017__b1547546924114540">Bucket Policies</strong> page, click <strong id="obs_40_0017__b541037169114540">Create Bucket Policy</strong> under <strong id="obs_40_0017__b806325171114540">Custom Bucket Policies</strong>.</span></li><li id="obs_40_0017__li3552175452220"><span>Configure parameters for a bucket policy.</span><p><div class="fignone" id="obs_40_0017__fig105401899251"><span class="figcap"><b>Figure 1 </b>Configuring parameters for a bucket policy</span><br><span><img id="obs_40_0017__image1154299192512" src="en-us_image_0000001385525368.png"></span></div> <div class="section" id="obs_40_0017__section18368164564"><h4 class="sectiontitle">Procedure</h4><ol id="obs_40_0017__ol170633855216"><li id="obs_40_0017__li724955124912"><span>In the navigation pane of OBS Console, choose <strong id="obs_40_0017__b16597141685817">Object Storage</strong>.</span></li><li id="obs_40_0017__li32491951194912"><span>In the bucket list, click the bucket name you want to go to the <strong id="obs_40_0017__b9870182015355">Overview</strong> page.</span></li><li id="obs_40_0017__li5249145194918"><span>In the navigation pane, choose <strong id="obs_40_0017__b3163980319046">Permissions</strong>.</span></li><li id="obs_40_0017__li1568715376490"><span>On the <strong 
id="obs_40_0017__b1547546924114540">Bucket Policies</strong> page, click <strong id="obs_40_0017__b541037169114540">Create Bucket Policy</strong> under <strong id="obs_40_0017__b806325171114540">Custom Bucket Policies</strong>.</span></li><li id="obs_40_0017__li3552175452220"><span>Configure a bucket policy.</span><p><div class="fignone" id="obs_40_0017__fig105401899251"><span class="figcap"><b>Figure 1 </b>Configuring a bucket policy</span><br><span><img id="obs_40_0017__image1154299192512" src="en-us_image_0000001385525368.png"></span></div>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="obs_40_0017__table374341792315" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Parameters for creating a bucket policy</caption><thead align="left"><tr id="obs_40_0017__row27504174239"><th align="left" class="cellrowborder" valign="top" width="23.82%" id="mcps1.3.4.2.5.2.2.2.3.1.1"><p id="obs_40_0017__p107559176234"><strong id="obs_40_0017__b400363316114540">Parameter</strong></p> <div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="obs_40_0017__table374341792315" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Parameters for creating a bucket policy</caption><thead align="left"><tr id="obs_40_0017__row27504174239"><th align="left" class="cellrowborder" valign="top" width="23.82%" id="mcps1.3.4.2.5.2.2.2.3.1.1"><p id="obs_40_0017__p107559176234"><strong id="obs_40_0017__b400363316114540">Parameter</strong></p>
</th> </th>
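Review bot: In the new Precautions paragraph (p268581111517), only ListAllMyBuckets is named as the API called at login, but the Follow-up Procedure in this same topic still requires both obs:bucket:ListAllMyBuckets and obs:bucket:ListBucket. The old text named both ("such as ListAllMyBuckets and ListBucket ... to load the bucket list and object list"); suggest keeping ListBucket here so the two sections agree. The new side also deletes the list that defined the read permissions (GetObject, GetObjectVersion) and the clause explaining that the user's permissions do not cover the extra APIs; unless the actions are named in the table rows outside this hunk, the topic no longer says which actions "read" grants.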
@ -39,12 +37,12 @@
</tbody> </tbody>
</table> </table>
</div> </div>
</p></li><li id="obs_40_0017__li4406132611218"><span>Click <strong id="obs_40_0017__b682380655114540">OK</strong>. The bucket policy is created.</span></li></ol> </p></li><li id="obs_40_0017__li4406132611218"><span>Click <strong id="obs_40_0017__b682380655114540">OK</strong>.</span></li></ol>
</div> </div>
<div class="section" id="obs_40_0017__section220405220511"><a name="obs_40_0017__section220405220511"></a><a name="section220405220511"></a><h4 class="sectiontitle">Follow-up Procedure</h4><p id="obs_40_0017__p349115115368">To perform read operations on OBS Console or OBS Browser+, you must add the <strong id="obs_40_0017__b167361655103520">obs:bucket:ListAllMyBuckets</strong> (for listing buckets) and <strong id="obs_40_0017__b1351213017361">obs:bucket:ListBucket</strong> (for listing objects in a bucket) permissions to the custom IAM policy.</p> <div class="section" id="obs_40_0017__section220405220511"><a name="obs_40_0017__section220405220511"></a><a name="section220405220511"></a><h4 class="sectiontitle">Follow-up Procedure</h4><p id="obs_40_0017__p349115115368">To perform read operations on OBS Console or OBS Browser+, you must add the <strong id="obs_40_0017__b167361655103520">obs:bucket:ListAllMyBuckets</strong> (for listing buckets) and <strong id="obs_40_0017__b1351213017361">obs:bucket:ListBucket</strong> (for listing objects in a bucket) permissions to the custom IAM policy.</p>
<div class="note" id="obs_40_0017__note5566228165219"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="obs_40_0017__p256692825216"><strong id="obs_40_0017__b92211452202919">obs:bucket:ListAllMyBuckets</strong> applies to all resources, while <strong id="obs_40_0017__b1662485742911">obs:bucket:ListBucket</strong> applies to the authorized bucket only. Therefore, you need to add two permissions to the policy.</p> <div class="note" id="obs_40_0017__note5566228165219"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="obs_40_0017__p256692825216"><strong id="obs_40_0017__b1645510352914">obs:bucket:ListAllMyBuckets</strong> applies to all resources, while <strong id="obs_40_0017__b745513319291">obs:bucket:ListBucket</strong> applies only to the authorized bucket. Therefore, you need to add these two permissions to the policy.</p>
</div></div> </div></div>
<ol id="obs_40_0017__ol8623195417319"><li id="obs_40_0017__obs_40_0015_li10432131493113"><span>Log in to the management console using a cloud service account.</span></li><li id="obs_40_0017__obs_40_0015_li625685643115"><span>On the top menu bar, choose <strong id="obs_40_0017__obs_40_0015_b1624185733610">Service List</strong> &gt; <strong id="obs_40_0017__obs_40_0015_b112511573364">Management &amp; Deployment</strong> &gt; <strong id="obs_40_0017__obs_40_0015_b17257573368">Identity and Access Management</strong>. The IAM console is displayed.</span></li><li id="obs_40_0017__obs_40_0015_li1848615103345"><span>In the navigation pane, choose <strong id="obs_40_0017__obs_40_0015_b757714919113">Permissions</strong>.</span></li><li id="obs_40_0017__obs_40_0015_li1388483016366"><span>Click <strong id="obs_40_0017__obs_40_0015_b118613715375">Create Custom Policy</strong> in the upper right corner.</span></li><li id="obs_40_0017__obs_40_0015_li1161395452712"><span>Configure parameters for a custom policy.</span><p><div class="fignone" id="obs_40_0017__obs_40_0015_fig1814219521628"><span class="figcap"><b>Figure 2 </b>Configuring a custom policy</span><br><span><img id="obs_40_0017__obs_40_0015_image101432052622" src="en-us_image_0000001385676688.png"></span></div> <ol id="obs_40_0017__ol8623195417319"><li id="obs_40_0017__obs_40_0015_li10432131493113"><span>Log in to the management console using a cloud service account.</span></li><li id="obs_40_0017__obs_40_0015_li625685643115"><span>On the top menu bar, choose <strong id="obs_40_0017__obs_40_0015_b1624185733610">Service List</strong> &gt; <strong id="obs_40_0017__obs_40_0015_b112511573364">Management &amp; Deployment</strong> &gt; <strong id="obs_40_0017__obs_40_0015_b17257573368">Identity and Access Management</strong>.</span></li><li id="obs_40_0017__obs_40_0015_li1848615103345"><span>In the navigation pane, choose <strong id="obs_40_0017__obs_40_0015_b757714919113">Permissions</strong>.</span></li><li 
id="obs_40_0017__obs_40_0015_li1388483016366"><span>Click <strong id="obs_40_0017__obs_40_0015_b118613715375">Create Custom Policy</strong> in the upper right corner.</span></li><li id="obs_40_0017__obs_40_0015_li1161395452712"><span>Configure a custom policy.</span><p><div class="fignone" id="obs_40_0017__obs_40_0015_fig1814219521628"><span class="figcap"><b>Figure 2 </b>Configuring a custom policy</span><br><span><img id="obs_40_0017__obs_40_0015_image101432052622" src="en-us_image_0000001385676688.png"></span></div>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="obs_40_0017__obs_40_0015_table6375112782815" frame="border" border="1" rules="all"><caption><b>Table 2 </b>Parameters for configuring a custom policy</caption><thead align="left"><tr id="obs_40_0017__obs_40_0015_row6375927132818"><th align="left" class="cellrowborder" valign="top" width="24.79%" id="mcps1.3.5.4.5.2.2.2.3.1.1"><p id="obs_40_0017__obs_40_0015_p23757272286"><strong id="obs_40_0017__obs_40_0015_b68930084110101">Parameter</strong></p> <div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="obs_40_0017__obs_40_0015_table6375112782815" frame="border" border="1" rules="all"><caption><b>Table 2 </b>Parameters for configuring a custom policy</caption><thead align="left"><tr id="obs_40_0017__obs_40_0015_row6375927132818"><th align="left" class="cellrowborder" valign="top" width="24.79%" id="mcps1.3.5.4.5.2.2.2.3.1.1"><p id="obs_40_0017__obs_40_0015_p23757272286"><strong id="obs_40_0017__obs_40_0015_b68930084110101">Parameter</strong></p>
</th> </th>
@ -54,12 +52,12 @@
</thead> </thead>
<tbody><tr id="obs_40_0017__obs_40_0015_row17375102752819"><td class="cellrowborder" valign="top" width="24.79%" headers="mcps1.3.5.4.5.2.2.2.3.1.1 "><p id="obs_40_0017__obs_40_0015_p1737572772816">Policy Name</p> <tbody><tr id="obs_40_0017__obs_40_0015_row17375102752819"><td class="cellrowborder" valign="top" width="24.79%" headers="mcps1.3.5.4.5.2.2.2.3.1.1 "><p id="obs_40_0017__obs_40_0015_p1737572772816">Policy Name</p>
</td> </td>
<td class="cellrowborder" valign="top" width="75.21%" headers="mcps1.3.5.4.5.2.2.2.3.1.2 "><p id="obs_40_0017__obs_40_0015_p83758278280">Name of the custom policy</p> <td class="cellrowborder" valign="top" width="75.21%" headers="mcps1.3.5.4.5.2.2.2.3.1.2 "><p id="obs_40_0017__obs_40_0015_p83758278280">Enter a policy name.</p>
</td> </td>
</tr> </tr>
<tr id="obs_40_0017__obs_40_0015_row1937592712288"><td class="cellrowborder" valign="top" width="24.79%" headers="mcps1.3.5.4.5.2.2.2.3.1.1 "><p id="obs_40_0017__obs_40_0015_p173753272284">Policy View</p> <tr id="obs_40_0017__obs_40_0015_row1937592712288"><td class="cellrowborder" valign="top" width="24.79%" headers="mcps1.3.5.4.5.2.2.2.3.1.1 "><p id="obs_40_0017__obs_40_0015_p173753272284">Policy View</p>
</td> </td>
<td class="cellrowborder" valign="top" width="75.21%" headers="mcps1.3.5.4.5.2.2.2.3.1.2 "><p id="obs_40_0017__obs_40_0015_p17375102714285">Set this parameter based on your own habits. <strong id="obs_40_0017__obs_40_0015_b15269128171710">Visual editor</strong> is used here.</p> <td class="cellrowborder" valign="top" width="75.21%" headers="mcps1.3.5.4.5.2.2.2.3.1.2 "><p id="obs_40_0017__obs_40_0015_p17375102714285">Select one based on your own habits. <strong id="obs_40_0017__obs_40_0015_b8703205911914">Visual editor</strong> is used here.</p>
</td> </td>
</tr> </tr>
<tr id="obs_40_0017__obs_40_0015_row133751227142812"><td class="cellrowborder" valign="top" width="24.79%" headers="mcps1.3.5.4.5.2.2.2.3.1.1 "><p id="obs_40_0017__obs_40_0015_p203751027172816">Policy Content</p> <tr id="obs_40_0017__obs_40_0015_row133751227142812"><td class="cellrowborder" valign="top" width="24.79%" headers="mcps1.3.5.4.5.2.2.2.3.1.1 "><p id="obs_40_0017__obs_40_0015_p203751027172816">Policy Content</p>
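Review bot: In the Policy View cell, "Select one based on your own habits." no longer says what is being selected, and "habits" is an odd word for a UI choice. Name the thing being chosen and keep the statement of which view this procedure uses, for example "Select a policy view. Visual editor is used here." The strong element around "Visual editor" also changes id from b15269128171710 to b8703205911914 although its text is identical; if that is generator churn rather than intent, keep the old id so existing anchors stay stable.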
@ -67,19 +65,19 @@
<td class="cellrowborder" valign="top" width="75.21%" headers="mcps1.3.5.4.5.2.2.2.3.1.2 "><p id="obs_40_0017__obs_40_0015_p1928318374535">[Permission 1]</p> <td class="cellrowborder" valign="top" width="75.21%" headers="mcps1.3.5.4.5.2.2.2.3.1.2 "><p id="obs_40_0017__obs_40_0015_p1928318374535">[Permission 1]</p>
<ul id="obs_40_0017__obs_40_0015_ul312618263319"><li id="obs_40_0017__obs_40_0015_li112652673110">Select <strong id="obs_40_0017__obs_40_0015_b1442421510101">Allow</strong>.</li><li id="obs_40_0017__obs_40_0015_li1952919359">Select <strong id="obs_40_0017__obs_40_0015_b1420920813562">Object Storage Service (OBS)</strong>.</li><li id="obs_40_0017__obs_40_0015_li813512281313">Select <strong id="obs_40_0017__obs_40_0015_b727714444551">obs:bucket:ListAllMyBuckets</strong> from the actions.</li><li id="obs_40_0017__obs_40_0015_li1991741116547">Select <strong id="obs_40_0017__obs_40_0015_b823218256422">All</strong> for resources.</li></ul> <ul id="obs_40_0017__obs_40_0015_ul312618263319"><li id="obs_40_0017__obs_40_0015_li112652673110">Select <strong id="obs_40_0017__obs_40_0015_b1442421510101">Allow</strong>.</li><li id="obs_40_0017__obs_40_0015_li1952919359">Select <strong id="obs_40_0017__obs_40_0015_b1420920813562">Object Storage Service (OBS)</strong>.</li><li id="obs_40_0017__obs_40_0015_li813512281313">Select <strong id="obs_40_0017__obs_40_0015_b727714444551">obs:bucket:ListAllMyBuckets</strong> from the actions.</li><li id="obs_40_0017__obs_40_0015_li1991741116547">Select <strong id="obs_40_0017__obs_40_0015_b823218256422">All</strong> for resources.</li></ul>
<p id="obs_40_0017__obs_40_0015_p148511375414">[Permission 2]</p> <p id="obs_40_0017__obs_40_0015_p148511375414">[Permission 2]</p>
<ul id="obs_40_0017__obs_40_0015_ul127691549205313"><li id="obs_40_0017__obs_40_0015_li167691496533">Select <strong id="obs_40_0017__obs_40_0015_b49081477010101">Allow</strong>.</li><li id="obs_40_0017__obs_40_0015_li1676910494536">Select <strong id="obs_40_0017__obs_40_0015_b2053811501566">Object Storage Service (OBS)</strong>.</li><li id="obs_40_0017__obs_40_0015_li18769949195314">Select <strong id="obs_40_0017__obs_40_0015_b1869165519563">obs:bucket:ListBucket</strong> from the actions.</li><li id="obs_40_0017__obs_40_0015_li77691949175310">For <strong id="obs_40_0017__obs_40_0015_b1424511203473">Resources</strong>, select <strong id="obs_40_0017__obs_40_0015_b14645193125717">Specific</strong>, and for <strong id="obs_40_0017__obs_40_0015_b9449403471">bucket</strong>, select <strong id="obs_40_0017__obs_40_0015_b12150205824715">Specify resource path</strong>, and click <strong id="obs_40_0017__obs_40_0015_b3143112410489">Add Resource Path</strong>. Enter the bucket name in the <strong id="obs_40_0017__obs_40_0015_b4841111134916">Path</strong> text box, indicating that the policy takes effect only for this bucket.</li></ul> <ul id="obs_40_0017__obs_40_0015_ul127691549205313"><li id="obs_40_0017__obs_40_0015_li167691496533">Select <strong id="obs_40_0017__obs_40_0015_b49081477010101">Allow</strong>.</li><li id="obs_40_0017__obs_40_0015_li1676910494536">Select <strong id="obs_40_0017__obs_40_0015_b2053811501566">Object Storage Service (OBS)</strong>.</li><li id="obs_40_0017__obs_40_0015_li18769949195314">Select <strong id="obs_40_0017__obs_40_0015_b1869165519563">obs:bucket:ListBucket</strong> from the actions.</li><li id="obs_40_0017__obs_40_0015_li77691949175310">Select <strong id="obs_40_0017__obs_40_0015_b14645193125717">Specific</strong> for <strong id="obs_40_0017__obs_40_0015_b1424511203473">Resources</strong> and select <strong id="obs_40_0017__obs_40_0015_b12150205824715">Specify resource path</strong> for <strong 
id="obs_40_0017__obs_40_0015_b9449403471">Bucket</strong>. Click <strong id="obs_40_0017__obs_40_0015_b3143112410489">Add Resource Path</strong>. Enter the bucket name in the <strong id="obs_40_0017__obs_40_0015_b4841111134916">Path</strong> text box for applying the policy only to this bucket.</li></ul>
</td> </td>
</tr> </tr>
<tr id="obs_40_0017__obs_40_0015_row81414412509"><td class="cellrowborder" valign="top" width="24.79%" headers="mcps1.3.5.4.5.2.2.2.3.1.1 "><p id="obs_40_0017__obs_40_0015_p83756273285">Scope</p> <tr id="obs_40_0017__obs_40_0015_row81414412509"><td class="cellrowborder" valign="top" width="24.79%" headers="mcps1.3.5.4.5.2.2.2.3.1.1 "><p id="obs_40_0017__obs_40_0015_p83756273285">Scope</p>
</td> </td>
<td class="cellrowborder" valign="top" width="75.21%" headers="mcps1.3.5.4.5.2.2.2.3.1.2 "><p id="obs_40_0017__obs_40_0015_p1037542711283">The default value is <strong id="obs_40_0017__obs_40_0015_b137650311419">Global services</strong>.</p> <td class="cellrowborder" valign="top" width="75.21%" headers="mcps1.3.5.4.5.2.2.2.3.1.2 "><p id="obs_40_0017__obs_40_0015_p1037542711283">Use the default value <strong id="obs_40_0017__obs_40_0015_b137650311419">Global services</strong>.</p>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</div> </div>
</p></li><li id="obs_40_0017__obs_40_0015_li1293324623719"><span>Click <strong id="obs_40_0017__obs_40_0015_b117724509310101">OK</strong>. The custom policy is created.</span></li><li id="obs_40_0017__obs_40_0015_li81339157389"><span><a href="https://docs.otc.t-systems.com/en-us/usermanual/iam/iam_01_0030.html" target="_blank" rel="noopener noreferrer">Create a user group and assign permissions</a>.</span><p><p id="obs_40_0017__obs_40_0015_p1312812258417">Add the created custom policy to the user group by following the instructions in the IAM document.</p> </p></li><li id="obs_40_0017__obs_40_0015_li1293324623719"><span>Click <strong id="obs_40_0017__obs_40_0015_b117724509310101">OK</strong>.</span></li><li id="obs_40_0017__obs_40_0015_li81339157389"><span><a href="https://docs.otc.t-systems.com/en-us/usermanual/iam/iam_01_0030.html" target="_blank" rel="noopener noreferrer">Create a user group and assign permissions</a>.</span><p><p id="obs_40_0017__obs_40_0015_p1312812258417">Apply the created custom policy to the user group by following the instructions in the IAM document.</p>
</p></li><li id="obs_40_0017__obs_40_0015_li12273529113919"><span>Add the IAM user you want to authorize to the created user group by referring to <a href="https://docs.otc.t-systems.com/en-us/usermanual/iam/iam_01_0031.html" target="_blank" rel="noopener noreferrer">Creating a User and Adding the User to a User Group</a>.</span><p><div class="note" id="obs_40_0017__obs_40_0015_note1402619155515"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="obs_40_0017__obs_40_0015_p37253183814">Due to data caching, it takes about 10 to 15 minutes for a custom policy to take effect after the authorization.</p> </p></li><li id="obs_40_0017__obs_40_0015_li12273529113919"><span><a href="https://docs.otc.t-systems.com/en-us/usermanual/iam/iam_01_0031.html" target="_blank" rel="noopener noreferrer">Add the IAM user you want to authorize to the created user group</a>.</span><p><div class="note" id="obs_40_0017__obs_40_0015_note1402619155515"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="obs_40_0017__obs_40_0015_p37253183814">Due to data caching, it takes about 10 to 15 minutes for a custom policy to take effect.</p>
</div></div> </div></div>
</p></li></ol> </p></li></ol>
</div> </div>
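Review bot: In the note under the last step, dropping "after the authorization" leaves "it takes about 10 to 15 minutes for a custom policy to take effect" without a starting point. The reader can no longer tell whether the delay runs from creating the policy, from applying it to the user group, or from adding the user to the group. The note sits under the step that adds the IAM user to the group, so keep the old qualifier or name that step explicitly; someone verifying access needs to know when a denial is still expected. In [Permission 2], "for applying the policy only to this bucket" is harder to read than the wording it replaces; "so that the policy applies only to this bucket" keeps the scoping intent clear.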

View File

@ -1,16 +1,16 @@
<a name="obs_40_0018"></a><a name="obs_40_0018"></a> <a name="obs_40_0018"></a><a name="obs_40_0018"></a>
<h1 class="topictitle1">Granting an IAM User the Permissions Required to Perform Specific Operations on Certain Objects</h1> <h1 class="topictitle1">Granting an IAM User the Specific Permissions on Specific Objects</h1>
<div id="body1588765301379"><div class="section" id="obs_40_0018__section43491717165116"><h4 class="sectiontitle">Scenario</h4><p id="obs_40_0018__p3431154410448">This topic describes how to grant an IAM user certain permissions on specific objects in a bucket. Below explains how to grant the object download permission.</p> <div id="body1588765301379"><div class="section" id="obs_40_0018__section43491717165116"><h4 class="sectiontitle">Scenario</h4><p id="obs_40_0018__p3431154410448">This topic describes how to grant an IAM user the permissions to download specific objects from a bucket.</p>
<p id="obs_40_0018__p131221236151420">If you need to configure other permissions, select the corresponding actions from the <strong id="obs_40_0018__b88223874923053">Action Name</strong> drop-down list in the bucket policy. For details about the actions supported by OBS, see <a href="obs_40_0041.html#obs_40_0041__en-us_topic_0118394684_section1623516525350">Action/NotAction</a>.</p> <p id="obs_40_0018__p131221236151420">To grant other permissions, select required actions from <strong id="obs_40_0018__b88223874923053">Action Name</strong> in the bucket policy. For details, see <a href="obs_40_0041.html#obs_40_0041__en-us_topic_0118394684_section1623516525350">Action/NotAction</a>.</p>
</div> </div>
<div class="section" id="obs_40_0018__section106520378518"><h4 class="sectiontitle">Recommended Configuration</h4><p id="obs_40_0018__p103657437515">You are advised to use bucket policies to grant resource-level permissions to an IAM user.</p> <div class="section" id="obs_40_0018__section106520378518"><h4 class="sectiontitle">Recommended Configuration</h4><p id="obs_40_0018__p103657437515">To grant resource-level permissions to an IAM user, use a bucket policy.</p>
</div> </div>
<div class="section" id="obs_40_0018__section786219432319"><h4 class="sectiontitle">Configuration Precautions</h4><p id="obs_40_0018__p4883191595712">After the configuration is complete, you can download objects using APIs. However, if you log in to OBS Console or OBS Browser+ to download an object, an error is reported indicating that you do not have required permissions.</p> <div class="section" id="obs_40_0018__section786219432319"><h4 class="sectiontitle">Precautions</h4><p id="obs_40_0018__p4883191595712">After configuration, the IAM user can download objects using APIs. However, if they download objects using OBS Console or OBS Browser+, a message will be displayed indicating that they do not have required permissions.</p>
<p id="obs_40_0018__p1486851214528">This is because when you log in to OBS Console or OBS Browser+, APIs (such as <strong id="obs_40_0018__b030594717378">ListAllMyBuckets</strong> and <strong id="obs_40_0018__b18834164833712">ListBucket</strong>) are called to load the bucket list and object list and some other APIs will also be called on other pages, but your permissions do not cover those APIs. In such case, your access is denied or your operation is not allowed.</p> <p id="obs_40_0018__p1486851214528">When they log in to OBS Console or OBS Browser+, APIs such as <strong id="obs_40_0018__b10720152818346">ListAllMyBuckets</strong> and <strong id="obs_40_0018__b13112356349">ListBucket</strong> are called. <strong id="obs_40_0018__b566433211345">ListAllMyBuckets</strong> loads the bucket list while <strong id="obs_40_0018__b61251438143415">ListBucket</strong> loads the object list. Some other APIs are also called on other pages. In such case, the message is displayed.</p>
<p id="obs_40_0018__p7807163365117">If you want an IAM user to successfully download objects on OBS Console or OBS Browser+, configure custom IAM policies by referring to <a href="#obs_40_0018__section220405220511">Follow-up Procedure</a>.</p> <p id="obs_40_0018__p7807163365117">To allow an IAM user to download objects on OBS Console or OBS Browser+, you need to configure custom IAM policies. For details, see <a href="#obs_40_0018__section220405220511">Follow-up Procedure</a>.</p>
</div> </div>
<div class="section" id="obs_40_0018__section18368164564"><h4 class="sectiontitle">Procedure</h4><ol id="obs_40_0018__ol170633855216"><li id="obs_40_0018__li973618915320"><span>In the navigation pane of OBS Console, choose <strong id="obs_40_0018__b65061622185814">Object Storage</strong>.</span></li><li id="obs_40_0018__li11242915363"><span>In the bucket list, click the bucket name you want to go to the <strong id="obs_40_0018__b121216132122">Overview</strong> page.</span></li><li id="obs_40_0018__li13508181724617"><span>In the navigation pane, choose <strong id="obs_40_0018__b4622118405">Permissions</strong>.</span></li><li id="obs_40_0018__li18104837112113"><span>On the <strong id="obs_40_0018__b3489831124414">Bucket Policies</strong> page, click <strong id="obs_40_0018__b6489163111440">Create Bucket Policy</strong> under <strong id="obs_40_0018__b449017312444">Custom Bucket Policies</strong>.</span></li><li id="obs_40_0018__li3552175452220"><span>Configure parameters for a bucket policy.</span><p><div class="fignone" id="obs_40_0018__fig1699641119349"><span class="figcap"><b>Figure 1 </b>Configuring parameters for a bucket policy</span><br><span><img id="obs_40_0018__image189961011113416" src="en-us_image_0000001435889185.png"></span></div> <div class="section" id="obs_40_0018__section18368164564"><h4 class="sectiontitle">Procedure</h4><ol id="obs_40_0018__ol170633855216"><li id="obs_40_0018__li724955124912"><span>In the navigation pane of OBS Console, choose <strong id="obs_40_0018__b101872402">Object Storage</strong>.</span></li><li id="obs_40_0018__li32491951194912"><span>In the bucket list, click the bucket name you want to go to the <strong id="obs_40_0018__b62013257523828">Overview</strong> page.</span></li><li id="obs_40_0018__li5249145194918"><span>In the navigation pane, choose <strong id="obs_40_0018__b1250324489048">Permissions</strong>.</span></li><li id="obs_40_0018__li1568715376490"><span>On the <strong id="obs_40_0018__b1442154819296">Bucket 
Policies</strong> page, click <strong id="obs_40_0018__b242134822910">Create Bucket Policy</strong> under <strong id="obs_40_0018__b14422481296">Custom Bucket Policies</strong>.</span></li><li id="obs_40_0018__li3552175452220"><span>Configure a bucket policy.</span><p><div class="fignone" id="obs_40_0018__fig1699641119349"><span class="figcap"><b>Figure 1 </b>Configuring a bucket policy</span><br><span><img id="obs_40_0018__image189961011113416" src="en-us_image_0000001435889185.png"></span></div>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="obs_40_0018__table374341792315" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Parameters for creating a bucket policy</caption><thead align="left"><tr id="obs_40_0018__row27504174239"><th align="left" class="cellrowborder" valign="top" width="23.599999999999998%" id="mcps1.3.4.2.5.2.2.2.3.1.1"><p id="obs_40_0018__p107559176234"><strong id="obs_40_0018__b19719045623053">Parameter</strong></p> <div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="obs_40_0018__table374341792315" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Parameters for creating a bucket policy</caption><thead align="left"><tr id="obs_40_0018__row27504174239"><th align="left" class="cellrowborder" valign="top" width="23.599999999999998%" id="mcps1.3.4.2.5.2.2.2.3.1.1"><p id="obs_40_0018__p107559176234"><strong id="obs_40_0018__b19719045623053">Parameter</strong></p>
</th> </th>
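Review bot: The rewritten second Precautions paragraph loses the cause of the error. The old text said the user's permissions "do not cover those APIs"; the new text ends with "Some other APIs are also called on other pages. In such case, the message is displayed.", which says that the calls happen but not that they are denied because the granted permissions do not cover them. Add that sentence back, for example "The permissions granted here do not cover these APIs, so the requests are denied." Two smaller points: the new title "Granting an IAM User the Specific Permissions on Specific Objects" reads better without "the", and the first four procedure steps get new li ids (for example li973618915320 becomes li724955124912) with unchanged step text, which will break any deep links to them.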
@ -43,18 +43,18 @@
<tr id="obs_40_0018__row3951641158"><td class="cellrowborder" valign="top" width="23.599999999999998%" headers="mcps1.3.4.2.5.2.2.2.3.1.1 "><p id="obs_40_0018__p10952134114519">Actions</p> <tr id="obs_40_0018__row3951641158"><td class="cellrowborder" valign="top" width="23.599999999999998%" headers="mcps1.3.4.2.5.2.2.2.3.1.1 "><p id="obs_40_0018__p10952134114519">Actions</p>
</td> </td>
<td class="cellrowborder" valign="top" width="76.4%" headers="mcps1.3.4.2.5.2.2.2.3.1.2 "><ul id="obs_40_0018__ul1663065817513"><li id="obs_40_0018__li1563025812519"><strong id="obs_40_0018__b109038457923053">Include</strong></li><li id="obs_40_0018__li10224301466">Action Name: Select <strong id="obs_40_0018__b6410174014714">GetObject</strong>.</li></ul> <td class="cellrowborder" valign="top" width="76.4%" headers="mcps1.3.4.2.5.2.2.2.3.1.2 "><ul id="obs_40_0018__ul1663065817513"><li id="obs_40_0018__li1563025812519"><strong id="obs_40_0018__b109038457923053">Include</strong></li><li id="obs_40_0018__li10224301466">Action Name: Select <strong id="obs_40_0018__b6410174014714">GetObject</strong>.</li></ul>
<p id="obs_40_0018__p175400381720">To configure other permissions, select the corresponding actions. For details about the actions supported by OBS, see <a href="obs_40_0041.html#obs_40_0041__en-us_topic_0118394684_section1623516525350">Action/NotAction</a>.</p> <p id="obs_40_0018__p175400381720">To configure other permissions, select the corresponding actions. For details, see <a href="obs_40_0041.html#obs_40_0041__en-us_topic_0118394684_section1623516525350">Action/NotAction</a>.</p>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</div> </div>
</p></li><li id="obs_40_0018__li4406132611218"><span>Click <strong id="obs_40_0018__b162853642620">OK</strong>. The bucket policy is created.</span></li></ol> </p></li><li id="obs_40_0018__li4406132611218"><span>Click <strong id="obs_40_0018__b162853642620">OK</strong>.</span></li></ol>
</div> </div>
<div class="section" id="obs_40_0018__section220405220511"><a name="obs_40_0018__section220405220511"></a><a name="section220405220511"></a><h4 class="sectiontitle">Follow-up Procedure</h4><p id="obs_40_0018__p349115115368">To perform specific operations on OBS Console or OBS Browser+, you must add the <strong id="obs_40_0018__b1196215355385">obs:bucket:ListAllMyBuckets</strong> (for listing buckets) and <strong id="obs_40_0018__b626413910387">obs:bucket:ListBucket</strong> (for listing objects in a bucket) permissions to the custom IAM policy.</p> <div class="section" id="obs_40_0018__section220405220511"><a name="obs_40_0018__section220405220511"></a><a name="section220405220511"></a><h4 class="sectiontitle">Follow-up Procedure</h4><p id="obs_40_0018__p349115115368">To perform specific operations on OBS Console or OBS Browser+, you must add the <strong id="obs_40_0018__b937337395">obs:bucket:ListAllMyBuckets</strong> and <strong id="obs_40_0018__b322823610390">obs:bucket:ListBucket</strong> permissions to the custom IAM policy. <strong id="obs_40_0018__b110734020395">obs:bucket:ListAllMyBuckets</strong> lists buckets while <strong id="obs_40_0018__b2857343163918">obs:bucket:ListBucket</strong> lists objects in a bucket.</p>
<div class="note" id="obs_40_0018__note5566228165219"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="obs_40_0018__p256692825216"><strong id="obs_40_0018__b1246318141558">obs:bucket:ListAllMyBuckets</strong> applies to all resources, while <strong id="obs_40_0018__b246781425518">obs:bucket:ListBucket</strong> applies to the authorized bucket only. Therefore, you need to add two permissions to the policy.</p> <div class="note" id="obs_40_0018__note5566228165219"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="obs_40_0018__p256692825216"><strong id="obs_40_0018__b147631426113720">obs:bucket:ListAllMyBuckets</strong> applies to all resources while <strong id="obs_40_0018__b147631226153718">obs:bucket:ListBucket</strong> applies only to the authorized bucket, so you need to add the two permissions to the policy.</p>
</div></div> </div></div>
<ol id="obs_40_0018__ol8623195417319"><li id="obs_40_0018__obs_40_0015_li10432131493113"><span>Log in to the management console using a cloud service account.</span></li><li id="obs_40_0018__obs_40_0015_li625685643115"><span>On the top menu bar, choose <strong id="obs_40_0018__obs_40_0015_b1624185733610">Service List</strong> &gt; <strong id="obs_40_0018__obs_40_0015_b112511573364">Management &amp; Deployment</strong> &gt; <strong id="obs_40_0018__obs_40_0015_b17257573368">Identity and Access Management</strong>. The IAM console is displayed.</span></li><li id="obs_40_0018__obs_40_0015_li1848615103345"><span>In the navigation pane, choose <strong id="obs_40_0018__obs_40_0015_b757714919113">Permissions</strong>.</span></li><li id="obs_40_0018__obs_40_0015_li1388483016366"><span>Click <strong id="obs_40_0018__obs_40_0015_b118613715375">Create Custom Policy</strong> in the upper right corner.</span></li><li id="obs_40_0018__obs_40_0015_li1161395452712"><span>Configure parameters for a custom policy.</span><p><div class="fignone" id="obs_40_0018__obs_40_0015_fig1814219521628"><span class="figcap"><b>Figure 2 </b>Configuring a custom policy</span><br><span><img id="obs_40_0018__obs_40_0015_image101432052622" src="en-us_image_0000001385676688.png"></span></div> <ol id="obs_40_0018__ol8623195417319"><li id="obs_40_0018__obs_40_0015_li10432131493113"><span>Log in to the management console using a cloud service account.</span></li><li id="obs_40_0018__obs_40_0015_li625685643115"><span>On the top menu bar, choose <strong id="obs_40_0018__obs_40_0015_b1624185733610">Service List</strong> &gt; <strong id="obs_40_0018__obs_40_0015_b112511573364">Management &amp; Deployment</strong> &gt; <strong id="obs_40_0018__obs_40_0015_b17257573368">Identity and Access Management</strong>.</span></li><li id="obs_40_0018__obs_40_0015_li1848615103345"><span>In the navigation pane, choose <strong id="obs_40_0018__obs_40_0015_b757714919113">Permissions</strong>.</span></li><li 
id="obs_40_0018__obs_40_0015_li1388483016366"><span>Click <strong id="obs_40_0018__obs_40_0015_b118613715375">Create Custom Policy</strong> in the upper right corner.</span></li><li id="obs_40_0018__obs_40_0015_li1161395452712"><span>Configure a custom policy.</span><p><div class="fignone" id="obs_40_0018__obs_40_0015_fig1814219521628"><span class="figcap"><b>Figure 2 </b>Configuring a custom policy</span><br><span><img id="obs_40_0018__obs_40_0015_image101432052622" src="en-us_image_0000001385676688.png"></span></div>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="obs_40_0018__obs_40_0015_table6375112782815" frame="border" border="1" rules="all"><caption><b>Table 2 </b>Parameters for configuring a custom policy</caption><thead align="left"><tr id="obs_40_0018__obs_40_0015_row6375927132818"><th align="left" class="cellrowborder" valign="top" width="24.79%" id="mcps1.3.5.4.5.2.2.2.3.1.1"><p id="obs_40_0018__obs_40_0015_p23757272286"><strong id="obs_40_0018__obs_40_0015_b68930084110101">Parameter</strong></p> <div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="obs_40_0018__obs_40_0015_table6375112782815" frame="border" border="1" rules="all"><caption><b>Table 2 </b>Parameters for configuring a custom policy</caption><thead align="left"><tr id="obs_40_0018__obs_40_0015_row6375927132818"><th align="left" class="cellrowborder" valign="top" width="24.79%" id="mcps1.3.5.4.5.2.2.2.3.1.1"><p id="obs_40_0018__obs_40_0015_p23757272286"><strong id="obs_40_0018__obs_40_0015_b68930084110101">Parameter</strong></p>
</th> </th>
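Review bot: The Follow-up Procedure still opens with "To perform specific operations on OBS Console or OBS Browser+", which does not say which operations need the two list permissions. The Actions row above grants GetObject, so name the case this section serves, for example "To download objects on OBS Console or OBS Browser+, you must add ...". Separately, the last Procedure step is reduced to "Click OK." with "The bucket policy is created." removed, which leaves the procedure without an expected result to check against; consider keeping the result sentence.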
@ -64,12 +64,12 @@
</thead> </thead>
<tbody><tr id="obs_40_0018__obs_40_0015_row17375102752819"><td class="cellrowborder" valign="top" width="24.79%" headers="mcps1.3.5.4.5.2.2.2.3.1.1 "><p id="obs_40_0018__obs_40_0015_p1737572772816">Policy Name</p> <tbody><tr id="obs_40_0018__obs_40_0015_row17375102752819"><td class="cellrowborder" valign="top" width="24.79%" headers="mcps1.3.5.4.5.2.2.2.3.1.1 "><p id="obs_40_0018__obs_40_0015_p1737572772816">Policy Name</p>
</td> </td>
<td class="cellrowborder" valign="top" width="75.21%" headers="mcps1.3.5.4.5.2.2.2.3.1.2 "><p id="obs_40_0018__obs_40_0015_p83758278280">Name of the custom policy</p> <td class="cellrowborder" valign="top" width="75.21%" headers="mcps1.3.5.4.5.2.2.2.3.1.2 "><p id="obs_40_0018__obs_40_0015_p83758278280">Enter a policy name.</p>
</td> </td>
</tr> </tr>
<tr id="obs_40_0018__obs_40_0015_row1937592712288"><td class="cellrowborder" valign="top" width="24.79%" headers="mcps1.3.5.4.5.2.2.2.3.1.1 "><p id="obs_40_0018__obs_40_0015_p173753272284">Policy View</p> <tr id="obs_40_0018__obs_40_0015_row1937592712288"><td class="cellrowborder" valign="top" width="24.79%" headers="mcps1.3.5.4.5.2.2.2.3.1.1 "><p id="obs_40_0018__obs_40_0015_p173753272284">Policy View</p>
</td> </td>
<td class="cellrowborder" valign="top" width="75.21%" headers="mcps1.3.5.4.5.2.2.2.3.1.2 "><p id="obs_40_0018__obs_40_0015_p17375102714285">Set this parameter based on your own habits. <strong id="obs_40_0018__obs_40_0015_b15269128171710">Visual editor</strong> is used here.</p> <td class="cellrowborder" valign="top" width="75.21%" headers="mcps1.3.5.4.5.2.2.2.3.1.2 "><p id="obs_40_0018__obs_40_0015_p17375102714285">Select one based on your own habits. <strong id="obs_40_0018__obs_40_0015_b8703205911914">Visual editor</strong> is used here.</p>
</td> </td>
</tr> </tr>
<tr id="obs_40_0018__obs_40_0015_row133751227142812"><td class="cellrowborder" valign="top" width="24.79%" headers="mcps1.3.5.4.5.2.2.2.3.1.1 "><p id="obs_40_0018__obs_40_0015_p203751027172816">Policy Content</p> <tr id="obs_40_0018__obs_40_0015_row133751227142812"><td class="cellrowborder" valign="top" width="24.79%" headers="mcps1.3.5.4.5.2.2.2.3.1.1 "><p id="obs_40_0018__obs_40_0015_p203751027172816">Policy Content</p>
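Review bot: The Policy Name and Policy View cells here repeat, word for word, the change made to the same table in the previous file, and the ids on both copies carry the obs_40_0015 prefix (obs_40_0017__obs_40_0015_p83758278280 there, obs_40_0018__obs_40_0015_p83758278280 here). If this table is shared content from topic obs_40_0015, make the wording change once in that source and regenerate the pages, so the copies cannot drift apart in a later edit.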
@ -77,19 +77,19 @@
<td class="cellrowborder" valign="top" width="75.21%" headers="mcps1.3.5.4.5.2.2.2.3.1.2 "><p id="obs_40_0018__obs_40_0015_p1928318374535">[Permission 1]</p> <td class="cellrowborder" valign="top" width="75.21%" headers="mcps1.3.5.4.5.2.2.2.3.1.2 "><p id="obs_40_0018__obs_40_0015_p1928318374535">[Permission 1]</p>
<ul id="obs_40_0018__obs_40_0015_ul312618263319"><li id="obs_40_0018__obs_40_0015_li112652673110">Select <strong id="obs_40_0018__obs_40_0015_b1442421510101">Allow</strong>.</li><li id="obs_40_0018__obs_40_0015_li1952919359">Select <strong id="obs_40_0018__obs_40_0015_b1420920813562">Object Storage Service (OBS)</strong>.</li><li id="obs_40_0018__obs_40_0015_li813512281313">Select <strong id="obs_40_0018__obs_40_0015_b727714444551">obs:bucket:ListAllMyBuckets</strong> from the actions.</li><li id="obs_40_0018__obs_40_0015_li1991741116547">Select <strong id="obs_40_0018__obs_40_0015_b823218256422">All</strong> for resources.</li></ul> <ul id="obs_40_0018__obs_40_0015_ul312618263319"><li id="obs_40_0018__obs_40_0015_li112652673110">Select <strong id="obs_40_0018__obs_40_0015_b1442421510101">Allow</strong>.</li><li id="obs_40_0018__obs_40_0015_li1952919359">Select <strong id="obs_40_0018__obs_40_0015_b1420920813562">Object Storage Service (OBS)</strong>.</li><li id="obs_40_0018__obs_40_0015_li813512281313">Select <strong id="obs_40_0018__obs_40_0015_b727714444551">obs:bucket:ListAllMyBuckets</strong> from the actions.</li><li id="obs_40_0018__obs_40_0015_li1991741116547">Select <strong id="obs_40_0018__obs_40_0015_b823218256422">All</strong> for resources.</li></ul>
<p id="obs_40_0018__obs_40_0015_p148511375414">[Permission 2]</p> <p id="obs_40_0018__obs_40_0015_p148511375414">[Permission 2]</p>
<ul id="obs_40_0018__obs_40_0015_ul127691549205313"><li id="obs_40_0018__obs_40_0015_li167691496533">Select <strong id="obs_40_0018__obs_40_0015_b49081477010101">Allow</strong>.</li><li id="obs_40_0018__obs_40_0015_li1676910494536">Select <strong id="obs_40_0018__obs_40_0015_b2053811501566">Object Storage Service (OBS)</strong>.</li><li id="obs_40_0018__obs_40_0015_li18769949195314">Select <strong id="obs_40_0018__obs_40_0015_b1869165519563">obs:bucket:ListBucket</strong> from the actions.</li><li id="obs_40_0018__obs_40_0015_li77691949175310">For <strong id="obs_40_0018__obs_40_0015_b1424511203473">Resources</strong>, select <strong id="obs_40_0018__obs_40_0015_b14645193125717">Specific</strong>, and for <strong id="obs_40_0018__obs_40_0015_b9449403471">bucket</strong>, select <strong id="obs_40_0018__obs_40_0015_b12150205824715">Specify resource path</strong>, and click <strong id="obs_40_0018__obs_40_0015_b3143112410489">Add Resource Path</strong>. Enter the bucket name in the <strong id="obs_40_0018__obs_40_0015_b4841111134916">Path</strong> text box, indicating that the policy takes effect only for this bucket.</li></ul> <ul id="obs_40_0018__obs_40_0015_ul127691549205313"><li id="obs_40_0018__obs_40_0015_li167691496533">Select <strong id="obs_40_0018__obs_40_0015_b49081477010101">Allow</strong>.</li><li id="obs_40_0018__obs_40_0015_li1676910494536">Select <strong id="obs_40_0018__obs_40_0015_b2053811501566">Object Storage Service (OBS)</strong>.</li><li id="obs_40_0018__obs_40_0015_li18769949195314">Select <strong id="obs_40_0018__obs_40_0015_b1869165519563">obs:bucket:ListBucket</strong> from the actions.</li><li id="obs_40_0018__obs_40_0015_li77691949175310">Select <strong id="obs_40_0018__obs_40_0015_b14645193125717">Specific</strong> for <strong id="obs_40_0018__obs_40_0015_b1424511203473">Resources</strong> and select <strong id="obs_40_0018__obs_40_0015_b12150205824715">Specify resource path</strong> for <strong 
id="obs_40_0018__obs_40_0015_b9449403471">Bucket</strong>. Click <strong id="obs_40_0018__obs_40_0015_b3143112410489">Add Resource Path</strong>. Enter the bucket name in the <strong id="obs_40_0018__obs_40_0015_b4841111134916">Path</strong> text box for applying the policy only to this bucket.</li></ul>
</td> </td>
</tr> </tr>
<tr id="obs_40_0018__obs_40_0015_row81414412509"><td class="cellrowborder" valign="top" width="24.79%" headers="mcps1.3.5.4.5.2.2.2.3.1.1 "><p id="obs_40_0018__obs_40_0015_p83756273285">Scope</p> <tr id="obs_40_0018__obs_40_0015_row81414412509"><td class="cellrowborder" valign="top" width="24.79%" headers="mcps1.3.5.4.5.2.2.2.3.1.1 "><p id="obs_40_0018__obs_40_0015_p83756273285">Scope</p>
</td> </td>
<td class="cellrowborder" valign="top" width="75.21%" headers="mcps1.3.5.4.5.2.2.2.3.1.2 "><p id="obs_40_0018__obs_40_0015_p1037542711283">The default value is <strong id="obs_40_0018__obs_40_0015_b137650311419">Global services</strong>.</p> <td class="cellrowborder" valign="top" width="75.21%" headers="mcps1.3.5.4.5.2.2.2.3.1.2 "><p id="obs_40_0018__obs_40_0015_p1037542711283">Use the default value <strong id="obs_40_0018__obs_40_0015_b137650311419">Global services</strong>.</p>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</div> </div>
</p></li><li id="obs_40_0018__obs_40_0015_li1293324623719"><span>Click <strong id="obs_40_0018__obs_40_0015_b117724509310101">OK</strong>. The custom policy is created.</span></li><li id="obs_40_0018__obs_40_0015_li81339157389"><span><a href="https://docs.otc.t-systems.com/en-us/usermanual/iam/iam_01_0030.html" target="_blank" rel="noopener noreferrer">Create a user group and assign permissions</a>.</span><p><p id="obs_40_0018__obs_40_0015_p1312812258417">Add the created custom policy to the user group by following the instructions in the IAM document.</p> </p></li><li id="obs_40_0018__obs_40_0015_li1293324623719"><span>Click <strong id="obs_40_0018__obs_40_0015_b117724509310101">OK</strong>.</span></li><li id="obs_40_0018__obs_40_0015_li81339157389"><span><a href="https://docs.otc.t-systems.com/en-us/usermanual/iam/iam_01_0030.html" target="_blank" rel="noopener noreferrer">Create a user group and assign permissions</a>.</span><p><p id="obs_40_0018__obs_40_0015_p1312812258417">Apply the created custom policy to the user group by following the instructions in the IAM document.</p>
</p></li><li id="obs_40_0018__obs_40_0015_li12273529113919"><span>Add the IAM user you want to authorize to the created user group by referring to <a href="https://docs.otc.t-systems.com/en-us/usermanual/iam/iam_01_0031.html" target="_blank" rel="noopener noreferrer">Creating a User and Adding the User to a User Group</a>.</span><p><div class="note" id="obs_40_0018__obs_40_0015_note1402619155515"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="obs_40_0018__obs_40_0015_p37253183814">Due to data caching, it takes about 10 to 15 minutes for a custom policy to take effect after the authorization.</p> </p></li><li id="obs_40_0018__obs_40_0015_li12273529113919"><span><a href="https://docs.otc.t-systems.com/en-us/usermanual/iam/iam_01_0031.html" target="_blank" rel="noopener noreferrer">Add the IAM user you want to authorize to the created user group</a>.</span><p><div class="note" id="obs_40_0018__obs_40_0015_note1402619155515"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="obs_40_0018__obs_40_0015_p37253183814">Due to data caching, it takes about 10 to 15 minutes for a custom policy to take effect.</p>
</div></div> </div></div>
</p></li></ol> </p></li></ol>
</div> </div>
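Review bot: In the last item of the Permission 2 list, the new sentence "Enter the bucket name in the Path text box for applying the policy only to this bucket" reads as though the text box exists for that purpose, and the effect of the step is harder to see than in the old wording. Suggest "Enter the bucket name in the Path text box so that the policy applies only to this bucket", since this path is what limits obs:bucket:ListBucket to one bucket. The same item changes the label from "bucket" to "Bucket"; please confirm the capitalisation matches what the console shows.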

View File

@ -8,16 +8,16 @@
</li> </li>
<li class="ulchildlink"><strong><a href="obs_40_0021.html">Granting IAM User Groups Basic Permissions on All OBS Resources</a></strong><br> <li class="ulchildlink"><strong><a href="obs_40_0021.html">Granting IAM User Groups Basic Permissions on All OBS Resources</a></strong><br>
</li> </li>
<li class="ulchildlink"><strong><a href="obs_40_0022.html">Granting IAM User Groups Specified Permissions on All OBS Resources</a></strong><br> <li class="ulchildlink"><strong><a href="obs_40_0022.html">Granting IAM User Groups Specific Permissions for All OBS Resources</a></strong><br>
</li> </li>
<li class="ulchildlink"><strong><a href="obs_40_0023.html">Granting IAM User Groups Specified Permissions on Certain OBS Resources</a></strong><br> <li class="ulchildlink"><strong><a href="obs_40_0023.html">Granting IAM User Groups Specific Permissions on Specific OBS Resources</a></strong><br>
</li> </li>
<li class="ulchildlink"><strong><a href="obs_40_0044.html">Granting IAM User Groups Specified Permissions on Certain OBS Folders</a></strong><br> <li class="ulchildlink"><strong><a href="obs_40_0044.html">Granting IAM User Groups Specific Permissions on a Folder</a></strong><br>
</li> </li>
</ul> </ul>
<div class="familylinks"> <div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="obs_40_0012.html">Configuration Cases in Typical Permission Control Scenarios</a></div> <div class="parentlink"><strong>Parent topic:</strong> <a href="obs_40_0012.html">Permission Configuration in Typical Scenarios</a></div>
</div> </div>
</div> </div>
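Review bot: The three renamed links do not agree on the preposition: "Specific Permissions for All OBS Resources" against "Specific Permissions on Specific OBS Resources" and "Specific Permissions on a Folder", while the unchanged entry above them uses "on". Suggest "on" in all of them so the list reads as one series. The last title also drops "OBS", which the other entries keep.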

View File

@ -1,11 +1,11 @@
<a name="obs_40_0020"></a><a name="obs_40_0020"></a> <a name="obs_40_0020"></a><a name="obs_40_0020"></a>
<h1 class="topictitle1">Granting IAM User Groups All Permissions on All OBS Resources</h1> <h1 class="topictitle1">Granting IAM User Groups All Permissions on All OBS Resources</h1>
<div id="body1588765301379"><div class="section" id="obs_40_0020__section43491717165116"><h4 class="sectiontitle">Scenario</h4><p id="obs_40_0020__p3431154410448">This topic describes how to grant multiple IAM users or user groups all permissions on all OBS resources. Users with this permission can perform any OBS operation.</p> <div id="body1588765301379"><div class="section" id="obs_40_0020__section43491717165116"><h4 class="sectiontitle">Scenario</h4><p id="obs_40_0020__p3431154410448">This topic describes how to grant multiple IAM users or user groups all permissions on all OBS resources. Users with this permission can perform any operations on OBS.</p>
</div> </div>
<div class="section" id="obs_40_0020__section106520378518"><h4 class="sectiontitle">Recommended Configuration</h4><p id="obs_40_0020__p103657437515">IAM custom policies</p> <div class="section" id="obs_40_0020__section106520378518"><h4 class="sectiontitle">Recommended Configuration</h4><p id="obs_40_0020__p103657437515">Use an IAM custom policy to configure the permissions.</p>
</div> </div>
<div class="section" id="obs_40_0020__section1976313561854"><h4 class="sectiontitle">Procedure</h4><ol id="obs_40_0020__ol170633855216"><li id="obs_40_0020__li10432131493113"><span>Log in to the management console using a cloud service account.</span></li><li id="obs_40_0020__li625685643115"><span>On the top menu bar, choose <strong id="obs_40_0020__b13023912502">Service List</strong> &gt; <strong id="obs_40_0020__b70123914501">Management &amp; Deployment</strong> &gt; <strong id="obs_40_0020__b3003912507">Identity and Access Management</strong>. The IAM console is displayed.</span></li><li id="obs_40_0020__li1848615103345"><span>In the navigation pane, choose <strong id="obs_40_0020__b857015426257">Permissions</strong>.</span></li><li id="obs_40_0020__li1388483016366"><span>Click <strong id="obs_40_0020__b22623504509">Create Custom Policy</strong> in the upper right corner.</span></li><li id="obs_40_0020__li1161395452712"><span>Configure parameters for a custom policy.</span><p><div class="fignone" id="obs_40_0020__fig313442114368"><span class="figcap"><b>Figure 1 </b>Configuring a custom policy</span><br><span><img id="obs_40_0020__image10136182117366" src="en-us_image_0000001385530212.png"></span></div> <div class="section" id="obs_40_0020__section1976313561854"><h4 class="sectiontitle">Procedure</h4><ol id="obs_40_0020__ol170633855216"><li id="obs_40_0020__li10432131493113"><span>Log in to the management console using a cloud service account.</span></li><li id="obs_40_0020__li625685643115"><span>On the top menu bar, choose <strong id="obs_40_0020__b13023912502">Service List</strong> &gt; <strong id="obs_40_0020__b70123914501">Management &amp; Deployment</strong> &gt; <strong id="obs_40_0020__b3003912507">Identity and Access Management</strong>.</span></li><li id="obs_40_0020__li1848615103345"><span>In the navigation pane, choose <strong id="obs_40_0020__b857015426257">Permissions</strong>.</span></li><li id="obs_40_0020__li1388483016366"><span>Click <strong 
id="obs_40_0020__b22623504509">Create Custom Policy</strong> in the upper right corner.</span></li><li id="obs_40_0020__li1161395452712"><span>Configure a custom policy.</span><p><div class="fignone" id="obs_40_0020__fig313442114368"><span class="figcap"><b>Figure 1 </b>Configuring a custom policy</span><br><span><img id="obs_40_0020__image10136182117366" src="en-us_image_0000001385530212.png"></span></div>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="obs_40_0020__table6375112782815" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Parameters for configuring a custom policy</caption><thead align="left"><tr id="obs_40_0020__row6375927132818"><th align="left" class="cellrowborder" valign="top" width="25.03%" id="mcps1.3.3.2.5.2.2.2.3.1.1"><p id="obs_40_0020__p23757272286"><strong id="obs_40_0020__b19681602982500">Parameter</strong></p> <div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="obs_40_0020__table6375112782815" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Parameters for configuring a custom policy</caption><thead align="left"><tr id="obs_40_0020__row6375927132818"><th align="left" class="cellrowborder" valign="top" width="25.03%" id="mcps1.3.3.2.5.2.2.2.3.1.1"><p id="obs_40_0020__p23757272286"><strong id="obs_40_0020__b19681602982500">Parameter</strong></p>
</th> </th>
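Review bot: In the Scenario paragraph, "can perform any operations on OBS" should be "can perform any operation on OBS". Because this topic grants every permission on every OBS resource, the paragraph is also a good place for one sentence pointing readers who need a narrower grant to the sibling topics on specific permissions (obs_40_0022 and obs_40_0023).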
@ -15,12 +15,12 @@
</thead> </thead>
<tbody><tr id="obs_40_0020__row17375102752819"><td class="cellrowborder" valign="top" width="25.03%" headers="mcps1.3.3.2.5.2.2.2.3.1.1 "><p id="obs_40_0020__p1737572772816">Policy Name</p> <tbody><tr id="obs_40_0020__row17375102752819"><td class="cellrowborder" valign="top" width="25.03%" headers="mcps1.3.3.2.5.2.2.2.3.1.1 "><p id="obs_40_0020__p1737572772816">Policy Name</p>
</td> </td>
<td class="cellrowborder" valign="top" width="74.97%" headers="mcps1.3.3.2.5.2.2.2.3.1.2 "><p id="obs_40_0020__p83758278280">Name of the custom policy</p> <td class="cellrowborder" valign="top" width="74.97%" headers="mcps1.3.3.2.5.2.2.2.3.1.2 "><p id="obs_40_0020__p83758278280">Enter a policy name.</p>
</td> </td>
</tr> </tr>
<tr id="obs_40_0020__row1937592712288"><td class="cellrowborder" valign="top" width="25.03%" headers="mcps1.3.3.2.5.2.2.2.3.1.1 "><p id="obs_40_0020__p173753272284">Policy View</p> <tr id="obs_40_0020__row1937592712288"><td class="cellrowborder" valign="top" width="25.03%" headers="mcps1.3.3.2.5.2.2.2.3.1.1 "><p id="obs_40_0020__p173753272284">Policy View</p>
</td> </td>
<td class="cellrowborder" valign="top" width="74.97%" headers="mcps1.3.3.2.5.2.2.2.3.1.2 "><p id="obs_40_0020__p17375102714285">Set this parameter based on your own habits. <strong id="obs_40_0020__b1262518019178">Visual editor</strong> is used here.</p> <td class="cellrowborder" valign="top" width="74.97%" headers="mcps1.3.3.2.5.2.2.2.3.1.2 "><p id="obs_40_0020__p17375102714285">Select one based on your own habits. <strong id="obs_40_0020__b1273193318012">Visual editor</strong> is used here.</p>
</td> </td>
</tr> </tr>
<tr id="obs_40_0020__row133751227142812"><td class="cellrowborder" valign="top" width="25.03%" headers="mcps1.3.3.2.5.2.2.2.3.1.1 "><p id="obs_40_0020__p203751027172816">Policy Content</p> <tr id="obs_40_0020__row133751227142812"><td class="cellrowborder" valign="top" width="25.03%" headers="mcps1.3.3.2.5.2.2.2.3.1.1 "><p id="obs_40_0020__p203751027172816">Policy Content</p>
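Review bot: In the Policy View row, "Select one based on your own habits" has no antecedent for "one", so the cell no longer says what is being selected. Suggest "Select a policy view based on your preference. Visual editor is used here."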
@ -36,8 +36,8 @@
</tbody> </tbody>
</table> </table>
</div> </div>
</p></li><li id="obs_40_0020__li1293324623719"><span>Click <strong id="obs_40_0020__b8744100402500">OK</strong>. The custom policy is created.</span></li><li id="obs_40_0020__li81339157389"><span><a href="https://docs.otc.t-systems.com/en-us/usermanual/iam/iam_01_0030.html" target="_blank" rel="noopener noreferrer">Create a user group and assign permissions</a>.</span><p><p id="obs_40_0020__p1312812258417">Add the created custom policy to the user group by following the instructions in the IAM document.</p> </p></li><li id="obs_40_0020__li1293324623719"><span>Click <strong id="obs_40_0020__b142262522328">OK</strong>.</span></li><li id="obs_40_0020__li81339157389"><span><a href="https://docs.otc.t-systems.com/en-us/usermanual/iam/iam_01_0030.html" target="_blank" rel="noopener noreferrer">Create a user group and assign permissions</a>.</span><p><p id="obs_40_0020__p1312812258417">Apply the created custom policy to the user group by following the instructions in the IAM document.</p>
</p></li><li id="obs_40_0020__li12273529113919"><span>Add the IAM user you want to authorize to the created user group by referring to <a href="https://docs.otc.t-systems.com/en-us/usermanual/iam/iam_01_0031.html" target="_blank" rel="noopener noreferrer">Creating a User and Adding the User to a User Group</a>.</span><p><div class="note" id="obs_40_0020__note1402619155515"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="obs_40_0020__p37253183814">Due to data caching, it takes about 10 to 15 minutes for a custom policy to take effect after the authorization.</p> </p></li><li id="obs_40_0020__li12273529113919"><span><a href="https://docs.otc.t-systems.com/en-us/usermanual/iam/iam_01_0031.html" target="_blank" rel="noopener noreferrer">Add the IAM user you want to authorize to the created user group</a>.</span><p><div class="note" id="obs_40_0020__note1402619155515"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="obs_40_0020__p37253183814">Due to data caching, it takes about 10 to 15 minutes for a custom policy to take effect.</p>
</div></div> </div></div>
</p></li></ol> </p></li></ol>
</div> </div>
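Review bot: The note in the last step drops "after the authorization", so "it takes about 10 to 15 minutes for a custom policy to take effect" no longer says which event starts the delay. Please keep a reference point (for example, "after the policy is applied to the user group"), because readers rely on this window to tell a caching delay from a misconfigured policy. The step "Click OK." also lost "The custom policy is created.", which was the only confirmation of the expected result.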

View File

@ -1,7 +1,7 @@
<a name="obs_40_0021"></a><a name="obs_40_0021"></a> <a name="obs_40_0021"></a><a name="obs_40_0021"></a>
<h1 class="topictitle1">Granting IAM User Groups Basic Permissions on All OBS Resources</h1> <h1 class="topictitle1">Granting IAM User Groups Basic Permissions on All OBS Resources</h1>
<div id="body1588765301379"><div class="section" id="obs_40_0021__section43491717165116"><h4 class="sectiontitle">Scenario</h4><p id="obs_40_0021__p3431154410448">This topic describes how to use the OBS-related system roles and policies preset in IAM to grant basic operation permissions on all OBS resources to multiple IAM users or user groups. The following table lists the permissions supported by preset system roles and policies.</p> <div id="body1588765301379"><div class="section" id="obs_40_0021__section43491717165116"><h4 class="sectiontitle">Scenario</h4><p id="obs_40_0021__p3431154410448">This topic describes how to use OBS system roles and policies preset in IAM to grant basic operation permissions for all OBS resources to multiple IAM users or user groups. The following table lists the permissions supported by preset system roles and policies.</p>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="obs_40_0021__table143320246431" frame="border" border="1" rules="all"><caption><b>Table 1 </b>OBS system permissions</caption><thead align="left"><tr id="obs_40_0021__row13332624144312"><th align="left" class="cellrowborder" valign="top" width="21.89%" id="mcps1.3.1.3.2.4.1.1"><p id="obs_40_0021__p7332132484320">Role/Policy Name</p> <div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="obs_40_0021__table143320246431" frame="border" border="1" rules="all"><caption><b>Table 1 </b>OBS system permissions</caption><thead align="left"><tr id="obs_40_0021__row13332624144312"><th align="left" class="cellrowborder" valign="top" width="21.89%" id="mcps1.3.1.3.2.4.1.1"><p id="obs_40_0021__p7332132484320">Role/Policy Name</p>
</th> </th>
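Review bot: The Scenario paragraph now says "basic operation permissions for all OBS resources" while the h1 directly above it keeps "Basic Permissions on All OBS Resources". Use the same preposition in the title and the body; "on" matches the unchanged title and the neighbouring topics.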
@ -41,7 +41,7 @@
</tr> </tr>
<tr id="obs_40_0021__row7333132416439"><td class="cellrowborder" valign="top" width="21.89%" headers="mcps1.3.1.3.2.4.1.1 "><p id="obs_40_0021__p23331324114313">OBS ReadOnlyAccess</p> <tr id="obs_40_0021__row7333132416439"><td class="cellrowborder" valign="top" width="21.89%" headers="mcps1.3.1.3.2.4.1.1 "><p id="obs_40_0021__p23331324114313">OBS ReadOnlyAccess</p>
</td> </td>
<td class="cellrowborder" valign="top" width="60.050000000000004%" headers="mcps1.3.1.3.2.4.1.2 "><p id="obs_40_0021__p193331246430">Users with this permission can list buckets, obtain basic bucket information, obtain bucket metadata, and list objects (not the objects that have been versioned).</p> <td class="cellrowborder" valign="top" width="60.050000000000004%" headers="mcps1.3.1.3.2.4.1.2 "><p id="obs_40_0021__p193331246430">Users with this permission can list buckets, obtain basic bucket information, obtain bucket metadata, and list objects (excluding the objects that have been versioned).</p>
<div class="note" id="obs_40_0021__note864512387375"><span class="notetitle"> NOTE: </span><div class="notebody"><p id="obs_40_0021__p136452384379">If a user with this permission fails to list objects on OBS Console, there may be multiple versions of objects in the bucket. In this case, you need to grant the user the <strong id="obs_40_0021__b11873241193513">obs:bucket:ListBucketVersions</strong> permission so that the user can view different versions of objects on OBS Console.</p> <div class="note" id="obs_40_0021__note864512387375"><span class="notetitle"> NOTE: </span><div class="notebody"><p id="obs_40_0021__p136452384379">If a user with this permission fails to list objects on OBS Console, there may be multiple versions of objects in the bucket. In this case, you need to grant the user the <strong id="obs_40_0021__b11873241193513">obs:bucket:ListBucketVersions</strong> permission so that the user can view different versions of objects on OBS Console.</p>
</div></div> </div></div>
</td> </td>
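Review bot: In the OBS ReadOnlyAccess description, "list objects (excluding the objects that have been versioned)" is still ambiguous: it can be read as hiding every object in a bucket that has versions, whereas the NOTE below ties the limitation to the missing obs:bucket:ListBucketVersions permission. Suggest naming the permission in the parenthesis, for example "list objects (viewing object versions requires obs:bucket:ListBucketVersions)", so the description and the NOTE say the same thing.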
@ -50,7 +50,7 @@
</tr> </tr>
<tr id="obs_40_0021__row3333202464311"><td class="cellrowborder" valign="top" width="21.89%" headers="mcps1.3.1.3.2.4.1.1 "><p id="obs_40_0021__p1333112420434">OBS OperateAccess</p> <tr id="obs_40_0021__row3333202464311"><td class="cellrowborder" valign="top" width="21.89%" headers="mcps1.3.1.3.2.4.1.1 "><p id="obs_40_0021__p1333112420434">OBS OperateAccess</p>
</td> </td>
<td class="cellrowborder" valign="top" width="60.050000000000004%" headers="mcps1.3.1.3.2.4.1.2 "><p id="obs_40_0021__p145991616552">Users with this permission can perform all OBS ReadOnlyAccess operations and perform basic object operations, such as uploading objects, downloading objects, deleting objects, and obtaining object ACLs.</p> <td class="cellrowborder" valign="top" width="60.050000000000004%" headers="mcps1.3.1.3.2.4.1.2 "><p id="obs_40_0021__p145991616552">Users with this permission can perform all ReadOnlyAccess operations on OBS and perform basic operations on objects, such as uploading, downloading, deleting objects, and obtaining object ACLs.</p>
<div class="note" id="obs_40_0021__note84579519419"><span class="notetitle"> NOTE: </span><div class="notebody"><p id="obs_40_0021__p9457205144115">If a user with this permission fails to list objects on OBS Console, there may be multiple versions of objects in the bucket. In this case, you need to grant the user the <strong id="obs_40_0021__b79791245133515">obs:bucket:ListBucketVersions</strong> permission so that the user can view different versions of objects on OBS Console.</p> <div class="note" id="obs_40_0021__note84579519419"><span class="notetitle"> NOTE: </span><div class="notebody"><p id="obs_40_0021__p9457205144115">If a user with this permission fails to list objects on OBS Console, there may be multiple versions of objects in the bucket. In this case, you need to grant the user the <strong id="obs_40_0021__b79791245133515">obs:bucket:ListBucketVersions</strong> permission so that the user can view different versions of objects on OBS Console.</p>
</div></div> </div></div>
</td> </td>
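Review bot: In the OBS OperateAccess description, "all ReadOnlyAccess operations on OBS" no longer matches the policy name as the table gives it, "OBS ReadOnlyAccess"; keep the exact name so readers can search for it in IAM. The list "uploading, downloading, deleting objects, and obtaining object ACLs" is also not parallel; suggest "uploading, downloading, and deleting objects, and obtaining object ACLs".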
@ -63,12 +63,12 @@
</div> </div>
<div class="section" id="obs_40_0021__section106520378518"><h4 class="sectiontitle">Recommended Configuration</h4><p id="obs_40_0021__p103657437515">IAM system roles and policies</p> <div class="section" id="obs_40_0021__section106520378518"><h4 class="sectiontitle">Recommended Configuration</h4><p id="obs_40_0021__p103657437515">IAM system roles and policies</p>
</div> </div>
<div class="section" id="obs_40_0021__section786219432319"><h4 class="sectiontitle">Configuration Precautions</h4><p id="obs_40_0021__p817120327254">After a system role or policy is configured according to this case, if you log in to the system using OBS Console or OBS Browser+, a message may be displayed indicating that you do not have the permission. </p> <div class="section" id="obs_40_0021__section786219432319"><h4 class="sectiontitle">Precautions</h4><p id="obs_40_0021__p817120327254">After a system role or policy is configured according to this case, if you log in to the system using OBS Console or OBS Browser+, a message may be displayed indicating that you do not have the permission. </p>
<p id="obs_40_0021__p5919175842316">Authorized permissions are valid, though operations on the console or client are restricted. You can call the APIs directly.</p> <p id="obs_40_0021__p5919175842316">Although the error message is displayed, the IAM users can still call the APIs to perform authorized operations.</p>
<p id="obs_40_0021__p2091955810234">With <strong id="obs_40_0021__b6954823124117">OBS OperateAccess</strong> configured, you can upload or download objects on OBS Console or OBS Browser+.</p> <p id="obs_40_0021__p2091955810234">When <strong id="obs_40_0021__b6954823124117">OBS OperateAccess</strong> is allowed, they can upload or download objects on OBS Console or OBS Browser+.</p>
</div> </div>
<div class="section" id="obs_40_0021__section1976313561854"><h4 class="sectiontitle">Procedure</h4><ol id="obs_40_0021__ol170633855216"><li id="obs_40_0021__li10432131493113"><span>Log in to the management console using a cloud service account.</span></li><li id="obs_40_0021__li625685643115"><span>On the top menu bar, choose <strong id="obs_40_0021__b1424104235114">Service List</strong> &gt; <strong id="obs_40_0021__b152515429519">Management &amp; Deployment</strong> &gt; <strong id="obs_40_0021__b225154225119">Identity and Access Management</strong>. The IAM console is displayed.</span></li><li id="obs_40_0021__li81339157389"><span><a href="https://docs.otc.t-systems.com/en-us/usermanual/iam/iam_01_0030.html" target="_blank" rel="noopener noreferrer">Create a user group and assign permissions</a>.</span><p><p id="obs_40_0021__p1312812258417">Add system roles or policies that meet the service scenario requirements to the user group by following the instructions provided in the IAM document.</p> <div class="section" id="obs_40_0021__section1976313561854"><h4 class="sectiontitle">Procedure</h4><ol id="obs_40_0021__ol170633855216"><li id="obs_40_0021__li10432131493113"><span>Log in to the management console using a cloud service account.</span></li><li id="obs_40_0021__li625685643115"><span>On the top menu bar, choose <strong id="obs_40_0021__b1424104235114">Service List</strong> &gt; <strong id="obs_40_0021__b152515429519">Management &amp; Deployment</strong> &gt; <strong id="obs_40_0021__b225154225119">Identity and Access Management</strong>.</span></li><li id="obs_40_0021__li81339157389"><span><a href="https://docs.otc.t-systems.com/en-us/usermanual/iam/iam_01_0030.html" target="_blank" rel="noopener noreferrer">Create a user group and assign permissions</a>.</span><p><p id="obs_40_0021__p1312812258417">Apply system roles or policies that meet requirements to the user group by following the instructions provided in the IAM document.</p>
</p></li><li id="obs_40_0021__li12273529113919"><span>Add the IAM user you want to authorize to the created user group by referring to <a href="https://docs.otc.t-systems.com/en-us/usermanual/iam/iam_01_0031.html" target="_blank" rel="noopener noreferrer">Creating a User and Adding the User to a User Group</a>.</span><p><div class="note" id="obs_40_0021__note1402619155515"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="obs_40_0021__p37253183814">Due to data caching, it takes about 10 to 15 minutes for the configured permissions to take effect.</p> </p></li><li id="obs_40_0021__li12273529113919"><span><a href="https://docs.otc.t-systems.com/en-us/usermanual/iam/iam_01_0031.html" target="_blank" rel="noopener noreferrer">Add the IAM user you want to authorize to the created user group</a>.</span><p><div class="note" id="obs_40_0021__note1402619155515"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="obs_40_0021__p37253183814">Due to data caching, it takes about 10 to 15 minutes for the configured permissions to take effect.</p>
</div></div> </div></div>
</p></li></ol> </p></li></ol>
</div> </div>
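Review bot: The Precautions section now mixes persons: the first paragraph still addresses "you" ("if you log in to the system"), and the two rewritten paragraphs switch to "the IAM users" and "they". Pick one subject for all three paragraphs. In the third paragraph, "When OBS OperateAccess is allowed" should be "is granted" or "is assigned", since the policy is assigned and the actions are what it allows.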

View File

@ -1,15 +1,15 @@
<a name="obs_40_0022"></a><a name="obs_40_0022"></a> <a name="obs_40_0022"></a><a name="obs_40_0022"></a>
<h1 class="topictitle1">Granting IAM User Groups Specified Permissions on All OBS Resources</h1> <h1 class="topictitle1">Granting IAM User Groups Specific Permissions for All OBS Resources</h1>
<div id="body1588765301379"><div class="section" id="obs_40_0022__section43491717165116"><h4 class="sectiontitle">Scenario</h4><p id="obs_40_0022__p3431154410448">This topic describes how to grant multiple IAM users or user groups specific permissions on all OBS resources.</p> <div id="body1588765301379"><div class="section" id="obs_40_0022__section43491717165116"><h4 class="sectiontitle">Scenario</h4><p id="obs_40_0022__p3431154410448">This topic describes how to grant multiple IAM users or user groups specified permissions for all OBS resources.</p>
</div> </div>
<div class="section" id="obs_40_0022__section106520378518"><h4 class="sectiontitle">Recommended Configuration</h4><p id="obs_40_0022__p103657437515">IAM custom policies</p> <div class="section" id="obs_40_0022__section106520378518"><h4 class="sectiontitle">Recommended Configuration</h4><p id="obs_40_0022__p103657437515">Use an IAM custom policy to configure the permissions.</p>
</div> </div>
<div class="section" id="obs_40_0022__section786219432319"><h4 class="sectiontitle">Configuration Precautions</h4><p id="obs_40_0022__p817120327254">After the configuration is complete, you can perform allowed operations using APIs. However, if you log in to OBS Console or OBS Browser+ to perform those operations, an error is reported indicating that you do not have required permissions.</p> <div class="section" id="obs_40_0022__section786219432319"><h4 class="sectiontitle">Precautions</h4><p id="obs_40_0022__p817120327254">After configuration, IAM user groups can perform allowed operations using APIs. If they log in to OBS Console or OBS Browser+ to perform those operations, a message will be displayed indicating that they do not have required permissions.</p>
<p id="obs_40_0022__p116361483599">This is because when you log in to OBS Console or OBS Browser+, APIs (such as <strong id="obs_40_0022__b337011864314">ListAllMyBuckets</strong> and <strong id="obs_40_0022__b71716203434">ListBucket</strong>) are called to load the bucket list and object list and some other APIs will also be called on other pages, but your permissions do not cover those APIs. In such case, your access to OBS Console or OBS Browser+ is denied or your operation is not allowed.</p> <p id="obs_40_0022__p116361483599">This is because when they log in to OBS Console or OBS Browser+, APIs (such as <strong id="obs_40_0022__b333219515015">ListAllMyBuckets</strong> and <strong id="obs_40_0022__b1033310512019">ListBucket</strong>) are called to load the bucket list and object list and some other APIs will also be called on other pages, but their permissions do not cover those APIs. In such case, the message is diplayed.</p>
<p id="obs_40_0022__p7807163365117">To allow IAM users to operate buckets and objects on OBS Console or OBS Browser+, add at least the <strong id="obs_40_0022__b44441417182119">obs:bucket:ListAllMyBuckets</strong> and <strong id="obs_40_0022__b3451161714213">obs:bucket:ListBucket</strong> permissions to the custom policy.</p> <p id="obs_40_0022__p7807163365117">To allow IAM users to operate buckets and objects on OBS Console or OBS Browser+, add at least the <strong id="obs_40_0022__b44441417182119">obs:bucket:ListAllMyBuckets</strong> and <strong id="obs_40_0022__b3451161714213">obs:bucket:ListBucket</strong> permissions to the custom policy.</p>
</div> </div>
<div class="section" id="obs_40_0022__section1976313561854"><h4 class="sectiontitle">Procedure</h4><ol id="obs_40_0022__ol170633855216"><li id="obs_40_0022__li10432131493113"><span>Log in to the management console using a cloud service account.</span></li><li id="obs_40_0022__li625685643115"><span>On the top menu bar, choose <strong id="obs_40_0022__b19348101015418">Service List</strong> &gt; <strong id="obs_40_0022__b1034881065414">Management &amp; Deployment</strong> &gt; <strong id="obs_40_0022__b143481108548">Identity and Access Management</strong>. The IAM console is displayed.</span></li><li id="obs_40_0022__li1848615103345"><span>In the navigation pane, choose <strong id="obs_40_0022__b6600151112716">Permissions</strong>.</span></li><li id="obs_40_0022__li1388483016366"><span>Click <strong id="obs_40_0022__b07324916548">Create Custom Policy</strong> in the upper right corner.</span></li><li id="obs_40_0022__li1161395452712"><span>Configure parameters for a custom policy.</span><p><div class="fignone" id="obs_40_0022__fig59601157145012"><span class="figcap"><b>Figure 1 </b>Configuring a custom policy</span><br><span><img id="obs_40_0022__image1096195735010" src="en-us_image_0000001436253413.png"></span></div> <div class="section" id="obs_40_0022__section1976313561854"><h4 class="sectiontitle">Procedure</h4><ol id="obs_40_0022__ol170633855216"><li id="obs_40_0022__li10432131493113"><span>Log in to the management console using a cloud service account.</span></li><li id="obs_40_0022__li625685643115"><span>On the top menu bar, choose <strong id="obs_40_0022__b19348101015418">Service List</strong> &gt; <strong id="obs_40_0022__b1034881065414">Management &amp; Deployment</strong> &gt; <strong id="obs_40_0022__b143481108548">Identity and Access Management</strong>.</span></li><li id="obs_40_0022__li1848615103345"><span>In the navigation pane, choose <strong id="obs_40_0022__b6600151112716">Permissions</strong>.</span></li><li 
id="obs_40_0022__li1388483016366"><span>Click <strong id="obs_40_0022__b07324916548">Create Custom Policy</strong> in the upper right corner.</span></li><li id="obs_40_0022__li1161395452712"><span>Configure a custom policy.</span><p><div class="fignone" id="obs_40_0022__fig59601157145012"><span class="figcap"><b>Figure 1 </b>Configuring a custom policy</span><br><span><img id="obs_40_0022__image1096195735010" src="en-us_image_0000001436253413.png"></span></div>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="obs_40_0022__table6375112782815" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Parameters for configuring a custom policy</caption><thead align="left"><tr id="obs_40_0022__row6375927132818"><th align="left" class="cellrowborder" valign="top" width="25.25%" id="mcps1.3.4.2.5.2.2.2.3.1.1"><p id="obs_40_0022__p23757272286"><strong id="obs_40_0022__b9153439274332">Parameter</strong></p> <div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="obs_40_0022__table6375112782815" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Parameters for configuring a custom policy</caption><thead align="left"><tr id="obs_40_0022__row6375927132818"><th align="left" class="cellrowborder" valign="top" width="25.25%" id="mcps1.3.4.2.5.2.2.2.3.1.1"><p id="obs_40_0022__p23757272286"><strong id="obs_40_0022__b9153439274332">Parameter</strong></p>
</th> </th>
@ -19,17 +19,17 @@
</thead> </thead>
<tbody><tr id="obs_40_0022__row17375102752819"><td class="cellrowborder" valign="top" width="25.25%" headers="mcps1.3.4.2.5.2.2.2.3.1.1 "><p id="obs_40_0022__p1737572772816">Policy Name</p> <tbody><tr id="obs_40_0022__row17375102752819"><td class="cellrowborder" valign="top" width="25.25%" headers="mcps1.3.4.2.5.2.2.2.3.1.1 "><p id="obs_40_0022__p1737572772816">Policy Name</p>
</td> </td>
<td class="cellrowborder" valign="top" width="74.75%" headers="mcps1.3.4.2.5.2.2.2.3.1.2 "><p id="obs_40_0022__p83758278280">Name of the custom policy</p> <td class="cellrowborder" valign="top" width="74.75%" headers="mcps1.3.4.2.5.2.2.2.3.1.2 "><p id="obs_40_0022__p83758278280">Enter a policy name.</p>
</td> </td>
</tr> </tr>
<tr id="obs_40_0022__row1937592712288"><td class="cellrowborder" valign="top" width="25.25%" headers="mcps1.3.4.2.5.2.2.2.3.1.1 "><p id="obs_40_0022__p173753272284">Policy View</p> <tr id="obs_40_0022__row1937592712288"><td class="cellrowborder" valign="top" width="25.25%" headers="mcps1.3.4.2.5.2.2.2.3.1.1 "><p id="obs_40_0022__p173753272284">Policy View</p>
</td> </td>
<td class="cellrowborder" valign="top" width="74.75%" headers="mcps1.3.4.2.5.2.2.2.3.1.2 "><p id="obs_40_0022__p17375102714285">Set this parameter based on your own habits. <strong id="obs_40_0022__b498165611613">Visual editor</strong> is used here.</p> <td class="cellrowborder" valign="top" width="74.75%" headers="mcps1.3.4.2.5.2.2.2.3.1.2 "><p id="obs_40_0022__p17375102714285">Select one based on your own habits. <strong id="obs_40_0022__b207111424507">Visual editor</strong> is used here.</p>
</td> </td>
</tr> </tr>
<tr id="obs_40_0022__row133751227142812"><td class="cellrowborder" valign="top" width="25.25%" headers="mcps1.3.4.2.5.2.2.2.3.1.1 "><p id="obs_40_0022__p203751027172816">Policy Content</p> <tr id="obs_40_0022__row133751227142812"><td class="cellrowborder" valign="top" width="25.25%" headers="mcps1.3.4.2.5.2.2.2.3.1.1 "><p id="obs_40_0022__p203751027172816">Policy Content</p>
</td> </td>
<td class="cellrowborder" valign="top" width="74.75%" headers="mcps1.3.4.2.5.2.2.2.3.1.2 "><ul id="obs_40_0022__ul312618263319"><li id="obs_40_0022__li112652673110">Select <strong id="obs_40_0022__b15462797584332">Allow</strong>.</li><li id="obs_40_0022__li1952919359">Select <strong id="obs_40_0022__b10755842674332">Object Storage Service (OBS)</strong>.</li><li id="obs_40_0022__li813512281313">Select the actions to be authorized.</li><li id="obs_40_0022__li024173143415">Select <strong id="obs_40_0022__b7462133612293">All</strong> for resources.</li></ul> <td class="cellrowborder" valign="top" width="74.75%" headers="mcps1.3.4.2.5.2.2.2.3.1.2 "><ul id="obs_40_0022__ul312618263319"><li id="obs_40_0022__li112652673110">Select <strong id="obs_40_0022__b15462797584332">Allow</strong>.</li><li id="obs_40_0022__li1952919359">Select <strong id="obs_40_0022__b10755842674332">Object Storage Service (OBS)</strong>.</li><li id="obs_40_0022__li813512281313">Select the actions to be allowed.</li><li id="obs_40_0022__li024173143415">Select <strong id="obs_40_0022__b7462133612293">All</strong> for resources.</li></ul>
</td> </td>
</tr> </tr>
<tr id="obs_40_0022__row15393131325217"><td class="cellrowborder" valign="top" width="25.25%" headers="mcps1.3.4.2.5.2.2.2.3.1.1 "><p id="obs_40_0022__p83756273285">Scope</p> <tr id="obs_40_0022__row15393131325217"><td class="cellrowborder" valign="top" width="25.25%" headers="mcps1.3.4.2.5.2.2.2.3.1.1 "><p id="obs_40_0022__p83756273285">Scope</p>
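Review bot: In the Policy View row, the new wording "Select one based on your own habits" leaves "one" without a referent, because the cell never names the views to choose from; the old "Set this parameter" at least pointed at the parameter. Suggest naming the available views in the cell before stating that Visual editor is used here. In the Policy Content row, "Select the actions to be allowed" sits next to "Select All for resources", so it would help to add that only the actions the user group needs should be selected, since the policy applies to every OBS resource.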
@ -40,8 +40,8 @@
</tbody> </tbody>
</table> </table>
</div> </div>
</p></li><li id="obs_40_0022__li1293324623719"><span>Click <strong id="obs_40_0022__b5831489364332">OK</strong>. The custom policy is created.</span></li><li id="obs_40_0022__li81339157389"><span><a href="https://docs.otc.t-systems.com/en-us/usermanual/iam/iam_01_0030.html" target="_blank" rel="noopener noreferrer">Create a user group and assign permissions</a>.</span><p><p id="obs_40_0022__p1312812258417">Add the created custom policy to the user group by following the instructions in the IAM document.</p> </p></li><li id="obs_40_0022__li1293324623719"><span>Click <strong id="obs_40_0022__b103151843193213">OK</strong>.</span></li><li id="obs_40_0022__li81339157389"><span><a href="https://docs.otc.t-systems.com/en-us/usermanual/iam/iam_01_0030.html" target="_blank" rel="noopener noreferrer">Create a user group and assign permissions</a>.</span><p><p id="obs_40_0022__p1312812258417">Apply the created custom policy to the user group by following the instructions in the IAM document.</p>
</p></li><li id="obs_40_0022__li12273529113919"><span>Add the IAM user you want to authorize to the created user group by referring to <a href="https://docs.otc.t-systems.com/en-us/usermanual/iam/iam_01_0031.html" target="_blank" rel="noopener noreferrer">Creating a User and Adding the User to a User Group</a>.</span><p><div class="note" id="obs_40_0022__note1402619155515"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="obs_40_0022__p37253183814">Due to data caching, it takes about 10 to 15 minutes for a custom policy to take effect after the authorization.</p> </p></li><li id="obs_40_0022__li12273529113919"><span><a href="https://docs.otc.t-systems.com/en-us/usermanual/iam/iam_01_0031.html" target="_blank" rel="noopener noreferrer">Add the IAM user you want to authorize to the created user group</a>.</span><p><div class="note" id="obs_40_0022__note1402619155515"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="obs_40_0022__p37253183814">Due to data caching, it takes about 10 to 15 minutes for a custom policy to take effect.</p>
</div></div> </div></div>
</p></li></ol> </p></li></ol>
</div> </div>
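Review bot: The note under the last step now reads "it takes about 10 to 15 minutes for a custom policy to take effect" with "after the authorization" removed, so it no longer says which event starts the delay: creating the policy, applying it to the user group, or adding the IAM user to the group. Suggest naming the starting event explicitly. It is also worth stating whether the same caching delay applies when a policy is edited or a user is removed from the group, because that determines how long withdrawn permissions stay usable.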

View File

@ -1,18 +1,18 @@
<a name="obs_40_0023"></a><a name="obs_40_0023"></a> <a name="obs_40_0023"></a><a name="obs_40_0023"></a>
<h1 class="topictitle1">Granting IAM User Groups Specified Permissions on Certain OBS Resources</h1> <h1 class="topictitle1">Granting IAM User Groups Specific Permissions on Specific OBS Resources</h1>
<div id="body1588765301379"><div class="section" id="obs_40_0023__section43491717165116"><h4 class="sectiontitle">Scenario</h4><p id="obs_40_0023__p3431154410448">This topic describes how to grant certain operation permissions on specific OBS resources (can be a bucket or an object) to multiple IAM users or user groups.</p> <div id="body1588765301379"><div class="section" id="obs_40_0023__section43491717165116"><h4 class="sectiontitle">Scenario</h4><p id="obs_40_0023__p3431154410448">This topic describes how to grant specific operation permissions on specific OBS resources (a bucket or an object) to multiple IAM users or user groups.</p>
</div> </div>
<div class="section" id="obs_40_0023__section106520378518"><h4 class="sectiontitle">Recommended Configuration</h4><p id="obs_40_0023__p103657437515">IAM custom policies</p> <div class="section" id="obs_40_0023__section106520378518"><h4 class="sectiontitle">Recommended Configuration</h4><p id="obs_40_0023__p103657437515">Use an IAM custom policy to configure the permissions.</p>
</div> </div>
<div class="section" id="obs_40_0023__section786219432319"><h4 class="sectiontitle">Configuration Precautions</h4><p id="obs_40_0023__p817120327254">After the configuration is complete, you can perform allowed operations using APIs. However, if you log in to OBS Console or OBS Browser+ to perform those operations, an error is reported indicating that you do not have required permissions.</p> <div class="section" id="obs_40_0023__section786219432319"><h4 class="sectiontitle">Precautions</h4><p id="obs_40_0023__p817120327254">After configuration, IAM user groups can perform allowed operations using APIs. If they log in to OBS Console or OBS Browser+ to perform those operations, a message will be displayed indicating that they do not have required permissions.</p>
<p id="obs_40_0023__p2095722518592">This is because when you log in to OBS Console or OBS Browser+, APIs (such as <strong id="obs_40_0023__b1130515291818">ListAllMyBuckets</strong> and <strong id="obs_40_0023__b137993304820">ListBucket</strong>) are called to load the bucket list and object list and some other APIs will also be called on other pages, but your permissions do not cover those APIs. In such case, your access to OBS Console or OBS Browser+ is denied or your operation is not allowed.</p> <p id="obs_40_0023__p2095722518592">When they log in to OBS Console or OBS Browser+, APIs (such as <strong id="obs_40_0023__b34331469166">ListAllMyBuckets</strong> and <strong id="obs_40_0023__b13433194621618">ListBucket</strong>) are called to load the bucket list and object list and some other APIs will also be called on other pages, but their permissions do not cover those APIs. In such case, the message is diplayed.</p>
<p id="obs_40_0023__p7807163365117">To allow IAM users to operate buckets and objects on OBS Console or OBS Browser+, add at least the <strong id="obs_40_0023__b1611149202711">obs:bucket:ListAllMyBuckets</strong> and <strong id="obs_40_0023__b86122918270">obs:bucket:ListBucket</strong> permissions to the custom policy.</p> <p id="obs_40_0023__p7807163365117">To allow IAM users to operate buckets and objects on OBS Console or OBS Browser+, add at least the <strong id="obs_40_0023__b1611149202711">obs:bucket:ListAllMyBuckets</strong> and <strong id="obs_40_0023__b86122918270">obs:bucket:ListBucket</strong> permissions to the custom policy.</p>
<div class="note" id="obs_40_0023__note5566228165219"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="obs_40_0023__p1518015112445"><strong id="obs_40_0023__b12487175316569">obs:bucket:ListAllMyBuckets</strong> applies to all resources. You need to select all resources.</p> <div class="note" id="obs_40_0023__note5566228165219"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="obs_40_0023__p1518015112445"><strong id="obs_40_0023__b12487175316569">obs:bucket:ListAllMyBuckets</strong> applies to all resources. You need to select all resources.</p>
<p id="obs_40_0023__p256692825216"><strong id="obs_40_0023__b272951591913">obs:bucket:ListBucket</strong> applies only to the authorized bucket. You can select all resources or a specified bucket as needed.</p> <p id="obs_40_0023__p256692825216"><strong id="obs_40_0023__b272951591913">obs:bucket:ListBucket</strong> applies only to the authorized bucket. You can select all resources or a specified bucket as needed.</p>
</div></div> </div></div>
</div> </div>
<div class="section" id="obs_40_0023__section1976313561854"><h4 class="sectiontitle">Procedure</h4><ol id="obs_40_0023__ol170633855216"><li id="obs_40_0023__li10432131493113"><span>Log in to the management console using a cloud service account.</span></li><li id="obs_40_0023__li625685643115"><span>On the top menu bar, choose <strong id="obs_40_0023__b4329163635612">Service List</strong> &gt; <strong id="obs_40_0023__b183291636155616">Management &amp; Deployment</strong> &gt; <strong id="obs_40_0023__b123291436185618">Identity and Access Management</strong>. The IAM console is displayed.</span></li><li id="obs_40_0023__li1848615103345"><span>In the navigation pane, choose <strong id="obs_40_0023__b742013972818">Permissions</strong>.</span></li><li id="obs_40_0023__li1388483016366"><span>Click <strong id="obs_40_0023__b819614439565">Create Custom Policy</strong> in the upper right corner.</span></li><li id="obs_40_0023__li1161395452712"><span>Configure parameters for a custom policy.</span><p><div class="fignone" id="obs_40_0023__fig108170917818"><span class="figcap"><b>Figure 1 </b>Configuring a custom policy</span><br><span><img id="obs_40_0023__image18181994819" src="en-us_image_0000001385859230.png"></span></div> <div class="section" id="obs_40_0023__section1976313561854"><h4 class="sectiontitle">Procedure</h4><ol id="obs_40_0023__ol170633855216"><li id="obs_40_0023__li10432131493113"><span>Log in to the management console using a cloud service account.</span></li><li id="obs_40_0023__li625685643115"><span>On the top menu bar, choose <strong id="obs_40_0023__b4329163635612">Service List</strong> &gt; <strong id="obs_40_0023__b183291636155616">Management &amp; Deployment</strong> &gt; <strong id="obs_40_0023__b123291436185618">Identity and Access Management</strong>.</span></li><li id="obs_40_0023__li1848615103345"><span>In the navigation pane, choose <strong id="obs_40_0023__b742013972818">Permissions</strong>.</span></li><li 
id="obs_40_0023__li1388483016366"><span>Click <strong id="obs_40_0023__b819614439565">Create Custom Policy</strong> in the upper right corner.</span></li><li id="obs_40_0023__li1161395452712"><span>Configure a custom policy.</span><p><div class="fignone" id="obs_40_0023__fig108170917818"><span class="figcap"><b>Figure 1 </b>Configuring a custom policy</span><br><span><img id="obs_40_0023__image18181994819" src="en-us_image_0000001385859230.png"></span></div>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="obs_40_0023__table6375112782815" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Parameters for configuring a custom policy</caption><thead align="left"><tr id="obs_40_0023__row6375927132818"><th align="left" class="cellrowborder" valign="top" width="25.25%" id="mcps1.3.4.2.5.2.2.2.3.1.1"><p id="obs_40_0023__p23757272286"><strong id="obs_40_0023__b138822153645142">Parameter</strong></p> <div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="obs_40_0023__table6375112782815" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Parameters for configuring a custom policy</caption><thead align="left"><tr id="obs_40_0023__row6375927132818"><th align="left" class="cellrowborder" valign="top" width="25.25%" id="mcps1.3.4.2.5.2.2.2.3.1.1"><p id="obs_40_0023__p23757272286"><strong id="obs_40_0023__b138822153645142">Parameter</strong></p>
</th> </th>
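Review bot: The rewritten Precautions paragraph ends with "In such case, the message is diplayed", which contains a typo ("diplayed" should be "displayed") and should read "In this case". The subject was also changed from "you" to "IAM user groups", so the text now says "If they log in to OBS Console or OBS Browser+", but groups do not log in; suggest "IAM users in the group". The old sentence stated the consequence directly ("your access to OBS Console or OBS Browser+ is denied or your operation is not allowed"), while the new one only refers back to "the message" from the previous paragraph; consider keeping the explicit outcome.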
@ -22,12 +22,12 @@
</thead> </thead>
<tbody><tr id="obs_40_0023__row17375102752819"><td class="cellrowborder" valign="top" width="25.25%" headers="mcps1.3.4.2.5.2.2.2.3.1.1 "><p id="obs_40_0023__p1737572772816">Policy Name</p> <tbody><tr id="obs_40_0023__row17375102752819"><td class="cellrowborder" valign="top" width="25.25%" headers="mcps1.3.4.2.5.2.2.2.3.1.1 "><p id="obs_40_0023__p1737572772816">Policy Name</p>
</td> </td>
<td class="cellrowborder" valign="top" width="74.75%" headers="mcps1.3.4.2.5.2.2.2.3.1.2 "><p id="obs_40_0023__p83758278280">Name of the custom policy</p> <td class="cellrowborder" valign="top" width="74.75%" headers="mcps1.3.4.2.5.2.2.2.3.1.2 "><p id="obs_40_0023__p83758278280">Enter a policy name.</p>
</td> </td>
</tr> </tr>
<tr id="obs_40_0023__row1937592712288"><td class="cellrowborder" valign="top" width="25.25%" headers="mcps1.3.4.2.5.2.2.2.3.1.1 "><p id="obs_40_0023__p173753272284">Policy View</p> <tr id="obs_40_0023__row1937592712288"><td class="cellrowborder" valign="top" width="25.25%" headers="mcps1.3.4.2.5.2.2.2.3.1.1 "><p id="obs_40_0023__p173753272284">Policy View</p>
</td> </td>
<td class="cellrowborder" valign="top" width="74.75%" headers="mcps1.3.4.2.5.2.2.2.3.1.2 "><p id="obs_40_0023__p17375102714285">Set this parameter based on your own habits. <strong id="obs_40_0023__b4289123041619">Visual editor</strong> is used here.</p> <td class="cellrowborder" valign="top" width="74.75%" headers="mcps1.3.4.2.5.2.2.2.3.1.2 "><p id="obs_40_0023__p17375102714285">Select one based on your own habits. <strong id="obs_40_0023__b77688415919">Visual editor</strong> is used here.</p>
</td> </td>
</tr> </tr>
<tr id="obs_40_0023__row133751227142812"><td class="cellrowborder" valign="top" width="25.25%" headers="mcps1.3.4.2.5.2.2.2.3.1.1 "><p id="obs_40_0023__p203751027172816">Policy Content</p> <tr id="obs_40_0023__row133751227142812"><td class="cellrowborder" valign="top" width="25.25%" headers="mcps1.3.4.2.5.2.2.2.3.1.1 "><p id="obs_40_0023__p203751027172816">Policy Content</p>
@ -35,19 +35,20 @@
<td class="cellrowborder" valign="top" width="74.75%" headers="mcps1.3.4.2.5.2.2.2.3.1.2 "><p id="obs_40_0023__p1928318374535">[Permission 1] It is mandatory when an authorized user needs to perform operations on OBS Console or OBS Browser+.</p> <td class="cellrowborder" valign="top" width="74.75%" headers="mcps1.3.4.2.5.2.2.2.3.1.2 "><p id="obs_40_0023__p1928318374535">[Permission 1] It is mandatory when an authorized user needs to perform operations on OBS Console or OBS Browser+.</p>
<ul id="obs_40_0023__ul1488325514462"><li id="obs_40_0023__li10883125510469">Select <strong id="obs_40_0023__b88976299145142">Allow</strong>.</li><li id="obs_40_0023__li988318554466">Select <strong id="obs_40_0023__b151943995545142">Object Storage Service (OBS)</strong>.</li><li id="obs_40_0023__li19883155554614">Select <strong id="obs_40_0023__b12727183314324">obs:bucket:ListAllMyBuckets</strong> from the actions.</li><li id="obs_40_0023__li1991741116547">Select <strong id="obs_40_0023__b153479408322">All</strong> for resources.</li></ul> <ul id="obs_40_0023__ul1488325514462"><li id="obs_40_0023__li10883125510469">Select <strong id="obs_40_0023__b88976299145142">Allow</strong>.</li><li id="obs_40_0023__li988318554466">Select <strong id="obs_40_0023__b151943995545142">Object Storage Service (OBS)</strong>.</li><li id="obs_40_0023__li19883155554614">Select <strong id="obs_40_0023__b12727183314324">obs:bucket:ListAllMyBuckets</strong> from the actions.</li><li id="obs_40_0023__li1991741116547">Select <strong id="obs_40_0023__b153479408322">All</strong> for resources.</li></ul>
<p id="obs_40_0023__p148511375414">[Permission 2]</p> <p id="obs_40_0023__p148511375414">[Permission 2]</p>
<ul id="obs_40_0023__ul127691549205313"><li id="obs_40_0023__li167691496533">Select <strong id="obs_40_0023__b74938556745142">Allow</strong>.</li><li id="obs_40_0023__li1676910494536">Select <strong id="obs_40_0023__b145468528145142">Object Storage Service (OBS)</strong>.</li><li id="obs_40_0023__li7820139488">Select the actions to be authorized.</li><li id="obs_40_0023__li77691949175310">Choose <strong id="obs_40_0023__b35010192029">Specific resources</strong> &gt; <strong id="obs_40_0023__b4258125924">Bucket</strong> to specify bucket resources.<p id="obs_40_0023__p4392013822"><span style="color:#3D3F43;">[Format]</span></p> <ul id="obs_40_0023__ul127691549205313"><li id="obs_40_0023__li167691496533">Select <strong id="obs_40_0023__b74938556745142">Allow</strong>.</li><li id="obs_40_0023__li1676910494536">Select <strong id="obs_40_0023__b145468528145142">Object Storage Service (OBS)</strong>.</li><li id="obs_40_0023__li7820139488">Select the actions to be authorized.</li><li id="obs_40_0023__li77691949175310">Choose <strong id="obs_40_0023__b35010192029">Specific resources</strong> &gt; <strong id="obs_40_0023__b4258125924">Bucket</strong> to specify bucket resources.<p id="obs_40_0023__p4392013822">[Format]</p>
<p id="obs_40_0023__p9933155311298"><strong id="obs_40_0023__b17700193119537">obs:*:*:bucket:</strong><em id="obs_40_0023__i102229783545142">bucket name</em></p> <p id="obs_40_0023__p9933155311298"><strong id="obs_40_0023__b17700193119537">obs:*:*:bucket:</strong><em id="obs_40_0023__i102229783545142">bucket name</em></p>
<p id="obs_40_0023__p14703335307">[Note]</p> <p id="obs_40_0023__p14703335307">[Note]</p>
<p id="obs_40_0023__p9142175873014">For bucket resources, IAM automatically generates the prefix of the resource path: <strong style="color:#3D3F43;" id="obs_40_0023__b123687613345142">obs:*:*:bucket:</strong>.</p> <p id="obs_40_0023__p9142175873014">For bucket resources, IAM automatically generates the prefix of the resource path: <strong id="obs_40_0023__b123687613345142">obs:*:*:bucket:</strong>.</p>
<p id="obs_40_0023__p17463217363">For the path of a specific bucket, add the <em id="obs_40_0023__i27889316645142">bucket name</em> to the end. You can also add a wildcard character (*) to indicate any bucket. Example:</p> <p id="obs_40_0023__p17463217363">For the path of a specific bucket, add the <em id="obs_40_0023__i27889316645142">bucket name</em> to the end. You can also add a wildcard character (*) to indicate any bucket. Examples are given as follows:</p>
<p id="obs_40_0023__p129731439193114"><strong style="color:#3D3F43;" id="obs_40_0023__b177524031545142">obs:*:*:bucket:</strong><strong style="color:#3D3F43;" id="obs_40_0023__b24859914545142">*</strong>, indicating any OBS bucket.</p> <ul id="obs_40_0023__ul5609041191715"><li id="obs_40_0023__li389817471171"><strong id="obs_40_0023__b10899184761711">obs:*:*:bucket:</strong><strong id="obs_40_0023__b1489924721718">*</strong> (indicating any OBS bucket)</li><li id="obs_40_0023__li2060984191712"><strong id="obs_40_0023__b13659863294">obs:*:*:bucket:examplebucket</strong> (indicating that the policy applies to bucket <strong id="obs_40_0023__b109899017816">examplebucket</strong>)</li></ul>
<p id="obs_40_0023__p07854412554">To perform operations on OBS Console or OBS Browser+, grant the<strong id="obs_40_0023__b1392303593417"> obs:bucket:ListBucket</strong> permission to a specified bucket.</p> <p id="obs_40_0023__p07854412554">To perform operations on OBS Console or OBS Browser+, grant the<strong id="obs_40_0023__b1392303593417"> obs:bucket:ListBucket</strong> permission to a specified bucket.</p>
</li><li id="obs_40_0023__li68704665514">Choose <strong id="obs_40_0023__b1294597612">Specific resources</strong> &gt; <strong id="obs_40_0023__b63881013665">Object</strong> to specify an object resource.<p id="obs_40_0023__p325619913310"><span style="color:#3D3F43;">[Format]</span></p> </li><li id="obs_40_0023__li68704665514">Choose <strong id="obs_40_0023__b1294597612">Specific resources</strong> &gt; <strong id="obs_40_0023__b63881013665">Object</strong> to specify an object resource.<p id="obs_40_0023__p325619913310">[Format]</p>
<p id="obs_40_0023__p1925689183116"><span style="color:#3D3F43;">obs:*:*:object:</span><em style="color:#3D3F43;" id="obs_40_0023__i50449033345142">bucket name/object name</em></p> <p id="obs_40_0023__p1925689183116">Objects in a specified directory: <strong id="obs_40_0023__b19991655085">obs:*:*:object:</strong><em id="obs_40_0023__i052751113910">Bucket name</em><strong id="obs_40_0023__b1170011142091">/</strong><em id="obs_40_0023__i19757131614910">Prefix</em><strong id="obs_40_0023__b2076831914912">/*</strong></p>
<p id="obs_40_0023__p12557181110459">Specified object: <strong id="obs_40_0023__b934634918916">obs:*:*:object:</strong><em id="obs_40_0023__i1764535519910">Bucket name</em><strong id="obs_40_0023__b128853562918">/</strong><em id="obs_40_0023__i264518555918">Object name</em></p>
<p id="obs_40_0023__p182561698314">[Note]</p> <p id="obs_40_0023__p182561698314">[Note]</p>
<p id="obs_40_0023__p770393763415">For object resources, IAM automatically generates the prefix of the resource path: <strong id="obs_40_0023__b132313378445142">obs:*:*:object:</strong></p> <p id="obs_40_0023__p770393763415">For object resources, IAM automatically generates the prefix of the resource path: <strong id="obs_40_0023__b132313378445142">obs:*:*:object:</strong></p>
<p id="obs_40_0023__p181983113519">For the path of a specific object, add the <em id="obs_40_0023__i187486116645142">bucket name/object name</em> to the end. You can also add a wildcard character (*) to indicate any object in a bucket. Example:</p> <p id="obs_40_0023__p181983113519">For the path of a specific object, add the <em id="obs_40_0023__i187486116645142">bucket name/object name</em> to the end. You can also add a wildcard character (*) to indicate any object in a bucket. Examples are given as follows:</p>
<p id="obs_40_0023__p161341247133614"><strong id="obs_40_0023__b51485814945142">obs:*:*:object:my-bucket/my-object/*</strong>: any object in the <strong id="obs_40_0023__b211828846445142">my-object</strong> directory of the <strong id="obs_40_0023__b134773144545142">my-bucket</strong> bucket.</p> <ul id="obs_40_0023__ul1749611911817"><li id="obs_40_0023__li164971619121811"><strong id="obs_40_0023__b528922915117">obs:*:*:object:my-bucket/my-object/*</strong> (indicating any object in the <strong id="obs_40_0023__b18289529141116">my-object</strong> directory of bucket <strong id="obs_40_0023__b1289152921112">my-bucket</strong>)</li><li id="obs_40_0023__li10610192691814"><strong id="obs_40_0023__b12668105469">obs:*:*:object:</strong><strong id="obs_40_0023__b1566910154617">my-bucket/exampleobject</strong> (indicating object <strong id="obs_40_0023__b20792171571216">exampleobject</strong> in bucket <strong id="obs_40_0023__b1716812282124">my-bucket</strong>)</li></ul>
</li></ul> </li></ul>
</td> </td>
</tr> </tr>
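Review bot: The new [Format] lines for object resources introduce "Bucket name/Prefix/*" for a directory, but the directory example kept below is still "obs:*:*:object:my-bucket/my-object/*", where the directory is called "my-object", and the [Note] paragraph still says to add "bucket name/object name" without mentioning a prefix. Suggest renaming the directory in the example to something that reads as a prefix and updating the [Note] sentence to cover both forms, so a reader does not mistake the wildcard path for a single object. Capitalization also differs between the new "Bucket name" / "Object name" placeholders and the existing lowercase "bucket name". Two smaller points: this file still says "Select the actions to be authorized" under [Permission 2] while the same step in obs_40_0022 was changed to "allowed", and the first bucket example listed under Specific resources is the wildcard "obs:*:*:bucket:*", which covers every bucket; putting the "examplebucket" form first would match the topic's goal of scoping to specific resources.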
@ -59,8 +60,8 @@
</tbody> </tbody>
</table> </table>
</div> </div>
</p></li><li id="obs_40_0023__li1293324623719"><span>Click <strong id="obs_40_0023__b87622676045142">OK</strong>. The custom policy is created.</span></li><li id="obs_40_0023__li81339157389"><span><a href="https://docs.otc.t-systems.com/en-us/usermanual/iam/iam_01_0030.html" target="_blank" rel="noopener noreferrer">Create a user group and assign permissions</a>.</span><p><p id="obs_40_0023__p1312812258417">Add the created custom policy to the user group by following the instructions in the IAM document.</p> </p></li><li id="obs_40_0023__li1293324623719"><span>Click <strong id="obs_40_0023__b8111135943212">OK</strong>.</span></li><li id="obs_40_0023__li81339157389"><span><a href="https://docs.otc.t-systems.com/en-us/usermanual/iam/iam_01_0030.html" target="_blank" rel="noopener noreferrer">Create a user group and assign permissions</a>.</span><p><p id="obs_40_0023__p1312812258417">Apply the created custom policy to the user group by following the instructions in the IAM document.</p>
</p></li><li id="obs_40_0023__li12273529113919"><span>Add the IAM user you want to authorize to the created user group by referring to <a href="https://docs.otc.t-systems.com/en-us/usermanual/iam/iam_01_0031.html" target="_blank" rel="noopener noreferrer">Creating a User and Adding the User to a User Group</a>.</span><p><div class="note" id="obs_40_0023__note1402619155515"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="obs_40_0023__p37253183814">Due to data caching, it takes about 10 to 15 minutes for a custom policy to take effect after the authorization.</p> </p></li><li id="obs_40_0023__li12273529113919"><span><a href="https://docs.otc.t-systems.com/en-us/usermanual/iam/iam_01_0031.html" target="_blank" rel="noopener noreferrer">Add the IAM user you want to authorize to the created user group</a>.</span><p><div class="note" id="obs_40_0023__note1402619155515"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="obs_40_0023__p37253183814">Due to data caching, it takes about 10 to 15 minutes for a custom policy to take effect.</p>
</div></div> </div></div>
</p></li></ol> </p></li></ol>
</div> </div>

View File

@ -4,20 +4,20 @@
<div id="body1588765301379"></div> <div id="body1588765301379"></div>
<div> <div>
<ul class="ullinks"> <ul class="ullinks">
<li class="ulchildlink"><strong><a href="obs_40_0025.html">Granting an Account the Read and Write Permissions on a Bucket</a></strong><br> <li class="ulchildlink"><strong><a href="obs_40_0025.html">Granting Other Accounts the Read/Write Permission for a Bucket</a></strong><br>
</li> </li>
<li class="ulchildlink"><strong><a href="obs_40_0026.html">Granting an Account the Specified Permissions on a Bucket</a></strong><br> <li class="ulchildlink"><strong><a href="obs_40_0026.html">Granting Other Accounts the Specified Permissions for a Bucket</a></strong><br>
</li> </li>
<li class="ulchildlink"><strong><a href="obs_40_0027.html">Granting IAM Users Under an Account the Access to a Bucket and Resources in the Bucket</a></strong><br> <li class="ulchildlink"><strong><a href="obs_40_0027.html">Granting IAM Users Under an Account the Access to a Bucket and the Resources in It</a></strong><br>
</li> </li>
<li class="ulchildlink"><strong><a href="obs_40_0028.html">Granting an Account Read Permissions on Certain Objects</a></strong><br> <li class="ulchildlink"><strong><a href="obs_40_0028.html">Granting Other Accounts the Read Permission for Certain Objects</a></strong><br>
</li> </li>
<li class="ulchildlink"><strong><a href="obs_40_0029.html">Granting an Account the Specified Permissions on Certain Objects</a></strong><br> <li class="ulchildlink"><strong><a href="obs_40_0029.html">Granting Other Accounts Specific Permissions for Specific Objects</a></strong><br>
</li> </li>
</ul> </ul>
<div class="familylinks"> <div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="obs_40_0012.html">Configuration Cases in Typical Permission Control Scenarios</a></div> <div class="parentlink"><strong>Parent topic:</strong> <a href="obs_40_0012.html">Permission Configuration in Typical Scenarios</a></div>
</div> </div>
</div> </div>
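Review bot: The renamed child links are not consistent with each other: "Granting Other Accounts the Specified Permissions for a Bucket" keeps "the Specified", while "Granting Other Accounts Specific Permissions for Specific Objects" uses "Specific" with no article, and "the Read Permission for Certain Objects" still uses "Certain". The IAM topic renamed earlier in this commit uses "Specific Permissions on Specific OBS Resources" with "on" rather than "for". Suggest settling on one pattern (for example "Specific Permissions for ...") across all five titles and the IAM topic, and checking that each target page's h1 matches its link text.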

View File

@ -1,17 +1,16 @@
<a name="obs_40_0025"></a><a name="obs_40_0025"></a> <a name="obs_40_0025"></a><a name="obs_40_0025"></a>
<h1 class="topictitle1">Granting an Account the Read and Write Permissions on a Bucket</h1> <h1 class="topictitle1">Granting Other Accounts the Read/Write Permission for a Bucket</h1>
<div id="body1588765301379"><div class="section" id="obs_40_0025__section43491717165116"><h4 class="sectiontitle">Scenario</h4><p id="obs_40_0025__p3431154410448">This topic describes how to grant other accounts (excluding the IAM users under them) the read and write permissions on OBS buckets. For details about how to grant permissions to an IAM user, see <a href="obs_40_0027.html">Granting IAM Users Under an Account the Access to a Bucket and Resources in the Bucket</a>.</p> <div id="body1588765301379"><div class="section" id="obs_40_0025__section43491717165116"><h4 class="sectiontitle">Scenario</h4><p id="obs_40_0025__p3431154410448">This topic describes how to grant other accounts (excluding the IAM users under them) the read/write permission for OBS buckets. For details about how to grant permissions to an IAM user, see <a href="obs_40_0027.html">Granting IAM Users Under an Account the Access to a Bucket and the Resources in It</a>.</p>
</div> </div>
<div class="section" id="obs_40_0025__section106520378518"><h4 class="sectiontitle">Recommended Configuration</h4><p id="obs_40_0025__p103657437515">You are advised to use bucket policies to grant permissions to other accounts.</p> <div class="section" id="obs_40_0025__section106520378518"><h4 class="sectiontitle">Recommended Configuration</h4><p id="obs_40_0025__p103657437515">Use bucket policies to grant permissions to other accounts.</p>
</div> </div>
<div class="section" id="obs_40_0025__section786219432319"><h4 class="sectiontitle">Configuration Precautions</h4><div class="p" id="obs_40_0025__p1436151622312">The preset read/write mode of OBS has the following permissions:<ul id="obs_40_0025__ul12273198112311"><li id="obs_40_0025__li1327378202314">GetObject: downloading objects</li><li id="obs_40_0025__li227314817237">PutObject: uploading objects</li><li id="obs_40_0025__li127318812235">GetObjectVersion: downloading versioned objects</li><li id="obs_40_0025__li727310818238">DeleteObjectVersion: deleting objects versions</li><li id="obs_40_0025__li8273888232">DeleteObject: deleting objects</li></ul> <div class="section" id="obs_40_0025__section786219432319"><h4 class="sectiontitle">Precautions</h4>
<p id="obs_40_0025__p16477101313289">After the configuration is complete, the authorized account can perform read and write operations (upload, download, or delete all objects in a bucket) by using APIs or by adding external buckets through OBS Browser+. Currently, access to buckets of other accounts is not allowed on OBS Console.</p>
<p id="obs_40_0025__p119511212513">When you use OBS Browser+ to access the added external bucket, a message may still be displayed indicating that you do not have required permissions.</p>
<p id="obs_40_0025__p8321172512317">Error cause: The loading on the OBS Browser+ bucket details page invokes some other OBS APIs. However, such operations are not allowed by the read and write permissions. Therefore, a message "Access denied. Check the response permission" or "This operation is not allowed on the requested resource" is displayed, however, existing permissions are not affected.</p>
</div> </div>
<p id="obs_40_0025__p16477101313289">After the configuration is complete, the authorized account can perform read and write operations (upload, download, or delete all objects in a bucket) by using APIs or by adding external buckets through OBS Browser+. To do this by adding external buckets, the <strong id="obs_40_0025__b720124283">ListBucket</strong> permission is also required. Currently, access to buckets of other accounts is not allowed on OBS Console.</p> <div class="section" id="obs_40_0025__section18368164564"><h4 class="sectiontitle">Procedure</h4><ol id="obs_40_0025__ol170633855216"><li id="obs_40_0025__li724955124912"><span>In the navigation pane of OBS Console, choose <strong id="obs_40_0025__b189344278589">Object Storage</strong>.</span></li><li id="obs_40_0025__li32491951194912"><span>In the bucket list, click the bucket name you want to go to the <strong id="obs_40_0025__b99118241123829">Overview</strong> page.</span></li><li id="obs_40_0025__li5249145194918"><span>In the navigation pane, choose <strong id="obs_40_0025__b10549556669050">Permissions</strong>.</span></li><li id="obs_40_0025__li1568715376490"><span>On the <strong id="obs_40_0025__b147605057051039">Bucket Policies</strong> page, click <strong id="obs_40_0025__b195674331451039">Create Bucket Policy</strong> under <strong id="obs_40_0025__b122537408951039">Custom Bucket Policies</strong>.</span></li><li id="obs_40_0025__li3552175452220"><span>Configure a bucket policy.</span><p><div class="fignone" id="obs_40_0025__fig1852718391218"><span class="figcap"><b>Figure 1 </b>Configuring a bucket policy</span><br><span><img id="obs_40_0025__image25281839172119" src="en-us_image_0000001436140385.png"></span></div>
<p id="obs_40_0025__p119511212513">After the ListBucket permission is configured, a message may still be displayed indicating that you do not have the permission to access the added external bucket through OBS Browser+.</p>
<p id="obs_40_0025__p8321172512317">Error cause: <span style="color:#3D3F43;">The loading on the OBS Browser+ bucket details page invokes some other OBS APIs. However, such operations are not allowed by the read and write permissions. Therefore, a message "Access denied. Check the response permission" or "This operation is not allowed on the requested resource" is displayed, however, existing permissions are not affected.</span></p>
</div>
<div class="section" id="obs_40_0025__section18368164564"><h4 class="sectiontitle">Procedure</h4><ol id="obs_40_0025__ol170633855216"><li id="obs_40_0025__li973618915320"><span>In the navigation pane of OBS Console, choose <strong id="obs_40_0025__b189344278589">Object Storage</strong>.</span></li><li id="obs_40_0025__li11242915363"><span>In the bucket list, click the bucket name you want to go to the <strong id="obs_40_0025__b97586262357">Overview</strong> page.</span></li><li id="obs_40_0025__li13508181724617"><span>In the navigation pane, choose <strong id="obs_40_0025__b1970758941">Permissions</strong>.</span></li><li id="obs_40_0025__li1568715376490"><span>On the <strong id="obs_40_0025__b147605057051039">Bucket Policies</strong> page, click <strong id="obs_40_0025__b195674331451039">Create Bucket Policy</strong> under <strong id="obs_40_0025__b122537408951039">Custom Bucket Policies</strong>.</span></li><li id="obs_40_0025__li3552175452220"><span>Configure parameters for a bucket policy.</span><p><div class="fignone" id="obs_40_0025__fig1852718391218"><span class="figcap"><b>Figure 1 </b>Configuring parameters for a bucket policy</span><br><span><img id="obs_40_0025__image25281839172119" src="en-us_image_0000001436140385.png"></span></div>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="obs_40_0025__table374341792315" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Parameters for creating a bucket policy</caption><thead align="left"><tr id="obs_40_0025__row27504174239"><th align="left" class="cellrowborder" valign="top" width="26.88%" id="mcps1.3.4.2.5.2.2.2.3.1.1"><p id="obs_40_0025__p107559176234"><strong id="obs_40_0025__b126898518751039">Parameter</strong></p> <div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="obs_40_0025__table374341792315" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Parameters for creating a bucket policy</caption><thead align="left"><tr id="obs_40_0025__row27504174239"><th align="left" class="cellrowborder" valign="top" width="26.88%" id="mcps1.3.4.2.5.2.2.2.3.1.1"><p id="obs_40_0025__p107559176234"><strong id="obs_40_0025__b126898518751039">Parameter</strong></p>
</th> </th>
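Review bot: The new Precautions section drops the list of actions that the preset read/write mode grants (GetObject, PutObject, GetObjectVersion, DeleteObjectVersion, DeleteObject), so someone granting this to another account no longer sees on this page that the grant includes both delete actions. Keep the list, or at least name the delete actions next to "upload, download, or delete all objects in a bucket". The sentence "To do this by adding external buckets, the ListBucket permission is also required" is also removed from Precautions, which leaves the optional procedure step as the only mention of that requirement. The retained error-cause paragraph still has the "however, ... however" run-on, which is worth fixing while the section is being edited.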
@ -26,7 +25,7 @@
</tr> </tr>
<tr id="obs_40_0025__row8783617122317"><td class="cellrowborder" valign="top" width="26.88%" headers="mcps1.3.4.2.5.2.2.2.3.1.1 "><p id="obs_40_0025__p478519172231">Principal</p> <tr id="obs_40_0025__row8783617122317"><td class="cellrowborder" valign="top" width="26.88%" headers="mcps1.3.4.2.5.2.2.2.3.1.1 "><p id="obs_40_0025__p478519172231">Principal</p>
</td> </td>
<td class="cellrowborder" valign="top" width="73.11999999999999%" headers="mcps1.3.4.2.5.2.2.2.3.1.2 "><ul id="obs_40_0025__ul1341145419174"><li id="obs_40_0025__li6417546174">Select <strong id="obs_40_0025__b599782418303">Include</strong> &gt; <strong id="obs_40_0025__b8969142863011">Other account</strong>.</li><li id="obs_40_0025__li4253125801711"><strong id="obs_40_0025__b971085145016">Account ID</strong>: Enter the ID of the account which you want to grant permissions to. You can obtain it from the <strong id="obs_40_0025__b2710195119509">My Credentials</strong> page of the account.</li><li id="obs_40_0025__li1530533711817"><strong id="obs_40_0025__b17887923204714">User ID</strong>: Enter the account ID, which can be obtained from the <strong id="obs_40_0025__b789213237479">My Credentials</strong> page of the account.<div class="note" id="obs_40_0025__note8498202544611"><span class="notetitle"> NOTE: </span><div class="notebody"><p id="obs_40_0025__p15498192594615">In this example, permissions are granted to an account, excluding any IAM user under the account. Therefore, the user ID is the same as the account ID.</p> <td class="cellrowborder" valign="top" width="73.11999999999999%" headers="mcps1.3.4.2.5.2.2.2.3.1.2 "><ul id="obs_40_0025__ul1341145419174"><li id="obs_40_0025__li6417546174">Select <strong id="obs_40_0025__b599782418303">Include</strong> &gt; <strong id="obs_40_0025__b8969142863011">Other account</strong>.</li><li id="obs_40_0025__li4253125801711"><strong id="obs_40_0025__b971085145016">Account ID</strong>: Enter the ID of the account which you want to grant permissions to. You can obtain it from the <strong id="obs_40_0025__b2710195119509">My Credentials</strong> page of the account.</li><li id="obs_40_0025__li1530533711817"><strong id="obs_40_0025__b17887923204714">User ID</strong>: Enter the account ID. 
You can obtain it from the <strong id="obs_40_0025__b789213237479">My Credentials</strong> page of the account.<div class="note" id="obs_40_0025__note8498202544611"><span class="notetitle"> NOTE: </span><div class="notebody"><p id="obs_40_0025__p15498192594615">In this example, permissions are granted to an account, excluding any IAM user under the account. Therefore, the user ID is the same as the account ID.</p>
</div></div> </div></div>
</li></ul> </li></ul>
</td> </td>
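Review bot: The User ID bullet now reads "Enter the account ID." followed by the same "You can obtain it from the My Credentials page of the account." sentence as the Account ID bullet directly above it, so the two bullets look like a copy-paste error until the reader reaches the NOTE. Say it in the bullet itself, for example "Enter the same account ID again", and keep the NOTE for the reason (permissions go to the account, not to an IAM user under it).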
@ -39,7 +38,7 @@
</tbody> </tbody>
</table> </table>
</div> </div>
</p></li><li id="obs_40_0025__li4406132611218"><span>Click <strong id="obs_40_0025__b85420007751039">OK</strong>. The bucket policy is created.</span></li><li id="obs_40_0025__li2201036121111"><span>(Optional) Click <strong id="obs_40_0025__b1325710565310">Create Bucket Policy</strong> again.</span><p><p id="obs_40_0025__p1299963512116">If the authorized account wants to access the OBS bucket on OBS Browser+ by mounting an external bucket, you need to add a ListBucket permission.</p> </p></li><li id="obs_40_0025__li4406132611218"><span>Click <strong id="obs_40_0025__b85420007751039">OK</strong>.</span></li><li id="obs_40_0025__li2201036121111"><span>(Optional) Click <strong id="obs_40_0025__b1325710565310">Create Bucket Policy</strong> again.</span><p><p id="obs_40_0025__p1299963512116">If the authorized account wants to access the OBS bucket on OBS Browser+ by mounting an external bucket, you need to add a ListBucket permission.</p>
</p></li><li id="obs_40_0025__li1470617571214"><span>(Optional) Configure the ListBucket permission.</span><p><div class="fignone" id="obs_40_0025__fig12326103116234"><span class="figcap"><b>Figure 2 </b>Configuring the ListBucket permission</span><br><span><img id="obs_40_0025__image1132733113237" src="en-us_image_0000001435981085.png"></span></div> </p></li><li id="obs_40_0025__li1470617571214"><span>(Optional) Configure the ListBucket permission.</span><p><div class="fignone" id="obs_40_0025__fig12326103116234"><span class="figcap"><b>Figure 2 </b>Configuring the ListBucket permission</span><br><span><img id="obs_40_0025__image1132733113237" src="en-us_image_0000001435981085.png"></span></div>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="obs_40_0025__table3706135201215" frame="border" border="1" rules="all"><caption><b>Table 2 </b>Parameters for creating a bucket policy</caption><thead align="left"><tr id="obs_40_0025__row2070620591220"><th align="left" class="cellrowborder" valign="top" width="26.88%" id="mcps1.3.4.2.8.2.2.2.3.1.1"><p id="obs_40_0025__p1770714531211"><strong id="obs_40_0025__b124334919751039">Parameter</strong></p> <div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="obs_40_0025__table3706135201215" frame="border" border="1" rules="all"><caption><b>Table 2 </b>Parameters for creating a bucket policy</caption><thead align="left"><tr id="obs_40_0025__row2070620591220"><th align="left" class="cellrowborder" valign="top" width="26.88%" id="mcps1.3.4.2.8.2.2.2.3.1.1"><p id="obs_40_0025__p1770714531211"><strong id="obs_40_0025__b124334919751039">Parameter</strong></p>
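Review bot: The optional step kept as context here says "by mounting an external bucket", while the Precautions text in the same file says "adding external buckets through OBS Browser+"; use one term for the same operation. Table 2 also reuses Table 1's caption, "Parameters for creating a bucket policy", so the two tables cannot be told apart by caption; name the second one after what it configures, the ListBucket permission, as Figure 2 already does.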
@ -78,7 +77,7 @@
</tbody> </tbody>
</table> </table>
</div> </div>
</p></li><li id="obs_40_0025__li1940154881411"><span>(Optional) Click <strong id="obs_40_0025__b181981053184714">OK</strong>. The bucket policy is created.</span></li></ol> </p></li><li id="obs_40_0025__li1940154881411"><span>(Optional) Click <strong id="obs_40_0025__b181981053184714">OK</strong>.</span></li></ol>
</div> </div>
</div> </div>
<div> <div>
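Review bot: The last step still reads "(Optional) Click OK.", which suggests that confirming the dialog is optional even after the ListBucket permission has been configured. The optional part is the whole ListBucket sub-procedure (the three steps starting at "(Optional) Click Create Bucket Policy again"); mark that group as optional once and drop the marker from the individual steps, so a reader who starts it is not invited to skip the confirmation.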


@ -1,14 +1,14 @@
<a name="obs_40_0026"></a><a name="obs_40_0026"></a> <a name="obs_40_0026"></a><a name="obs_40_0026"></a>
<h1 class="topictitle1">Granting an Account the Specified Permissions on a Bucket</h1> <h1 class="topictitle1">Granting Other Accounts the Specified Permissions for a Bucket</h1>
<div id="body1588765301379"><div class="section" id="obs_40_0026__section43491717165116"><h4 class="sectiontitle">Scenario</h4><p id="obs_40_0026__p122729624518">This topic describes how to grant other accounts (excluding the IAM users under them) specific operation permissions on OBS buckets. For details about how to grant permissions to an IAM user, see <a href="obs_40_0027.html">Granting IAM Users Under an Account the Access to a Bucket and Resources in the Bucket</a>.</p> <div id="body1588765301379"><div class="section" id="obs_40_0026__section43491717165116"><h4 class="sectiontitle">Scenario</h4><p id="obs_40_0026__p122729624518">This topic describes how to grant other accounts (excluding the IAM users under them) specific permissions for OBS buckets. For details about how to grant permissions to an IAM user, see <a href="obs_40_0027.html">Granting IAM Users Under an Account the Access to a Bucket and the Resources in It</a>.</p>
<p id="obs_40_0026__p3431154410448">The following example explains how to grant the permissions to configure a bucket ACL and obtain the bucket ACL configuration information. If you need to configure other permissions, select the corresponding actions from the <strong id="obs_40_0026__b8042834446010">Action Name</strong> drop-down list in the bucket policy. For details about the actions supported by OBS, see <a href="obs_40_0041.html#obs_40_0041__en-us_topic_0118394684_section1623516525350">Action/NotAction</a>.</p> <p id="obs_40_0026__p3431154410448">The following example explains how to grant the permissions to configure a bucket ACL and obtain the bucket ACL configuration information. To grant other permissions, select required actions from <strong id="obs_40_0026__b197522419171">Action Name</strong> in the bucket policy. For details about the actions supported by OBS, see <a href="obs_40_0041.html#obs_40_0041__en-us_topic_0118394684_section1623516525350">Action/NotAction</a>.</p>
</div> </div>
<div class="section" id="obs_40_0026__section106520378518"><h4 class="sectiontitle">Recommended Configuration</h4><p id="obs_40_0026__p103657437515">You are advised to use bucket policies to grant permissions to other accounts.</p> <div class="section" id="obs_40_0026__section106520378518"><h4 class="sectiontitle">Recommended Configuration</h4><p id="obs_40_0026__p103657437515">Use bucket policies to grant permissions to other accounts.</p>
</div> </div>
<div class="section" id="obs_40_0026__section786219432319"><h4 class="sectiontitle">Configuration Precautions</h4><p id="obs_40_0026__p119511212513">After the configuration is complete, the authorized account can configure and obtain a bucket ACL by using APIs or SDKs or by adding external buckets through OBS Browser+. To do this by adding external buckets, the <strong id="obs_40_0026__b74571950993">ListBucket</strong> permission is also required. Currently, access to buckets of other accounts is not allowed on OBS Console.</p> <div class="section" id="obs_40_0026__section786219432319"><h4 class="sectiontitle">Precautions</h4><p id="obs_40_0026__p119511212513">After configuration, the authorized account can configure and obtain a bucket ACL by using APIs or SDKs or by adding external buckets through OBS Browser+. To do this by adding external buckets, the <strong id="obs_40_0026__b74571950993">ListBucket</strong> permission is also required. Currently, access to buckets of other accounts is not allowed on OBS Console.</p>
</div> </div>
<div class="section" id="obs_40_0026__section18368164564"><h4 class="sectiontitle">Procedure</h4><ol id="obs_40_0026__ol170633855216"><li id="obs_40_0026__li973618915320"><span>In the navigation pane of OBS Console, choose <strong id="obs_40_0026__b55631234145812">Object Storage</strong>.</span></li><li id="obs_40_0026__li11242915363"><span>In the bucket list, click the bucket name you want to go to the <strong id="obs_40_0026__b9925184715356">Overview</strong> page.</span></li><li id="obs_40_0026__li13508181724617"><span>In the navigation pane, choose <strong id="obs_40_0026__b66631832104415">Permissions</strong>.</span></li><li id="obs_40_0026__li49461065486"><span>On the <strong id="obs_40_0026__b271214281818">Bucket Policies</strong> page, click <strong id="obs_40_0026__b9712728817">Create Bucket Policy</strong> under <strong id="obs_40_0026__b27121128911">Custom Bucket Policies</strong>.</span></li><li id="obs_40_0026__li1470617571214"><span>Configure parameters for a bucket policy.</span><p><div class="fignone" id="obs_40_0026__fig195023162719"><span class="figcap"><b>Figure 1 </b>Configuring parameters for a bucket policy</span><br><span><img id="obs_40_0026__image19950839279" src="en-us_image_0000001385862242.png"></span></div> <div class="section" id="obs_40_0026__section18368164564"><h4 class="sectiontitle">Procedure</h4><ol id="obs_40_0026__ol170633855216"><li id="obs_40_0026__li724955124912"><span>In the navigation pane of OBS Console, choose <strong id="obs_40_0026__b55631234145812">Object Storage</strong>.</span></li><li id="obs_40_0026__li32491951194912"><span>In the bucket list, click the bucket name you want to go to the <strong id="obs_40_0026__b73459336923830">Overview</strong> page.</span></li><li id="obs_40_0026__li5249145194918"><span>In the navigation pane, choose <strong id="obs_40_0026__b21029769509052">Permissions</strong>.</span></li><li id="obs_40_0026__li1568715376490"><span>On the <strong id="obs_40_0026__b271214281818">Bucket 
Policies</strong> page, click <strong id="obs_40_0026__b9712728817">Create Bucket Policy</strong> under <strong id="obs_40_0026__b27121128911">Custom Bucket Policies</strong>.</span></li><li id="obs_40_0026__li1470617571214"><span>Configure a bucket policy.</span><p><div class="fignone" id="obs_40_0026__fig195023162719"><span class="figcap"><b>Figure 1 </b>Configuring a bucket policy</span><br><span><img id="obs_40_0026__image19950839279" src="en-us_image_0000001385862242.png"></span></div>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="obs_40_0026__table3706135201215" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Parameters for creating a bucket policy</caption><thead align="left"><tr id="obs_40_0026__row2070620591220"><th align="left" class="cellrowborder" valign="top" width="26.88%" id="mcps1.3.4.2.5.2.2.2.3.1.1"><p id="obs_40_0026__p1770714531211"><strong id="obs_40_0026__b15223315836010">Parameter</strong></p> <div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="obs_40_0026__table3706135201215" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Parameters for creating a bucket policy</caption><thead align="left"><tr id="obs_40_0026__row2070620591220"><th align="left" class="cellrowborder" valign="top" width="26.88%" id="mcps1.3.4.2.5.2.2.2.3.1.1"><p id="obs_40_0026__p1770714531211"><strong id="obs_40_0026__b15223315836010">Parameter</strong></p>
</th> </th>
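Review bot: The Precautions paragraph covers only how the authorized account can use the grant, but the example in the Scenario grants permission to configure the bucket ACL, which is itself an access-control setting for the bucket. Add a sentence to Precautions stating that an account holding this permission can change the bucket ACL, so it should be granted only to accounts trusted to manage access to the bucket.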
@ -28,7 +28,7 @@
</tr> </tr>
<tr id="obs_40_0026__row27071453128"><td class="cellrowborder" valign="top" width="26.88%" headers="mcps1.3.4.2.5.2.2.2.3.1.1 "><p id="obs_40_0026__p9707195171215">Principal</p> <tr id="obs_40_0026__row27071453128"><td class="cellrowborder" valign="top" width="26.88%" headers="mcps1.3.4.2.5.2.2.2.3.1.1 "><p id="obs_40_0026__p9707195171215">Principal</p>
</td> </td>
<td class="cellrowborder" valign="top" width="73.11999999999999%" headers="mcps1.3.4.2.5.2.2.2.3.1.2 "><ul id="obs_40_0026__ul1770715511217"><li id="obs_40_0026__li1070775131213">Select <strong id="obs_40_0026__b7291505406010">Include</strong> &gt; <strong id="obs_40_0026__b10479822166010">Other account</strong>.</li><li id="obs_40_0026__li117071512129"><strong id="obs_40_0026__b178541856510">Account ID</strong>: Enter the ID of the account which you want to grant permissions to. You can obtain it from the <strong id="obs_40_0026__b685455165119">My Credentials</strong> page of the account.</li><li id="obs_40_0026__li4707175171214"><strong id="obs_40_0026__b1089715764919">User ID</strong>: Enter the account ID, which can be obtained from the <strong id="obs_40_0026__b1457188676010">My Credentials</strong> page of the account.<div class="note" id="obs_40_0026__note8498202544611"><span class="notetitle"> NOTE: </span><div class="notebody"><p id="obs_40_0026__p15498192594615">In this example, permissions are granted to an account, excluding any IAM user under the account. Therefore, the user ID is the same as the account ID.</p> <td class="cellrowborder" valign="top" width="73.11999999999999%" headers="mcps1.3.4.2.5.2.2.2.3.1.2 "><ul id="obs_40_0026__ul1770715511217"><li id="obs_40_0026__li1070775131213">Select <strong id="obs_40_0026__b7291505406010">Include</strong> &gt; <strong id="obs_40_0026__b10479822166010">Other account</strong>.</li><li id="obs_40_0026__li117071512129"><strong id="obs_40_0026__b178541856510">Account ID</strong>: Enter the ID of the account which you want to grant permissions to. You can obtain it from the <strong id="obs_40_0026__b685455165119">My Credentials</strong> page of the account.</li><li id="obs_40_0026__li4707175171214"><strong id="obs_40_0026__b16461122618210">User ID</strong>: Enter the account ID. 
You can obtain it from the <strong id="obs_40_0026__b174616266214">My Credentials</strong> page of the account.<div class="note" id="obs_40_0026__note8498202544611"><span class="notetitle"> NOTE: </span><div class="notebody"><p id="obs_40_0026__p15498192594615">In this example, permissions are granted to an account, excluding any IAM user under the account. Therefore, the user ID is the same as the account ID.</p>
</div></div> </div></div>
</li></ul> </li></ul>
</td> </td>
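Review bot: The two strong-element ids in the User ID bullet change here (b1089715764919 to b16461122618210 and b1457188676010 to b174616266214) although only the sentence structure is edited, whereas the same wording change in obs_40_0025 keeps its ids. If the ids are regenerated by the toolchain this is harmless noise; if anything references them, keep them stable so the diff carries only the wording change.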
@ -48,7 +48,7 @@
</tbody> </tbody>
</table> </table>
</div> </div>
</p></li><li id="obs_40_0026__li1940154881411"><span>Click <strong id="obs_40_0026__b6119912276010">OK</strong>. The bucket policy is created.</span></li></ol> </p></li><li id="obs_40_0026__li1940154881411"><span>Click <strong id="obs_40_0026__b6119912276010">OK</strong>.</span></li></ol>
</div> </div>
</div> </div>
<div> <div>
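Review bot: The procedure ends at "Click OK." with no ListBucket step, although this file's Precautions state that "the ListBucket permission is also required" when the authorized account adds the bucket as an external bucket in OBS Browser+. Either add the optional ListBucket steps used in obs_40_0025 or cross-reference them from Precautions, so the stated requirement comes with a way to meet it.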

File diff suppressed because it is too large


@ -1,16 +1,14 @@
<a name="obs_40_0028"></a><a name="obs_40_0028"></a> <a name="obs_40_0028"></a><a name="obs_40_0028"></a>
<h1 class="topictitle1">Granting an Account Read Permissions on Certain Objects</h1> <h1 class="topictitle1">Granting Other Accounts the Read Permission for Certain Objects</h1>
<div id="body1588765301379"><div class="section" id="obs_40_0028__section43491717165116"><h4 class="sectiontitle">Scenario</h4><p id="obs_40_0028__p3431154410448">This case describes how to grant other accounts (excluding IAM users under the account) the read permission for an object or a type of objects in an OBS bucket. For details about how to grant permissions to an IAM user, see <a href="obs_40_0027.html">Granting IAM Users Under an Account the Access to a Bucket and Resources in the Bucket</a>.</p> <div id="body1588765301379"><div class="section" id="obs_40_0028__section43491717165116"><h4 class="sectiontitle">Scenario</h4><p id="obs_40_0028__p3431154410448">This case describes how to grant other accounts (excluding IAM users under the account) the read permission for an object or a type of objects in an OBS bucket. For details about how to grant permissions to an IAM user, see <a href="obs_40_0027.html">Granting IAM Users Under an Account the Access to a Bucket and the Resources in It</a>.</p>
</div> </div>
<div class="section" id="obs_40_0028__section106520378518"><h4 class="sectiontitle">Recommended Configuration</h4><p id="obs_40_0028__p103657437515">You are advised to use bucket policies to grant permissions to other accounts.</p> <div class="section" id="obs_40_0028__section106520378518"><h4 class="sectiontitle">Recommended Configuration</h4><p id="obs_40_0028__p103657437515">Use bucket policies to grant permissions to other accounts.</p>
</div> </div>
<div class="section" id="obs_40_0028__section786219432319"><h4 class="sectiontitle">Configuration Precautions</h4><p id="obs_40_0028__p1436151622312">The preset read-only mode of OBS has the following permissions:</p> <div class="section" id="obs_40_0028__section786219432319"><h4 class="sectiontitle">Precautions</h4><p id="obs_40_0028__p817120327254">After configuration, they can read (download) specific objects using APIs. However, if they download an object from OBS Console or OBS Browser+, a message will be displayed, indicating that they do not have required permissions.</p>
<ul id="obs_40_0028__ul12273198112311"><li id="obs_40_0028__li1327378202314">GetObject: downloading objects</li><li id="obs_40_0028__li127318812235">GetObjectVersion: downloading versioned objects</li></ul> <p id="obs_40_0028__p2027615802413">When they log in to OBS Console or OBS Browser+, the <strong id="obs_40_0028__b13505139164020">ListAllMyBuckets</strong> APi is called to load the bucket list and some other APIs will also be called on other pages, but their permissions do not cover those APIs. In such case, the message is displayed.</p>
<p id="obs_40_0028__p817120327254">After the configuration is complete, you can read (download) specific objects using APIs. However, if you download an object from OBS Console or OBS Browser+, an error is reported indicating that you do not have required permissions.</p>
<p id="obs_40_0028__p2027615802413">This is because when you log in to OBS Console or OBS Browser+, APIs (such as <strong id="obs_40_0028__b7957153916368">ListAllMyBuckets</strong> and <strong id="obs_40_0028__b13277941123615">ListBucket</strong>) are called to load the bucket list and object list and some other APIs will also be called on other pages, but your permissions do not cover those APIs. In such case, your access is denied or your operation is not allowed.</p>
</div> </div>
<div class="section" id="obs_40_0028__section18368164564"><h4 class="sectiontitle">Procedure</h4><ol id="obs_40_0028__ol745117710219"><li id="obs_40_0028__li973618915320"><span>In the navigation pane of OBS Console, choose <strong id="obs_40_0028__b166521479587">Object Storage</strong>.</span></li><li id="obs_40_0028__li104511752115"><span>In the bucket list, click the bucket name you want to go to the <strong id="obs_40_0028__b327691211374">Overview</strong> page.</span></li><li id="obs_40_0028__li13508181724617"><span>In the navigation pane, choose <strong id="obs_40_0028__b17881115474513">Permissions</strong>.</span></li><li id="obs_40_0028__li49461065486"><span>On the <strong id="obs_40_0028__b344716607">Bucket Policies</strong> page, click <strong id="obs_40_0028__b14482614015">Create Bucket Policy</strong> under <strong id="obs_40_0028__b04481366013">Custom Bucket Policies</strong>.</span></li><li id="obs_40_0028__li3552175452220"><span>Configure parameters for a bucket policy.</span><p><div class="fignone" id="obs_40_0028__fig7676182754111"><span class="figcap"><b>Figure 1 </b>Configuring parameters for a bucket policy</span><br><span><img id="obs_40_0028__image13678227144115" src="en-us_image_0000001385864766.png"></span></div> <div class="section" id="obs_40_0028__section18368164564"><h4 class="sectiontitle">Procedure</h4><ol id="obs_40_0028__ol745117710219"><li id="obs_40_0028__li724955124912"><span>In the navigation pane of OBS Console, choose <strong id="obs_40_0028__b166521479587">Object Storage</strong>.</span></li><li id="obs_40_0028__li32491951194912"><span>In the bucket list, click the bucket name you want to go to the <strong id="obs_40_0028__b5521423524140">Overview</strong> page.</span></li><li id="obs_40_0028__li5249145194918"><span>In the navigation pane, choose <strong id="obs_40_0028__b12419074589057">Permissions</strong>.</span></li><li id="obs_40_0028__li1568715376490"><span>On the <strong id="obs_40_0028__b344716607">Bucket 
Policies</strong> page, click <strong id="obs_40_0028__b14482614015">Create Bucket Policy</strong> under <strong id="obs_40_0028__b04481366013">Custom Bucket Policies</strong>.</span></li><li id="obs_40_0028__li3552175452220"><span>Configure a bucket policy.</span><p><div class="fignone" id="obs_40_0028__fig7676182754111"><span class="figcap"><b>Figure 1 </b>Configuring a bucket policy</span><br><span><img id="obs_40_0028__image13678227144115" src="en-us_image_0000001385864766.png"></span></div>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="obs_40_0028__table374341792315" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Parameters for creating a bucket policy</caption><thead align="left"><tr id="obs_40_0028__row27504174239"><th align="left" class="cellrowborder" valign="top" width="23.82%" id="mcps1.3.4.2.5.2.2.2.3.1.1"><p id="obs_40_0028__p107559176234"><strong id="obs_40_0028__b8746130373493">Parameter</strong></p> <div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="obs_40_0028__table374341792315" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Parameters for creating a bucket policy</caption><thead align="left"><tr id="obs_40_0028__row27504174239"><th align="left" class="cellrowborder" valign="top" width="23.82%" id="mcps1.3.4.2.5.2.2.2.3.1.1"><p id="obs_40_0028__p107559176234"><strong id="obs_40_0028__b8746130373493">Parameter</strong></p>
</th> </th>
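Review bot: In the new Precautions text, "the ListAllMyBuckets APi is called" has a typo (APi should be API), and both new paragraphs use "they" with no antecedent in the section ("After configuration, they can read ..."); write "the authorized accounts" instead. The rewrite also removes the list of actions in the preset read-only mode (GetObject, GetObjectVersion) and the mention of ListBucket among the APIs the console calls, so the page no longer says which actions the grant covers; keep the two-item list.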
@ -25,7 +23,7 @@
</tr> </tr>
<tr id="obs_40_0028__row8783617122317"><td class="cellrowborder" valign="top" width="23.82%" headers="mcps1.3.4.2.5.2.2.2.3.1.1 "><p id="obs_40_0028__p478519172231">Principal</p> <tr id="obs_40_0028__row8783617122317"><td class="cellrowborder" valign="top" width="23.82%" headers="mcps1.3.4.2.5.2.2.2.3.1.1 "><p id="obs_40_0028__p478519172231">Principal</p>
</td> </td>
<td class="cellrowborder" valign="top" width="76.18%" headers="mcps1.3.4.2.5.2.2.2.3.1.2 "><ul id="obs_40_0028__ul1341145419174"><li id="obs_40_0028__li6417546174">Select <strong id="obs_40_0028__b21387414843493">Include</strong> &gt; <strong id="obs_40_0028__b12867007463493">Other account</strong>.</li><li id="obs_40_0028__li4253125801711"><strong id="obs_40_0028__b3494121513548">Account ID</strong>: Enter the ID of the account which you want to grant permissions to. You can obtain it from the <strong id="obs_40_0028__b9495315195418">My Credentials</strong> page of the account.</li><li id="obs_40_0028__li1530533711817"><strong id="obs_40_0028__b7183291173493">User ID</strong>: Enter the account ID, which can be obtained from the <strong id="obs_40_0028__b5979426203493">My Credentials</strong> page of the account.<div class="note" id="obs_40_0028__note8498202544611"><span class="notetitle"> NOTE: </span><div class="notebody"><p id="obs_40_0028__p15498192594615">In this example, permissions are granted to an account, excluding any IAM user under the account. Therefore, the user ID is the same as the account ID.</p> <td class="cellrowborder" valign="top" width="76.18%" headers="mcps1.3.4.2.5.2.2.2.3.1.2 "><ul id="obs_40_0028__ul1341145419174"><li id="obs_40_0028__li6417546174">Select <strong id="obs_40_0028__b21387414843493">Include</strong> &gt; <strong id="obs_40_0028__b12867007463493">Other account</strong>.</li><li id="obs_40_0028__li4253125801711"><strong id="obs_40_0028__b3494121513548">Account ID</strong>: Enter the ID of the account which you want to grant permissions to. You can obtain it from the <strong id="obs_40_0028__b9495315195418">My Credentials</strong> page of the account.</li><li id="obs_40_0028__li1530533711817"><strong id="obs_40_0028__b6565838221">User ID</strong>: Enter the account ID. 
You can obtain it from the <strong id="obs_40_0028__b056610381929">My Credentials</strong> page of the account.<div class="note" id="obs_40_0028__note8498202544611"><span class="notetitle"> NOTE: </span><div class="notebody"><p id="obs_40_0028__p15498192594615">In this example, permissions are granted to an account, excluding any IAM user under the account. Therefore, the user ID is the same as the account ID.</p>
</div></div> </div></div>
</li></ul> </li></ul>
</td> </td>
@ -40,7 +38,7 @@
</tbody> </tbody>
</table> </table>
</div> </div>
</p></li><li id="obs_40_0028__li4406132611218"><span>Click <strong id="obs_40_0028__b913976893493">OK</strong>. The bucket policy is created.</span></li></ol> </p></li><li id="obs_40_0028__li4406132611218"><span>Click <strong id="obs_40_0028__b913976893493">OK</strong>.</span></li></ol>
</div> </div>
</div> </div>
<div> <div>
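Review bot: With "The bucket policy is created." removed, the final step ends at "Click OK." and the procedure no longer states its outcome. Because the Precautions explain that OBS Console and OBS Browser+ show a permission message even when the grant works, the reader has no positive signal left on this page; keep the removed sentence or say where the created policy can be seen.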


@ -1,16 +1,16 @@
<a name="obs_40_0029"></a><a name="obs_40_0029"></a> <a name="obs_40_0029"></a><a name="obs_40_0029"></a>
<h1 class="topictitle1">Granting an Account the Specified Permissions on Certain Objects</h1> <h1 class="topictitle1">Granting Other Accounts Specific Permissions for Specific Objects</h1>
<div id="body1588765301379"><div class="section" id="obs_40_0029__section43491717165116"><h4 class="sectiontitle">Scenario</h4><p id="obs_40_0029__p1829466339">This case describes how to grant other accounts the specified operation permission on a specified object in an OBS bucket. The following describes how to grant the permission to download an object.</p> <div id="body1588765301379"><div class="section" id="obs_40_0029__section43491717165116"><h4 class="sectiontitle">Scenario</h4><p id="obs_40_0029__p1829466339">This section describes how to grant other accounts the permissions to download an object from a bucket.</p>
<p id="obs_40_0029__p131221236151420">If you need to configure other permissions, select the corresponding actions from the <strong id="obs_40_0029__b100374449134854">Action Name</strong> drop-down list in the bucket policy. For details about the actions supported by OBS, see <a href="obs_40_0041.html#obs_40_0041__en-us_topic_0118394684_section1623516525350">Action/NotAction</a>.</p> <p id="obs_40_0029__p131221236151420">To grant other permissions, select required actions from <strong id="obs_40_0029__b96795611191">Action Name</strong> in the bucket policy. For details about the actions supported by OBS, see <a href="obs_40_0041.html#obs_40_0041__en-us_topic_0118394684_section1623516525350">Action/NotAction</a>.</p>
<p id="obs_40_0029__p3431154410448">For details about how to grant permissions to an IAM user, see <a href="obs_40_0027.html">Granting IAM Users Under an Account the Access to a Bucket and Resources in the Bucket</a>.</p> <p id="obs_40_0029__p3431154410448">For details about how to grant permissions to an IAM user, see <a href="obs_40_0027.html">Granting IAM Users Under an Account the Access to a Bucket and the Resources in It</a>.</p>
</div> </div>
<div class="section" id="obs_40_0029__section106520378518"><h4 class="sectiontitle">Recommended Configuration</h4><p id="obs_40_0029__p103657437515">You are advised to use bucket policies to grant permissions to other accounts.</p> <div class="section" id="obs_40_0029__section106520378518"><h4 class="sectiontitle">Recommended Configuration</h4><p id="obs_40_0029__p103657437515">Use bucket policies to grant permissions to other accounts.</p>
</div> </div>
<div class="section" id="obs_40_0029__section786219432319"><h4 class="sectiontitle">Configuration Precautions</h4><p id="obs_40_0029__p4883191595712">After the configuration is complete, you can download objects using APIs. However, if you log in to OBS Console or OBS Browser+ to download an object, an error is reported indicating that you do not have required permissions.</p> <div class="section" id="obs_40_0029__section786219432319"><h4 class="sectiontitle">Precautions</h4><p id="obs_40_0029__p4883191595712">After configuration, they can download objects using APIs. However, if they download objects using OBS Console or OBS Browser+, a message will be displayed indicating that they do not have required permissions.</p>
<p id="obs_40_0029__p3603656113417">This is because when you log in to OBS Console or OBS Browser+, APIs (such as <strong id="obs_40_0029__b787091743816">ListAllMyBuckets</strong> and <strong id="obs_40_0029__b64222195381">ListBucket</strong>) are called to load the bucket list and object list and some other APIs will also be called on other pages, but your permissions do not cover those APIs. In such case, your access is denied or your operation is not allowed.</p> <p id="obs_40_0029__p3603656113417">When they log in to OBS Console or OBS Browser+, APIs (such as <strong id="obs_40_0029__b16431925203612">ListAllMyBuckets</strong> and <strong id="obs_40_0029__b06441825183618">ListBucket</strong>) are called to load the bucket list and object list and some other APIs will also be called on other pages, but their permissions do not cover those APIs. In such case, the message is displayed.</p>
</div> </div>
<div class="section" id="obs_40_0029__section18368164564"><h4 class="sectiontitle">Procedure</h4><ol id="obs_40_0029__ol170633855216"><li id="obs_40_0029__li973618915320"><span>In the navigation pane of OBS Console, choose <strong id="obs_40_0029__b1591195314582">Object Storage</strong>.</span></li><li id="obs_40_0029__li11242915363"><span>In the bucket list, click the bucket name you want to go to the <strong id="obs_40_0029__b14813156103712">Overview</strong> page.</span></li><li id="obs_40_0029__li13508181724617"><span>In the navigation pane, choose <strong id="obs_40_0029__b10759142594616">Permissions</strong>.</span></li><li id="obs_40_0029__li49461065486"><span>On the <strong id="obs_40_0029__b99977311234">Bucket Policies</strong> page, click <strong id="obs_40_0029__b499853111312">Create Bucket Policy</strong> under <strong id="obs_40_0029__b109980314316">Custom Bucket Policies</strong>.</span></li><li id="obs_40_0029__li3552175452220"><span>Configure parameters for a bucket policy.</span><p><div class="fignone" id="obs_40_0029__fig0845620144418"><span class="figcap"><b>Figure 1 </b>Configuring parameters for a bucket policy</span><br><span><img id="obs_40_0029__image1984812015445" src="en-us_image_0000001386185594.png"></span></div> <div class="section" id="obs_40_0029__section18368164564"><h4 class="sectiontitle">Procedure</h4><ol id="obs_40_0029__ol170633855216"><li id="obs_40_0029__li724955124912"><span>In the navigation pane of OBS Console, choose <strong id="obs_40_0029__b1591195314582">Object Storage</strong>.</span></li><li id="obs_40_0029__li32491951194912"><span>In the bucket list, click the bucket name you want to go to the <strong id="obs_40_0029__b51079271323834">Overview</strong> page.</span></li><li id="obs_40_0029__li5249145194918"><span>In the navigation pane, choose <strong id="obs_40_0029__b11470415329058">Permissions</strong>.</span></li><li id="obs_40_0029__li1568715376490"><span>On the <strong id="obs_40_0029__b99977311234">Bucket 
Policies</strong> page, click <strong id="obs_40_0029__b499853111312">Create Bucket Policy</strong> under <strong id="obs_40_0029__b109980314316">Custom Bucket Policies</strong>.</span></li><li id="obs_40_0029__li3552175452220"><span>Configure a bucket policy.</span><p><div class="fignone" id="obs_40_0029__fig0845620144418"><span class="figcap"><b>Figure 1 </b>Configuring a bucket policy</span><br><span><img id="obs_40_0029__image1984812015445" src="en-us_image_0000001386185594.png"></span></div>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="obs_40_0029__table374341792315" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Parameters for creating a bucket policy</caption><thead align="left"><tr id="obs_40_0029__row27504174239"><th align="left" class="cellrowborder" valign="top" width="23.599999999999998%" id="mcps1.3.4.2.5.2.2.2.3.1.1"><p id="obs_40_0029__p107559176234"><strong id="obs_40_0029__b118020145734854">Parameter</strong></p> <div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="obs_40_0029__table374341792315" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Parameters for creating a bucket policy</caption><thead align="left"><tr id="obs_40_0029__row27504174239"><th align="left" class="cellrowborder" valign="top" width="23.599999999999998%" id="mcps1.3.4.2.5.2.2.2.3.1.1"><p id="obs_40_0029__p107559176234"><strong id="obs_40_0029__b118020145734854">Parameter</strong></p>
</th> </th>
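Review bot: In the Precautions paragraphs the subject changes from "you" to "they" ("After configuration, they can download objects using APIs"), but nothing in that section says who "they" are; the only antecedent is "other accounts" in the Scenario section. Name the subject once, for example "users of the authorized account". The closing sentence "In such case, the message is displayed" is also weaker than the old wording: say that the request is denied because ListAllMyBuckets and ListBucket are outside the granted actions. Step 2 still reads "click the bucket name you want to go to the Overview page" on both sides and is worth fixing in the same pass.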
@ -30,7 +30,7 @@
</tr> </tr>
<tr id="obs_40_0029__row8783617122317"><td class="cellrowborder" valign="top" width="23.599999999999998%" headers="mcps1.3.4.2.5.2.2.2.3.1.1 "><p id="obs_40_0029__p478519172231">Principal</p> <tr id="obs_40_0029__row8783617122317"><td class="cellrowborder" valign="top" width="23.599999999999998%" headers="mcps1.3.4.2.5.2.2.2.3.1.1 "><p id="obs_40_0029__p478519172231">Principal</p>
</td> </td>
<td class="cellrowborder" valign="top" width="76.4%" headers="mcps1.3.4.2.5.2.2.2.3.1.2 "><ul id="obs_40_0029__ul1341145419174"><li id="obs_40_0029__li6417546174">Select <strong id="obs_40_0029__b26863363234854">Include</strong> &gt; <strong id="obs_40_0029__b157525699634854">Other account</strong>.</li><li id="obs_40_0029__li106259549386"><strong id="obs_40_0029__b1928953110544">Account ID</strong>: Enter the ID of the account which you want to grant permissions to. You can obtain it from the <strong id="obs_40_0029__b112897315540">My Credentials</strong> page of the account.</li><li id="obs_40_0029__li1530533711817"><strong id="obs_40_0029__b88083778734854">User ID</strong>: Enter the account ID, which can be obtained from the <strong id="obs_40_0029__b135638497834854">My Credentials</strong> page of the account.<div class="note" id="obs_40_0029__note8498202544611"><span class="notetitle"> NOTE: </span><div class="notebody"><p id="obs_40_0029__p15498192594615">In this example, permissions are granted to an account, excluding any IAM user under the account. Therefore, the user ID is the same as the account ID.</p> <td class="cellrowborder" valign="top" width="76.4%" headers="mcps1.3.4.2.5.2.2.2.3.1.2 "><ul id="obs_40_0029__ul1341145419174"><li id="obs_40_0029__li6417546174">Select <strong id="obs_40_0029__b26863363234854">Include</strong> &gt; <strong id="obs_40_0029__b157525699634854">Other account</strong>.</li><li id="obs_40_0029__li106259549386"><strong id="obs_40_0029__b1928953110544">Account ID</strong>: Enter the ID of the account which you want to grant permissions to. You can obtain it from the <strong id="obs_40_0029__b112897315540">My Credentials</strong> page of the account.</li><li id="obs_40_0029__li1530533711817"><strong id="obs_40_0029__b164461950622">User ID</strong>: Enter the account ID. 
You can obtain it from the <strong id="obs_40_0029__b2044617509214">My Credentials</strong> page of the account.<div class="note" id="obs_40_0029__note8498202544611"><span class="notetitle"> NOTE: </span><div class="notebody"><p id="obs_40_0029__p15498192594615">In this example, permissions are granted to an account, excluding any IAM user under the account. Therefore, the user ID is the same as the account ID.</p>
</div></div> </div></div>
</li></ul> </li></ul>
</td> </td>
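Review bot: The rewritten User ID item ("Enter the account ID. You can obtain it from the My Credentials page of the account.") does not say which account, while the Account ID item next to it specifies "the account which you want to grant permissions to". Since the NOTE below states that the two values are identical in this example, say so in the item itself, for example "Enter the same ID as in Account ID", so the reader does not enter their own account ID as the principal.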
@ -51,7 +51,7 @@
</tbody> </tbody>
</table> </table>
</div> </div>
</p></li><li id="obs_40_0029__li4406132611218"><span>Click <strong id="obs_40_0029__b164104890034854">OK</strong>. The bucket policy is created.</span></li></ol> </p></li><li id="obs_40_0029__li4406132611218"><span>Click <strong id="obs_40_0029__b164104890034854">OK</strong>.</span></li></ol>
</div> </div>
</div> </div>
<div> <div>

View File

@ -4,18 +4,18 @@
<div id="body1588765301379"></div> <div id="body1588765301379"></div>
<div> <div>
<ul class="ullinks"> <ul class="ullinks">
<li class="ulchildlink"><strong><a href="obs_40_0031.html">Granting Anonymous Users Public Read Permissions on a Bucket</a></strong><br> <li class="ulchildlink"><strong><a href="obs_40_0031.html">Granting Anonymous Users the Public Read Permission for a Bucket</a></strong><br>
</li> </li>
<li class="ulchildlink"><strong><a href="obs_40_0032.html">Granting Anonymous Users Public Read Permissions on a Directory</a></strong><br> <li class="ulchildlink"><strong><a href="obs_40_0032.html">Granting Anonymous Users the Read Permission for a Directory</a></strong><br>
</li> </li>
<li class="ulchildlink"><strong><a href="obs_40_0033.html">Granting Anonymous Users Public Read Permissions on Certain Objects</a></strong><br> <li class="ulchildlink"><strong><a href="obs_40_0033.html">Granting Anonymous Users the Read Permission for Certain Objects</a></strong><br>
</li> </li>
<li class="ulchildlink"><strong><a href="obs_40_0034.html">Temporarily Sharing Objects with Anonymous Users</a></strong><br> <li class="ulchildlink"><strong><a href="obs_40_0034.html">Temporarily Sharing Objects with Anonymous Users</a></strong><br>
</li> </li>
</ul> </ul>
<div class="familylinks"> <div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="obs_40_0012.html">Configuration Cases in Typical Permission Control Scenarios</a></div> <div class="parentlink"><strong>Parent topic:</strong> <a href="obs_40_0012.html">Permission Configuration in Typical Scenarios</a></div>
</div> </div>
</div> </div>

View File

@ -1,59 +1,12 @@
<a name="obs_40_0031"></a><a name="obs_40_0031"></a> <a name="obs_40_0031"></a><a name="obs_40_0031"></a>
<h1 class="topictitle1">Granting Anonymous Users Public Read Permissions on a Bucket</h1> <h1 class="topictitle1">Granting Anonymous Users the Public Read Permission for a Bucket</h1>
<div id="body1588765301379"><div class="section" id="obs_40_0031__section142631357463"><h4 class="sectiontitle">Scenario</h4><p id="obs_40_0031__p15459915718">If a bucket needs to be accessed by anonymous users, you can configure a bucket policy and bucket ACL to grant the access permission to anonymous users. The following uses a bucket policy as an example.</p> <div id="body1588765301379"><div class="section" id="obs_40_0031__section142631357463"><h4 class="sectiontitle">Scenario</h4><p id="obs_40_0031__p15459915718">If a bucket needs to be accessed by anonymous users, you can configure a bucket policy and bucket ACL to grant the access permission to anonymous users. The following uses a bucket policy as an example.</p>
</div> </div>
<div class="section" id="obs_40_0031__section786219432319"><h4 class="sectiontitle">Configuration Precautions</h4><p id="obs_40_0031__p1436151622312">The <strong id="obs_40_0031__b175608381563">Public Read</strong> policy allows any user to read objects in a bucket. <strong id="obs_40_0031__b17891815245">Public Read</strong> has the following permissions:</p> <div class="section" id="obs_40_0031__section68804531942"><h4 class="sectiontitle">Procedure</h4><ol id="obs_40_0031__ol1570512004013"><li id="obs_40_0031__li724955124912"><span>In the navigation pane of OBS Console, choose <strong id="obs_40_0031__b160151135915">Object Storage</strong>.</span></li><li id="obs_40_0031__li32491951194912"><span>In the bucket list, click the bucket name you want to go to the <strong id="obs_40_0031__b23434528723836">Overview</strong> page.</span></li><li id="obs_40_0031__li5249145194918"><span>In the navigation pane, choose <strong id="obs_40_0031__b857726282910">Permissions</strong>.</span></li><li id="obs_40_0031__li1568715376490"><span>On the <strong id="obs_40_0031__b8147659583330">Bucket Policies</strong> page, click <strong id="obs_40_0031__b11638887203330">Create Bucket Policy</strong> under <strong id="obs_40_0031__b4918743533330">Custom Bucket Policies</strong>.</span></li><li id="obs_40_0031__li179542323403"><span>On the <strong id="obs_40_0031__b42597237711">Bucket Policies</strong> tab page, select the <strong id="obs_40_0031__b598162894">Public Read</strong> policy for the bucket in the <strong id="obs_40_0031__b13341122995">Standard Bucket Policies</strong> area.</span><p><div class="fignone" id="obs_40_0031__fig47171574453"><span class="figcap"><b>Figure 1 </b>Granting public read permissions on buckets to anonymous users</span><br><span><img id="obs_40_0031__image1972015576455" src="en-us_image_0000001436305909.png"></span></div>
<ul id="obs_40_0031__ul979910296419"><li id="obs_40_0031__li979902918414">GetObject: downloading objects</li><li id="obs_40_0031__li2079952914417">GetObjectVersion: downloading versioned objects</li><li id="obs_40_0031__li2079918294411">HeadBucket: checking whether a bucket exists</li><li id="obs_40_0031__li107991329549">ListBucket: listing objects in a bucket and obtaining the bucket metadata<div class="note" id="obs_40_0031__note171618381482"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="obs_40_0031__p101623854811">When you access a bucket through its domain name, the ListBucket permission allows you to list all objects in the bucket. If you want to restrict this permission to specified users under an account, see <a href="#obs_40_0031__section191491712418">Related Scenario: Canceling the ListBucket Permission from the Public Read Policy</a>.</p>
</div></div>
</li></ul>
</div>
<div class="section" id="obs_40_0031__section68804531942"><h4 class="sectiontitle">Procedure</h4><ol id="obs_40_0031__ol1570512004013"><li id="obs_40_0031__li973618915320"><span>In the navigation pane of OBS Console, choose <strong id="obs_40_0031__b160151135915">Object Storage</strong>.</span></li><li id="obs_40_0031__li143061822104011"><span>In the bucket list, click the bucket name you want to go to the <strong id="obs_40_0031__b10742152483810">Overview</strong> page.</span></li><li id="obs_40_0031__li125741927104010"><span>In the navigation pane, choose <strong id="obs_40_0031__b162092054144616">Permissions</strong>.</span></li><li id="obs_40_0031__li179542323403"><span>On the <strong id="obs_40_0031__b42597237711">Bucket Policies</strong> tab page, select the <strong id="obs_40_0031__b598162894">Public Read</strong> policy for the bucket in the <strong id="obs_40_0031__b13341122995">Standard Bucket Policies</strong> area.</span><p><div class="fignone" id="obs_40_0031__fig47171574453"><span class="figcap"><b>Figure 1 </b>Granting public read permissions on buckets to anonymous users</span><br><span><img id="obs_40_0031__image1972015576455" src="en-us_image_0000001436305909.png"></span></div>
</p></li></ol> </p></li></ol>
</div> </div>
<div class="section" id="obs_40_0031__section6487417124"><h4 class="sectiontitle">Verification</h4><ol id="obs_40_0031__ol2572461220"><li id="obs_40_0031__li155714141220"><span>After the permission is set, in the <strong id="obs_40_0031__b6691112521111">Basic Information </strong>area of the bucket details page, locate <strong id="obs_40_0031__b1092919328113">Access Domain Name</strong>. Share the URL of the access domain name over the Internet so that all Internet users can access the bucket.</span></li><li id="obs_40_0031__li18579413121"><span>On the <strong id="obs_40_0031__b5887104421216">Objects</strong> tab page of the bucket, click the target object name and find the object link. Share the object link over the Internet so that all Internet users can access the object.</span></li></ol> <div class="section" id="obs_40_0031__section6487417124"><h4 class="sectiontitle">Verification</h4><ol id="obs_40_0031__ol2572461220"><li id="obs_40_0031__li155714141220"><span>After the permission is set, in the <strong id="obs_40_0031__b6691112521111">Basic Information </strong>area of the bucket overview page, locate <strong id="obs_40_0031__b1092919328113">Access Domain Name</strong>. Share the URL of the access domain name over the Internet so that all Internet users can access the bucket.</span></li><li id="obs_40_0031__li18579413121"><span>On the <strong id="obs_40_0031__b5887104421216">Objects</strong> tab page of the bucket, click the target object name and find the object link. Share the object link over the Internet so that all Internet users can access the object.</span></li></ol>
</div>
<div class="section" id="obs_40_0031__section191491712418"><a name="obs_40_0031__section191491712418"></a><a name="section191491712418"></a><h4 class="sectiontitle">Related Scenario: Canceling the ListBucket Permission from the Public Read Policy</h4><p id="obs_40_0031__p56019208246">If you want to restrict the ListBucket permission to specified users under an account, you need to configure another bucket policy.</p>
<ol id="obs_40_0031__ol170633855216"><li id="obs_40_0031__li659013400614"><span>In the navigation pane of OBS Console, choose <strong id="obs_40_0031__b55115455918">Object Storage</strong>.</span></li><li id="obs_40_0031__li11242915363"><span>In the bucket list, click the bucket name you want to go to the <strong id="obs_40_0031__b2049817312386">Overview</strong> page.</span></li><li id="obs_40_0031__li13508181724617"><span>In the navigation pane, choose <strong id="obs_40_0031__b9424181334719">Permissions</strong>.</span></li><li id="obs_40_0031__li49461065486"><span>On the <strong id="obs_40_0031__b9734530112714">Bucket Policies</strong> page, click <strong id="obs_40_0031__b3734163017278">Create Bucket Policy</strong> under <strong id="obs_40_0031__b13735103020272">Custom Bucket Policies</strong>.</span></li><li id="obs_40_0031__li1470617571214"><span>Configure parameters for a bucket policy.</span><p><div class="fignone" id="obs_40_0031__fig163820984812"><span class="figcap"><b>Figure 2 </b>Configuring parameters for a bucket policy</span><br><span><img id="obs_40_0031__image46401934816" src="en-us_image_0000001436265909.png"></span></div>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="obs_40_0031__table3706135201215" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Parameters for creating a bucket policy</caption><thead align="left"><tr id="obs_40_0031__row2070620591220"><th align="left" class="cellrowborder" valign="top" width="23.72%" id="mcps1.3.5.3.5.2.2.2.3.1.1"><p id="obs_40_0031__p1770714531211">Parameter</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="76.28%" id="mcps1.3.5.3.5.2.2.2.3.1.2"><p id="obs_40_0031__p47078561217">Description</p>
</th>
</tr>
</thead>
<tbody><tr id="obs_40_0031__row3707105161213"><td class="cellrowborder" valign="top" width="23.72%" headers="mcps1.3.5.3.5.2.2.2.3.1.1 "><p id="obs_40_0031__p1270710541217">Policy Mode</p>
</td>
<td class="cellrowborder" valign="top" width="76.28%" headers="mcps1.3.5.3.5.2.2.2.3.1.2 "><p id="obs_40_0031__p1070720571218">Select <strong id="obs_40_0031__b138081140121918">Customized</strong>.</p>
</td>
</tr>
<tr id="obs_40_0031__row0282443111316"><td class="cellrowborder" valign="top" width="23.72%" headers="mcps1.3.5.3.5.2.2.2.3.1.1 "><p id="obs_40_0031__p1528214351316">Effect</p>
</td>
<td class="cellrowborder" valign="top" width="76.28%" headers="mcps1.3.5.3.5.2.2.2.3.1.2 "><p id="obs_40_0031__p628264361310">Select <strong id="obs_40_0031__b16649173421917">Deny</strong>.</p>
</td>
</tr>
<tr id="obs_40_0031__row27071453128"><td class="cellrowborder" valign="top" width="23.72%" headers="mcps1.3.5.3.5.2.2.2.3.1.1 "><p id="obs_40_0031__p9707195171215">Principal</p>
</td>
<td class="cellrowborder" valign="top" width="76.28%" headers="mcps1.3.5.3.5.2.2.2.3.1.2 "><div class="p" id="obs_40_0031__p6494105119184">Select <strong id="obs_40_0031__b191115411198">Exclude</strong>.<ul id="obs_40_0031__ul480721115180"><li id="obs_40_0031__li1024761941819">Select <strong id="obs_40_0031__b1294415814519">Cloud service user</strong>.</li><li id="obs_40_0031__li4245545161814"><strong id="obs_40_0031__b5401347104513">Account ID</strong>: Enter <strong id="obs_40_0031__b187851783471">*</strong> to indicate all anonymous users.</li><li id="obs_40_0031__li1703812151919"><strong id="obs_40_0031__b9747912195018">User ID</strong>: Enter one or more user IDs separated by a comma (,).</li></ul>
</div>
</td>
</tr>
<tr id="obs_40_0031__row187079581216"><td class="cellrowborder" valign="top" width="23.72%" headers="mcps1.3.5.3.5.2.2.2.3.1.1 "><p id="obs_40_0031__p47071520126">Resources</p>
</td>
<td class="cellrowborder" valign="top" width="76.28%" headers="mcps1.3.5.3.5.2.2.2.3.1.2 "><p id="obs_40_0031__p134612281416">Select <strong id="obs_40_0031__b846133113818">Include</strong> &gt; <strong id="obs_40_0031__b164753317383">Entire bucket</strong>.</p>
</td>
</tr>
<tr id="obs_40_0031__row16898181610148"><td class="cellrowborder" valign="top" width="23.72%" headers="mcps1.3.5.3.5.2.2.2.3.1.1 "><p id="obs_40_0031__p989841691413">Actions</p>
</td>
<td class="cellrowborder" valign="top" width="76.28%" headers="mcps1.3.5.3.5.2.2.2.3.1.2 "><ul id="obs_40_0031__ul48235222144"><li id="obs_40_0031__li1182312214143"><strong id="obs_40_0031__b5333242143817">Include</strong></li><li id="obs_40_0031__li04383583015"><strong id="obs_40_0031__b15385194483811">Action Name</strong>:<ul id="obs_40_0031__ul7641371302"><li id="obs_40_0031__li1533815258143">ListBucket</li></ul>
</li></ul>
</td>
</tr>
</tbody>
</table>
</div>
</p></li><li id="obs_40_0031__li1940154881411"><span>Click <strong id="obs_40_0031__b3538154817386">OK</strong>. The bucket policy is created.</span></li></ol>
<p id="obs_40_0031__p20864640131817"><strong id="obs_40_0031__b1441511883919">Verification</strong>: After the permission is set, in the <strong id="obs_40_0031__b1782519507385">Basic Information</strong> area of the bucket details page, locate <strong id="obs_40_0031__b18826165073818">Access Domain Name</strong>. Publish the URL on the Internet, and verify that only specified users can list objects in the bucket.</p>
</div> </div>
</div> </div>
<div> <div>
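Review bot: With the Configuration Precautions section removed, the new version of this topic no longer says what Public Read grants (GetObject, GetObjectVersion, HeadBucket, ListBucket) or that ListBucket lets anyone who reaches the bucket domain name list all objects, yet the Verification step still tells the reader to share the access domain name with all Internet users. The "Canceling the ListBucket Permission from the Public Read Policy" scenario is deleted as well, so the note's cross-reference target is gone too. Keep at least the action list and the ListBucket note, or link to the topic where that content now lives. Separately, new step 4 ("click Create Bucket Policy under Custom Bucket Policies") conflicts with step 5, which selects Public Read in the Standard Bucket Policies area; step 4 looks carried over from the custom-policy procedure and should be dropped.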

View File

@ -1,32 +1,29 @@
<a name="obs_40_0032"></a><a name="obs_40_0032"></a> <a name="obs_40_0032"></a><a name="obs_40_0032"></a>
<h1 class="topictitle1">Granting Anonymous Users Public Read Permissions on a Directory</h1> <h1 class="topictitle1">Granting Anonymous Users the Read Permission for a Directory</h1>
<div id="body1588765301379"><div class="section" id="obs_40_0032__section10302454102718"><h4 class="sectiontitle">Scenario</h4><p id="obs_40_0032__p016716217280">If all objects in a folder need to be accessible to anonymous users, you can configure a bucket policy to grant anonymous users the permission to access the folder.</p> <div id="body1588765301379"><div class="section" id="obs_40_0032__section10302454102718"><h4 class="sectiontitle">Scenario</h4><p id="obs_40_0032__p016716217280">If all objects in a folder need to be accessible to anonymous users, you can configure a bucket policy to grant anonymous users the permission to access the folder.</p>
</div> </div>
<div class="section" id="obs_40_0032__section786219432319"><h4 class="sectiontitle">Configuration Precautions</h4><p id="obs_40_0032__p1436151622312">The preset read-only mode of OBS has the following permissions:</p> <div class="section" id="obs_40_0032__section14782838103419"><h4 class="sectiontitle">Procedure</h4><ol id="obs_40_0032__ol1570512004013"><li id="obs_40_0032__li724955124912"><span>In the navigation pane of OBS Console, choose <strong id="obs_40_0032__b8597891590">Object Storage</strong>.</span></li><li id="obs_40_0032__li32491951194912"><span>In the bucket list, click the bucket name you want to go to the <strong id="obs_40_0032__b140001826023837">Overview</strong> page.</span></li><li id="obs_40_0032__li5249145194918"><span>In the navigation pane, choose <strong id="obs_40_0032__b2003948925912">Permissions</strong>.</span></li><li id="obs_40_0032__li1568715376490"><span>On the <strong id="obs_40_0032__b1489519200362">Bucket Policies</strong> page, click <strong id="obs_40_0032__b1089592019365">Create Bucket Policy</strong> under <strong id="obs_40_0032__b989662017360">Custom Bucket Policies</strong>.</span></li><li id="obs_40_0032__li2143744184017"><span>Configure parameters according to the following table, so that you can grant anonymous users the permission to access the folder and objects in it.</span><p><div class="fignone" id="obs_40_0032__fig6569962519"><span class="figcap"><b>Figure 1 </b>Granting public read permissions on a specific directory for anonymous users</span><br><span><img id="obs_40_0032__image956918645119" src="en-us_image_0000001436146565.png"></span></div>
<ul id="obs_40_0032__ul12273198112311"><li id="obs_40_0032__li1327378202314">GetObject: downloading objects</li><li id="obs_40_0032__li127318812235">GetObjectVersion: downloading versioned objects</li></ul>
</div>
<div class="section" id="obs_40_0032__section14782838103419"><h4 class="sectiontitle">Procedure</h4><ol id="obs_40_0032__ol1570512004013"><li id="obs_40_0032__li973618915320"><span>In the navigation pane of OBS Console, choose <strong id="obs_40_0032__b8597891590">Object Storage</strong>.</span></li><li id="obs_40_0032__li143061822104011"><span>In the bucket list, click the bucket name you want to go to the <strong id="obs_40_0032__b1050710528386">Overview</strong> page.</span></li><li id="obs_40_0032__li125741927104010"><span>In the navigation pane, choose <strong id="obs_40_0032__b1576953414713">Permissions</strong>.</span></li><li id="obs_40_0032__li49461065486"><span>On the <strong id="obs_40_0032__b1489519200362">Bucket Policies</strong> page, click <strong id="obs_40_0032__b1089592019365">Create Bucket Policy</strong> under <strong id="obs_40_0032__b989662017360">Custom Bucket Policies</strong>.</span></li><li id="obs_40_0032__li2143744184017"><span>Configure parameters according to the following table, so that you can grant anonymous users the permission to access the folder and objects in it.</span><p><div class="fignone" id="obs_40_0032__fig6569962519"><span class="figcap"><b>Figure 1 </b>Granting public read permissions on a specific directory for anonymous users</span><br><span><img id="obs_40_0032__image956918645119" src="en-us_image_0000001436146565.png"></span></div>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="obs_40_0032__table2481197162816" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Parameters for granting the permission to access a specified directory</caption><thead align="left"><tr id="obs_40_0032__row64826712819"><th align="left" class="cellrowborder" valign="top" width="31.71%" id="mcps1.3.3.2.5.2.2.2.3.1.1"><p id="obs_40_0032__p154822742816">Parameter</p> <div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="obs_40_0032__table2481197162816" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Parameters for granting the permission to access a specified directory</caption><thead align="left"><tr id="obs_40_0032__row64826712819"><th align="left" class="cellrowborder" valign="top" width="31.71%" id="mcps1.3.2.2.5.2.2.2.3.1.1"><p id="obs_40_0032__p154822742816">Parameter</p>
</th> </th>
<th align="left" class="cellrowborder" valign="top" width="68.28999999999999%" id="mcps1.3.3.2.5.2.2.2.3.1.2"><p id="obs_40_0032__p348297102815">Value</p> <th align="left" class="cellrowborder" valign="top" width="68.28999999999999%" id="mcps1.3.2.2.5.2.2.2.3.1.2"><p id="obs_40_0032__p348297102815">Value</p>
</th> </th>
</tr> </tr>
</thead> </thead>
<tbody><tr id="obs_40_0032__row1148237162814"><td class="cellrowborder" valign="top" width="31.71%" headers="mcps1.3.3.2.5.2.2.2.3.1.1 "><p id="obs_40_0032__p1348207182816">Policy Mode</p> <tbody><tr id="obs_40_0032__row1148237162814"><td class="cellrowborder" valign="top" width="31.71%" headers="mcps1.3.2.2.5.2.2.2.3.1.1 "><p id="obs_40_0032__p1348207182816">Policy Mode</p>
</td> </td>
<td class="cellrowborder" valign="top" width="68.28999999999999%" headers="mcps1.3.3.2.5.2.2.2.3.1.2 "><p id="obs_40_0032__p174828712280">Select <strong id="obs_40_0032__b213864775734844">Read-only</strong>.</p> <td class="cellrowborder" valign="top" width="68.28999999999999%" headers="mcps1.3.2.2.5.2.2.2.3.1.2 "><p id="obs_40_0032__p174828712280">Select <strong id="obs_40_0032__b213864775734844">Read-only</strong>.</p>
</td> </td>
</tr> </tr>
<tr id="obs_40_0032__row1248257102810"><td class="cellrowborder" valign="top" width="31.71%" headers="mcps1.3.3.2.5.2.2.2.3.1.1 "><p id="obs_40_0032__p1848237112812">Principal</p> <tr id="obs_40_0032__row1248257102810"><td class="cellrowborder" valign="top" width="31.71%" headers="mcps1.3.2.2.5.2.2.2.3.1.1 "><p id="obs_40_0032__p1848237112812">Principal</p>
</td> </td>
<td class="cellrowborder" valign="top" width="68.28999999999999%" headers="mcps1.3.3.2.5.2.2.2.3.1.2 "><ul id="obs_40_0032__ul165818244347"><li id="obs_40_0032__li1024761941819">Choose <strong id="obs_40_0032__b22071319115415">Include</strong> &gt; <strong id="obs_40_0032__b1976619136555">Cloud service user</strong>.</li><li id="obs_40_0032__li4245545161814"><strong id="obs_40_0032__b1617217618472">Account ID</strong>: Enter <strong id="obs_40_0032__b10172564478">*</strong> to indicate all anonymous users.</li></ul> <td class="cellrowborder" valign="top" width="68.28999999999999%" headers="mcps1.3.2.2.5.2.2.2.3.1.2 "><ul id="obs_40_0032__ul165818244347"><li id="obs_40_0032__li1024761941819">Choose <strong id="obs_40_0032__b22071319115415">Include</strong> &gt; <strong id="obs_40_0032__b1976619136555">Cloud service user</strong>.</li><li id="obs_40_0032__li4245545161814"><strong id="obs_40_0032__b1617217618472">Account ID</strong>: Enter <strong id="obs_40_0032__b10172564478">*</strong> to indicate all anonymous users.</li></ul>
</td> </td>
</tr> </tr>
<tr id="obs_40_0032__row14826742812"><td class="cellrowborder" valign="top" width="31.71%" headers="mcps1.3.3.2.5.2.2.2.3.1.1 "><p id="obs_40_0032__p248287202815">Resources</p> <tr id="obs_40_0032__row14826742812"><td class="cellrowborder" valign="top" width="31.71%" headers="mcps1.3.2.2.5.2.2.2.3.1.1 "><p id="obs_40_0032__p248287202815">Resources</p>
</td> </td>
<td class="cellrowborder" valign="top" width="68.28999999999999%" headers="mcps1.3.3.2.5.2.2.2.3.1.2 "><ul id="obs_40_0032__ul1546684213419"><li id="obs_40_0032__li1846617424342"><strong id="obs_40_0032__b197173940834844">Include</strong></li><li id="obs_40_0032__li1046624217342">Select <strong id="obs_40_0032__b38593620234844">Specific resources</strong>.</li><li id="obs_40_0032__li8466144263418">Set this parameter to all objects in the selected folder. If the folder name is <strong id="obs_40_0032__b114874976234844">folder-001</strong>, enter the value <strong id="obs_40_0032__b161441472534844">folder-001/*</strong>.</li></ul> <td class="cellrowborder" valign="top" width="68.28999999999999%" headers="mcps1.3.2.2.5.2.2.2.3.1.2 "><ul id="obs_40_0032__ul1546684213419"><li id="obs_40_0032__li1846617424342"><strong id="obs_40_0032__b197173940834844">Include</strong></li><li id="obs_40_0032__li1046624217342">Select <strong id="obs_40_0032__b38593620234844">Specific resources</strong>.</li><li id="obs_40_0032__li8466144263418">Set this parameter to all objects in the selected folder. If the folder name is <strong id="obs_40_0032__b114874976234844">folder-001</strong>, enter the value <strong id="obs_40_0032__b161441472534844">folder-001/*</strong>.</li></ul>
</td> </td>
</tr> </tr>
</tbody> </tbody>

View File

@ -1,6 +1,6 @@
<a name="obs_40_0033"></a><a name="obs_40_0033"></a> <a name="obs_40_0033"></a><a name="obs_40_0033"></a>
<h1 class="topictitle1">Granting Anonymous Users Public Read Permissions on Certain Objects</h1> <h1 class="topictitle1">Granting Anonymous Users the Read Permission for Certain Objects</h1>
<div id="body1588765301379"><div class="section" id="obs_40_0033__section168411647181311"><h4 class="sectiontitle">Scenario</h4><p id="obs_40_0033__p5371752191310">Enterprise A stores a large volume of map data in OBS, and offers the data for public query. This enterprise sets a read permission for anonymous users, and provides the data URLs on the Internet. Then all users can read or download the data through the URLs.</p> <div id="body1588765301379"><div class="section" id="obs_40_0033__section168411647181311"><h4 class="sectiontitle">Scenario</h4><p id="obs_40_0033__p5371752191310">Enterprise A stores a large volume of map data in OBS, and offers the data for public query. This enterprise sets a read permission for anonymous users, and provides the data URLs on the Internet. Then all users can read or download the data through the URLs.</p>
</div> </div>
<div class="section" id="obs_40_0033__section18368164564"><h4 class="sectiontitle">Procedure</h4><ol id="obs_40_0033__ol1953255192117"><li id="obs_40_0033__li19953165510219"><span>In the navigation pane of OBS Console, choose <strong id="obs_40_0033__b26268398246">Object Storage</strong>.</span></li><li id="obs_40_0033__li11242915363"><span>In the bucket list, click the bucket to be operated. The <strong id="obs_40_0033__b1773692772714">Overview</strong> page of the bucket is displayed.</span></li><li id="obs_40_0033__en-us_topic_0066036523_li36003791"><span>In the navigation pane, click <strong id="obs_40_0033__b59428378321">Objects</strong>.</span></li><li id="obs_40_0033__li15268192485317"><span>Click the name of the object to be operated.</span></li><li id="obs_40_0033__li22531610122211"><span>On the <strong id="obs_40_0033__b1722312721714">Object ACL</strong> tab page, click the target object and click <strong id="obs_40_0033__b7908911191716">Object ACL</strong>.</span></li><li id="obs_40_0033__li11266619182214"><span>In <strong id="obs_40_0033__b65336746234847">Public Permissions</strong> &gt; <strong id="obs_40_0033__b10777947734847">Anonymous User</strong>, click <strong id="obs_40_0033__b84420656134847">Edit</strong> and select the object read permission for anonymous users.</span><p><div class="fignone" id="obs_40_0033__fig1549415185311"><span class="figcap"><b>Figure 1 </b>Granting the public read permission on objects to anonymous users</span><br><span><img id="obs_40_0033__image5491015175317" src="en-us_image_0000001436307565.png"></span></div> <div class="section" id="obs_40_0033__section18368164564"><h4 class="sectiontitle">Procedure</h4><ol id="obs_40_0033__ol1953255192117"><li id="obs_40_0033__li19953165510219"><span>In the navigation pane of OBS Console, choose <strong id="obs_40_0033__b26268398246">Object Storage</strong>.</span></li><li id="obs_40_0033__li11242915363"><span>In the bucket list, click the bucket to be operated. 
The <strong id="obs_40_0033__b1773692772714">Overview</strong> page of the bucket is displayed.</span></li><li id="obs_40_0033__en-us_topic_0066036523_li36003791"><span>In the navigation pane, click <strong id="obs_40_0033__b59428378321">Objects</strong>.</span></li><li id="obs_40_0033__li15268192485317"><span>Click the name of the object to be operated.</span></li><li id="obs_40_0033__li22531610122211"><span>On the <strong id="obs_40_0033__b1722312721714">Object ACL</strong> tab page, click the target object and click <strong id="obs_40_0033__b7908911191716">Object ACL</strong>.</span></li><li id="obs_40_0033__li11266619182214"><span>In <strong id="obs_40_0033__b65336746234847">Public Permissions</strong> &gt; <strong id="obs_40_0033__b10777947734847">Anonymous User</strong>, click <strong id="obs_40_0033__b84420656134847">Edit</strong> and select the object read permission for anonymous users.</span><p><div class="fignone" id="obs_40_0033__fig1549415185311"><span class="figcap"><b>Figure 1 </b>Granting the public read permission on objects to anonymous users</span><br><span><img id="obs_40_0033__image5491015175317" src="en-us_image_0000001436307565.png"></span></div>
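Review bot: The figure caption in step 6 still reads "Granting the public read permission on objects to anonymous users" while the topic title was changed to "Granting Anonymous Users the Read Permission for Certain Objects"; align the caption with the new title wording. Step 5 is unchanged and tells the reader to click Object ACL on the Object ACL tab page after step 4 has already opened the object, which reads as a duplicated action. Since the Scenario publishes the data URLs on the Internet, a short note that anyone with the URL can read the object would match the note used in the temporary sharing topic.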

View File

@ -3,9 +3,9 @@
<h1 class="topictitle1">Temporarily Sharing Objects with Anonymous Users</h1> <h1 class="topictitle1">Temporarily Sharing Objects with Anonymous Users</h1>
<div id="body1588765301379"><div class="section" id="obs_40_0034__section25804574200"><h4 class="sectiontitle">Scenario</h4><p id="obs_40_0034__p15521311214">If you want to open an object to all users for a limited period of time, you can use the object sharing function.</p> <div id="body1588765301379"><div class="section" id="obs_40_0034__section25804574200"><h4 class="sectiontitle">Scenario</h4><p id="obs_40_0034__p15521311214">If you want to open an object to all users for a limited period of time, you can use the object sharing function.</p>
</div> </div>
<div class="section" id="obs_40_0034__section692129689"><h4 class="sectiontitle">Procedure for Sharing a File</h4><ol id="obs_40_0034__ol165136117163"><li id="obs_40_0034__li973618915320"><span>In the navigation pane of OBS Console, choose <strong id="obs_40_0034__b1744151175514">Object Storage</strong>.</span></li><li id="obs_40_0034__li11242915363"><span>In the bucket list, click the bucket name you want to go to the <strong id="obs_40_0034__b191461316103919">Overview</strong> page.</span></li><li id="obs_40_0034__en-us_topic_0066036523_li36003791"><span>In the navigation pane, click <strong id="obs_40_0034__b1174115514366">Objects</strong>.</span></li><li id="obs_40_0034__en-us_topic_0066036523_li55598663"><span>Locate the file to be shared and click <strong id="obs_40_0034__b15210976095923">Share</strong> in the <strong id="obs_40_0034__b90263948995923">Operation</strong> column.</span><p><p id="obs_40_0034__p654141612312">Once the <strong id="obs_40_0034__b201885158395923">Share File</strong> dialog box is opened, the URL is effective and valid for five minutes by default. 
If you change the validity period, the authentication information in the URL changes accordingly, and the URL's new validity period starts upon the change.</p> <div class="section" id="obs_40_0034__section692129689"><h4 class="sectiontitle">Procedure for Sharing a File</h4><ol id="obs_40_0034__ol165136117163"><li id="obs_40_0034__li973618915320"><span>In the navigation pane of OBS Console, choose <strong id="obs_40_0034__b1744151175514">Object Storage</strong>.</span></li><li id="obs_40_0034__li9637182844515"><span>In the bucket list, click the bucket name you want to go to the <strong id="obs_40_0034__b16954162011517">Objects</strong> page.</span></li><li id="obs_40_0034__en-us_topic_0066036523_li55598663"><span>Select the file to be shared and click <strong id="obs_40_0034__b1511014919473">Share</strong> in the <strong id="obs_40_0034__b116191234710">Operation</strong> column.</span><p><p id="obs_40_0034__p654141612312">Once the <strong id="obs_40_0034__b201885158395923">Share File</strong> dialog box is opened, the URL is effective and valid for five minutes by default. If you change the validity period, the authentication information in the URL changes accordingly, and the URL's new validity period starts upon the change.</p>
</p></li><li id="obs_40_0034__li113111832018"><span>Perform URL related operations.</span><p><ul id="obs_40_0034__ul36691545182112"><li id="obs_40_0034__li1167044516212">Click <strong id="obs_40_0034__b120831711595923">Open URL</strong> to preview the file on a new page or directly download it to your default download path.</li><li id="obs_40_0034__li475872122213">Click <strong id="obs_40_0034__b28125390595923">Copy Link</strong> to share the link to other users, so that they can enter the link to a web browser to access the file.</li><li id="obs_40_0034__li18612549152314">Click <strong id="obs_40_0034__b127888500595923">Copy Path</strong> to share the file path to users who have access permissions to the bucket. Then the users can search for the file by pasting the path to the search box of the bucket.</li></ul> </p></li><li id="obs_40_0034__li113111832018"><span>Perform URL related operations.</span><p><ul id="obs_40_0034__ul36691545182112"><li id="obs_40_0034__li1167044516212">Click <strong id="obs_40_0034__b120831711595923">Open in Browser</strong> to preview the file on a new page or directly download it to your default download path.</li><li id="obs_40_0034__li475872122213">Click <strong id="obs_40_0034__b28125390595923">Copy Link</strong> to share the link to other users, so that they can enter the link to a web browser to access the file.</li><li id="obs_40_0034__li18612549152314">Click <strong id="obs_40_0034__b127888500595923">Copy Path</strong> to share the file path to users who have access permissions to the bucket. Then the users can search for the file by pasting the path to the search box of the bucket.</li></ul>
<div class="note" id="obs_40_0034__note27664672718"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="obs_40_0034__p57734614276">Within the validity period of a URL, any user who has the URL can access the file.</p> <div class="note" id="obs_40_0034__note27664672718"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="obs_40_0034__p57734614276">Within the URL validity period, anyone who has the URL can access the file.</p>
</div></div> </div></div>
</p></li></ol> </p></li></ol>
</div> </div>
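Review bot: In the new step 2, "click the bucket name you want to go to the Objects page" is hard to parse; suggest "click the name of the target bucket to go to the Objects page". The paragraph under the Share step says that changing the validity period changes the authentication information in the URL, but not whether a link copied before the change stays usable until its original expiry. Given the note that anyone who has the URL can access the file, state that explicitly.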

View File

@ -1,11 +1,11 @@
<a name="obs_40_0036"></a><a name="obs_40_0036"></a> <a name="obs_40_0036"></a><a name="obs_40_0036"></a>
<h1 class="topictitle1">Preventing Specific IP Addresses from Accessing a Bucket</h1> <h1 class="topictitle1">Restricting Access to a Bucket for Specific IP Addresses</h1>
<div id="body1593486216448"><div class="section" id="obs_40_0036__section43491717165116"><h4 class="sectiontitle">Scenario</h4><p id="obs_40_0036__p3431154410448">This case describes how to restrict the source IP addresses that can access an OBS bucket. The following shows how to deny a client access whose source IP address is within the range of 114.115.1.0/24.</p> <div id="body1593486216448"><div class="section" id="obs_40_0036__section43491717165116"><h4 class="sectiontitle">Scenario</h4><p id="obs_40_0036__p3431154410448">This case describes how to restrict the source IP addresses that can access an OBS bucket. The following shows how to deny a client access whose source IP address is within the range of 114.115.1.0/24.</p>
</div> </div>
<div class="section" id="obs_40_0036__section106520378518"><h4 class="sectiontitle">Recommended Configuration</h4><p id="obs_40_0036__p103657437515">Bucket policy</p> <div class="section" id="obs_40_0036__section106520378518"><h4 class="sectiontitle">Recommended Configuration</h4><p id="obs_40_0036__p103657437515">Bucket policy</p>
</div> </div>
<div class="section" id="obs_40_0036__section18368164564"><h4 class="sectiontitle">Procedure</h4><ol id="obs_40_0036__ol170633855216"><li id="obs_40_0036__li973618915320"><span>In the navigation pane of OBS Console, choose <strong id="obs_40_0036__b107282205911">Object Storage</strong>.</span></li><li id="obs_40_0036__li11242915363"><span>In the bucket list, click the bucket name you want to go to the <strong id="obs_40_0036__b10461155683917">Overview</strong> page.</span></li><li id="obs_40_0036__li13508181724617"><span>In the navigation pane, choose <strong id="obs_40_0036__b1277821212494">Permissions</strong>.</span></li><li id="obs_40_0036__li49461065486"><span>On the <strong id="obs_40_0036__b0971531143711">Bucket Policies</strong> page, click <strong id="obs_40_0036__b16973131163713">Create Bucket Policy</strong> under <strong id="obs_40_0036__b49748316372">Custom Bucket Policies</strong>.</span></li><li id="obs_40_0036__li3552175452220"><span>Configure parameters for a bucket policy.</span><p><div class="fignone" id="obs_40_0036__fig84467351037"><span class="figcap"><b>Figure 1 </b>Configuring parameters for a bucket policy</span><br><span><img id="obs_40_0036__image94489351433" src="en-us_image_0000001386029478.png"></span></div> <div class="section" id="obs_40_0036__section18368164564"><h4 class="sectiontitle">Procedure</h4><ol id="obs_40_0036__ol170633855216"><li id="obs_40_0036__li724955124912"><span>In the navigation pane of OBS Console, choose <strong id="obs_40_0036__b107282205911">Object Storage</strong>.</span></li><li id="obs_40_0036__li32491951194912"><span>In the bucket list, click the bucket name you want to go to the <strong id="obs_40_0036__b152428572223838">Overview</strong> page.</span></li><li id="obs_40_0036__li5249145194918"><span>In the navigation pane, choose <strong id="obs_40_0036__b1865245419914">Permissions</strong>.</span></li><li id="obs_40_0036__li1568715376490"><span>On the <strong id="obs_40_0036__b0971531143711">Bucket 
Policies</strong> page, click <strong id="obs_40_0036__b16973131163713">Create Bucket Policy</strong> under <strong id="obs_40_0036__b49748316372">Custom Bucket Policies</strong>.</span></li><li id="obs_40_0036__li3552175452220"><span>Configure a bucket policy.</span><p><div class="fignone" id="obs_40_0036__fig84467351037"><span class="figcap"><b>Figure 1 </b>Configuring a bucket policy</span><br><span><img id="obs_40_0036__image94489351433" src="en-us_image_0000001386029478.png"></span></div>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="obs_40_0036__table374341792315" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Parameters for creating a bucket policy</caption><thead align="left"><tr id="obs_40_0036__row27504174239"><th align="left" class="cellrowborder" valign="top" width="26.88%" id="mcps1.3.3.2.5.2.2.2.3.1.1"><p id="obs_40_0036__p107559176234"><strong id="obs_40_0036__b1545917931102217">Parameter</strong></p> <div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="obs_40_0036__table374341792315" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Parameters for creating a bucket policy</caption><thead align="left"><tr id="obs_40_0036__row27504174239"><th align="left" class="cellrowborder" valign="top" width="26.88%" id="mcps1.3.3.2.5.2.2.2.3.1.1"><p id="obs_40_0036__p107559176234"><strong id="obs_40_0036__b1545917931102217">Parameter</strong></p>
</th> </th>
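Review bot: The new title "Restricting Access to a Bucket for Specific IP Addresses" can be read as allowing access only for those addresses, while the Scenario paragraph denies clients in 114.115.1.0/24; the old title was unambiguous about the deny direction. Suggest a title that keeps the deny meaning, for example "Denying Specific IP Addresses Access to a Bucket". Step 2 also carries the unclear phrase "click the bucket name you want to go to the Overview page" on both sides.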
@ -40,7 +40,7 @@
</tr> </tr>
<tr id="obs_40_0036__row138371643165416"><td class="cellrowborder" valign="top" width="26.88%" headers="mcps1.3.3.2.5.2.2.2.3.1.1 "><p id="obs_40_0036__p2329115416419">Conditions</p> <tr id="obs_40_0036__row138371643165416"><td class="cellrowborder" valign="top" width="26.88%" headers="mcps1.3.3.2.5.2.2.2.3.1.1 "><p id="obs_40_0036__p2329115416419">Conditions</p>
</td> </td>
<td class="cellrowborder" valign="top" width="73.11999999999999%" headers="mcps1.3.3.2.5.2.2.2.3.1.2 "><ul id="obs_40_0036__ul4774185114612"><li id="obs_40_0036__li177741358462"><strong id="obs_40_0036__b783743033102217">Conditional Operator</strong>: <strong id="obs_40_0036__b1437887862102217">IpAddress</strong></li><li id="obs_40_0036__li1764818167461"><strong id="obs_40_0036__b7796443112616">Key</strong>: Select <strong id="obs_40_0036__b1479794342614">SourceIp</strong>.</li><li id="obs_40_0036__li295412744610"><strong id="obs_40_0036__b89081554112617">Value</strong>: Set it to <strong id="obs_40_0036__b199091354132617">114.115.1.0/24</strong>.<div class="note" id="obs_40_0036__note159463615311"><span class="notetitle"> NOTE: </span><div class="notebody"><p id="obs_40_0036__p0954364536">Use commas (,) to separate multiple IP addresses.</p> <td class="cellrowborder" valign="top" width="73.11999999999999%" headers="mcps1.3.3.2.5.2.2.2.3.1.2 "><ul id="obs_40_0036__ul4774185114612"><li id="obs_40_0036__li177741358462"><strong id="obs_40_0036__b783743033102217">Conditional Operator</strong>: <strong id="obs_40_0036__b1437887862102217">IpAddress</strong></li><li id="obs_40_0036__li1764818167461"><strong id="obs_40_0036__b7796443112616">Key</strong>: Select <strong id="obs_40_0036__b1479794342614">SourceIp</strong>.</li><li id="obs_40_0036__li295412744610"><strong id="obs_40_0036__b8342151815327">Value</strong>: Enter <strong id="obs_40_0036__b534351893213">114.115.1.0/24</strong>.<div class="note" id="obs_40_0036__note159463615311"><span class="notetitle"> NOTE: </span><div class="notebody"><p id="obs_40_0036__p0954364536">Use commas (,) to separate multiple IP addresses.</p>
</div></div> </div></div>
</li></ul> </li></ul>
</td> </td>
@ -50,16 +50,16 @@
</div> </div>
<div class="note" id="obs_40_0036__note26171019823"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="obs_40_0036__p13617121915215">If you want to allow clients whose IP addresses are outside the configured range to access your bucket, grant access permissions to anonymous users by referring to <a href="obs_40_0030.html">Granting Permissions to Anonymous Users</a>.</p> <div class="note" id="obs_40_0036__note26171019823"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="obs_40_0036__p13617121915215">If you want to allow clients whose IP addresses are outside the configured range to access your bucket, grant access permissions to anonymous users by referring to <a href="obs_40_0030.html">Granting Permissions to Anonymous Users</a>.</p>
</div></div> </div></div>
</p></li><li id="obs_40_0036__li14457546165717"><span>Click <strong id="obs_40_0036__b8709194992814">OK</strong>. The bucket policy is created.</span></li></ol> </p></li><li id="obs_40_0036__li14457546165717"><span>Click <strong id="obs_40_0036__b8709194992814">OK</strong>.</span></li></ol>
</div> </div>
<div class="section" id="obs_40_0036__section159232335471"><h4 class="sectiontitle">Verification</h4><p id="obs_40_0036__p1589143714477">Initiate an access request from an IP address within the range of 114.115.1.0/24. The access is denied. Initiate an access request from an IP address outside the range of 114.115.1.0/24. The access is allowed.</p> <div class="section" id="obs_40_0036__section159232335471"><h4 class="sectiontitle">Verification</h4><p id="obs_40_0036__p1589143714477">Initiate an access request from an IP address within 114.115.1.0/24. The access is denied. Initiate an access request from an IP address outside 114.115.1.0/24. The access is allowed.</p>
</div> </div>
<div class="section" id="obs_40_0036__section1983162754"><h4 class="sectiontitle">Scenario</h4><p id="obs_40_0036__p39523106515">To allow only a specified IP address to access the OBS bucket, set <strong id="obs_40_0036__b165714845102217">Condition Operator</strong> to <strong id="obs_40_0036__b698961474102217">NotIpAddress</strong> and specify the allowed IP address as the <strong id="obs_40_0036__b1257075104102217">Value</strong>.</p> <div class="section" id="obs_40_0036__section1983162754"><h4 class="sectiontitle">Related Scenarios</h4><ul id="obs_40_0036__ul11637161915157"><li id="obs_40_0036__li20637119161513">To allow only a specified IP address to access the OBS bucket, set <strong id="obs_40_0036__b114633711381">Condition Operator</strong> to <strong id="obs_40_0036__b74623716384">NotIpAddress</strong> and specify the allowed IP address as the <strong id="obs_40_0036__b164616378382">Value</strong>.</li></ul>
</div> </div>
</div> </div>
<div> <div>
<div class="familylinks"> <div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="obs_40_0012.html">Configuration Cases in Typical Permission Control Scenarios</a></div> <div class="parentlink"><strong>Parent topic:</strong> <a href="obs_40_0012.html">Permission Configuration in Typical Scenarios</a></div>
</div> </div>
</div> </div>
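Review bot: The new Related Scenarios bullet says to set Condition Operator to NotIpAddress to allow only a specified IP address, but it does not say that the rest of the policy stays a deny policy, nor that the allowed address still needs a grant, which the note earlier in this hunk requires for clients outside the denied range. Suggest spelling out both. The same applies to the Verification text "The access is allowed", which holds only when the requester has otherwise been granted access. The bullet also writes "Condition Operator" where the parameter table uses "Conditional Operator"; use one label.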

View File

@ -1,10 +1,10 @@
<a name="obs_40_0037"></a><a name="obs_40_0037"></a> <a name="obs_40_0037"></a><a name="obs_40_0037"></a>
<h1 class="topictitle1">Granting Temporary Access to OBS</h1> <h1 class="topictitle1">Granting Temporary Access to OBS</h1>
<div id="body1597050561891"><div class="section" id="obs_40_0037__section43491717165116"><h4 class="sectiontitle">Scenario</h4><p id="obs_40_0037__p3431154410448">This case describes how to use temporary access keys (temporary AK/SK and security token) to access OBS in temporary authorization mode.</p> <div id="body1597050561891"><div class="section" id="obs_40_0037__section43491717165116"><h4 class="sectiontitle">Scenario</h4><p id="obs_40_0037__p3431154410448">This case describes how to use temporary access keys (temporary AK/SK and security token) to access OBS.</p>
<p id="obs_40_0037__p1663009161912">Assume that you want to enable an IAM user (user name: APPServer) to access the APPClient folder in bucket <strong id="obs_40_0037__b166099288132">hi-company</strong> and apply for two different temporary access keys to distribute to APP-1 and APP-2. APP-1 can only access files in APPClient/APP-1. APP-2 can access only the files in APPClient/APP-2.</p> <p id="obs_40_0037__p1663009161912">Assume that you want to enable an IAM user (user name: APPServer) to access the APPClient folder in bucket <strong id="obs_40_0037__b166099288132">hi-company</strong> and apply for two different temporary access keys to distribute to APP-1 and APP-2. APP-1 can only access files in APPClient/APP-1. APP-2 can access only the files in APPClient/APP-2.</p>
</div> </div>
<div class="section" id="obs_40_0037__section18368164564"><h4 class="sectiontitle">Procedure</h4><ol id="obs_40_0037__ol170633855216"><li id="obs_40_0037__li10432131493113"><span>Log in to the management console using a cloud service account.</span></li><li id="obs_40_0037__li625685643115"><span>On the top menu bar, choose <strong id="obs_40_0037__b1524342811413">Service List</strong> &gt; <strong id="obs_40_0037__b724310286417">Management &amp; Deployment</strong> &gt; <strong id="obs_40_0037__b112433281644">Identity and Access Management</strong>. The IAM console is displayed.</span></li><li id="obs_40_0037__li54221529115513"><span>Create an IAM user <strong id="obs_40_0037__b14273510475">APPServer</strong>. For details, see <a href="https://docs.otc.t-systems.com/en-us/usermanual/iam/en-us_topic_0046611303.html" target="_blank" rel="noopener noreferrer">Creating a User</a>.</span></li><li id="obs_40_0037__li148774498186"><span>Create a user-defined policy that allows access to the AppClient folder in bucket hi-company.</span><p><ol type="a" id="obs_40_0037__ol294413212193"><li id="obs_40_0037__li1848615103345">In the navigation pane, choose <strong id="obs_40_0037__b8555846143312">Permissions</strong>.</li><li id="obs_40_0037__li1417104719219">Configure parameters for a custom policy.<div class="note" id="obs_40_0037__note16133193719131"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="obs_40_0037__p8133113741313">Before configuring an IAM policy, you need to understand what permissions are required. An IAM user only has the permissions defined by the policy. 
In this example, user <strong id="obs_40_0037__b99995311910740">APPServer</strong> only has full permissions on objects in the <strong id="obs_40_0037__b78713857610740">APPClient</strong> folder.</p> <div class="section" id="obs_40_0037__section18368164564"><h4 class="sectiontitle">Procedure</h4><ol id="obs_40_0037__ol170633855216"><li id="obs_40_0037__li10432131493113"><span>Log in to the management console using a cloud service account.</span></li><li id="obs_40_0037__li625685643115"><span>On the top menu bar, choose <strong id="obs_40_0037__b1524342811413">Service List</strong> &gt; <strong id="obs_40_0037__b724310286417">Management &amp; Deployment</strong> &gt; <strong id="obs_40_0037__b112433281644">Identity and Access Management</strong>.</span></li><li id="obs_40_0037__li54221529115513"><span>Create an IAM user <strong id="obs_40_0037__b14273510475">APPServer</strong>. For details, see <a href="https://docs.otc.t-systems.com/en-us/usermanual/iam/en-us_topic_0046611303.html" target="_blank" rel="noopener noreferrer">Creating an IAM User</a>.</span></li><li id="obs_40_0037__li148774498186"><span>Create a user-defined policy that allows access to the AppClient folder in bucket hi-company.</span><p><ol type="a" id="obs_40_0037__ol294413212193"><li id="obs_40_0037__li1848615103345">In the navigation pane, choose <strong id="obs_40_0037__b8555846143312">Permissions</strong>.</li><li id="obs_40_0037__li1417104719219">Configure parameters for a custom policy.<div class="note" id="obs_40_0037__note16133193719131"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="obs_40_0037__p8133113741313">Before configuring an IAM policy, you need to understand what permissions are required. An IAM user only has the permissions defined by the policy. 
In this example, user <strong id="obs_40_0037__b99995311910740">APPServer</strong> only has full permissions on objects in the <strong id="obs_40_0037__b78713857610740">APPClient</strong> folder.</p>
</div></div> </div></div>
<div class="fignone" id="obs_40_0037__fig16929854596"><span class="figcap"><b>Figure 1 </b>Configuring a custom policy</span><br><span><img id="obs_40_0037__image49301051598" src="en-us_image_0000001435988521.png"></span></div> <div class="fignone" id="obs_40_0037__fig16929854596"><span class="figcap"><b>Figure 1 </b>Configuring a custom policy</span><br><span><img id="obs_40_0037__image49301051598" src="en-us_image_0000001435988521.png"></span></div>
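Review bot: Step 4 refers to "the AppClient folder in bucket hi-company" on both sides, while the Scenario and the note inside the same step write "APPClient"; use one spelling, since readers will copy the folder name into the policy's resource path. The Scenario also mixes "APP-1 can only access files" with "APP-2 can access only the files"; make the two sentences parallel.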
@ -16,12 +16,12 @@
</thead> </thead>
<tbody><tr id="obs_40_0037__row17375102752819"><td class="cellrowborder" valign="top" width="21.54%" headers="mcps1.3.2.2.4.2.1.2.3.2.3.1.1 "><p id="obs_40_0037__p1737572772816">Policy Name</p> <tbody><tr id="obs_40_0037__row17375102752819"><td class="cellrowborder" valign="top" width="21.54%" headers="mcps1.3.2.2.4.2.1.2.3.2.3.1.1 "><p id="obs_40_0037__p1737572772816">Policy Name</p>
</td> </td>
<td class="cellrowborder" valign="top" width="78.46%" headers="mcps1.3.2.2.4.2.1.2.3.2.3.1.2 "><p id="obs_40_0037__p83758278280">Name of the custom policy</p> <td class="cellrowborder" valign="top" width="78.46%" headers="mcps1.3.2.2.4.2.1.2.3.2.3.1.2 "><p id="obs_40_0037__p83758278280">Enter a policy name.</p>
</td> </td>
</tr> </tr>
<tr id="obs_40_0037__row1937592712288"><td class="cellrowborder" valign="top" width="21.54%" headers="mcps1.3.2.2.4.2.1.2.3.2.3.1.1 "><p id="obs_40_0037__p173753272284">Policy View</p> <tr id="obs_40_0037__row1937592712288"><td class="cellrowborder" valign="top" width="21.54%" headers="mcps1.3.2.2.4.2.1.2.3.2.3.1.1 "><p id="obs_40_0037__p173753272284">Policy View</p>
</td> </td>
<td class="cellrowborder" valign="top" width="78.46%" headers="mcps1.3.2.2.4.2.1.2.3.2.3.1.2 "><p id="obs_40_0037__p17375102714285">Set this parameter based on your own habits. <strong id="obs_40_0037__b107464561410740">JSON</strong> is used here.</p> <td class="cellrowborder" valign="top" width="78.46%" headers="mcps1.3.2.2.4.2.1.2.3.2.3.1.2 "><p id="obs_40_0037__p17375102714285">Select one based on your own habits. <strong id="obs_40_0037__b1682619311312">JSON</strong> is used here.</p>
</td> </td>
</tr> </tr>
<tr id="obs_40_0037__row133751227142812"><td class="cellrowborder" valign="top" width="21.54%" headers="mcps1.3.2.2.4.2.1.2.3.2.3.1.1 "><p id="obs_40_0037__p203751027172816">Policy Content</p> <tr id="obs_40_0037__row133751227142812"><td class="cellrowborder" valign="top" width="21.54%" headers="mcps1.3.2.2.4.2.1.2.3.2.3.1.1 "><p id="obs_40_0037__p203751027172816">Policy Content</p>
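Review bot: "Select one based on your own habits" in the Policy View row is still awkward, and "one" has no referent inside the cell; suggest "Select a policy view as needed. JSON is used here."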
@ -50,11 +50,11 @@
</tbody> </tbody>
</table> </table>
</div> </div>
</li><li id="obs_40_0037__li964374182211">Click <strong id="obs_40_0037__b15661312110740">OK</strong>. The custom policy is created.</li></ol> </li><li id="obs_40_0037__li964374182211">Click <strong id="obs_40_0037__b15661312110740">OK</strong>.</li></ol>
</p></li><li id="obs_40_0037__li81339157389"><span><a href="https://docs.otc.t-systems.com/en-us/usermanual/iam/iam_01_0030.html" target="_blank" rel="noopener noreferrer">Create a user group and assign permissions</a>.</span><p><p id="obs_40_0037__p1312812258417">Add the created custom policy to the user group by following the instructions in the IAM document.</p> </p></li><li id="obs_40_0037__li81339157389"><span><a href="https://docs.otc.t-systems.com/en-us/usermanual/iam/iam_01_0030.html" target="_blank" rel="noopener noreferrer">Create a user group and assign permissions</a>.</span><p><p id="obs_40_0037__p1312812258417">Apply the created custom policy to the user group by following the instructions in the IAM document.</p>
</p></li><li id="obs_40_0037__li12273529113919"><span>Add the IAM user (<strong id="obs_40_0037__b10471848145518">APPServer</strong>) you want to authorize to the created user group by referring to <a href="https://docs.otc.t-systems.com/en-us/usermanual/iam/iam_01_0031.html" target="_blank" rel="noopener noreferrer">Creating a User and Adding the User to a User Group</a>.</span><p><div class="note" id="obs_40_0037__note1402619155515"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="obs_40_0037__p37253183814">Due to data caching, it takes about 10 to 15 minutes for a custom policy to take effect after the authorization.</p> </p></li><li id="obs_40_0037__li12273529113919"><span><a href="https://docs.otc.t-systems.com/en-us/usermanual/iam/iam_01_0031.html" target="_blank" rel="noopener noreferrer">Add the IAM user (APPServer) to the created user group</a>.</span><p><div class="note" id="obs_40_0037__note1402619155515"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="obs_40_0037__p37253183814">Due to data caching, it takes about 10 to 15 minutes for a custom policy to take effect.</p>
</div></div> </div></div>
</p></li><li id="obs_40_0037__li753752717303"><span><span style="color:#3D3F43;">The IAM user (APPServer) obtains temporary access keys (temporary access keys and security token) for </span><strong style="color:#3D3F43;" id="obs_40_0037__b71217300354">APP-1</strong><span style="color:#3D3F43;"> and </span><strong style="color:#3D3F43;" id="obs_40_0037__b0972183116356">APP-2</strong><span style="color:#3D3F43;">.</span></span><p><p id="obs_40_0037__p13248204142615"><span style="color:#3D3F43;">To obtain temporary access keys with different permissions, you need to set a temporary policy by adding the policy parameter in the request body</span>. For details, see <a href="https://docs.otc.t-systems.com/en-us/api/iam/en-us_topic_0097949518.html" target="_blank" rel="noopener noreferrer">Obtaining a Temporary AK/SK</a><span style="color:#3D3F43;">.</span></p> </p></li><li id="obs_40_0037__li753752717303"><span>The IAM user (APPServer) obtains temporary access keys (temporary access keys and security token) for <strong id="obs_40_0037__b71217300354">APP-1</strong> and <strong id="obs_40_0037__b0972183116356">APP-2</strong>.</span><p><p id="obs_40_0037__p13248204142615">To obtain temporary access keys with different permissions, you need to set a temporary policy by adding the policy parameter in the request body. For details, see <a href="https://docs.otc.t-systems.com/en-us/api/iam/en-us_topic_0097949518.html" target="_blank" rel="noopener noreferrer">Obtaining a Temporary AK/SK</a>.</p>
<p id="obs_40_0037__p1671713105813">The following is a sample request for obtaining a pair of temporary access keys. The temporary policy parameters are displayed in bold.</p> <p id="obs_40_0037__p1671713105813">The following is a sample request for obtaining a pair of temporary access keys. The temporary policy parameters are displayed in bold.</p>
<p id="obs_40_0037__p181085211581"><strong id="obs_40_0037__b214707742410740">A sample request for obtaining a pair of temporary access keys for the device app </strong><strong id="obs_40_0037__b83903714510740">APP-1</strong><strong id="obs_40_0037__b28790197010740">:</strong></p> <p id="obs_40_0037__p181085211581"><strong id="obs_40_0037__b214707742410740">A sample request for obtaining a pair of temporary access keys for the device app </strong><strong id="obs_40_0037__b83903714510740">APP-1</strong><strong id="obs_40_0037__b28790197010740">:</strong></p>
<pre class="screen" id="obs_40_0037__screen111122027581">{ <pre class="screen" id="obs_40_0037__screen111122027581">{
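Review bot: In the note under the "Add the IAM user (APPServer) to the created user group" step, dropping "after the authorization" leaves "it takes about 10 to 15 minutes for a custom policy to take effect" without a starting point. Say what the delay is measured from (applying the policy to the user group, or adding the user to it), because the next step has APPServer request temporary access keys and the reader needs to know when the policy applies. The rewritten step also drops the bold on APPServer, while APP-1 and APP-2 in the following step stay bold; keep the formatting consistent.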
@ -119,7 +119,7 @@
</div> </div>
<div> <div>
<div class="familylinks"> <div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="obs_40_0012.html">Configuration Cases in Typical Permission Control Scenarios</a></div> <div class="parentlink"><strong>Parent topic:</strong> <a href="obs_40_0012.html">Permission Configuration in Typical Scenarios</a></div>
</div> </div>
</div> </div>

View File

@ -8,17 +8,23 @@
</th> </th>
</tr> </tr>
</thead> </thead>
<tbody><tr id="obs_40_0039__row17882114844"><td class="cellrowborder" valign="top" width="18%" headers="mcps1.3.1.1.3.1.1 "><p id="obs_40_0039__p988218141412">2023-02-16</p> <tbody><tr id="obs_40_0039__row1496314111094"><td class="cellrowborder" valign="top" width="18%" headers="mcps1.3.1.1.3.1.1 "><p id="obs_40_0039__p16727416995">2024-07-23</p>
</td> </td>
<td class="cellrowborder" valign="top" width="82%" headers="mcps1.3.1.1.3.1.2 "><p id="obs_40_0039__p176556119517">This is the second official release.</p> <td class="cellrowborder" valign="top" width="82%" headers="mcps1.3.1.1.3.1.2 "><p id="obs_40_0039__p1772711612914">This issue is the third official release.</p>
<p id="obs_40_0039__p472710161693">This issue incorporates the following changes:</p>
<ul id="obs_40_0039__ul67272167911"><li id="obs_40_0039__li57271161097">Updated description about <strong id="obs_40_0039__b31681448163112">Policy Content</strong> in <a href="obs_40_0023.html">Granting IAM User Groups Specific Permissions on Specific OBS Resources</a> and <a href="obs_40_0027.html">Granting IAM Users Under an Account the Access to a Bucket and the Resources in It</a>.</li></ul>
</td>
</tr>
<tr id="obs_40_0039__row17882114844"><td class="cellrowborder" valign="top" width="18%" headers="mcps1.3.1.1.3.1.1 "><p id="obs_40_0039__p988218141412">2023-02-16</p>
</td>
<td class="cellrowborder" valign="top" width="82%" headers="mcps1.3.1.1.3.1.2 "><p id="obs_40_0039__p176556119517">This issue is the second official release.</p>
<p id="obs_40_0039__p7655131958">This issue incorporates the following changes:</p> <p id="obs_40_0039__p7655131958">This issue incorporates the following changes:</p>
<p id="obs_40_0039__p16323195717818">Updated the application scenario of access control with IAM permissions.</p> <ul id="obs_40_0039__ul84436318472"><li id="obs_40_0039__li10443113110478">Updated the application scenario of access control with IAM permissions.</li><li id="obs_40_0039__li144431131194719">Updated the GUI screenshots and parameter descriptions about bucket policy creation.</li></ul>
<p id="obs_40_0039__p19352886518">Updated the GUI screenshots and parameter descriptions about bucket policy creation.</p>
</td> </td>
</tr> </tr>
<tr id="obs_40_0039__row526245164"><td class="cellrowborder" valign="top" width="18%" headers="mcps1.3.1.1.3.1.1 "><p id="obs_40_0039__p52617451866">2022-10-27</p> <tr id="obs_40_0039__row526245164"><td class="cellrowborder" valign="top" width="18%" headers="mcps1.3.1.1.3.1.1 "><p id="obs_40_0039__p52617451866">2022-10-27</p>
</td> </td>
<td class="cellrowborder" valign="top" width="82%" headers="mcps1.3.1.1.3.1.2 "><p id="obs_40_0039__p727184515610">This is the first official release.</p> <td class="cellrowborder" valign="top" width="82%" headers="mcps1.3.1.1.3.1.2 "><p id="obs_40_0039__p727184515610">This issue is the first official release.</p>
</td> </td>
</tr> </tr>
</tbody> </tbody>
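Review bot: The 2024-07-23 entry lists only the Policy Content update in obs_40_0023 and obs_40_0027, but this commit also changes the obs:prefix request-condition operator in obs_40_0044 from StringStartWith to StringMatch. Add that change to the third-release list, since it alters what readers are told to configure. The rewording to "This issue is the third official release." also repeats "This issue" in two consecutive sentences; the earlier "This is the ... official release." read better.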


View File

@ -1,13 +1,12 @@
<a name="obs_40_0042"></a><a name="obs_40_0042"></a> <a name="obs_40_0042"></a><a name="obs_40_0042"></a>
<h1 class="topictitle1">Appendix</h1> <h1 class="topictitle1">Appendix</h1>
<div id="body0000001132130199"><p id="obs_40_0042__p8060118"></p> <div id="body0000001132130199"></div>
</div>
<div> <div>
<ul class="ullinks"> <ul class="ullinks">
<li class="ulchildlink"><strong><a href="obs_40_0041.html">Bucket Policy Parameters</a></strong><br> <li class="ulchildlink"><strong><a href="obs_40_0041.html">Bucket Policy Parameters</a></strong><br>
</li> </li>
<li class="ulchildlink"><strong><a href="obs_40_0043.html">Relationship Between Bucket Policies and Bucket ACLs</a></strong><br> <li class="ulchildlink"><strong><a href="obs_40_0043.html">Relationship Between Bucket ACLs and Bucket Policies</a></strong><br>
</li> </li>
</ul> </ul>
</div> </div>

View File

@ -1,7 +1,7 @@
<a name="obs_40_0043"></a><a name="obs_40_0043"></a> <a name="obs_40_0043"></a><a name="obs_40_0043"></a>
<h1 class="topictitle1">Relationship Between Bucket Policies and Bucket ACLs</h1> <h1 class="topictitle1">Relationship Between Bucket ACLs and Bucket Policies</h1>
<div id="body0000001110930532"><div class="section" id="obs_40_0043__section9370125413594"><h4 class="sectiontitle">Mapping Between Bucket ACLs and Bucket Policies</h4><p id="obs_40_0043__p14426115413593">Bucket ACLs are used to control basic read and write access to buckets. Custom settings of bucket policies support more actions that can be performed on buckets. Bucket ACLs supplement bucket policies, and in many cases, can be replaced by bucket policies to manage access to buckets. <a href="#obs_40_0043__table183716545593">Table 1</a> shows the mapping between bucket ACL access permissions and bucket policy actions.</p> <div id="body0000001110930532"><div class="section" id="obs_40_0043__section9370125413594"><h4 class="sectiontitle">Mapping Between Bucket ACLs and Bucket Policies</h4><p id="obs_40_0043__p14426115413593">Bucket ACLs control read and write permissions on buckets. Custom bucket policies can control more actions on buckets. Bucket ACLs are a supplement to bucket policies, but are usually replaced with bucket policies. <a href="#obs_40_0043__table183716545593">Table 1</a> shows the mapping between bucket ACL permissions and actions in a custom bucket policy.</p>
<div class="tablenoborder"><a name="obs_40_0043__table183716545593"></a><a name="table183716545593"></a><table cellpadding="4" cellspacing="0" summary="" id="obs_40_0043__table183716545593" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Mapping between bucket ACLs and bucket policies</caption><thead align="left"><tr id="obs_40_0043__row10426205416593"><th align="left" class="cellrowborder" valign="top" width="19.191919191919194%" id="mcps1.3.1.3.2.4.1.1"><p id="obs_40_0043__p6426165418599">ACL Permission</p> <div class="tablenoborder"><a name="obs_40_0043__table183716545593"></a><a name="table183716545593"></a><table cellpadding="4" cellspacing="0" summary="" id="obs_40_0043__table183716545593" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Mapping between bucket ACLs and bucket policies</caption><thead align="left"><tr id="obs_40_0043__row10426205416593"><th align="left" class="cellrowborder" valign="top" width="19.191919191919194%" id="mcps1.3.1.3.2.4.1.1"><p id="obs_40_0043__p6426165418599">ACL Permission</p>
</th> </th>
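Review bot: In the rewritten intro paragraph, "Bucket ACLs are a supplement to bucket policies, but are usually replaced with bucket policies" turns the old statement that ACLs "in many cases, can be replaced by bucket policies" from a capability into a claim about what usually happens, and it reads as if ACLs are both a supplement and no longer used. Suggest "Bucket ACLs supplement bucket policies and can usually be replaced by them." The new first sentence also drops "basic" from "basic read and write access", which the old text used to mark ACLs as the coarser of the two mechanisms; consider keeping it.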
@ -27,12 +27,12 @@
</td> </td>
<td class="cellrowborder" valign="top" width="14.141414141414144%" headers="mcps1.3.1.3.2.4.1.2 "><p id="obs_40_0043__p1142885415597">Read</p> <td class="cellrowborder" valign="top" width="14.141414141414144%" headers="mcps1.3.1.3.2.4.1.2 "><p id="obs_40_0043__p1142885415597">Read</p>
</td> </td>
<td class="cellrowborder" valign="top" width="66.66666666666667%" headers="mcps1.3.1.3.2.4.1.3 "><p id="obs_40_0043__p1842815542599">GetBucketAcl</p> <td class="cellrowborder" valign="top" width="66.66666666666667%" headers="mcps1.3.1.3.2.4.1.3 "><ul id="obs_40_0043__ul1438754418326"><li id="obs_40_0043__li143871444113218">GetBucketAcl</li></ul>
</td> </td>
</tr> </tr>
<tr id="obs_40_0043__row15428654125911"><td class="cellrowborder" valign="top" headers="mcps1.3.1.3.2.4.1.1 "><p id="obs_40_0043__p1742825465912">Write</p> <tr id="obs_40_0043__row15428654125911"><td class="cellrowborder" valign="top" headers="mcps1.3.1.3.2.4.1.1 "><p id="obs_40_0043__p1742825465912">Write</p>
</td> </td>
<td class="cellrowborder" valign="top" headers="mcps1.3.1.3.2.4.1.2 "><p id="obs_40_0043__p2429554125918">PutBucketAcl</p> <td class="cellrowborder" valign="top" headers="mcps1.3.1.3.2.4.1.2 "><ul id="obs_40_0043__ul5622846163210"><li id="obs_40_0043__li9622164653220">PutBucketAcl</li></ul>
</td> </td>
</tr> </tr>
</tbody> </tbody>

View File

@ -1,18 +1,18 @@
<a name="obs_40_0044"></a><a name="obs_40_0044"></a> <a name="obs_40_0044"></a><a name="obs_40_0044"></a>
<h1 class="topictitle1">Granting IAM User Groups Specified Permissions on Certain OBS Folders</h1> <h1 class="topictitle1">Granting IAM User Groups Specific Permissions on a Folder</h1>
<div id="body0000001128664300"><div class="section" id="obs_40_0044__section43491717165116"><h4 class="sectiontitle">Scenario</h4><p id="obs_40_0044__p3431154410448">This topic describes how to grant certain operation permissions on specific folders in an OBS bucket to multiple IAM users or user groups.</p> <div id="body0000001128664300"><div class="section" id="obs_40_0044__section43491717165116"><h4 class="sectiontitle">Scenario</h4><p id="obs_40_0044__p3431154410448">This topic describes how to grant specified permissions for a folder in an OBS bucket to multiple IAM users or user groups.</p>
</div> </div>
<div class="section" id="obs_40_0044__section106520378518"><h4 class="sectiontitle">Recommended Configuration</h4><p id="obs_40_0044__p103657437515">IAM custom policies</p> <div class="section" id="obs_40_0044__section106520378518"><h4 class="sectiontitle">Recommended Configuration</h4><p id="obs_40_0044__p103657437515">Use an IAM custom policy to configure the permissions.</p>
</div> </div>
<div class="section" id="obs_40_0044__section786219432319"><h4 class="sectiontitle">Configuration Precautions</h4><p id="obs_40_0044__p817120327254">After the configuration is complete, you can perform allowed operations using APIs. However, if you log in to OBS Console or OBS Browser+ to perform those operations, an error is reported indicating that you do not have required permissions.</p> <div class="section" id="obs_40_0044__section786219432319"><h4 class="sectiontitle">Precautions</h4><p id="obs_40_0044__p817120327254">After configuration, IAM users can perform allowed operations using APIs. If they log in to OBS Console or OBS Browser+ to perform those operations, a message will be displayed indicating that they do not have required permissions.</p>
<p id="obs_40_0044__p2095722518592">This is because when you log in to OBS Console or OBS Browser+, APIs (such as <strong id="obs_40_0044__b109481258171710">ListAllMyBuckets</strong> and <strong id="obs_40_0044__b767019018182">ListBucket</strong>) are called to load the bucket list and object list and some other APIs will also be called on other pages, but your permissions do not cover those APIs. In such case, your access to OBS Console or OBS Browser+ is denied or your operation is not allowed.</p> <p id="obs_40_0044__p2095722518592">This is because when they log in to OBS Console or OBS Browser+, APIs (such as <strong id="obs_40_0044__b1165119455278">ListAllMyBuckets</strong> and <strong id="obs_40_0044__b1565114512711">ListBucket</strong>) are called to load the bucket list and object list and some other APIs will also be called on other pages, but their permissions do not cover those APIs. In such case, the message is diplayed.</p>
<p id="obs_40_0044__p7807163365117">To allow IAM users to operate buckets and objects on OBS Console or OBS Browser+, add at least the <strong id="obs_40_0044__b1023814132458">obs:bucket:ListAllMyBuckets</strong> and <strong id="obs_40_0044__b423961364510">obs:bucket:ListBucket</strong> permissions to the custom policy. (In this case, these two permissions are configured in permission 2 and 3.)</p> <p id="obs_40_0044__p7807163365117">To allow IAM users to operate buckets and objects on OBS Console or OBS Browser+, add at least the <strong id="obs_40_0044__b1023814132458">obs:bucket:ListAllMyBuckets</strong> and <strong id="obs_40_0044__b423961364510">obs:bucket:ListBucket</strong> permissions to the custom policy. (In this case, these two permissions are configured in permissions 2 and 3.)</p>
<div class="note" id="obs_40_0044__note5566228165219"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="obs_40_0044__p1518015112445"><strong id="obs_40_0044__b1175714464297">obs:bucket:ListAllMyBuckets</strong> applies to all resources. You need to select all resources.</p> <div class="note" id="obs_40_0044__note5566228165219"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="obs_40_0044__p1518015112445"><strong id="obs_40_0044__b1175714464297">obs:bucket:ListAllMyBuckets</strong> applies to all resources. You need to select all resources.</p>
<p id="obs_40_0044__p256692825216"><strong id="obs_40_0044__b173404902917">obs:bucket:ListBucket</strong> applies only to the authorized bucket. You can select all resources or a specified bucket as needed.</p> <p id="obs_40_0044__p256692825216"><strong id="obs_40_0044__b173404902917">obs:bucket:ListBucket</strong> applies only to the authorized bucket. You can select all resources or a specified bucket as needed.</p>
</div></div> </div></div>
</div> </div>
<div class="section" id="obs_40_0044__section1565643713464"><h4 class="sectiontitle">Procedure</h4><ol id="obs_40_0044__ol170633855216"><li id="obs_40_0044__li10432131493113"><span>Log in to the management console using a cloud service account.</span></li><li id="obs_40_0044__li625685643115"><span>On the top menu bar, choose <strong id="obs_40_0044__b2096717161570">Service List</strong> &gt; <strong id="obs_40_0044__b196721655710">Management &amp; Deployment</strong> &gt; <strong id="obs_40_0044__b6967131605713">Identity and Access Management</strong>. The IAM console is displayed.</span></li><li id="obs_40_0044__li1848615103345"><span>In the navigation pane, choose <strong id="obs_40_0044__b17330625152910">Permissions</strong>.</span></li><li id="obs_40_0044__li1388483016366"><span>Click <strong id="obs_40_0044__b3955112255715">Create Custom Policy</strong> in the upper right corner.</span></li><li id="obs_40_0044__li1161395452712"><span>Configure parameters for a custom policy.</span><p><div class="fignone" id="obs_40_0044__fig61012351811"><span class="figcap"><b>Figure 1 </b>Configuring a custom policy</span><br><span><img id="obs_40_0044__image1010283101813" src="en-us_image_0000001386340170.png"></span></div> <div class="section" id="obs_40_0044__section1565643713464"><h4 class="sectiontitle">Procedure</h4><ol id="obs_40_0044__ol170633855216"><li id="obs_40_0044__li10432131493113"><span>Log in to the management console using a cloud service account.</span></li><li id="obs_40_0044__li625685643115"><span>On the top menu bar, choose <strong id="obs_40_0044__b2096717161570">Service List</strong> &gt; <strong id="obs_40_0044__b196721655710">Management &amp; Deployment</strong> &gt; <strong id="obs_40_0044__b6967131605713">Identity and Access Management</strong>.</span></li><li id="obs_40_0044__li1848615103345"><span>In the navigation pane, choose <strong id="obs_40_0044__b17330625152910">Permissions</strong>.</span></li><li 
id="obs_40_0044__li1388483016366"><span>Click <strong id="obs_40_0044__b3955112255715">Create Custom Policy</strong> in the upper right corner.</span></li><li id="obs_40_0044__li1161395452712"><span>Configure a custom policy.</span><p><div class="fignone" id="obs_40_0044__fig61012351811"><span class="figcap"><b>Figure 1 </b>Configuring a custom policy</span><br><span><img id="obs_40_0044__image1010283101813" src="en-us_image_0000001386340170.png"></span></div>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="obs_40_0044__table6375112782815" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Parameters for configuring a custom policy</caption><thead align="left"><tr id="obs_40_0044__row6375927132818"><th align="left" class="cellrowborder" valign="top" width="25.25%" id="mcps1.3.4.2.5.2.2.2.3.1.1"><p id="obs_40_0044__p23757272286">Parameter</p> <div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="obs_40_0044__table6375112782815" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Parameters for configuring a custom policy</caption><thead align="left"><tr id="obs_40_0044__row6375927132818"><th align="left" class="cellrowborder" valign="top" width="25.25%" id="mcps1.3.4.2.5.2.2.2.3.1.1"><p id="obs_40_0044__p23757272286">Parameter</p>
</th> </th>
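Review bot: Typo in the new Precautions text: "In such case, the message is diplayed." should read "In this case, the message is displayed." The same paragraph now says only that a message is shown, where the old text said access to OBS Console or OBS Browser+ is denied or the operation is not allowed; state which of the two happens so readers know whether the operation is actually blocked.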
@ -22,12 +22,12 @@
</thead> </thead>
<tbody><tr id="obs_40_0044__row17375102752819"><td class="cellrowborder" valign="top" width="25.25%" headers="mcps1.3.4.2.5.2.2.2.3.1.1 "><p id="obs_40_0044__p1737572772816">Policy Name</p> <tbody><tr id="obs_40_0044__row17375102752819"><td class="cellrowborder" valign="top" width="25.25%" headers="mcps1.3.4.2.5.2.2.2.3.1.1 "><p id="obs_40_0044__p1737572772816">Policy Name</p>
</td> </td>
<td class="cellrowborder" valign="top" width="74.75%" headers="mcps1.3.4.2.5.2.2.2.3.1.2 "><p id="obs_40_0044__p83758278280">Name of the custom policy</p> <td class="cellrowborder" valign="top" width="74.75%" headers="mcps1.3.4.2.5.2.2.2.3.1.2 "><p id="obs_40_0044__p83758278280">Enter a policy name.</p>
</td> </td>
</tr> </tr>
<tr id="obs_40_0044__row1937592712288"><td class="cellrowborder" valign="top" width="25.25%" headers="mcps1.3.4.2.5.2.2.2.3.1.1 "><p id="obs_40_0044__p173753272284">Policy View</p> <tr id="obs_40_0044__row1937592712288"><td class="cellrowborder" valign="top" width="25.25%" headers="mcps1.3.4.2.5.2.2.2.3.1.1 "><p id="obs_40_0044__p173753272284">Policy View</p>
</td> </td>
<td class="cellrowborder" valign="top" width="74.75%" headers="mcps1.3.4.2.5.2.2.2.3.1.2 "><p id="obs_40_0044__p17375102714285">Set this parameter based on your own habits. <strong id="obs_40_0044__b2790543214">Visual editor</strong> is used here.</p> <td class="cellrowborder" valign="top" width="74.75%" headers="mcps1.3.4.2.5.2.2.2.3.1.2 "><p id="obs_40_0044__p17375102714285">Select one based on your own habits. <strong id="obs_40_0044__b12251105612819">Visual editor</strong> is used here.</p>
</td> </td>
</tr> </tr>
<tr id="obs_40_0044__row133751227142812"><td class="cellrowborder" valign="top" width="25.25%" headers="mcps1.3.4.2.5.2.2.2.3.1.1 "><p id="obs_40_0044__p203751027172816">Policy Content</p> <tr id="obs_40_0044__row133751227142812"><td class="cellrowborder" valign="top" width="25.25%" headers="mcps1.3.4.2.5.2.2.2.3.1.1 "><p id="obs_40_0044__p203751027172816">Policy Content</p>
@ -42,7 +42,7 @@
<p id="obs_40_0044__p1094344019260">[Permission 2] It is mandatory when an authorized user needs to perform operations on OBS Console or OBS Browser+.</p> <p id="obs_40_0044__p1094344019260">[Permission 2] It is mandatory when an authorized user needs to perform operations on OBS Console or OBS Browser+.</p>
<ul id="obs_40_0044__ul17943540162618"><li id="obs_40_0044__li10943104052620">Select <strong id="obs_40_0044__b195554342271">Allow</strong>.</li><li id="obs_40_0044__li9943184022620">Select <strong id="obs_40_0044__b152051737162710">Object Storage Service (OBS)</strong>.</li><li id="obs_40_0044__li19883155554614">Select <strong id="obs_40_0044__b12933739192712">obs:bucket:ListBucket</strong> from the actions.</li><li id="obs_40_0044__li1991741116547">On the <strong id="obs_40_0044__b2116731162813">All</strong> tab, choose <strong id="obs_40_0044__b14118143182811">Specific</strong> &gt; <strong id="obs_40_0044__b3120113116285">Specify resource path</strong> to specify a bucket.<p id="obs_40_0044__p2045623815299">[Path Format]</p> <ul id="obs_40_0044__ul17943540162618"><li id="obs_40_0044__li10943104052620">Select <strong id="obs_40_0044__b195554342271">Allow</strong>.</li><li id="obs_40_0044__li9943184022620">Select <strong id="obs_40_0044__b152051737162710">Object Storage Service (OBS)</strong>.</li><li id="obs_40_0044__li19883155554614">Select <strong id="obs_40_0044__b12933739192712">obs:bucket:ListBucket</strong> from the actions.</li><li id="obs_40_0044__li1991741116547">On the <strong id="obs_40_0044__b2116731162813">All</strong> tab, choose <strong id="obs_40_0044__b14118143182811">Specific</strong> &gt; <strong id="obs_40_0044__b3120113116285">Specify resource path</strong> to specify a bucket.<p id="obs_40_0044__p2045623815299">[Path Format]</p>
<p id="obs_40_0044__p74565384297"><strong id="obs_40_0044__b172671627397">obs:*:*:bucket:</strong><em id="obs_40_0044__i734662053613">Bucket name</em></p> <p id="obs_40_0044__p74565384297"><strong id="obs_40_0044__b172671627397">obs:*:*:bucket:</strong><em id="obs_40_0044__i734662053613">Bucket name</em></p>
</li><li id="obs_40_0044__li1588752312315">On the <strong id="obs_40_0044__b17782230124419">(Optional) Add request condition</strong> tab, click <strong id="obs_40_0044__b2448123915442">Add Request Condition</strong>.<ul id="obs_40_0044__ul12427164311341"><li id="obs_40_0044__li347333313220"><strong id="obs_40_0044__b4846192444519">Condition key</strong>: Select <strong id="obs_40_0044__b124631354154516">obs:prefix</strong> from the drop-down list.</li><li id="obs_40_0044__li988010439332"><strong id="obs_40_0044__b2751199114613">Operator</strong>: Select <strong id="obs_40_0044__b1560329114613">StringStartWith</strong> from the drop-down list.</li><li id="obs_40_0044__li1167275203417"><strong id="obs_40_0044__en-us_topic_0104029905_b33832910436">Value</strong>: <em id="obs_40_0044__en-us_topic_0104029905_en-us_topic_0101094788_i102251116161316">Folder name</em><strong id="obs_40_0044__b15352191112476">/</strong></li></ul> </li><li id="obs_40_0044__li1588752312315">On the <strong id="obs_40_0044__b17782230124419">(Optional) Add request condition</strong> tab, click <strong id="obs_40_0044__b2448123915442">Add Request Condition</strong>.<ul id="obs_40_0044__ul12427164311341"><li id="obs_40_0044__li347333313220"><strong id="obs_40_0044__b4846192444519">Condition key</strong>: Select <strong id="obs_40_0044__b124631354154516">obs:prefix</strong> from the drop-down list.</li><li id="obs_40_0044__li988010439332"><strong id="obs_40_0044__b2751199114613">Operator</strong>: Select <strong id="obs_40_0044__b1560329114613">StringMatch</strong> from the drop-down list.</li><li id="obs_40_0044__li1167275203417"><strong id="obs_40_0044__en-us_topic_0104029905_b33832910436">Value</strong>: <em id="obs_40_0044__en-us_topic_0104029905_en-us_topic_0101094788_i102251116161316">Folder name</em><strong id="obs_40_0044__b15352191112476">/</strong></li></ul>
<p id="obs_40_0044__p10505450163414">[Notes]</p> <p id="obs_40_0044__p10505450163414">[Notes]</p>
<p id="obs_40_0044__p4861328352">If you want a user to have only the permission to list a folder in the bucket, add a request condition for action <strong id="obs_40_0044__b2027203614487">obs:bucket:ListBucket</strong>. <strong id="obs_40_0044__b789255075811">prefix</strong> is included in the request for listing objects in a bucket. In this way, when you specify <strong id="obs_40_0044__b1932193919597">prefix</strong> to list objects whose names start with <em id="obs_40_0044__i174551427143719">Folder name</em><strong id="obs_40_0044__b156943360360">/</strong>, the objects in the bucket can be listed.</p> <p id="obs_40_0044__p4861328352">If you want a user to have only the permission to list a folder in the bucket, add a request condition for action <strong id="obs_40_0044__b2027203614487">obs:bucket:ListBucket</strong>. <strong id="obs_40_0044__b789255075811">prefix</strong> is included in the request for listing objects in a bucket. In this way, when you specify <strong id="obs_40_0044__b1932193919597">prefix</strong> to list objects whose names start with <em id="obs_40_0044__i174551427143719">Folder name</em><strong id="obs_40_0044__b156943360360">/</strong>, the objects in the bucket can be listed.</p>
</li></ul> </li></ul>
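Review bot: The operator for obs:prefix changes from StringStartWith to StringMatch, but the Value line stays Folder name/ and the [Notes] paragraph below it still describes listing objects "whose names start with Folder name/". Please state how StringMatch treats this value: if it compares the whole prefix, a list request for a prefix below the folder would not satisfy the condition, and if a wildcard is required the Value line should show it. Either align the [Notes] wording with the new operator or explain in the text why the operator changed.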
@ -58,16 +58,16 @@
</tbody> </tbody>
</table> </table>
</div> </div>
</p></li><li id="obs_40_0044__li1293324623719"><span>Click <strong id="obs_40_0044__b32951079577">OK</strong>. The custom policy is created.</span></li><li id="obs_40_0044__li81339157389"><span><a href="https://docs.otc.t-systems.com/en-us/usermanual/iam/iam_01_0030.html" target="_blank" rel="noopener noreferrer">Create a user group and assign permissions</a>.</span><p><p id="obs_40_0044__p1312812258417">Add the created custom policy to the user group by following the instructions in the IAM document.</p> </p></li><li id="obs_40_0044__li1293324623719"><span>Click <strong id="obs_40_0044__b165709613316">OK</strong>.</span></li><li id="obs_40_0044__li81339157389"><span><a href="https://docs.otc.t-systems.com/en-us/usermanual/iam/iam_01_0030.html" target="_blank" rel="noopener noreferrer">Create a user group and assign permissions</a>.</span><p><p id="obs_40_0044__p1312812258417">Apply the created custom policy to the user group by following the instructions in the IAM document.</p>
</p></li><li id="obs_40_0044__li12273529113919"><span>Add the IAM user you want to authorize to the created user group by referring to <a href="https://docs.otc.t-systems.com/en-us/usermanual/iam/iam_01_0031.html" target="_blank" rel="noopener noreferrer">Creating a User and Adding the User to a User Group</a>.</span><p><div class="note" id="obs_40_0044__note1402619155515"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="obs_40_0044__p37253183814">Due to data caching, it takes about 10 to 15 minutes for a custom policy to take effect after the authorization.</p> </p></li><li id="obs_40_0044__li12273529113919"><span><a href="https://docs.otc.t-systems.com/en-us/usermanual/iam/iam_01_0031.html" target="_blank" rel="noopener noreferrer">Add the IAM user you want to authorize to the created user group</a>.</span><p><div class="note" id="obs_40_0044__note1402619155515"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="obs_40_0044__p37253183814">Due to data caching, it takes about 10 to 15 minutes for a custom policy to take effect.</p>
</div></div> </div></div>
</p></li></ol> </p></li></ol>
</div> </div>
<div class="section" id="obs_40_0044__section15823527415"><h4 class="sectiontitle">Verification</h4><ol id="obs_40_0044__ol5278184513146"><li id="obs_40_0044__li027864581416"><span>Log in to OBS Console as an IAM user.</span></li><li id="obs_40_0044__li187691522131319"><span>In the bucket list, click bucket <strong id="obs_40_0044__b1120725410174">example-002</strong> to go to the overview page.</span><p><div class="note" id="obs_40_0044__note1582471119493"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="obs_40_0044__p78251911174916">After the configuration is complete, it is normal if the system still displays a message indicating that you do not have required permissions, because OBS Console also calls other APIs for advanced settings, but you can still perform the operations allowed on the folder.</p> <div class="section" id="obs_40_0044__section15823527415"><h4 class="sectiontitle">Verification</h4><ol id="obs_40_0044__ol5278184513146"><li id="obs_40_0044__li027864581416"><span>Log in to OBS Console as an IAM user.</span></li><li id="obs_40_0044__li187691522131319"><span>In the bucket list, click bucket <strong id="obs_40_0044__b1120725410174">example-002</strong> to go to the <strong id="obs_40_0044__b860791133215">Overview</strong> page.</span><p><div class="note" id="obs_40_0044__note1582471119493"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="obs_40_0044__p78251911174916">After the configuration is complete, it is normal if the system still displays a message indicating that you do not have required permissions, because OBS Console also calls other APIs for advanced settings, but you can still perform the operations allowed on the folder.</p>
</div></div> </div></div>
</p></li><li id="obs_40_0044__li11765154017509"><span>In the navigation pane, select <strong id="obs_40_0044__b430811332119">Objects</strong>. It is normal that a message indicating no permission is displayed and no object can be viewed.</span><p><div class="note" id="obs_40_0044__note3156142165415"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="obs_40_0044__p141561321195411">The reason why there is no required permission is that listing objects on OBS Console is to list objects in the root folder. This rule does not match the configured custom policy for listing objects in folder <strong id="obs_40_0044__b13188125619298">folder-001/</strong>.</p> </p></li><li id="obs_40_0044__li11765154017509"><span>In the navigation pane, select <strong id="obs_40_0044__b430811332119">Objects</strong>. If a message indicating no sufficient is available and no object can be viewed, ignore the message and continue with the operations.</span><p><div class="note" id="obs_40_0044__note3156142165415"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="obs_40_0044__p141561321195411">The reason why there is no required permission is that listing objects on OBS Console is to list objects in the root folder. This is different from the configured custom policy (listing objects in folder <strong id="obs_40_0044__b13188125619298">folder-001/</strong>).</p>
</div></div> </div></div>
</p></li><li id="obs_40_0044__li7706170175111"><span>In the search box, enter <strong id="obs_40_0044__b1593118142616">folder-001/</strong> to view the list of objects in <strong id="obs_40_0044__b182861144132616">folder-001</strong>. Objects <strong id="obs_40_0044__b1273081272711">222.txt</strong> and <strong id="obs_40_0044__b18722131532719">111.txt</strong> are displayed.</span></li><li id="obs_40_0044__li584842925718"><span>Click <strong id="obs_40_0044__b12655185116331">Create Folder</strong> to create folder <strong id="obs_40_0044__b185938552336">folder-002</strong>.</span></li><li id="obs_40_0044__li1629212395918"><span>Click <strong id="obs_40_0044__b587712754116">Upload Object</strong> to upload file <strong id="obs_40_0044__b11764182154111">333.txt</strong>.</span><p><div class="note" id="obs_40_0044__note127411448185420"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="obs_40_0044__p137411348205417">If some other permissions are required, hover your cursor over the username and choose <strong id="obs_40_0044__b1419118113463">Identity and Access Management</strong> &gt; <strong id="obs_40_0044__b16592553462">Permissions</strong>, and then repeat the operations above to configure custom policies as needed.</p> </p></li><li id="obs_40_0044__li7706170175111"><span>In the search box, enter <strong id="obs_40_0044__b1593118142616">folder-001/</strong> to view the list of objects in <strong id="obs_40_0044__b182861144132616">folder-001</strong>. 
Objects <strong id="obs_40_0044__b1273081272711">222.txt</strong> and <strong id="obs_40_0044__b18722131532719">111.txt</strong> are displayed.</span></li><li id="obs_40_0044__li584842925718"><span>Click <strong id="obs_40_0044__b12655185116331">Create Folder</strong> to create folder <strong id="obs_40_0044__b185938552336">folder-002</strong>.</span></li><li id="obs_40_0044__li1629212395918"><span>Click <strong id="obs_40_0044__b587712754116">Upload Object</strong> to upload file <strong id="obs_40_0044__b11764182154111">333.txt</strong>.</span><p><div class="note" id="obs_40_0044__note127411448185420"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="obs_40_0044__p137411348205417">If some other permissions are required, hover over the username and choose <strong id="obs_40_0044__b1419118113463">Identity and Access Management</strong> &gt; <strong id="obs_40_0044__b16592553462">Permissions</strong>, and then repeat the operations above to configure custom policies as needed.</p>
</div></div> </div></div>
</p></li></ol> </p></li></ol>
</div> </div>
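Review bot: The new wording of the Objects step under Verification is missing a word: "If a message indicating no sufficient is available and no object can be viewed" should read along the lines of "If a message indicating insufficient permissions is displayed and no object can be viewed". The note that follows still opens with "The reason why there is no required permission", so use the same term for the message in both places.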