Reviewed-by: Sabelnikov, Dmitriy <dmitriy.sabelnikov@t-systems.com> Co-authored-by: zhangyue <zhangyue164@huawei.com> Co-committed-by: zhangyue <zhangyue164@huawei.com>
<a name="obs_40_0025"></a><a name="obs_40_0025"></a>
<h1 class="topictitle1">Granting Other Accounts the Read/Write Permission for a Bucket</h1>
<div id="body1588765301379"><div class="section" id="obs_40_0025__section43491717165116"><h4 class="sectiontitle">Scenario</h4><p id="obs_40_0025__p3431154410448">This topic describes how to grant other accounts (excluding the IAM users under them) the read/write permission for OBS buckets. For details about how to grant permissions to an IAM user, see <a href="obs_40_0027.html">Granting IAM Users Under an Account the Access to a Bucket and the Resources in It</a>.</p>
</div>
<div class="section" id="obs_40_0025__section106520378518"><h4 class="sectiontitle">Recommended Configuration</h4><p id="obs_40_0025__p103657437515">Use bucket policies to grant permissions to other accounts.</p>
</div>
<div class="section" id="obs_40_0025__section786219432319"><h4 class="sectiontitle">Precautions</h4>
<p id="obs_40_0025__p16477101313289">After the configuration is complete, the authorized account can perform read and write operations (upload, download, or delete all objects in a bucket) by using APIs or by adding external buckets through OBS Browser+. Currently, access to buckets of other accounts is not allowed on OBS Console.</p>
<p id="obs_40_0025__p119511212513">When you use OBS Browser+ to access the added external bucket, a message may still be displayed indicating that you do not have required permissions.</p>
<p id="obs_40_0025__p8321172512317">Error cause: Loading the bucket details page in OBS Browser+ invokes other OBS APIs that the read and write permissions do not cover. As a result, the message "Access denied. Check the response permission" or "This operation is not allowed on the requested resource" is displayed. The existing permissions are not affected.</p>
</div>
<div class="section" id="obs_40_0025__section18368164564"><h4 class="sectiontitle">Procedure</h4><ol id="obs_40_0025__ol170633855216"><li id="obs_40_0025__li724955124912"><span>In the navigation pane of OBS Console, choose <strong id="obs_40_0025__b189344278589">Object Storage</strong>.</span></li><li id="obs_40_0025__li32491951194912"><span>In the bucket list, click the name of the bucket you want to configure to go to its <strong id="obs_40_0025__b99118241123829">Overview</strong> page.</span></li><li id="obs_40_0025__li5249145194918"><span>In the navigation pane, choose <strong id="obs_40_0025__b10549556669050">Permissions</strong>.</span></li><li id="obs_40_0025__li1568715376490"><span>On the <strong id="obs_40_0025__b147605057051039">Bucket Policies</strong> page, click <strong id="obs_40_0025__b195674331451039">Create Bucket Policy</strong> under <strong id="obs_40_0025__b122537408951039">Custom Bucket Policies</strong>.</span></li><li id="obs_40_0025__li3552175452220"><span>Configure a bucket policy.</span><p><div class="fignone" id="obs_40_0025__fig1852718391218"><span class="figcap"><b>Figure 1 </b>Configuring a bucket policy</span><br><span><img id="obs_40_0025__image25281839172119" src="en-us_image_0000001436140385.png"></span></div>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="obs_40_0025__table374341792315" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Parameters for creating a bucket policy</caption><thead align="left"><tr id="obs_40_0025__row27504174239"><th align="left" class="cellrowborder" valign="top" width="26.88%" id="mcps1.3.4.2.5.2.2.2.3.1.1"><p id="obs_40_0025__p107559176234"><strong id="obs_40_0025__b126898518751039">Parameter</strong></p>
</th>
<th align="left" class="cellrowborder" valign="top" width="73.11999999999999%" id="mcps1.3.4.2.5.2.2.2.3.1.2"><p id="obs_40_0025__p1976317170239"><strong id="obs_40_0025__b100980153351039">Description</strong></p>
</th>
</tr>
</thead>
<tbody><tr id="obs_40_0025__row1246385816164"><td class="cellrowborder" valign="top" width="26.88%" headers="mcps1.3.4.2.5.2.2.2.3.1.1 "><p id="obs_40_0025__p04631584161">Policy Mode</p>
</td>
<td class="cellrowborder" valign="top" width="73.11999999999999%" headers="mcps1.3.4.2.5.2.2.2.3.1.2 "><p id="obs_40_0025__p19463175819166">Select <strong id="obs_40_0025__b26857255751039">Read and write</strong>.</p>
</td>
</tr>
<tr id="obs_40_0025__row8783617122317"><td class="cellrowborder" valign="top" width="26.88%" headers="mcps1.3.4.2.5.2.2.2.3.1.1 "><p id="obs_40_0025__p478519172231">Principal</p>
</td>
<td class="cellrowborder" valign="top" width="73.11999999999999%" headers="mcps1.3.4.2.5.2.2.2.3.1.2 "><ul id="obs_40_0025__ul1341145419174"><li id="obs_40_0025__li6417546174">Select <strong id="obs_40_0025__b599782418303">Include</strong> > <strong id="obs_40_0025__b8969142863011">Other account</strong>.</li><li id="obs_40_0025__li4253125801711"><strong id="obs_40_0025__b971085145016">Account ID</strong>: Enter the ID of the account which you want to grant permissions to. You can obtain it from the <strong id="obs_40_0025__b2710195119509">My Credentials</strong> page of the account.</li><li id="obs_40_0025__li1530533711817"><strong id="obs_40_0025__b17887923204714">User ID</strong>: Enter the account ID. You can obtain it from the <strong id="obs_40_0025__b789213237479">My Credentials</strong> page of the account.<div class="note" id="obs_40_0025__note8498202544611"><span class="notetitle"> NOTE: </span><div class="notebody"><p id="obs_40_0025__p15498192594615">In this example, permissions are granted to an account, excluding any IAM user under the account. Therefore, the user ID is the same as the account ID.</p>
</div></div>
</li></ul>
</td>
</tr>
<tr id="obs_40_0025__row081741752319"><td class="cellrowborder" valign="top" width="26.88%" headers="mcps1.3.4.2.5.2.2.2.3.1.1 "><p id="obs_40_0025__p15821617102320">Resources</p>
</td>
<td class="cellrowborder" valign="top" width="73.11999999999999%" headers="mcps1.3.4.2.5.2.2.2.3.1.2 "><ul id="obs_40_0025__ul7274173411710"><li id="obs_40_0025__li260555313171"><strong id="obs_40_0025__b143684652951039">Include</strong></li><li id="obs_40_0025__li1338101719199">Resource Name: Enter *.</li></ul>
</td>
</tr>
</tbody>
</table>
</div>
</p></li><li id="obs_40_0025__li4406132611218"><span>Click <strong id="obs_40_0025__b85420007751039">OK</strong>.</span></li><li id="obs_40_0025__li2201036121111"><span>(Optional) Click <strong id="obs_40_0025__b1325710565310">Create Bucket Policy</strong> again.</span><p><p id="obs_40_0025__p1299963512116">If the authorized account wants to access the OBS bucket on OBS Browser+ by mounting an external bucket, you need to add a ListBucket permission.</p>
</p></li><li id="obs_40_0025__li1470617571214"><span>(Optional) Configure the ListBucket permission.</span><p><div class="fignone" id="obs_40_0025__fig12326103116234"><span class="figcap"><b>Figure 2 </b>Configuring the ListBucket permission</span><br><span><img id="obs_40_0025__image1132733113237" src="en-us_image_0000001435981085.png"></span></div>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="obs_40_0025__table3706135201215" frame="border" border="1" rules="all"><caption><b>Table 2 </b>Parameters for creating a bucket policy</caption><thead align="left"><tr id="obs_40_0025__row2070620591220"><th align="left" class="cellrowborder" valign="top" width="26.88%" id="mcps1.3.4.2.8.2.2.2.3.1.1"><p id="obs_40_0025__p1770714531211"><strong id="obs_40_0025__b124334919751039">Parameter</strong></p>
</th>
<th align="left" class="cellrowborder" valign="top" width="73.11999999999999%" id="mcps1.3.4.2.8.2.2.2.3.1.2"><p id="obs_40_0025__p47078561217"><strong id="obs_40_0025__b108334254751039">Description</strong></p>
</th>
</tr>
</thead>
<tbody><tr id="obs_40_0025__row3707105161213"><td class="cellrowborder" valign="top" width="26.88%" headers="mcps1.3.4.2.8.2.2.2.3.1.1 "><p id="obs_40_0025__p1270710541217">Policy Mode</p>
</td>
<td class="cellrowborder" valign="top" width="73.11999999999999%" headers="mcps1.3.4.2.8.2.2.2.3.1.2 "><p id="obs_40_0025__p1070720571218">Select <strong id="obs_40_0025__b51367155551039">Customized</strong>.</p>
</td>
</tr>
<tr id="obs_40_0025__row0282443111316"><td class="cellrowborder" valign="top" width="26.88%" headers="mcps1.3.4.2.8.2.2.2.3.1.1 "><p id="obs_40_0025__p1528214351316">Effect</p>
</td>
<td class="cellrowborder" valign="top" width="73.11999999999999%" headers="mcps1.3.4.2.8.2.2.2.3.1.2 "><p id="obs_40_0025__p628264361310">Select <strong id="obs_40_0025__b188863357851039">Allow</strong>.</p>
</td>
</tr>
<tr id="obs_40_0025__row27071453128"><td class="cellrowborder" valign="top" width="26.88%" headers="mcps1.3.4.2.8.2.2.2.3.1.1 "><p id="obs_40_0025__p9707195171215">Principal</p>
</td>
<td class="cellrowborder" valign="top" width="73.11999999999999%" headers="mcps1.3.4.2.8.2.2.2.3.1.2 "><ul id="obs_40_0025__ul1770715511217"><li id="obs_40_0025__li1070775131213">Select <strong id="obs_40_0025__b61874613215">Include</strong> > <strong id="obs_40_0025__b4436195773211">Other account</strong>.</li><li id="obs_40_0025__li117071512129"><strong id="obs_40_0025__b81141511505">Account ID</strong>: Enter the ID of the account which you want to grant permissions to. You can obtain it from the <strong id="obs_40_0025__b411513110505">My Credentials</strong> page of the account.</li><li id="obs_40_0025__li4707175171214"><strong id="obs_40_0025__b1177192470">User ID</strong>: Enter the account ID.<div class="note" id="obs_40_0025__note680731913472"><span class="notetitle"> NOTE: </span><div class="notebody"><p id="obs_40_0025__p148071719194710">In this example, permissions are granted to an account, excluding any IAM user under the account. Therefore, the user ID is the same as the account ID.</p>
</div></div>
</li></ul>
</td>
</tr>
<tr id="obs_40_0025__row187079581216"><td class="cellrowborder" valign="top" width="26.88%" headers="mcps1.3.4.2.8.2.2.2.3.1.1 "><p id="obs_40_0025__p47071520126">Resources</p>
</td>
<td class="cellrowborder" valign="top" width="73.11999999999999%" headers="mcps1.3.4.2.8.2.2.2.3.1.2 "><p id="obs_40_0025__p134612281416">Select <strong id="obs_40_0025__b22213759651039">Include</strong> > <strong id="obs_40_0025__b146271765051039">Entire bucket</strong>.</p>
</td>
</tr>
<tr id="obs_40_0025__row16898181610148"><td class="cellrowborder" valign="top" width="26.88%" headers="mcps1.3.4.2.8.2.2.2.3.1.1 "><p id="obs_40_0025__p989841691413">Actions</p>
</td>
<td class="cellrowborder" valign="top" width="73.11999999999999%" headers="mcps1.3.4.2.8.2.2.2.3.1.2 "><ul id="obs_40_0025__ul48235222144"><li id="obs_40_0025__li1182312214143"><strong id="obs_40_0025__b142321748551039">Include</strong></li><li id="obs_40_0025__li1533815258143"><strong id="obs_40_0025__b95857224810">Action Name</strong>: ListBucket</li></ul>
</td>
</tr>
</tbody>
</table>
</div>
</p></li><li id="obs_40_0025__li1940154881411"><span>(Optional) Click <strong id="obs_40_0025__b181981053184714">OK</strong>.</span></li></ol>
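<p>The following check is an added example, not part of the OBS documentation or tooling. It reviews a bucket policy document for grants to other accounts and reports accounts that received object read/write access without the optional ListBucket statement from the last steps. The JSON layout, the principal string form, the action names other than ListBucket, the bucket name, the account IDs and the function names are assumptions or placeholders.</p>

```python
import json

# Constructed sample policy, not exported from a real bucket. The JSON layout,
# the "domain/ACCOUNT:user/USER" principal form and every action name except
# ListBucket are assumptions made for this illustration.
SAMPLE = json.loads("""{"Statement": [
 {"Effect": "Allow",
  "Principal": {"ID": ["domain/acct-b-placeholder:user/acct-b-placeholder",
                       "domain/acct-c-placeholder:user/acct-c-placeholder"]},
  "Action": ["GetObject", "PutObject", "DeleteObject"],
  "Resource": ["example-bucket/*"]},
 {"Effect": "Allow",
  "Principal": {"ID": ["domain/acct-c-placeholder:user/acct-c-placeholder"]},
  "Action": ["ListBucket"],
  "Resource": ["example-bucket"]}]}""")


def _list(value):
    return value if isinstance(value, list) else [value]


def review_grants(policy, bucket, owner_account):
    """Summarise Allow grants to accounts other than the bucket owner."""
    grants = {}
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for pid in _list(stmt.get("Principal", {}).get("ID", [])):
            # Keep only the account part of the principal; "*" stays "*".
            account = pid.split(":")[0].split("/", 1)[-1]
            if account == owner_account:
                continue
            g = grants.setdefault(account, {"object_actions": set(), "can_list": False})
            for res in _list(stmt.get("Resource", [])):
                for act in _list(stmt.get("Action", [])):
                    if res == bucket and act in ("ListBucket", "*"):
                        g["can_list"] = True
                    elif res.startswith(bucket + "/"):
                        g["object_actions"].add(act)
    return grants


def findings(grants):
    out = []
    for account, g in sorted(grants.items()):
        if account == "*":
            out.append("*: grant is not limited to a named account")
        elif g["object_actions"] and not g["can_list"]:
            out.append(account + ": object access without ListBucket on the bucket")
    return out
```

<p>For the constructed sample, the only finding is the account that has object access but no ListBucket statement, which is the case where mounting the external bucket in OBS Browser+ needs the optional second policy.</p>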
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="obs_40_0024.html">Granting Permissions to Other Accounts</a></div>
</div>
</div>