forked from docs/doc-exports
Reviewed-by: Sabelnikov, Dmitriy <dmitriy.sabelnikov@t-systems.com> Co-authored-by: zhangyue <zhangyue164@huawei.com> Co-committed-by: zhangyue <zhangyue164@huawei.com>
<a name="obs_40_0017"></a>
<h1 class="topictitle1">Granting an IAM User the Read Permissions on Specific Objects</h1>
<div id="body1588765301378"><div class="section" id="obs_40_0017__section43491717165116"><h4 class="sectiontitle">Scenario</h4><p id="obs_40_0017__p3431154410448">This topic describes how to grant an IAM user the read permissions on an object or a set of objects in an OBS bucket.</p>
</div>
<div class="section" id="obs_40_0017__section106520378518"><h4 class="sectiontitle">Recommended Configuration</h4><p id="obs_40_0017__p103657437515">To grant resource-level permissions to an IAM user, use a bucket policy.</p>
</div>
<div class="section" id="obs_40_0017__section786219432319"><h4 class="sectiontitle">Precautions</h4><p id="obs_40_0017__p817120327254">After this configuration, the IAM user can download the specified objects through the API. However, if they try to download an object from OBS Console or OBS Browser+, a message is displayed indicating that they do not have the required permissions.</p>
<p id="obs_40_0017__p268581111517">This is because when they log in to OBS Console or OBS Browser+, the <strong id="obs_40_0017__b1397294793312">ListAllMyBuckets</strong> API is called to load the bucket list, and other pages call further APIs. The bucket policy does not grant these permissions, so the message is displayed.</p>
<p id="obs_40_0017__p7807163365117">If you want an IAM user to perform read operations on OBS Console or OBS Browser+, you need to configure custom IAM policies by referring to <a href="#obs_40_0017__section220405220511">Follow-up Procedure</a>.</p>
</div>
<div class="section" id="obs_40_0017__section18368164564"><h4 class="sectiontitle">Procedure</h4><ol id="obs_40_0017__ol170633855216"><li id="obs_40_0017__li724955124912"><span>In the navigation pane of OBS Console, choose <strong id="obs_40_0017__b16597141685817">Object Storage</strong>.</span></li><li id="obs_40_0017__li32491951194912"><span>In the bucket list, click the name of the bucket you want to configure to go to its <strong id="obs_40_0017__b9870182015355">Overview</strong> page.</span></li><li id="obs_40_0017__li5249145194918"><span>In the navigation pane, choose <strong id="obs_40_0017__b3163980319046">Permissions</strong>.</span></li><li id="obs_40_0017__li1568715376490"><span>On the <strong id="obs_40_0017__b1547546924114540">Bucket Policies</strong> page, click <strong id="obs_40_0017__b541037169114540">Create Bucket Policy</strong> under <strong id="obs_40_0017__b806325171114540">Custom Bucket Policies</strong>.</span></li><li id="obs_40_0017__li3552175452220"><span>Configure a bucket policy.</span><p><div class="fignone" id="obs_40_0017__fig105401899251"><span class="figcap"><b>Figure 1 </b>Configuring a bucket policy</span><br><span><img id="obs_40_0017__image1154299192512" src="en-us_image_0000001385525368.png"></span></div>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="obs_40_0017__table374341792315" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Parameters for creating a bucket policy</caption><thead align="left"><tr id="obs_40_0017__row27504174239"><th align="left" class="cellrowborder" valign="top" width="23.82%" id="mcps1.3.4.2.5.2.2.2.3.1.1"><p id="obs_40_0017__p107559176234"><strong id="obs_40_0017__b400363316114540">Parameter</strong></p>
</th>
<th align="left" class="cellrowborder" valign="top" width="76.18%" id="mcps1.3.4.2.5.2.2.2.3.1.2"><p id="obs_40_0017__p1976317170239"><strong id="obs_40_0017__b1262942140114540">Description</strong></p>
</th>
</tr>
</thead>
<tbody><tr id="obs_40_0017__row1246385816164"><td class="cellrowborder" valign="top" width="23.82%" headers="mcps1.3.4.2.5.2.2.2.3.1.1 "><p id="obs_40_0017__p04631584161">Policy Mode</p>
</td>
<td class="cellrowborder" valign="top" width="76.18%" headers="mcps1.3.4.2.5.2.2.2.3.1.2 "><p id="obs_40_0017__p19463175819166">Select <strong id="obs_40_0017__b19169193982917">Read-only</strong>.</p>
</td>
</tr>
<tr id="obs_40_0017__row8783617122317"><td class="cellrowborder" valign="top" width="23.82%" headers="mcps1.3.4.2.5.2.2.2.3.1.1 "><p id="obs_40_0017__p478519172231">Principal</p>
</td>
<td class="cellrowborder" valign="top" width="76.18%" headers="mcps1.3.4.2.5.2.2.2.3.1.2 "><ul id="obs_40_0017__ul1341145419174"><li id="obs_40_0017__li1024761941819">Choose <strong id="obs_40_0017__b18642175541516">Include</strong> > <strong id="obs_40_0017__b5643455151518">Cloud service user</strong>.</li><li id="obs_40_0017__li4245545161814"><strong id="obs_40_0017__b112501158121513">Account ID</strong>: Enter one account ID only, or enter an asterisk (*) to indicate that the policy takes effect on all users (including both registered and anonymous users).</li><li id="obs_40_0017__li1703812151919"><strong id="obs_40_0017__b12194150131618">User ID</strong>: Enter one or more user IDs separated by a comma (,).</li></ul>
</td>
</tr>
<tr id="obs_40_0017__row081741752319"><td class="cellrowborder" valign="top" width="23.82%" headers="mcps1.3.4.2.5.2.2.2.3.1.1 "><p id="obs_40_0017__p15821617102320">Resources</p>
</td>
<td class="cellrowborder" valign="top" width="76.18%" headers="mcps1.3.4.2.5.2.2.2.3.1.2 "><ul id="obs_40_0017__ul7274173411710"><li id="obs_40_0017__li260555313171"><strong id="obs_40_0017__b1620144468114540">Include</strong></li><li id="obs_40_0017__li1338101719199"><strong id="obs_40_0017__b161193814258">Resource Name</strong>: Enter the object or the set of objects that will be accessed.<p id="obs_40_0017__p12830717162315">For one object, enter <em id="obs_40_0017__i1594518488260">object name</em>.</p>
<p id="obs_40_0017__p68341917112319">For a set of objects, enter <em id="obs_40_0017__i126331992468">object name prefix + *, * + object name suffix, or *</em>.</p>
</li></ul>
</td>
</tr>
</tbody>
</table>
</div>
</p></li><li id="obs_40_0017__li4406132611218"><span>Click <strong id="obs_40_0017__b682380655114540">OK</strong>.</span></li></ol>
</div>
<div class="section" id="obs_40_0017__section220405220511"><a name="obs_40_0017__section220405220511"></a><a name="section220405220511"></a><h4 class="sectiontitle">Follow-up Procedure</h4><p id="obs_40_0017__p349115115368">To perform read operations on OBS Console or OBS Browser+, you must add the <strong id="obs_40_0017__b167361655103520">obs:bucket:ListAllMyBuckets</strong> (for listing buckets) and <strong id="obs_40_0017__b1351213017361">obs:bucket:ListBucket</strong> (for listing objects in a bucket) permissions to the custom IAM policy.</p>
<div class="note" id="obs_40_0017__note5566228165219"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="obs_40_0017__p256692825216"><strong id="obs_40_0017__b1645510352914">obs:bucket:ListAllMyBuckets</strong> applies to all resources, while <strong id="obs_40_0017__b745513319291">obs:bucket:ListBucket</strong> applies only to the authorized bucket. Therefore, you need to add these two permissions to the policy.</p>
</div></div>
<ol id="obs_40_0017__ol8623195417319"><li id="obs_40_0017__obs_40_0015_li10432131493113"><span>Log in to the management console using a cloud service account.</span></li><li id="obs_40_0017__obs_40_0015_li625685643115"><span>On the top menu bar, choose <strong id="obs_40_0017__obs_40_0015_b1624185733610">Service List</strong> > <strong id="obs_40_0017__obs_40_0015_b112511573364">Management & Deployment</strong> > <strong id="obs_40_0017__obs_40_0015_b17257573368">Identity and Access Management</strong>.</span></li><li id="obs_40_0017__obs_40_0015_li1848615103345"><span>In the navigation pane, choose <strong id="obs_40_0017__obs_40_0015_b757714919113">Permissions</strong>.</span></li><li id="obs_40_0017__obs_40_0015_li1388483016366"><span>Click <strong id="obs_40_0017__obs_40_0015_b118613715375">Create Custom Policy</strong> in the upper right corner.</span></li><li id="obs_40_0017__obs_40_0015_li1161395452712"><span>Configure a custom policy.</span><p><div class="fignone" id="obs_40_0017__obs_40_0015_fig1814219521628"><span class="figcap"><b>Figure 2 </b>Configuring a custom policy</span><br><span><img id="obs_40_0017__obs_40_0015_image101432052622" src="en-us_image_0000001385676688.png"></span></div>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="obs_40_0017__obs_40_0015_table6375112782815" frame="border" border="1" rules="all"><caption><b>Table 2 </b>Parameters for configuring a custom policy</caption><thead align="left"><tr id="obs_40_0017__obs_40_0015_row6375927132818"><th align="left" class="cellrowborder" valign="top" width="24.79%" id="mcps1.3.5.4.5.2.2.2.3.1.1"><p id="obs_40_0017__obs_40_0015_p23757272286"><strong id="obs_40_0017__obs_40_0015_b68930084110101">Parameter</strong></p>
</th>
<th align="left" class="cellrowborder" valign="top" width="75.21%" id="mcps1.3.5.4.5.2.2.2.3.1.2"><p id="obs_40_0017__obs_40_0015_p63751027152820"><strong id="obs_40_0017__obs_40_0015_b186447081110101">Description</strong></p>
</th>
</tr>
</thead>
<tbody><tr id="obs_40_0017__obs_40_0015_row17375102752819"><td class="cellrowborder" valign="top" width="24.79%" headers="mcps1.3.5.4.5.2.2.2.3.1.1 "><p id="obs_40_0017__obs_40_0015_p1737572772816">Policy Name</p>
</td>
<td class="cellrowborder" valign="top" width="75.21%" headers="mcps1.3.5.4.5.2.2.2.3.1.2 "><p id="obs_40_0017__obs_40_0015_p83758278280">Enter a policy name.</p>
</td>
</tr>
<tr id="obs_40_0017__obs_40_0015_row1937592712288"><td class="cellrowborder" valign="top" width="24.79%" headers="mcps1.3.5.4.5.2.2.2.3.1.1 "><p id="obs_40_0017__obs_40_0015_p173753272284">Policy View</p>
</td>
<td class="cellrowborder" valign="top" width="75.21%" headers="mcps1.3.5.4.5.2.2.2.3.1.2 "><p id="obs_40_0017__obs_40_0015_p17375102714285">Select whichever view you prefer. <strong id="obs_40_0017__obs_40_0015_b8703205911914">Visual editor</strong> is used in this example.</p>
</td>
</tr>
<tr id="obs_40_0017__obs_40_0015_row133751227142812"><td class="cellrowborder" valign="top" width="24.79%" headers="mcps1.3.5.4.5.2.2.2.3.1.1 "><p id="obs_40_0017__obs_40_0015_p203751027172816">Policy Content</p>
</td>
<td class="cellrowborder" valign="top" width="75.21%" headers="mcps1.3.5.4.5.2.2.2.3.1.2 "><p id="obs_40_0017__obs_40_0015_p1928318374535">[Permission 1]</p>
<ul id="obs_40_0017__obs_40_0015_ul312618263319"><li id="obs_40_0017__obs_40_0015_li112652673110">Select <strong id="obs_40_0017__obs_40_0015_b1442421510101">Allow</strong>.</li><li id="obs_40_0017__obs_40_0015_li1952919359">Select <strong id="obs_40_0017__obs_40_0015_b1420920813562">Object Storage Service (OBS)</strong>.</li><li id="obs_40_0017__obs_40_0015_li813512281313">Select <strong id="obs_40_0017__obs_40_0015_b727714444551">obs:bucket:ListAllMyBuckets</strong> from the actions.</li><li id="obs_40_0017__obs_40_0015_li1991741116547">Select <strong id="obs_40_0017__obs_40_0015_b823218256422">All</strong> for resources.</li></ul>
<p id="obs_40_0017__obs_40_0015_p148511375414">[Permission 2]</p>
<ul id="obs_40_0017__obs_40_0015_ul127691549205313"><li id="obs_40_0017__obs_40_0015_li167691496533">Select <strong id="obs_40_0017__obs_40_0015_b49081477010101">Allow</strong>.</li><li id="obs_40_0017__obs_40_0015_li1676910494536">Select <strong id="obs_40_0017__obs_40_0015_b2053811501566">Object Storage Service (OBS)</strong>.</li><li id="obs_40_0017__obs_40_0015_li18769949195314">Select <strong id="obs_40_0017__obs_40_0015_b1869165519563">obs:bucket:ListBucket</strong> from the actions.</li><li id="obs_40_0017__obs_40_0015_li77691949175310">Select <strong id="obs_40_0017__obs_40_0015_b14645193125717">Specific</strong> for <strong id="obs_40_0017__obs_40_0015_b1424511203473">Resources</strong> and select <strong id="obs_40_0017__obs_40_0015_b12150205824715">Specify resource path</strong> for <strong id="obs_40_0017__obs_40_0015_b9449403471">Bucket</strong>. Click <strong id="obs_40_0017__obs_40_0015_b3143112410489">Add Resource Path</strong>. Enter the bucket name in the <strong id="obs_40_0017__obs_40_0015_b4841111134916">Path</strong> text box so that the policy applies only to this bucket.</li></ul>
</td>
</tr>
<tr id="obs_40_0017__obs_40_0015_row81414412509"><td class="cellrowborder" valign="top" width="24.79%" headers="mcps1.3.5.4.5.2.2.2.3.1.1 "><p id="obs_40_0017__obs_40_0015_p83756273285">Scope</p>
</td>
<td class="cellrowborder" valign="top" width="75.21%" headers="mcps1.3.5.4.5.2.2.2.3.1.2 "><p id="obs_40_0017__obs_40_0015_p1037542711283">Use the default value <strong id="obs_40_0017__obs_40_0015_b137650311419">Global services</strong>.</p>
</td>
</tr>
</tbody>
</table>
</div>
</p></li><li id="obs_40_0017__obs_40_0015_li1293324623719"><span>Click <strong id="obs_40_0017__obs_40_0015_b117724509310101">OK</strong>.</span></li><li id="obs_40_0017__obs_40_0015_li81339157389"><span><a href="https://docs.otc.t-systems.com/en-us/usermanual/iam/iam_01_0030.html" target="_blank" rel="noopener noreferrer">Create a user group and assign permissions</a>.</span><p><p id="obs_40_0017__obs_40_0015_p1312812258417">Apply the created custom policy to the user group by following the instructions in the IAM document.</p>
</p></li><li id="obs_40_0017__obs_40_0015_li12273529113919"><span><a href="https://docs.otc.t-systems.com/en-us/usermanual/iam/iam_01_0031.html" target="_blank" rel="noopener noreferrer">Add the IAM user you want to authorize to the created user group</a>.</span><p><div class="note" id="obs_40_0017__obs_40_0015_note1402619155515"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="obs_40_0017__obs_40_0015_p37253183814">Due to data caching, it takes about 10 to 15 minutes for a custom policy to take effect.</p>
</div></div>
</p></li></ol>
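<p>The following Python snippet is an added example, not code from the OBS documentation or from the OBS service itself. It models the two layers this topic configures, the read-only bucket policy from Table 1 and the custom IAM policy from Table 2, as simplified dictionaries; the bucket name, account and user IDs, and the action list are assumptions, so the point is to check what the user can read, and why console access still needs the two extra IAM permissions, before credentials are handed out.</p>

```python
# Added example (not OBS documentation code): a small model of the two authorization
# layers this topic configures, to check what an IAM user can do before handing out
# credentials. The dict shapes are simplifications of the real OBS/IAM policy JSON.

# Constructed Table 1 bucket policy: Read-only mode, one user, "reports/" prefix.
BUCKET_POLICY = {
    "bucket": "example-bucket",
    "statements": [{
        "effect": "Allow",
        "principal": {"account": "ACCOUNT_ID_PLACEHOLDER", "users": ["USER_ID_1"]},
        "actions": ["GetObject", "GetObjectVersion", "GetObjectAcl"],  # assumed Read-only set
        "resources": ["reports/*"],  # "object name prefix + *" from Table 1
    }],
}
# Constructed Table 2 custom IAM policy (Follow-up Procedure).
IAM_POLICY = [
    {"action": "obs:bucket:ListAllMyBuckets", "resource": "*"},
    {"action": "obs:bucket:ListBucket", "resource": "example-bucket"},
]

def resource_matches(pattern, name):
    """Match an object name as Table 1 describes: exact name, prefix*, *suffix or *."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return name.startswith(pattern[:-1])
    if pattern.startswith("*"):
        return name.endswith(pattern[1:])
    return pattern == name

def bucket_policy_allows(policy, account, user, action, obj):
    """True if an Allow statement covers this principal, action and object."""
    for st in policy["statements"]:
        p = st["principal"]
        principal_ok = p["account"] == "*" or (p["account"] == account and user in p["users"])
        if (principal_ok and action in st["actions"]
                and any(resource_matches(r, obj) for r in st["resources"])):
            return st["effect"] == "Allow"
    return False

def console_listing_allowed(iam_policy, bucket):
    """Console path from Precautions: needs ListAllMyBuckets on all resources plus ListBucket."""
    def has(action, target):
        return any(s["action"] == action and s["resource"] in ("*", target) for s in iam_policy)
    return has("obs:bucket:ListAllMyBuckets", "*") and has("obs:bucket:ListBucket", bucket)

def grants_anonymous_read(policy):
    """Audit check: an account ID of '*' means every user, anonymous ones included."""
    return any(st["principal"]["account"] == "*" and st["effect"] == "Allow"
               for st in policy["statements"])
```

The bucket policy alone answers object downloads through the API; <code>console_listing_allowed</code> returns False for an empty IAM policy, which is exactly the permission message the Precautions section describes.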
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="obs_40_0013.html">Granting Permissions to an IAM User Under the Account</a></div>
</div>
</div>