doc-exports/docs/obs/perms-cfg/obs_40_0041.html
zhangyue 2c8baf104e OBS PERM DOC
Reviewed-by: Sabelnikov, Dmitriy <dmitriy.sabelnikov@t-systems.com>
Co-authored-by: zhangyue <zhangyue164@huawei.com>
Co-committed-by: zhangyue <zhangyue164@huawei.com>
2024-10-29 16:45:36 +00:00


<a name="obs_40_0041"></a><a name="obs_40_0041"></a>
<h1 class="topictitle1">Bucket Policy Parameters</h1>
<div id="body0000001132232227"><p class="msonormal" id="obs_40_0041__en-us_topic_0118394684_p6480821">A bucket policy in JSON format:</p>
<pre class="screen" id="obs_40_0041__en-us_topic_0118394684_screen1671243035119">{
"Statement" : [{
statement1
},
{
statement2
},
......
]
}</pre>
<div class="p" id="obs_40_0041__en-us_topic_0118394684_p578602465111">Example:<pre class="screen" id="obs_40_0041__en-us_topic_0118394684_screen19171223203611">{
"Statement" : [{
"Sid": "ExampleStatementID1",
"Principal": "*",
"Effect": "Allow",
"Action": ["ListBucket"],
"Resource": "examplebucket",
"Condition": "some conditions"
},
{
"Sid": "ExampleStatementID2",
"Principal": "*",
"Effect": "Allow",
"Action": ["PutObject"],
"Resource": "examplebucket/*",
"Condition": "some conditions"
},
......
]
}</pre>
</div>
<p class="msonormal" id="obs_40_0041__en-us_topic_0118394684_p26302712">A policy consists of one or more statements. Each statement contains the following elements:</p>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="obs_40_0041__en-us_topic_0118394684_table35397823" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Elements of a bucket policy statement</caption><thead align="left"><tr id="obs_40_0041__en-us_topic_0118394684_row21716226"><th align="left" class="cellrowborder" valign="top" width="16.33%" id="mcps1.3.5.2.4.1.1"><p id="obs_40_0041__en-us_topic_0118394684_p14183880">Element</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="62.239999999999995%" id="mcps1.3.5.2.4.1.2"><p id="obs_40_0041__en-us_topic_0118394684_p5283556">Description</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="21.43%" id="mcps1.3.5.2.4.1.3"><p id="obs_40_0041__en-us_topic_0118394684_p26507476">Mandatory/Optional</p>
</th>
</tr>
</thead>
<tbody><tr id="obs_40_0041__en-us_topic_0118394684_row66730779"><td class="cellrowborder" valign="top" width="16.33%" headers="mcps1.3.5.2.4.1.1 "><p id="obs_40_0041__en-us_topic_0118394684_p36484039">Sid</p>
</td>
<td class="cellrowborder" valign="top" width="62.239999999999995%" headers="mcps1.3.5.2.4.1.2 "><p id="obs_40_0041__en-us_topic_0118394684_p2417216">ID of the statement. The value is a string that describes the statement.</p>
</td>
<td class="cellrowborder" valign="top" width="21.43%" headers="mcps1.3.5.2.4.1.3 "><p id="obs_40_0041__en-us_topic_0118394684_p61576813">Optional</p>
</td>
</tr>
<tr id="obs_40_0041__en-us_topic_0118394684_row17320411"><td class="cellrowborder" valign="top" width="16.33%" headers="mcps1.3.5.2.4.1.1 "><p id="obs_40_0041__en-us_topic_0118394684_p60776050">Principal</p>
</td>
<td class="cellrowborder" valign="top" width="62.239999999999995%" headers="mcps1.3.5.2.4.1.2 "><p id="obs_40_0041__en-us_topic_0118394684_p23913009">Domains and users that a statement applies to. The value can be a wildcard (*), indicating all users. To grant permissions to all users in a domain, set <strong id="obs_40_0041__b1270895110351">Principal</strong> to <strong id="obs_40_0041__b1563416151391">domain/</strong><em id="obs_40_0041__i770855173518">domainid</em><strong id="obs_40_0041__b76352151395">:user/*</strong>. To grant permissions to a specific user in a domain, set <strong id="obs_40_0041__b1370955153513">Principal</strong> to <strong id="obs_40_0041__b1652552193913">domain/</strong><em id="obs_40_0041__i770919517355">domainid</em><strong id="obs_40_0041__b10131425133910">:user/</strong><em id="obs_40_0041__i3709145123513">userId</em> or <strong id="obs_40_0041__b111641281398">domain/</strong><em id="obs_40_0041__i10709151173519">domainid</em><strong id="obs_40_0041__b2206103093914">:user/</strong><em id="obs_40_0041__i13710851183518">userName</em>.</p>
</td>
<td class="cellrowborder" valign="top" width="21.43%" headers="mcps1.3.5.2.4.1.3 "><p id="obs_40_0041__en-us_topic_0118394684_p1708187">Optional. Select either <strong id="obs_40_0041__b335344343417">Principal</strong> or <strong id="obs_40_0041__b123561543103416">NotPrincipal</strong>.</p>
</td>
</tr>
<tr id="obs_40_0041__en-us_topic_0118394684_row15373683"><td class="cellrowborder" valign="top" width="16.33%" headers="mcps1.3.5.2.4.1.1 "><p id="obs_40_0041__en-us_topic_0118394684_p37308772">NotPrincipal</p>
</td>
<td class="cellrowborder" valign="top" width="62.239999999999995%" headers="mcps1.3.5.2.4.1.2 "><p id="obs_40_0041__en-us_topic_0118394684_p2111686">Users that the statement does not apply to. Its value has the same format as <strong id="obs_40_0041__b93347353439">Principal</strong>.</p>
</td>
<td class="cellrowborder" valign="top" width="21.43%" headers="mcps1.3.5.2.4.1.3 "><p id="obs_40_0041__en-us_topic_0118394684_p36828864">Optional. Select either <strong id="obs_40_0041__b6701151211415">NotPrincipal</strong> or <strong id="obs_40_0041__b77011127142">Principal</strong>.</p>
</td>
</tr>
<tr id="obs_40_0041__en-us_topic_0118394684_row63024326"><td class="cellrowborder" valign="top" width="16.33%" headers="mcps1.3.5.2.4.1.1 "><p id="obs_40_0041__en-us_topic_0118394684_p4696792">Action</p>
</td>
<td class="cellrowborder" valign="top" width="62.239999999999995%" headers="mcps1.3.5.2.4.1.2 "><p id="obs_40_0041__en-us_topic_0118394684_p44895895">Actions that the statement applies to. This parameter specifies a set of all the operations supported by OBS. Its values are case insensitive. The value can be a wildcard character (*) that indicates all operations. For example: <strong id="obs_40_0041__b1416574162611">"Action":["List*","Get*"]</strong>.</p>
</td>
<td class="cellrowborder" valign="top" width="21.43%" headers="mcps1.3.5.2.4.1.3 "><p id="obs_40_0041__en-us_topic_0118394684_p12688874">Optional. Select either <strong id="obs_40_0041__b269519307142">Action</strong> or <strong id="obs_40_0041__b769519302146">NotAction</strong>.</p>
</td>
</tr>
<tr id="obs_40_0041__en-us_topic_0118394684_row47091007"><td class="cellrowborder" valign="top" width="16.33%" headers="mcps1.3.5.2.4.1.1 "><p id="obs_40_0041__en-us_topic_0118394684_p56275212">NotAction</p>
</td>
<td class="cellrowborder" valign="top" width="62.239999999999995%" headers="mcps1.3.5.2.4.1.2 "><p id="obs_40_0041__en-us_topic_0118394684_p61998305">Actions that are not controlled by this statement. Its value has the same format as <strong id="obs_40_0041__b1797817478236">Action</strong>.</p>
</td>
<td class="cellrowborder" valign="top" width="21.43%" headers="mcps1.3.5.2.4.1.3 "><p id="obs_40_0041__en-us_topic_0118394684_p55806823">Optional. Select either <strong id="obs_40_0041__b17677201132412">Action</strong> or <strong id="obs_40_0041__b20677141102420">NotAction</strong>.</p>
</td>
</tr>
<tr id="obs_40_0041__en-us_topic_0118394684_row32499364"><td class="cellrowborder" valign="top" width="16.33%" headers="mcps1.3.5.2.4.1.1 "><p id="obs_40_0041__en-us_topic_0118394684_p15202805">Effect</p>
</td>
<td class="cellrowborder" valign="top" width="62.239999999999995%" headers="mcps1.3.5.2.4.1.2 "><p id="obs_40_0041__en-us_topic_0118394684_p23467724">Whether the permission in a statement is <strong id="obs_40_0041__b173465263109">Allow</strong> or <strong id="obs_40_0041__b173112711106">Deny</strong>.</p>
</td>
<td class="cellrowborder" valign="top" width="21.43%" headers="mcps1.3.5.2.4.1.3 "><p id="obs_40_0041__en-us_topic_0118394684_p21837454">Mandatory</p>
</td>
</tr>
<tr id="obs_40_0041__en-us_topic_0118394684_row62319364"><td class="cellrowborder" valign="top" width="16.33%" headers="mcps1.3.5.2.4.1.1 "><p id="obs_40_0041__en-us_topic_0118394684_p14703700">Resource</p>
</td>
<td class="cellrowborder" valign="top" width="62.239999999999995%" headers="mcps1.3.5.2.4.1.2 "><p id="obs_40_0041__en-us_topic_0118394684_p50149061">Resources that the statement will apply to. You can use a wildcard (*) to indicate all resources.</p>
</td>
<td class="cellrowborder" valign="top" width="21.43%" headers="mcps1.3.5.2.4.1.3 "><p id="obs_40_0041__en-us_topic_0118394684_p35542142">Optional. Select either <strong id="obs_40_0041__b167101454142714">Resource</strong> or <strong id="obs_40_0041__b37161954132710">NotResource</strong>.</p>
</td>
</tr>
<tr id="obs_40_0041__en-us_topic_0118394684_row51443830"><td class="cellrowborder" valign="top" width="16.33%" headers="mcps1.3.5.2.4.1.1 "><p id="obs_40_0041__en-us_topic_0118394684_p6200687">NotResource</p>
</td>
<td class="cellrowborder" valign="top" width="62.239999999999995%" headers="mcps1.3.5.2.4.1.2 "><p id="obs_40_0041__en-us_topic_0118394684_p32493637">Resources that the statement will not apply to. Its value has the same format as <strong id="obs_40_0041__b186015872818">Resource</strong>.</p>
</td>
<td class="cellrowborder" valign="top" width="21.43%" headers="mcps1.3.5.2.4.1.3 "><p id="obs_40_0041__en-us_topic_0118394684_p14738911">Optional. Select either <strong id="obs_40_0041__b151601317289">Resource</strong> or <strong id="obs_40_0041__b416014318283">NotResource</strong>.</p>
</td>
</tr>
<tr id="obs_40_0041__en-us_topic_0118394684_row65541337"><td class="cellrowborder" valign="top" width="16.33%" headers="mcps1.3.5.2.4.1.1 "><p id="obs_40_0041__en-us_topic_0118394684_p7248085">Condition</p>
</td>
<td class="cellrowborder" valign="top" width="62.239999999999995%" headers="mcps1.3.5.2.4.1.2 "><p id="obs_40_0041__en-us_topic_0118394684_p50224009">Conditions for the statement to take effect.</p>
</td>
<td class="cellrowborder" valign="top" width="21.43%" headers="mcps1.3.5.2.4.1.3 "><p id="obs_40_0041__en-us_topic_0118394684_p41612958">Optional</p>
</td>
</tr>
</tbody>
</table>
</div>
<div class="note" id="obs_40_0041__en-us_topic_0118394684_note38972308"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p class="text" id="obs_40_0041__en-us_topic_0118394684_p15206460">A statement must contain <strong id="obs_40_0041__b6244131833513">Action</strong> or <strong id="obs_40_0041__b102503182359">NotAction</strong>, <strong id="obs_40_0041__b525031893518">Resource</strong> or <strong id="obs_40_0041__b112515185357">NotResource</strong>, and <strong id="obs_40_0041__b172517184354">Principal</strong> or <strong id="obs_40_0041__b14251118103512">NotPrincipal</strong>.</p>
</div></div>
<div class="section" id="obs_40_0041__en-us_topic_0118394684_section5503115113418"><h4 class="sectiontitle">Principal/NotPrincipal</h4><p id="obs_40_0041__en-us_topic_0118394684_p1896975443412"><strong id="obs_40_0041__b773733315359">Principal</strong> or <strong id="obs_40_0041__b19738233153516">NotPrincipal</strong> can be anonymous users, specific tenants, specific users, federated users, or agencies.</p>
</div>
<ul id="obs_40_0041__en-us_topic_0118394684_ul11997279325"><li id="obs_40_0041__en-us_topic_0118394684_li919914277321">All (anonymous users)<pre class="screen" id="obs_40_0041__en-us_topic_0118394684_screen11878413">"Principal": {"ID": "*"}</pre>
<p id="obs_40_0041__en-us_topic_0118394684_p02001827163219">In the example, the wildcard (*) indicates Everyone/Anonymous. Do not use the wildcard for <strong id="obs_40_0041__b73498579379">Principal</strong> of the role's trust policy unless you have restricted access by using the <strong id="obs_40_0041__b8355165716373">Condition</strong> element in the policy.</p>
</li></ul>
<ul id="obs_40_0041__en-us_topic_0118394684_ul18200162773217"><li id="obs_40_0041__en-us_topic_0118394684_li15200162713322">Specific tenants<p id="obs_40_0041__en-us_topic_0118394684_p112007279329"><a name="obs_40_0041__en-us_topic_0118394684_li15200162713322"></a><a name="en-us_topic_0118394684_li15200162713322"></a>If a tenant identifier is used as the <strong id="obs_40_0041__b125241872614">Principal</strong> of a policy, permissions are granted to all users of this tenant. This includes all subscribers under the account. The following example shows how to specify an account as the principal.</p>
<pre class="screen" id="obs_40_0041__en-us_topic_0118394684_screen19670056163418">"Principal": { "ID": "domain/domainIdxxxx:user/*" }</pre>
<p id="obs_40_0041__en-us_topic_0118394684_p17200132793218">You can also grant permissions to multiple tenants at a time:</p>
<pre class="screen" id="obs_40_0041__en-us_topic_0118394684_screen11252153883617">"Principal": {
"ID": [
"domain/domainIDxx1:user/useridxxxx",
"domain/domainIDxx2:user/*"
]
}</pre>
</li></ul>
<ul id="obs_40_0041__en-us_topic_0118394684_ul8201027193218"><li id="obs_40_0041__en-us_topic_0118394684_li12013277323">Specific users<p id="obs_40_0041__en-us_topic_0118394684_p7201927173212"><a name="obs_40_0041__en-us_topic_0118394684_li12013277323"></a><a name="en-us_topic_0118394684_li12013277323"></a>User names in the <strong id="obs_40_0041__b99361919144513">Principal</strong> element are case-sensitive.</p>
<pre class="screen" id="obs_40_0041__en-us_topic_0118394684_screen7831174053613">"Principal": {"ID": "domain/domainIDxxx:user/user-name" }
"Principal": {
"ID": [
"domain/domainIDxxx:user/UserID1",
"domain/domainIDxxx:user/UserID2"
]
}</pre>
</li></ul>
<ul id="obs_40_0041__en-us_topic_0118394684_ul10202132719321"><li id="obs_40_0041__en-us_topic_0118394684_li620212753212">Federated users (using SAML identity provider)<pre class="screen" id="obs_40_0041__en-us_topic_0118394684_screen624312319373">"Principal": { "Federated": "domain/domainIDxxx:identity-provider/provider-name" }
"Principal": { "Federated": "domain/domainIDxxx:group/groupname" }</pre>
</li><li id="obs_40_0041__en-us_topic_0118394684_li1520213277321">Agencies<div class="p" id="obs_40_0041__p16356541512"><a name="obs_40_0041__en-us_topic_0118394684_li1520213277321"></a><a name="en-us_topic_0118394684_li1520213277321"></a><strong id="obs_40_0041__b1656710303351">*</strong> indicates all agencies of a tenant.<pre class="screen" id="obs_40_0041__screen17761165285118">"Principal": { "ID": "domain/domainIDxxx:agency/agencyname" }
"Principal": { "ID": "domain/domainIDxxx:agency/*" }</pre>
</div>
</li></ul>
<p id="obs_40_0041__p84772255592">The principals on OBS Console refer to the users that the bucket policies apply to. These users can be accounts, federated users or federated user groups, or IAM users. You can specify the principals to include or exclude.</p>
<ul id="obs_40_0041__ul108801826115212"><li id="obs_40_0041__li7880926165213"><strong id="obs_40_0041__b8689157194718">Include</strong>: The policy applies to specified users.</li><li id="obs_40_0041__li1488092635210"><strong id="obs_40_0041__b15966548194719">Exclude</strong>: The policy applies to users except the specified ones.</li></ul>
<p id="obs_40_0041__p13981044541"><strong id="obs_40_0041__b15754250115719">Specifying IAM users under the current account</strong></p>
<p id="obs_40_0041__p180315561844">You can set <strong id="obs_40_0041__b195153119474">Principal</strong> to <strong id="obs_40_0041__b1751611114478">Current account</strong> and select one or more IAM users under this account, so that the bucket policy applies to the selected IAM users.</p>
<p id="obs_40_0041__p12891650154713"><strong id="obs_40_0041__b95775202518">Specifying another account</strong></p>
<p id="obs_40_0041__p69291443104715">You can set <strong id="obs_40_0041__b4886225184814">Principal</strong> to <strong id="obs_40_0041__b2887162584819">Other account</strong>, enter an account ID, and then enter one or more user IDs to apply the bucket policy to only the IAM users under that account. You need to use commas (,) to separate user IDs.</p>
<div class="note" id="obs_40_0041__note81331511189"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="obs_40_0041__p18133185201812">To obtain the account ID and user ID, log in to the console as an IAM user and go to the <strong id="obs_40_0041__b46913501486">My Credentials</strong> page to obtain them.</p>
</div></div>
<p id="obs_40_0041__p13685381141"><strong id="obs_40_0041__b1425214111519">Specifying </strong><strong id="obs_40_0041__b92521211952">anonymous users</strong><strong id="obs_40_0041__b1025211858"></strong></p>
<p id="obs_40_0041__p2088114267528">To grant access to anyone, set <strong id="obs_40_0041__b12271754661">Principal</strong> to <strong id="obs_40_0041__b6345542618">Other account</strong> and enter a wildcard (*) as the account ID.</p>
<div class="notice" id="obs_40_0041__note198214105314"><span class="noticetitle"><img src="public_sys-resources/notice_3.0-en-us.png"> </span><div class="noticebody"><p id="obs_40_0041__p149831448536">Exercise caution when granting permissions to anonymous users. If you grant the permissions to anonymous users, anyone can access your bucket. You are advised to restrict access requests. For example, you can allow access only from a specific IP address.</p>
</div></div>
<div class="section" id="obs_40_0041__en-us_topic_0118394684_section1623516525350"><a name="obs_40_0041__en-us_topic_0118394684_section1623516525350"></a><a name="en-us_topic_0118394684_section1623516525350"></a><h4 class="sectiontitle">Action/NotAction</h4><p id="obs_40_0041__p205313416552">If a policy applies to a bucket, configure bucket-related actions. If the policy applies to the objects in a bucket, configure object-related actions.</p>
<p id="obs_40_0041__p77695354145">Actions can be specified in either of the following ways:</p>
<ul id="obs_40_0041__ul108291819152819"><li id="obs_40_0041__li100102451519"><strong id="obs_40_0041__b375145299">Include</strong>: The bucket policy applies to specified actions.</li><li id="obs_40_0041__li12829619172810"><strong id="obs_40_0041__b93501416142911">Exclude</strong>: The bucket policy applies to actions except the specified ones.</li></ul>
</div>
<p id="obs_40_0041__p2166204972813"><strong id="obs_40_0041__b7865849122419">Bucket Actions</strong></p>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="obs_40_0041__table13827194016555" frame="border" border="1" rules="all"><caption><b>Table 2 </b>Description of bucket-related actions</caption><thead align="left"><tr id="obs_40_0041__row85334118557"><th align="left" class="cellrowborder" valign="top" width="16.16%" id="mcps1.3.24.2.4.1.1"><p id="obs_40_0041__p195334120552">Type</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="30.220000000000002%" id="mcps1.3.24.2.4.1.2"><p id="obs_40_0041__p175354120557">Value</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="53.620000000000005%" id="mcps1.3.24.2.4.1.3"><p id="obs_40_0041__p1453144125511">Description</p>
</th>
</tr>
</thead>
<tbody><tr id="obs_40_0041__row453184117553"><td class="cellrowborder" rowspan="4" valign="top" width="16.16%" headers="mcps1.3.24.2.4.1.1 "><p id="obs_40_0041__p5531411558">General</p>
</td>
<td class="cellrowborder" valign="top" width="30.220000000000002%" headers="mcps1.3.24.2.4.1.2 "><p id="obs_40_0041__p453174113553">*</p>
</td>
<td class="cellrowborder" valign="top" width="53.620000000000005%" headers="mcps1.3.24.2.4.1.3 "><p id="obs_40_0041__p135334117553">Indicates all actions on a bucket.</p>
</td>
</tr>
<tr id="obs_40_0041__row1453124118553"><td class="cellrowborder" valign="top" headers="mcps1.3.24.2.4.1.1 "><p id="obs_40_0041__p15334135514">Get*</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.24.2.4.1.2 "><p id="obs_40_0041__p1153041155513">Indicates all GET actions on a bucket.</p>
</td>
</tr>
<tr id="obs_40_0041__row55304185517"><td class="cellrowborder" valign="top" headers="mcps1.3.24.2.4.1.1 "><p id="obs_40_0041__p1553124165517">Put*</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.24.2.4.1.2 "><p id="obs_40_0041__p13535414553">Indicates all PUT actions on a bucket.</p>
</td>
</tr>
<tr id="obs_40_0041__row1053184119554"><td class="cellrowborder" valign="top" headers="mcps1.3.24.2.4.1.1 "><p id="obs_40_0041__p853741105510">List*</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.24.2.4.1.2 "><p id="obs_40_0041__p653441185516">Indicates all LIST actions on a bucket.</p>
</td>
</tr>
<tr id="obs_40_0041__row1746441913813"><td class="cellrowborder" rowspan="19" valign="top" width="16.16%" headers="mcps1.3.24.2.4.1.1 "><p id="obs_40_0041__p15464419123810">Bucket</p>
</td>
<td class="cellrowborder" valign="top" width="30.220000000000002%" headers="mcps1.3.24.2.4.1.2 "><p id="obs_40_0041__p3597524183813">CreateBucket</p>
</td>
<td class="cellrowborder" valign="top" width="53.620000000000005%" headers="mcps1.3.24.2.4.1.3 "><p id="obs_40_0041__p17597424103818">Creates a bucket.</p>
</td>
</tr>
<tr id="obs_40_0041__row6531441135518"><td class="cellrowborder" valign="top" headers="mcps1.3.24.2.4.1.1 "><p id="obs_40_0041__p19531141125518">DeleteBucket</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.24.2.4.1.2 "><p id="obs_40_0041__p175384145515">Deletes a bucket.</p>
</td>
</tr>
<tr id="obs_40_0041__row1154041115519"><td class="cellrowborder" valign="top" headers="mcps1.3.24.2.4.1.1 "><p id="obs_40_0041__p9541741175510">ListBucket</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.24.2.4.1.2 "><p id="obs_40_0041__p1154134112551">Lists objects in a bucket, and obtains the bucket metadata.</p>
</td>
</tr>
<tr id="obs_40_0041__row95474110559"><td class="cellrowborder" valign="top" headers="mcps1.3.24.2.4.1.1 "><p id="obs_40_0041__p20541041185513">ListBucketVersions</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.24.2.4.1.2 "><p id="obs_40_0041__p1254144145510">Lists versioned objects in a bucket.</p>
</td>
</tr>
<tr id="obs_40_0041__row12542041195514"><td class="cellrowborder" valign="top" headers="mcps1.3.24.2.4.1.1 "><p id="obs_40_0041__p135413411555">ListBucketMultipartUploads</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.24.2.4.1.2 "><p id="obs_40_0041__p954184135510">Lists multipart upload tasks.</p>
</td>
</tr>
<tr id="obs_40_0041__row3541541155515"><td class="cellrowborder" valign="top" headers="mcps1.3.24.2.4.1.1 "><p id="obs_40_0041__p45474113559">GetBucketAcl</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.24.2.4.1.2 "><p id="obs_40_0041__p1545412557">Gets the ACL information of a bucket.</p>
</td>
</tr>
<tr id="obs_40_0041__row1541541125517"><td class="cellrowborder" valign="top" headers="mcps1.3.24.2.4.1.1 "><p id="obs_40_0041__p1854144125519">PutBucketAcl</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.24.2.4.1.2 "><p id="obs_40_0041__p185424175514">Configures ACL for a bucket.</p>
</td>
</tr>
<tr id="obs_40_0041__row19548412556"><td class="cellrowborder" valign="top" headers="mcps1.3.24.2.4.1.1 "><p id="obs_40_0041__p17546419559">GetBucketCORS</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.24.2.4.1.2 "><p id="obs_40_0041__p17545414556">Gets the CORS configuration of a bucket.</p>
</td>
</tr>
<tr id="obs_40_0041__row154174165511"><td class="cellrowborder" valign="top" headers="mcps1.3.24.2.4.1.1 "><p id="obs_40_0041__p13545418559">PutBucketCORS</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.24.2.4.1.2 "><p id="obs_40_0041__p1554341195517">Configures CORS for a bucket.</p>
</td>
</tr>
<tr id="obs_40_0041__row18541541155513"><td class="cellrowborder" valign="top" headers="mcps1.3.24.2.4.1.1 "><p id="obs_40_0041__p35424175510">GetBucketVersioning</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.24.2.4.1.2 "><p id="obs_40_0041__p25694120558">Gets the versioning information of a bucket.</p>
</td>
</tr>
<tr id="obs_40_0041__row1556124110550"><td class="cellrowborder" valign="top" headers="mcps1.3.24.2.4.1.1 "><p id="obs_40_0041__p256114114557">PutBucketVersioning</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.24.2.4.1.2 "><p id="obs_40_0041__p8561041165514">Configures versioning for a bucket.</p>
</td>
</tr>
<tr id="obs_40_0041__row1956174175518"><td class="cellrowborder" valign="top" headers="mcps1.3.24.2.4.1.1 "><p id="obs_40_0041__p105616414553">GetBucketLocation</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.24.2.4.1.2 "><p id="obs_40_0041__p65684195517">Gets the location of a bucket.</p>
</td>
</tr>
<tr id="obs_40_0041__row65694112559"><td class="cellrowborder" valign="top" headers="mcps1.3.24.2.4.1.1 "><p id="obs_40_0041__p19567419551">GetBucketLogging</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.24.2.4.1.2 "><p id="obs_40_0041__p20561941195520">Gets the logs of a bucket.</p>
</td>
</tr>
<tr id="obs_40_0041__row25624135520"><td class="cellrowborder" valign="top" headers="mcps1.3.24.2.4.1.1 "><p id="obs_40_0041__p8576412557">PutBucketLogging</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.24.2.4.1.2 "><p id="obs_40_0041__p65794105515">Configures logging for a bucket.</p>
</td>
</tr>
<tr id="obs_40_0041__row1457341125512"><td class="cellrowborder" valign="top" headers="mcps1.3.24.2.4.1.1 "><p id="obs_40_0041__p125714418556">GetBucketWebsite</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.24.2.4.1.2 "><p id="obs_40_0041__p145710418554">Obtains the static website configuration of a bucket.</p>
</td>
</tr>
<tr id="obs_40_0041__row135744120554"><td class="cellrowborder" valign="top" headers="mcps1.3.24.2.4.1.1 "><p id="obs_40_0041__p957184112553">PutBucketWebsite</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.24.2.4.1.2 "><p id="obs_40_0041__p1457154115555">Configures static website hosting for a bucket.</p>
</td>
</tr>
<tr id="obs_40_0041__row8571941185515"><td class="cellrowborder" valign="top" headers="mcps1.3.24.2.4.1.1 "><p id="obs_40_0041__p757164111551">DeleteBucketWebsite</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.24.2.4.1.2 "><p id="obs_40_0041__p11573417559">Cancels static website hosting for a bucket.</p>
</td>
</tr>
<tr id="obs_40_0041__row165719411553"><td class="cellrowborder" valign="top" headers="mcps1.3.24.2.4.1.1 "><p id="obs_40_0041__p1357104117554">GetLifecycleConfiguration</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.24.2.4.1.2 "><p id="obs_40_0041__p5581441145518">Obtains the lifecycle rules of a bucket.</p>
</td>
</tr>
<tr id="obs_40_0041__row658341115520"><td class="cellrowborder" valign="top" headers="mcps1.3.24.2.4.1.1 "><p id="obs_40_0041__p1358124115511">PutLifecycleConfiguration</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.24.2.4.1.2 "><p id="obs_40_0041__p1558941115516">Configures a lifecycle rule for a bucket.</p>
</td>
</tr>
</tbody>
</table>
</div>
<p id="obs_40_0041__p127181542914"><strong id="obs_40_0041__b1475811413240">Object Actions</strong></p>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="obs_40_0041__table1020518423242" frame="border" border="1" rules="all"><caption><b>Table 3 </b>Description of object-related actions</caption><thead align="left"><tr id="obs_40_0041__row1620644218243"><th align="left" class="cellrowborder" valign="top" width="16.16%" id="mcps1.3.26.2.4.1.1"><p id="obs_40_0041__p120612421243">Type</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="30.3%" id="mcps1.3.26.2.4.1.2"><p id="obs_40_0041__p1920614217245">Value</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="53.54%" id="mcps1.3.26.2.4.1.3"><p id="obs_40_0041__p4206442152416">Description</p>
</th>
</tr>
</thead>
<tbody><tr id="obs_40_0041__row5206204282412"><td class="cellrowborder" rowspan="4" valign="top" width="16.16%" headers="mcps1.3.26.2.4.1.1 "><p id="obs_40_0041__p112069421244">General</p>
</td>
<td class="cellrowborder" valign="top" width="30.3%" headers="mcps1.3.26.2.4.1.2 "><p id="obs_40_0041__p17206342142415">*</p>
</td>
<td class="cellrowborder" valign="top" width="53.54%" headers="mcps1.3.26.2.4.1.3 "><p id="obs_40_0041__p320664292412">Indicates all actions on an object.</p>
</td>
</tr>
<tr id="obs_40_0041__row620624218240"><td class="cellrowborder" valign="top" headers="mcps1.3.26.2.4.1.1 "><p id="obs_40_0041__p1720611423245">Get*</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.26.2.4.1.2 "><p id="obs_40_0041__p1320617422244">Indicates all GET actions on an object.</p>
</td>
</tr>
<tr id="obs_40_0041__row1220634216241"><td class="cellrowborder" valign="top" headers="mcps1.3.26.2.4.1.1 "><p id="obs_40_0041__p7206134202415">Put*</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.26.2.4.1.2 "><p id="obs_40_0041__p620616420248">Indicates all PUT actions on an object.</p>
</td>
</tr>
<tr id="obs_40_0041__row5206164262415"><td class="cellrowborder" valign="top" headers="mcps1.3.26.2.4.1.1 "><p id="obs_40_0041__p19206144252410">List*</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.26.2.4.1.2 "><p id="obs_40_0041__p152061042112416">Indicates all LIST actions on an object.</p>
</td>
</tr>
<tr id="obs_40_0041__row13206342192416"><td class="cellrowborder" rowspan="11" valign="top" width="16.16%" headers="mcps1.3.26.2.4.1.1 "><p id="obs_40_0041__p9206144211241">Object</p>
</td>
<td class="cellrowborder" valign="top" width="30.3%" headers="mcps1.3.26.2.4.1.2 "><p id="obs_40_0041__p7206134213245">GetObject</p>
</td>
<td class="cellrowborder" valign="top" width="53.54%" headers="mcps1.3.26.2.4.1.3 "><p id="obs_40_0041__p8206242122419">Gets the content and metadata of an object.</p>
</td>
</tr>
<tr id="obs_40_0041__row120674272415"><td class="cellrowborder" valign="top" headers="mcps1.3.26.2.4.1.1 "><p id="obs_40_0041__p162069427248">GetObjectVersion</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.26.2.4.1.2 "><p id="obs_40_0041__p620684210243">Gets the content and metadata of a specified object version.</p>
</td>
</tr>
<tr id="obs_40_0041__row17207842192410"><td class="cellrowborder" valign="top" headers="mcps1.3.26.2.4.1.1 "><p id="obs_40_0041__p142073426242">PutObject</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.26.2.4.1.2 "><p id="obs_40_0041__p220794282413">Performs PUT upload, POST upload, multipart upload, initialization of uploaded parts, and merging of parts.</p>
</td>
</tr>
<tr id="obs_40_0041__row3207144232415"><td class="cellrowborder" valign="top" headers="mcps1.3.26.2.4.1.1 "><p id="obs_40_0041__p132071542162416">GetObjectAcl</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.26.2.4.1.2 "><p id="obs_40_0041__p120704242415">Gets the ACL information of an object.</p>
</td>
</tr>
<tr id="obs_40_0041__row3207144272419"><td class="cellrowborder" valign="top" headers="mcps1.3.26.2.4.1.1 "><p id="obs_40_0041__p8207194212243">GetObjectVersionAcl</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.26.2.4.1.2 "><p id="obs_40_0041__p172071042192415">Gets the ACL information of a specified object version.</p>
</td>
</tr>
<tr id="obs_40_0041__row202072042172419"><td class="cellrowborder" valign="top" headers="mcps1.3.26.2.4.1.1 "><p id="obs_40_0041__p52071642162419">PutObjectAcl</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.26.2.4.1.2 "><p id="obs_40_0041__p420704222419">Configures ACL for an object.</p>
</td>
</tr>
<tr id="obs_40_0041__row720715423242"><td class="cellrowborder" valign="top" headers="mcps1.3.26.2.4.1.1 "><p id="obs_40_0041__p12071942182413">PutObjectVersionAcl</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.26.2.4.1.2 "><p id="obs_40_0041__p120744282411">Configures ACL for a specified object version.</p>
</td>
</tr>
<tr id="obs_40_0041__row1120704216242"><td class="cellrowborder" valign="top" headers="mcps1.3.26.2.4.1.1 "><p id="obs_40_0041__p520716423242">DeleteObject</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.26.2.4.1.2 "><p id="obs_40_0041__p142071342192417">Deletes an object.</p>
</td>
</tr>
<tr id="obs_40_0041__row1320714423244"><td class="cellrowborder" valign="top" headers="mcps1.3.26.2.4.1.1 "><p id="obs_40_0041__p10207842172412">DeleteObjectVersion</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.26.2.4.1.2 "><p id="obs_40_0041__p1120794212240">Deletes a specified object version.</p>
</td>
</tr>
<tr id="obs_40_0041__row92071342112420"><td class="cellrowborder" valign="top" headers="mcps1.3.26.2.4.1.1 "><p id="obs_40_0041__p1620711424248">ListMultipartUploadParts</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.26.2.4.1.2 "><p id="obs_40_0041__p1208164202420">Lists uploaded parts.</p>
</td>
</tr>
<tr id="obs_40_0041__row1420864214247"><td class="cellrowborder" valign="top" headers="mcps1.3.26.2.4.1.1 "><p id="obs_40_0041__p2208184292413">AbortMultipartUpload</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.26.2.4.1.2 "><p id="obs_40_0041__p5208174242416">Cancels a multipart upload.</p>
</td>
</tr>
</tbody>
</table>
</div>
<div class="section" id="obs_40_0041__en-us_topic_0118394684_section12213204018369"><h4 class="sectiontitle">Resource/NotResource</h4><p id="obs_40_0041__p20757629185113">The resources supported by OBS are as follows:</p>
</div>
<ul id="obs_40_0041__en-us_topic_0118394684_ul093644813162"><li class="msonormal" id="obs_40_0041__en-us_topic_0118394684_li13934114841610"><em id="obs_40_0041__i178819184217">bucketname</em>: The <strong id="obs_40_0041__b1188814116424">Action</strong> drop-down list box lists all actions allowed on a bucket. To allow an action on a bucket, set <strong id="obs_40_0041__b1588819112423">Resource</strong> to the bucket name.</li><li class="msonormal" id="obs_40_0041__en-us_topic_0118394684_li1093617484167"><em id="obs_40_0041__i6656162713427">bucketname/objectname</em>: The <strong id="obs_40_0041__b7663172716424">Action</strong> drop-down list box lists all actions allowed on an object. To allow an action on an object in a bucket, set <strong id="obs_40_0041__b116641027164217">Resource</strong> to <em id="obs_40_0041__i1366516271427">bucketname/objectname</em>. You can use a wildcard for <strong id="obs_40_0041__b4119394440">objectname</strong> to allow an action on all objects in the bucket. For example, to allow an action on all objects in a directory of a bucket, set <strong id="obs_40_0041__b511917913442">Resource</strong> to <em id="obs_40_0041__i1797874424411">"bucketname/directory/*"</em>. To allow an action on all objects in a bucket, set <strong id="obs_40_0041__b16120119114414">Resource</strong> to <em id="obs_40_0041__i532652617454">"bucketname/*"</em>. To allow an action on both a bucket and its objects, set <strong id="obs_40_0041__b1312115910448">Resource</strong> to <strong id="obs_40_0041__b91216915445">["examplebucket/*","examplebucket"]</strong>.</li></ul>
<p class="msonormal" id="obs_40_0041__en-us_topic_0118394684_p28339309">The following example policy allows user1 (user ID <strong id="obs_40_0041__b172018439425">71f3901173514e6988115ea2c26d1999</strong>) under the account with the account ID <strong id="obs_40_0041__b420264324211">b4bf1b36d9ca43d984fbcb9491b6fce9</strong> to perform all actions on the <strong id="obs_40_0041__b17194943114214">examplebucket</strong> bucket and all objects in it.</p>
<pre class="screen" id="obs_40_0041__en-us_topic_0118394684_screen137871136173612">{
"Statement":[
{
"Sid":"test",
"Effect":"Allow",
"Principal": {"ID": ["domain/b4bf1b36d9ca43d984fbcb9491b6fce9:user/71f3901173514e6988115ea2c26d1999"]},
"Action":["*"],
"Resource":["examplebucket/*","examplebucket"]
}
]
}</pre>
<p id="obs_40_0041__p27361558140">On OBS Console, you can apply a bucket policy to the following resources: the current bucket, and all objects in a bucket.</p>
<p id="obs_40_0041__p3201152310539">You can specify the resources to include or exclude:</p>
<ul id="obs_40_0041__ul18201323125311"><li id="obs_40_0041__li1620132355317"><strong id="obs_40_0041__b16499151914457">Include</strong>: The bucket policy applies to specified OBS resources.</li><li id="obs_40_0041__li31631932182413"><strong id="obs_40_0041__b59251524104514">Exclude</strong>: The bucket policy applies to OBS resources except the specified ones.</li></ul>
<p id="obs_40_0041__p4748115711511"><strong id="obs_40_0041__b1421592619112">Applying a bucket policy to a bucket</strong></p>
<p id="obs_40_0041__p7692111610414">To apply a bucket policy to the current bucket, keep the resource text box empty. When configuring actions for the policy, select bucket-related actions.</p>
<p id="obs_40_0041__p1858224595420"><strong id="obs_40_0041__b1211925451115">Applying a bucket policy to specified objects</strong></p>
<p id="obs_40_0041__p1020118236532">To apply a bucket policy to specified objects in a bucket, object-related actions must be configured in the policy. </p>
<ul id="obs_40_0041__ul1620119232537"><li id="obs_40_0041__li72011823155312">For an object, enter the object name (including its folder name if any). For example, if the resource is the <strong id="obs_40_0041__b0225719165314">example.jpg</strong> file in the <strong id="obs_40_0041__b112321919185319">imgs-folder</strong> folder in the bucket, enter the following in the resource text box:<p id="obs_40_0041__p182671834115620"><strong id="obs_40_0041__b11371825121318">imgs-folder/example.jpg</strong></p>
</li><li id="obs_40_0041__li8201623115313">For an object set, use the wildcard asterisk (*). The asterisk (*) indicates an empty string or any combination of characters.<ul id="obs_40_0041__ul15201192315537"><li id="obs_40_0041__li1220282315531">Use only one asterisk (*) to indicate all objects in a bucket.</li><li id="obs_40_0041__li52024233535">Use <em id="obs_40_0041__i1072152911147">Object name prefix</em>* to indicate objects with this prefix in a bucket. Example:<p id="obs_40_0041__p148641724165711">imgs*</p>
</li></ul>
<ul id="obs_40_0041__ul1520213232535"><li id="obs_40_0041__li7202112335317">Use *<em id="obs_40_0041__i373552281518">Object name suffix</em> to indicate objects with this suffix in a bucket. Example:<p id="obs_40_0041__p19330184135712">*.jpg</p>
</li></ul>
</li></ul>
<div class="note" id="obs_40_0041__note1484124911416"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="obs_40_0041__p11485104918419">Use commas (,) to separate one object (or object set) from another.</p>
</div></div>
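<p>The resource matching described above, as an added Python example (not OBS code): it lists which entries of a constructed inventory a statement's <strong>Resource</strong> or <strong>NotResource</strong> value covers. Assumptions: matching is case-sensitive, the asterisk also spans "/" (the page defines it as any combination of characters), and the inventory names other than imgs-folder/example.jpg are made up for illustration.</p>

```python
import re

# Statement copied from the example policy on this page.
PAGE_STATEMENT = {
    "Sid": "test",
    "Effect": "Allow",
    "Principal": {"ID": ["domain/b4bf1b36d9ca43d984fbcb9491b6fce9:user/71f3901173514e6988115ea2c26d1999"]},
    "Action": ["*"],
    "Resource": ["examplebucket/*", "examplebucket"],
}

# Constructed inventory: the bucket itself plus four object names.
INVENTORY = [
    "examplebucket",
    "examplebucket/imgs",
    "examplebucket/imgs-folder/example.jpg",
    "examplebucket/imgs-private/passport.jpg",
    "examplebucket/docs/readme.txt",
]


def pattern_matches(pattern, resource):
    """Match one Resource entry; '*' is an empty string or any characters."""
    # Escape every literal part so that only '*' acts as a wildcard.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, resource, flags=re.DOTALL) is not None


def statement_covers(statement, resource):
    """True when the statement applies to 'bucket' or 'bucket/objectname'."""
    if "Resource" in statement:
        listed, include = statement["Resource"], True
    elif "NotResource" in statement:
        listed, include = statement["NotResource"], False
    else:
        raise ValueError("statement has neither Resource nor NotResource")
    patterns = listed if isinstance(listed, list) else [listed]
    hit = any(pattern_matches(p, resource) for p in patterns)
    # Include: applies to the listed resources. Exclude: to everything else.
    return hit if include else not hit


def covered(statement, inventory=INVENTORY):
    """Return the inventory entries the statement applies to, in order."""
    return [r for r in inventory if statement_covers(statement, r)]


if __name__ == "__main__":
    samples = [
        PAGE_STATEMENT,
        {"Resource": "examplebucket/*"},            # objects only, not the bucket
        {"Resource": ["examplebucket/imgs*"]},      # prefix, wider than one folder
        {"Resource": ["examplebucket/imgs-folder/*"]},
        {"NotResource": ["examplebucket/*.jpg"]},   # everything except .jpg objects
    ]
    for statement in samples:
        value = statement.get("Resource", statement.get("NotResource"))
        print(value, "->", covered(statement))
```

The prefix form `examplebucket/imgs*` also covers `imgs-private/passport.jpg`; use `examplebucket/imgs-folder/*` when only one folder is meant.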
<div class="section" id="obs_40_0041__en-us_topic_0118394684_section14714311143713"><h4 class="sectiontitle">Condition</h4><p id="obs_40_0041__p175010131315">In addition to the effect, principals, resources, and actions, you can also specify the conditions for a bucket policy to take effect. The bucket policy is applied only when its condition expressions match the values contained in the request. Conditions are optional. You can choose whether to configure them.</p>
<p id="obs_40_0041__p192962645715">For example, if account A needs to have full control over an object uploaded by account B to bucket <strong id="obs_40_0041__b370165272420">example</strong> of account A, the <strong id="obs_40_0041__b87085213247">x-obs-acl</strong> key must be specified in the upload request and the policy effect must be set to <strong id="obs_40_0041__b0701752182411">Allow</strong> for account A. The complete condition expression is as follows:</p>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="obs_40_0041__table4665122635716" frame="border" border="1" rules="all"><thead align="left"><tr id="obs_40_0041__row18929192605713"><th align="left" class="cellrowborder" valign="top" width="26.529999999999998%" id="mcps1.3.40.4.1.4.1.1"><p id="obs_40_0041__p1692982625718">Condition Operator</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="35.709999999999994%" id="mcps1.3.40.4.1.4.1.2"><p id="obs_40_0041__p1192982612571">Key</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="37.76%" id="mcps1.3.40.4.1.4.1.3"><p id="obs_40_0041__p792920265579">Value</p>
</th>
</tr>
</thead>
<tbody><tr id="obs_40_0041__row1793012695713"><td class="cellrowborder" valign="top" width="26.529999999999998%" headers="mcps1.3.40.4.1.4.1.1 "><p id="obs_40_0041__p09301626135716">StringEquals</p>
</td>
<td class="cellrowborder" valign="top" width="35.709999999999994%" headers="mcps1.3.40.4.1.4.1.2 "><p id="obs_40_0041__p12930192616574">x-obs-acl</p>
</td>
<td class="cellrowborder" valign="top" width="37.76%" headers="mcps1.3.40.4.1.4.1.3 "><p id="obs_40_0041__p693019269573">bucket-owner-full-control</p>
</td>
</tr>
</tbody>
</table>
</div>
<p id="obs_40_0041__p7700134281412">A condition consists of a condition operator, a key, and a value. If the same key appears more than once under one condition operator, only the last occurrence is retained. The condition operator and the key must be of the same type. If you select a string-type condition operator, for example, <strong id="obs_40_0041__b137401538165220">StringEquals</strong>, the key can only be a string type, for example, <strong id="obs_40_0041__b198248536537">UserAgent</strong>. Likewise, if you select a key of the date type, for example, <strong id="obs_40_0041__b2037117113512">CurrentTime</strong>, the condition operator can only be a date type, for example, <strong id="obs_40_0041__b23711711135110">DateEquals</strong>.</p>
<ul id="obs_40_0041__ul12880010115914"><li id="obs_40_0041__li171351258144318"><strong id="obs_40_0041__b126611471402">Condition operators</strong><p id="obs_40_0041__p209907974412">A condition operator, a condition key, and a condition value together constitute a complete condition statement. A policy can be applied only when its request conditions are met. <a href="#obs_40_0041__en-us_topic_0118394684_table18965458">Table 4</a> lists the condition operators available for statements. String condition operators are not case-sensitive unless otherwise specified.</p>
</li></ul>
</div>
<div class="tablenoborder"><a name="obs_40_0041__en-us_topic_0118394684_table18965458"></a><a name="en-us_topic_0118394684_table18965458"></a><table cellpadding="4" cellspacing="0" summary="" id="obs_40_0041__en-us_topic_0118394684_table18965458" frame="border" border="1" rules="all"><caption><b>Table 4 </b>Condition operators</caption><thead align="left"><tr id="obs_40_0041__en-us_topic_0118394684_row16641116"><th align="left" class="cellrowborder" valign="top" width="14.280000000000001%" id="mcps1.3.41.2.4.1.1"><p id="obs_40_0041__en-us_topic_0118394684_p5753193">Type</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="35.72%" id="mcps1.3.41.2.4.1.2"><p id="obs_40_0041__en-us_topic_0118394684_p33328392">Element</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="50%" id="mcps1.3.41.2.4.1.3"><p id="obs_40_0041__en-us_topic_0118394684_p2989297">Description</p>
</th>
</tr>
</thead>
<tbody><tr id="obs_40_0041__en-us_topic_0118394684_row31714287"><td class="cellrowborder" rowspan="6" valign="top" width="14.280000000000001%" headers="mcps1.3.41.2.4.1.1 "><p id="obs_40_0041__en-us_topic_0118394684_p18720486">String</p>
</td>
<td class="cellrowborder" valign="top" width="35.72%" headers="mcps1.3.41.2.4.1.2 "><p id="obs_40_0041__en-us_topic_0118394684_p39964360">StringEquals</p>
</td>
<td class="cellrowborder" valign="top" width="50%" headers="mcps1.3.41.2.4.1.3 "><p id="obs_40_0041__en-us_topic_0118394684_p15887743">Strict matching. Short version: streq</p>
</td>
</tr>
<tr id="obs_40_0041__en-us_topic_0118394684_row8771966"><td class="cellrowborder" valign="top" headers="mcps1.3.41.2.4.1.1 "><p id="obs_40_0041__en-us_topic_0118394684_p39440655">StringNotEquals</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.41.2.4.1.2 "><p id="obs_40_0041__en-us_topic_0118394684_p40576488">Strict negated matching. Short version: strneq</p>
</td>
</tr>
<tr id="obs_40_0041__en-us_topic_0118394684_row29644080"><td class="cellrowborder" valign="top" headers="mcps1.3.41.2.4.1.1 "><p id="obs_40_0041__en-us_topic_0118394684_p52360265">StringEqualsIgnoreCase</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.41.2.4.1.2 "><p id="obs_40_0041__en-us_topic_0118394684_p13323071">Strict matching, ignoring case. Short version: streqi</p>
</td>
</tr>
<tr id="obs_40_0041__en-us_topic_0118394684_row52798776"><td class="cellrowborder" valign="top" headers="mcps1.3.41.2.4.1.1 "><p id="obs_40_0041__en-us_topic_0118394684_p48842435">StringNotEqualsIgnoreCase</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.41.2.4.1.2 "><p id="obs_40_0041__en-us_topic_0118394684_p63923167">Strict negated matching, ignoring case. Short version: strneqi</p>
</td>
</tr>
<tr id="obs_40_0041__en-us_topic_0118394684_row38437595"><td class="cellrowborder" valign="top" headers="mcps1.3.41.2.4.1.1 "><p id="obs_40_0041__en-us_topic_0118394684_p26437458">StringLike</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.41.2.4.1.2 "><p id="obs_40_0041__en-us_topic_0118394684_p61059374">Loose case-sensitive matching. The values can include a multi-character match wildcard (*) or a single-character match wildcard (?) anywhere in the string. Short version: strl</p>
</td>
</tr>
<tr id="obs_40_0041__en-us_topic_0118394684_row12663462"><td class="cellrowborder" valign="top" headers="mcps1.3.41.2.4.1.1 "><p id="obs_40_0041__en-us_topic_0118394684_p19107476">StringNotLike</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.41.2.4.1.2 "><p id="obs_40_0041__en-us_topic_0118394684_p4201690">Negated loose case-sensitive matching. The values can include a multi-character match wildcard (*) or a single-character match wildcard (?) anywhere in the string. Short version: strnl</p>
</td>
</tr>
<tr id="obs_40_0041__en-us_topic_0118394684_row37815214"><td class="cellrowborder" rowspan="6" valign="top" width="14.280000000000001%" headers="mcps1.3.41.2.4.1.1 "><p id="obs_40_0041__en-us_topic_0118394684_p43133484">Numeric</p>
</td>
<td class="cellrowborder" valign="top" width="35.72%" headers="mcps1.3.41.2.4.1.2 "><p id="obs_40_0041__en-us_topic_0118394684_p4151319">NumericEquals</p>
</td>
<td class="cellrowborder" valign="top" width="50%" headers="mcps1.3.41.2.4.1.3 "><p id="obs_40_0041__en-us_topic_0118394684_p712534">Matching. Short version: numeq</p>
<p id="obs_40_0041__p4564172263319"><strong id="obs_40_0041__b13935193711456">Numeric</strong> indicates a data type expressed in numbers.</p>
</td>
</tr>
<tr id="obs_40_0041__en-us_topic_0118394684_row6412809"><td class="cellrowborder" valign="top" headers="mcps1.3.41.2.4.1.1 "><p id="obs_40_0041__en-us_topic_0118394684_p49675490">NumericNotEquals</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.41.2.4.1.2 "><p id="obs_40_0041__en-us_topic_0118394684_p64291715">Negated matching. Short version: numneq</p>
</td>
</tr>
<tr id="obs_40_0041__en-us_topic_0118394684_row41754526"><td class="cellrowborder" valign="top" headers="mcps1.3.41.2.4.1.1 "><p id="obs_40_0041__en-us_topic_0118394684_p26673471">NumericLessThan</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.41.2.4.1.2 "><p id="obs_40_0041__en-us_topic_0118394684_p13067581">"Less than" matching. Short version: numlt</p>
</td>
</tr>
<tr id="obs_40_0041__en-us_topic_0118394684_row50499370"><td class="cellrowborder" valign="top" headers="mcps1.3.41.2.4.1.1 "><p id="obs_40_0041__en-us_topic_0118394684_p63917182">NumericLessThanEquals</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.41.2.4.1.2 "><p id="obs_40_0041__en-us_topic_0118394684_p9909217">"Less than or equals" matching. Short version: numlteq</p>
</td>
</tr>
<tr id="obs_40_0041__en-us_topic_0118394684_row22074097"><td class="cellrowborder" valign="top" headers="mcps1.3.41.2.4.1.1 "><p id="obs_40_0041__en-us_topic_0118394684_p43171441">NumericGreaterThan</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.41.2.4.1.2 "><p id="obs_40_0041__en-us_topic_0118394684_p7225813">"Greater than" matching. Short version: numgt</p>
</td>
</tr>
<tr id="obs_40_0041__en-us_topic_0118394684_row65032320"><td class="cellrowborder" valign="top" headers="mcps1.3.41.2.4.1.1 "><p id="obs_40_0041__en-us_topic_0118394684_p33126582">NumericGreaterThanEquals</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.41.2.4.1.2 "><p id="obs_40_0041__en-us_topic_0118394684_p66007492">"Greater than or equals" matching. Short version: numgteq</p>
</td>
</tr>
<tr id="obs_40_0041__en-us_topic_0118394684_row57196524"><td class="cellrowborder" rowspan="6" valign="top" width="14.280000000000001%" headers="mcps1.3.41.2.4.1.1 "><p id="obs_40_0041__en-us_topic_0118394684_p2406899">Date</p>
</td>
<td class="cellrowborder" valign="top" width="35.72%" headers="mcps1.3.41.2.4.1.2 "><p id="obs_40_0041__en-us_topic_0118394684_p60741093">DateEquals</p>
</td>
<td class="cellrowborder" valign="top" width="50%" headers="mcps1.3.41.2.4.1.3 "><p id="obs_40_0041__en-us_topic_0118394684_p21081516">Matching a specific date. Short version: dateeq</p>
</td>
</tr>
<tr id="obs_40_0041__en-us_topic_0118394684_row55515923"><td class="cellrowborder" valign="top" headers="mcps1.3.41.2.4.1.1 "><p id="obs_40_0041__en-us_topic_0118394684_p495924">DateNotEquals</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.41.2.4.1.2 "><p id="obs_40_0041__en-us_topic_0118394684_p40169885">Negated matching. Short version: dateneq</p>
</td>
</tr>
<tr id="obs_40_0041__en-us_topic_0118394684_row25984653"><td class="cellrowborder" valign="top" headers="mcps1.3.41.2.4.1.1 "><p id="obs_40_0041__en-us_topic_0118394684_p24382134">DateLessThan</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.41.2.4.1.2 "><p id="obs_40_0041__en-us_topic_0118394684_p28795836">The date is earlier than a specific date. Short version: datelt</p>
</td>
</tr>
<tr id="obs_40_0041__en-us_topic_0118394684_row57835933"><td class="cellrowborder" valign="top" headers="mcps1.3.41.2.4.1.1 "><p id="obs_40_0041__en-us_topic_0118394684_p54198968">DateLessThanEquals</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.41.2.4.1.2 "><p id="obs_40_0041__en-us_topic_0118394684_p28040292">The date is earlier than or equal to a specific date. Short version: datelteq</p>
</td>
</tr>
<tr id="obs_40_0041__en-us_topic_0118394684_row51036040"><td class="cellrowborder" valign="top" headers="mcps1.3.41.2.4.1.1 "><p id="obs_40_0041__en-us_topic_0118394684_p40278543">DateGreaterThan</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.41.2.4.1.2 "><p id="obs_40_0041__en-us_topic_0118394684_p41336571">The date is later than a specific date. Short version: dategt</p>
</td>
</tr>
<tr id="obs_40_0041__en-us_topic_0118394684_row36484827"><td class="cellrowborder" valign="top" headers="mcps1.3.41.2.4.1.1 "><p id="obs_40_0041__en-us_topic_0118394684_p2480985">DateGreaterThanEquals</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.41.2.4.1.2 "><p id="obs_40_0041__en-us_topic_0118394684_p66742063">The date is later than or equal to a specific date. Short version: dategteq</p>
</td>
</tr>
<tr id="obs_40_0041__en-us_topic_0118394684_row63807659"><td class="cellrowborder" valign="top" width="14.280000000000001%" headers="mcps1.3.41.2.4.1.1 "><p id="obs_40_0041__en-us_topic_0118394684_p1037881">Boolean</p>
</td>
<td class="cellrowborder" valign="top" width="35.72%" headers="mcps1.3.41.2.4.1.2 "><p id="obs_40_0041__en-us_topic_0118394684_p16959540">Bool</p>
</td>
<td class="cellrowborder" valign="top" width="50%" headers="mcps1.3.41.2.4.1.3 "><p id="obs_40_0041__en-us_topic_0118394684_p31545475">Strict Boolean matching</p>
</td>
</tr>
<tr id="obs_40_0041__en-us_topic_0118394684_row15473822"><td class="cellrowborder" rowspan="2" valign="top" width="14.280000000000001%" headers="mcps1.3.41.2.4.1.1 "><p id="obs_40_0041__en-us_topic_0118394684_p45420039">IP address</p>
</td>
<td class="cellrowborder" valign="top" width="35.72%" headers="mcps1.3.41.2.4.1.2 "><p id="obs_40_0041__en-us_topic_0118394684_p55144504">IpAddress</p>
</td>
<td class="cellrowborder" valign="top" width="50%" headers="mcps1.3.41.2.4.1.3 "><p id="obs_40_0041__en-us_topic_0118394684_p37519834">Specified IP address or range</p>
</td>
</tr>
<tr id="obs_40_0041__en-us_topic_0118394684_row2134188"><td class="cellrowborder" valign="top" headers="mcps1.3.41.2.4.1.1 "><p id="obs_40_0041__en-us_topic_0118394684_p38651578">NotIpAddress</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.41.2.4.1.2 "><p id="obs_40_0041__en-us_topic_0118394684_p43770124">All IP addresses excluding the specified IP address or range</p>
</td>
</tr>
</tbody>
</table>
</div>
<div class="note" id="obs_40_0041__en-us_topic_0118394684_note58386803"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p class="text" id="obs_40_0041__en-us_topic_0118394684_p55719179">Elements in a condition are case sensitive. The date format complies with the ISO 8601 standard, for example, <strong id="obs_40_0041__b54758891817">2015-07-01T12:00:00Z</strong>.</p>
</div></div>
<p class="msonormal" id="obs_40_0041__en-us_topic_0118394684_p15551392">Each condition can contain multiple key-value pairs. The <strong id="obs_40_0041__b12341145713425">Condition</strong> combination in the following example matches requests whose time falls between <strong id="obs_40_0041__b10341115774215">2015-07-01T12:00:00Z</strong> and <strong id="obs_40_0041__b143411757194214">2018-04-16T15:00:00Z</strong> and whose source IP address is in the range <strong id="obs_40_0041__b1434195718423">192.168.176.0/24</strong> or <strong id="obs_40_0041__b1734275720421">192.168.143.0/24</strong>.</p>
<pre class="screen" id="obs_40_0041__en-us_topic_0118394684_screen23965442">"Condition" : {
"DateGreaterThan" : {
"CurrentTime" : "2015-07-01T12:00:00Z"
},
"DateLessThan": {
"CurrentTime" : "2018-04-16T15:00:00Z"
},
"IpAddress" : {
"SourceIp" : ["192.168.176.0/24","192.168.143.0/24"]
}
}</pre>
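<p>The evaluation described above, as an added Python example (not OBS code): it loads the <strong>Condition</strong> block from this page, reports keys repeated under one operator (only the last is retained), and checks constructed requests against it. Assumptions: every operator and key must match, any value in a list may match, a key missing from the request fails the condition, and <strong>StringEquals</strong> compares exactly.</p>

```python
import ipaddress
import json
from datetime import datetime, timezone

# The Condition object from this page, without the "Condition" wrapper.
PAGE_CONDITION_JSON = """
{
  "DateGreaterThan": {"CurrentTime": "2015-07-01T12:00:00Z"},
  "DateLessThan": {"CurrentTime": "2018-04-16T15:00:00Z"},
  "IpAddress": {"SourceIp": ["192.168.176.0/24", "192.168.143.0/24"]}
}
"""


def parse_date(value):
    """Parse the ISO 8601 form used on this page, e.g. 2015-07-01T12:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def ip_in(actual, expected):
    """True when `actual` equals the address or lies in the range `expected`."""
    return ipaddress.ip_address(actual) in ipaddress.ip_network(expected, strict=False)


def as_bool(value):
    """Bool values are true or false; any other value is treated as false."""
    return value is True or value == "true"


# Operator name -> (comparison(request_value, policy_value), negated?)
OPERATORS = {
    "StringEquals": (lambda a, e: a == e, False),
    "StringNotEquals": (lambda a, e: a == e, True),
    "NumericEquals": (lambda a, e: float(a) == float(e), False),
    "NumericNotEquals": (lambda a, e: float(a) == float(e), True),
    "NumericLessThan": (lambda a, e: float(a) < float(e), False),
    "NumericGreaterThan": (lambda a, e: float(a) > float(e), False),
    "DateGreaterThan": (lambda a, e: parse_date(a) > parse_date(e), False),
    "DateGreaterThanEquals": (lambda a, e: parse_date(a) >= parse_date(e), False),
    "DateLessThan": (lambda a, e: parse_date(a) < parse_date(e), False),
    "DateLessThanEquals": (lambda a, e: parse_date(a) <= parse_date(e), False),
    "Bool": (lambda a, e: as_bool(a) == as_bool(e), False),
    "IpAddress": (ip_in, False),
    "NotIpAddress": (ip_in, True),
}


def load_condition(text):
    """Parse a Condition object; also return keys repeated in one JSON object."""
    duplicates = []

    def keep_last(pairs):
        merged = {}
        for key, value in pairs:
            if key in merged:
                duplicates.append(key)
            merged[key] = value  # the last occurrence is the one retained
        return merged

    return json.loads(text, object_pairs_hook=keep_last), duplicates


def condition_matches(condition, request):
    """True when every operator/key pair in `condition` matches `request`."""
    for operator, pairs in condition.items():
        if operator not in OPERATORS:
            raise ValueError(f"unsupported condition operator: {operator}")
        compare, negated = OPERATORS[operator]
        for key, expected in pairs.items():
            if key not in request:
                return False  # assumption: an absent key never satisfies a condition
            values = expected if isinstance(expected, list) else [expected]
            hit = any(compare(request[key], v) for v in values)
            if hit == negated:
                return False
    return True


if __name__ == "__main__":
    condition, repeated = load_condition(PAGE_CONDITION_JSON)
    # Constructed requests: (CurrentTime, SourceIp)
    for when, ip in [("2016-01-01T00:00:00Z", "192.168.176.10"),
                     ("2016-01-01T00:00:00Z", "192.168.177.1"),
                     ("2018-04-16T15:00:00Z", "192.168.143.200")]:
        request = {"CurrentTime": when, "SourceIp": ip}
        print(when, ip, condition_matches(condition, request))
```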
<ul id="obs_40_0041__ul13820737111618"><li id="obs_40_0041__li582083701610"><strong id="obs_40_0041__b6644721155016">Condition keys</strong></li></ul>
<p class="msonormal" id="obs_40_0041__en-us_topic_0118394684_p14362392">Keys in a condition can be classified into general keys, keys related to actions on buckets, and keys related to actions on objects.</p>
<p class="msonormal" id="obs_40_0041__en-us_topic_0118394684_p62152665">The following table lists the keys that are not related to actions.</p>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="obs_40_0041__table6707152645718" frame="border" border="1" rules="all"><caption><b>Table 5 </b>General keys</caption><thead align="left"><tr id="obs_40_0041__row1935926135711"><th align="left" class="cellrowborder" valign="top" width="15.160000000000002%" id="mcps1.3.48.2.4.1.1"><p id="obs_40_0041__p1793592611576">Key</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="19.11%" id="mcps1.3.48.2.4.1.2"><p id="obs_40_0041__p793514267571">Type</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="65.73%" id="mcps1.3.48.2.4.1.3"><p id="obs_40_0041__p3935122615719">Description</p>
</th>
</tr>
</thead>
<tbody><tr id="obs_40_0041__row3935172613579"><td class="cellrowborder" valign="top" width="15.160000000000002%" headers="mcps1.3.48.2.4.1.1 "><p id="obs_40_0041__p89351926115716">CurrentTime</p>
</td>
<td class="cellrowborder" valign="top" width="19.11%" headers="mcps1.3.48.2.4.1.2 "><p id="obs_40_0041__p8935226155711">Date</p>
</td>
<td class="cellrowborder" valign="top" width="65.73%" headers="mcps1.3.48.2.4.1.3 "><p id="obs_40_0041__p129353268579">Date when the request is received by the server. The date format must comply with ISO 8601.</p>
</td>
</tr>
<tr id="obs_40_0041__row99361826135711"><td class="cellrowborder" valign="top" width="15.160000000000002%" headers="mcps1.3.48.2.4.1.1 "><p id="obs_40_0041__p893662675713">EpochTime</p>
</td>
<td class="cellrowborder" valign="top" width="19.11%" headers="mcps1.3.48.2.4.1.2 "><p id="obs_40_0041__p17936626155716">Numeric</p>
</td>
<td class="cellrowborder" valign="top" width="65.73%" headers="mcps1.3.48.2.4.1.3 "><p id="obs_40_0041__p893610266576">Time when the request is received by the server, which is expressed as seconds since 1970.01.01 00:00:00 UTC, regardless of the leap seconds</p>
</td>
</tr>
<tr id="obs_40_0041__row159361226145714"><td class="cellrowborder" valign="top" width="15.160000000000002%" headers="mcps1.3.48.2.4.1.1 "><p id="obs_40_0041__p893692618570">SecureTransport</p>
</td>
<td class="cellrowborder" valign="top" width="19.11%" headers="mcps1.3.48.2.4.1.2 "><p id="obs_40_0041__p4936182635719">Bool</p>
</td>
<td class="cellrowborder" valign="top" width="65.73%" headers="mcps1.3.48.2.4.1.3 "><p id="obs_40_0041__p1936172613574">Whether the request is encrypted using SSL</p>
<div class="note" id="obs_40_0041__note159745016350"><span class="notetitle"> NOTE: </span><div class="notebody"><p id="obs_40_0041__p497417063515">The value can be either <strong id="obs_40_0041__b526125291414">true</strong> or <strong id="obs_40_0041__b10635115412141">false</strong>. Any other values you enter will become <strong id="obs_40_0041__b35601917162215">false</strong> by default.</p>
</div></div>
</td>
</tr>
<tr id="obs_40_0041__row1936326155719"><td class="cellrowborder" valign="top" width="15.160000000000002%" headers="mcps1.3.48.2.4.1.1 "><p id="obs_40_0041__p1693616267579">SourceIp</p>
</td>
<td class="cellrowborder" valign="top" width="19.11%" headers="mcps1.3.48.2.4.1.2 "><p id="obs_40_0041__p1993652625717">IP address</p>
</td>
<td class="cellrowborder" valign="top" width="65.73%" headers="mcps1.3.48.2.4.1.3 "><p id="obs_40_0041__p1693692615716">Source (client) IP address of the request</p>
</td>
</tr>
<tr id="obs_40_0041__row1193652695714"><td class="cellrowborder" valign="top" width="15.160000000000002%" headers="mcps1.3.48.2.4.1.1 "><p id="obs_40_0041__p129361426125712">UserAgent</p>
</td>
<td class="cellrowborder" valign="top" width="19.11%" headers="mcps1.3.48.2.4.1.2 "><p id="obs_40_0041__p393662612574">String</p>
</td>
<td class="cellrowborder" valign="top" width="65.73%" headers="mcps1.3.48.2.4.1.3 "><p id="obs_40_0041__p159364265574">Client software agent that sends the request</p>
</td>
</tr>
<tr id="obs_40_0041__row293620261576"><td class="cellrowborder" valign="top" width="15.160000000000002%" headers="mcps1.3.48.2.4.1.1 "><p id="obs_40_0041__p493602675716">Referer</p>
</td>
<td class="cellrowborder" valign="top" width="19.11%" headers="mcps1.3.48.2.4.1.2 "><p id="obs_40_0041__p14936172685719">String</p>
</td>
<td class="cellrowborder" valign="top" width="65.73%" headers="mcps1.3.48.2.4.1.3 "><p id="obs_40_0041__p893617261578">Link from which the request is sent</p>
</td>
</tr>
</tbody>
</table>
</div>
<p class="msonormal" id="obs_40_0041__en-us_topic_0118394684_p24480756">Some condition keys can be used only with certain actions. The following tables list the mapping between actions and condition keys.</p>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="obs_40_0041__table1972610267573" frame="border" border="1" rules="all"><caption><b>Table 6 </b>Keys related to bucket actions</caption><thead align="left"><tr id="obs_40_0041__row6936152645711"><th align="left" class="cellrowborder" valign="top" width="19.58804119588041%" id="mcps1.3.50.2.5.1.1"><p id="obs_40_0041__p8937726175712">Action</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="14.808519148085193%" id="mcps1.3.50.2.5.1.2"><p id="obs_40_0041__p9937182635715">Optional Key</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="43.05569443055695%" id="mcps1.3.50.2.5.1.3"><p id="obs_40_0041__p10937826175712">Description</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="22.547745225477453%" id="mcps1.3.50.2.5.1.4"><p id="obs_40_0041__p1096873771416">Remarks</p>
</th>
</tr>
</thead>
<tbody><tr id="obs_40_0041__row593712616576"><td class="cellrowborder" rowspan="3" valign="top" width="19.58804119588041%" headers="mcps1.3.50.2.5.1.1 "><p id="obs_40_0041__p59379267576">ListBucket</p>
</td>
<td class="cellrowborder" valign="top" width="14.808519148085193%" headers="mcps1.3.50.2.5.1.2 "><p id="obs_40_0041__p13937182675716">prefix</p>
</td>
<td class="cellrowborder" valign="top" width="43.05569443055695%" headers="mcps1.3.50.2.5.1.3 "><p id="obs_40_0041__p9937926155719">Type: String. Lists objects with the specified prefix.</p>
</td>
<td class="cellrowborder" rowspan="6" valign="top" width="22.547745225477453%" headers="mcps1.3.50.2.5.1.4 "><p id="obs_40_0041__p175983818155">If <strong id="obs_40_0041__b4319102110504">prefix</strong>, <strong id="obs_40_0041__b15319182112508">delimiter</strong>, and <strong id="obs_40_0041__b13320202135016">max-keys</strong> are configured for a bucket policy, the List requests must contain the matched key-value pair.</p>
<p id="obs_40_0041__p153725312183">For example, if a bucket policy (with the condition operator set to <strong id="obs_40_0041__b517832711178">NumericEquals</strong>, the key to <strong id="obs_40_0041__b41841527191712">max-keys</strong>, and the value to <strong id="obs_40_0041__b2018412713176">100</strong>) is configured to allow anonymous users to read data from a bucket, the List requests from the anonymous users must have <strong id="obs_40_0041__b01677330176">?max-keys=100</strong> at the end of the bucket domain name. The listed objects are the first 100 objects in alphabetic order.</p>
</td>
</tr>
<tr id="obs_40_0041__row993792685715"><td class="cellrowborder" valign="top" headers="mcps1.3.50.2.5.1.1 "><p id="obs_40_0041__p69371126115716">delimiter</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.50.2.5.1.2 "><p id="obs_40_0041__p7937172675719">Type: String. Groups objects in a bucket.</p>
</td>
</tr>
<tr id="obs_40_0041__row13937226115711"><td class="cellrowborder" valign="top" headers="mcps1.3.50.2.5.1.1 "><p id="obs_40_0041__p293712266579">max-keys</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.50.2.5.1.2 "><p id="obs_40_0041__p2093752619576">Type: Numeric. Sets the maximum number of objects. Returned objects are listed in alphabetic order.</p>
</td>
</tr>
<tr id="obs_40_0041__row8937926195711"><td class="cellrowborder" rowspan="3" valign="top" headers="mcps1.3.50.2.5.1.1 "><p id="obs_40_0041__p393712675711">ListBucketVersions</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.50.2.5.1.2 "><p id="obs_40_0041__p09372264575">prefix</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.50.2.5.1.3 "><p id="obs_40_0041__p693772615577">Type: String. Lists multi-version objects with the specified prefix.</p>
</td>
</tr>
<tr id="obs_40_0041__row993715262572"><td class="cellrowborder" valign="top" headers="mcps1.3.50.2.5.1.1 "><p id="obs_40_0041__p119371326175713">delimiter</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.50.2.5.1.2 "><p id="obs_40_0041__p6937162615576">Type: String. Groups objects of different versions in a bucket.</p>
</td>
</tr>
<tr id="obs_40_0041__row693722612571"><td class="cellrowborder" valign="top" headers="mcps1.3.50.2.5.1.1 "><p id="obs_40_0041__p15937326155717">max-keys</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.50.2.5.1.2 "><p id="obs_40_0041__p12938122617571">Type: Numeric. Sets the maximum number of objects. Returned objects are listed in alphabetic order.</p>
</td>
</tr>
<tr id="obs_40_0041__row193842612574"><td class="cellrowborder" valign="top" width="19.58804119588041%" headers="mcps1.3.50.2.5.1.1 "><p id="obs_40_0041__p1793819263575">PutBucketAcl</p>
</td>
<td class="cellrowborder" valign="top" width="14.808519148085193%" headers="mcps1.3.50.2.5.1.2 "><p id="obs_40_0041__p139381226195719">x-obs-acl</p>
</td>
<td class="cellrowborder" valign="top" width="43.05569443055695%" headers="mcps1.3.50.2.5.1.3 "><p id="obs_40_0041__p793892605711">Type: String. Configures the bucket ACL. When modifying a bucket ACL, you can use the request that contains a canned ACL setting in its header. Value options of a canned ACL setting: <strong id="obs_40_0041__b68479615188">private|public-read|public-read-write|bucketowner-read|log-delivery-write</strong>.</p>
</td>
<td class="cellrowborder" valign="top" width="22.547745225477453%" headers="mcps1.3.50.2.5.1.4 "><p id="obs_40_0041__p9968173791419">None</p>
</td>
</tr>
</tbody>
</table>
</div>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="obs_40_0041__table14742526145718" frame="border" border="1" rules="all"><caption><b>Table 7 </b>Keys related to object actions</caption><thead align="left"><tr id="obs_40_0041__row293802635716"><th align="left" class="cellrowborder" valign="top" width="23.47%" id="mcps1.3.51.2.4.1.1"><p id="obs_40_0041__p99381026135710">Action</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="27.55%" id="mcps1.3.51.2.4.1.2"><p id="obs_40_0041__p2938132618576">Optional Key</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="48.980000000000004%" id="mcps1.3.51.2.4.1.3"><p id="obs_40_0041__p19938726175710">Description</p>
</th>
</tr>
</thead>
<tbody><tr id="obs_40_0041__row19939182618579"><td class="cellrowborder" rowspan="4" valign="top" width="23.47%" headers="mcps1.3.51.2.4.1.1 "><p id="obs_40_0041__p893942695710">PutObject</p>
</td>
<td class="cellrowborder" valign="top" width="27.55%" headers="mcps1.3.51.2.4.1.2 "><p id="obs_40_0041__p493902613571">x-obs-acl</p>
</td>
<td class="cellrowborder" valign="top" width="48.980000000000004%" headers="mcps1.3.51.2.4.1.3 "><p id="obs_40_0041__p861813885512">Type: String. Configures the object ACL. When uploading an object, you can send a request that carries a canned ACL setting in its header. Value options of a canned ACL setting: <strong id="obs_40_0041__b7231133602115">private|public-read|public-read-write|bucketowner-read|bucket-owner-full-control|log-delivery-write</strong>.</p>
</td>
</tr>
<tr id="obs_40_0041__row293932619571"><td class="cellrowborder" valign="top" headers="mcps1.3.51.2.4.1.1 "><p id="obs_40_0041__p19391026155720">x-obs-copy-source</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.51.2.4.1.2 "><p id="obs_40_0041__p393942620578">Type: String. Specifies names of the source bucket and the source object. Format: <strong id="obs_40_0041__b203521941102120">/</strong><em id="obs_40_0041__i10352341152119">bucketname</em><strong id="obs_40_0041__b163532418219">/</strong><em id="obs_40_0041__i14353174117217">keyname</em></p>
</td>
</tr>
<tr id="obs_40_0041__row3939626125711"><td class="cellrowborder" valign="top" headers="mcps1.3.51.2.4.1.1 "><p id="obs_40_0041__p15939726165718">x-obs-metadata-directive</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.51.2.4.1.2 "><p id="obs_40_0041__p1293962614575">Type: String. Specifies whether to copy the metadata of the source object or replace it with the metadata in the request. The value can be <strong id="obs_40_0041__b479062416226">COPY</strong> or <strong id="obs_40_0041__b114781926112212">REPLACE</strong>.</p>
</td>
</tr>
<tr id="obs_40_0041__row5806457133513"><td class="cellrowborder" valign="top" headers="mcps1.3.51.2.4.1.1 "><p id="obs_40_0041__p69702319365">x-obs-server-side-encryption</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.51.2.4.1.2 "><p id="obs_40_0041__p2888164583617">Type: String. Specifies that objects in a bucket are encrypted using SSE-KMS before they are stored. The value is <strong id="obs_40_0041__b115461010912">kms</strong>.</p>
</td>
</tr>
<tr id="obs_40_0041__row159391126185711"><td class="cellrowborder" valign="top" width="23.47%" headers="mcps1.3.51.2.4.1.1 "><p id="obs_40_0041__p6939202611579">PutObjectAcl</p>
</td>
<td class="cellrowborder" valign="top" width="27.55%" headers="mcps1.3.51.2.4.1.2 "><p id="obs_40_0041__p293992675713">x-obs-acl</p>
</td>
<td class="cellrowborder" valign="top" width="48.980000000000004%" headers="mcps1.3.51.2.4.1.3 "><p id="obs_40_0041__p26111442185511">Type: String. Configures the object ACL. When uploading an object, you can send a request that carries a canned ACL setting in its header. Value options of a canned ACL setting: <strong id="obs_40_0041__b7320154162218">private|public-read|public-read-write|bucketowner-read|bucket-owner-full-control|log-delivery-write</strong>.</p>
</td>
</tr>
<tr id="obs_40_0041__row14939172645713"><td class="cellrowborder" valign="top" width="23.47%" headers="mcps1.3.51.2.4.1.1 "><p id="obs_40_0041__p16939142613573">GetObjectVersion</p>
</td>
<td class="cellrowborder" valign="top" width="27.55%" headers="mcps1.3.51.2.4.1.2 "><p id="obs_40_0041__p1294002655714">versionId</p>
</td>
<td class="cellrowborder" valign="top" width="48.980000000000004%" headers="mcps1.3.51.2.4.1.3 "><p id="obs_40_0041__p1494016264579">Type: String. Obtains the object with the specified version ID.</p>
</td>
</tr>
<tr id="obs_40_0041__row19940172645714"><td class="cellrowborder" valign="top" width="23.47%" headers="mcps1.3.51.2.4.1.1 "><p id="obs_40_0041__p2094002613577">GetObjectVersionAcl</p>
</td>
<td class="cellrowborder" valign="top" width="27.55%" headers="mcps1.3.51.2.4.1.2 "><p id="obs_40_0041__p14940162685715">versionId</p>
</td>
<td class="cellrowborder" valign="top" width="48.980000000000004%" headers="mcps1.3.51.2.4.1.3 "><p id="obs_40_0041__p13940192615574">Type: String. Obtains the ACL of the object with the specified version ID.</p>
</td>
</tr>
<tr id="obs_40_0041__row99401326105715"><td class="cellrowborder" rowspan="2" valign="top" width="23.47%" headers="mcps1.3.51.2.4.1.1 "><p id="obs_40_0041__p994016263575">PutObjectVersionAcl</p>
</td>
<td class="cellrowborder" valign="top" width="27.55%" headers="mcps1.3.51.2.4.1.2 "><p id="obs_40_0041__p7940122655716">versionId</p>
</td>
<td class="cellrowborder" valign="top" width="48.980000000000004%" headers="mcps1.3.51.2.4.1.3 "><p id="obs_40_0041__p1394042615579">Type: String. Specifies a version ID.</p>
</td>
</tr>
<tr id="obs_40_0041__row1794032615574"><td class="cellrowborder" valign="top" headers="mcps1.3.51.2.4.1.1 "><p id="obs_40_0041__p10940162695719">x-obs-acl</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.51.2.4.1.2 "><p id="obs_40_0041__p1392195113554">Type: String. Configures the ACL of the object with the specified version ID. When uploading an object, you can send a request that carries a canned ACL setting in its header. Value options of a canned ACL setting: <strong id="obs_40_0041__b44317503227">private|public-read|public-read-write|bucketowner-read|bucket-owner-full-control|log-delivery-write</strong>.</p>
</td>
</tr>
<tr id="obs_40_0041__row1394092635717"><td class="cellrowborder" valign="top" width="23.47%" headers="mcps1.3.51.2.4.1.1 "><p id="obs_40_0041__p179406267573">DeleteObjectVersion</p>
</td>
<td class="cellrowborder" valign="top" width="27.55%" headers="mcps1.3.51.2.4.1.2 "><p id="obs_40_0041__p16940192615577">versionId</p>
</td>
<td class="cellrowborder" valign="top" width="48.980000000000004%" headers="mcps1.3.51.2.4.1.3 "><p id="obs_40_0041__p13941726185718">Type: String. Deletes the object with the specified version ID.</p>
</td>
</tr>
</tbody>
</table>
</div>
<div class="section" id="obs_40_0041__en-us_topic_0118394684_section10136448"><h4 class="sectiontitle">Policy Permission Judgment Logic</h4><p class="msonormal" id="obs_40_0041__en-us_topic_0118394684_p31906675">Each statement in a policy evaluates to one of three results: <strong id="obs_40_0041__b16117104714314">Explicit Deny</strong>, <strong id="obs_40_0041__b1812344719320">Allow</strong>, or <strong id="obs_40_0041__b5123134712318">Default Deny</strong>. If a bucket policy contains multiple statements with different results, the final result is determined according to the following rules:</p>
<p class="msonormal" id="obs_40_0041__en-us_topic_0118394684_p18724620">- If there is no <strong id="obs_40_0041__b0178165612226">Explicit Deny</strong> or <strong id="obs_40_0041__b2595258172211">Allow</strong>, <strong id="obs_40_0041__b8593200234">Default Deny</strong> applies.</p>
<p class="msonormal" id="obs_40_0041__en-us_topic_0118394684_p34303855">- An explicit deny overrides an allow.</p>
<p class="msonormal" id="obs_40_0041__en-us_topic_0118394684_p40299246">- An allow overrides a default deny.</p>
<p class="msonormal" id="obs_40_0041__en-us_topic_0118394684_p27148896">- Statements can be in any order in a policy.</p>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="obs_40_0041__en-us_topic_0118394684_table43013480" frame="border" border="1" rules="all"><caption><b>Table 8 </b>Statement results</caption><thead align="left"><tr id="obs_40_0041__en-us_topic_0118394684_row36198266"><th align="left" class="cellrowborder" valign="top" width="23.23%" id="mcps1.3.52.7.2.3.1.1"><p id="obs_40_0041__en-us_topic_0118394684_p46378471">Result</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="76.77000000000001%" id="mcps1.3.52.7.2.3.1.2"><p id="obs_40_0041__en-us_topic_0118394684_p54147030">Description</p>
</th>
</tr>
</thead>
<tbody><tr id="obs_40_0041__en-us_topic_0118394684_row13173135"><td class="cellrowborder" valign="top" width="23.23%" headers="mcps1.3.52.7.2.3.1.1 "><p id="obs_40_0041__en-us_topic_0118394684_p60391021">explicit deny</p>
</td>
<td class="cellrowborder" valign="top" width="76.77000000000001%" headers="mcps1.3.52.7.2.3.1.2 "><p id="obs_40_0041__en-us_topic_0118394684_p59834572">A statement defines effect="deny". All requests for resources to which the statement applies are denied. No permission is returned.</p>
</td>
</tr>
<tr id="obs_40_0041__en-us_topic_0118394684_row1640244"><td class="cellrowborder" valign="top" width="23.23%" headers="mcps1.3.52.7.2.3.1.1 "><p id="obs_40_0041__en-us_topic_0118394684_p65750902">allow</p>
</td>
<td class="cellrowborder" valign="top" width="76.77000000000001%" headers="mcps1.3.52.7.2.3.1.2 "><p id="obs_40_0041__en-us_topic_0118394684_p24222861">A statement defines effect="allow". All requests for resources to which the statement applies are allowed.</p>
</td>
</tr>
<tr id="obs_40_0041__en-us_topic_0118394684_row16679164"><td class="cellrowborder" valign="top" width="23.23%" headers="mcps1.3.52.7.2.3.1.1 "><p id="obs_40_0041__en-us_topic_0118394684_p8835053">default deny</p>
</td>
<td class="cellrowborder" valign="top" width="76.77000000000001%" headers="mcps1.3.52.7.2.3.1.2 "><p id="obs_40_0041__en-us_topic_0118394684_p44550694">Conditions defined in a statement are not met. Requests are denied.</p>
</td>
</tr>
</tbody>
</table>
</div>
<p class="msonormal" id="obs_40_0041__en-us_topic_0118394684_p14830224">If both an ACL and a bucket policy apply, an explicit deny in the bucket policy overrides the allow in the ACL.</p>
<p class="msonormal" id="obs_40_0041__en-us_topic_0118394684_p66363158">If both a bucket policy and an IAM policy apply, an explicit deny overrides an allow, and an allow overrides the default deny.</p>
<p class="msonormal" id="obs_40_0041__en-us_topic_0118394684_p60397511">Bucket ACL/Policy for cross-tenant authorization does not apply to SSE-KMS server-side encrypted objects.</p>
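<p class="msonormal">The precedence rules above, worked through as an added Python example (not part of the OBS documentation or product code). The request dictionary, the <code>examplebucket/*</code> resource pattern, and the simplified <code>Condition</code> form (key mapped to a list of accepted values, exact match only) are assumptions for illustration; <code>combine</code> is also how a result from an ACL or IAM policy would merge with the bucket policy result.</p>

```python
from fnmatch import fnmatchcase

EXPLICIT_DENY, ALLOW, DEFAULT_DENY = "explicit deny", "allow", "default deny"


def as_list(value):
    return value if isinstance(value, list) else [value]


def statement_result(stmt, request):
    """Result of one statement for one request (the three rows of Table 8)."""
    principals = as_list(stmt["Principal"])
    if "*" not in principals and request["principal"] not in principals:
        return DEFAULT_DENY
    if request["action"] not in as_list(stmt["Action"]):
        return DEFAULT_DENY
    if not any(fnmatchcase(request["resource"], r) for r in as_list(stmt["Resource"])):
        return DEFAULT_DENY
    # Assumed, simplified Condition: {key: [accepted values]}, exact match only.
    for key, accepted in stmt.get("Condition", {}).items():
        if request.get("keys", {}).get(key) not in accepted:
            return DEFAULT_DENY  # conditions not met: statement does not apply
    # An unknown Effect raises KeyError instead of silently allowing.
    return {"Deny": EXPLICIT_DENY, "Allow": ALLOW}[stmt["Effect"]]


def combine(results):
    """Explicit deny beats allow; allow beats default deny; order is irrelevant."""
    results = list(results)
    if EXPLICIT_DENY in results:
        return EXPLICIT_DENY
    return ALLOW if ALLOW in results else DEFAULT_DENY


def evaluate(policy, request):
    return combine(statement_result(s, request) for s in policy["Statement"])


# Constructed sample policy: anyone may upload, but never with a public canned ACL.
POLICY = {"Statement": [
    {"Sid": "AllowUpload", "Principal": "*", "Effect": "Allow",
     "Action": ["PutObject"], "Resource": "examplebucket/*"},
    {"Sid": "DenyPublicAcl", "Principal": "*", "Effect": "Deny",
     "Action": ["PutObject"], "Resource": "examplebucket/*",
     "Condition": {"x-obs-acl": ["public-read", "public-read-write"]}},
]}


def put(acl):  # constructed PutObject request carrying an x-obs-acl value
    return {"principal": "user-a", "action": "PutObject",
            "resource": "examplebucket/report.csv", "keys": {"x-obs-acl": acl}}
```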
</div>
</div>