vpruthi/doc-exports
1
0
Fork 0
forked from docs/doc-exports
Code Pull Requests Activity
doc-exports/docs/obs/perms-cfg/obs_40_0044.html
zhangyue 2c8baf104e OBS PERM DOC 
Reviewed-by: Sabelnikov, Dmitriy <dmitriy.sabelnikov@t-systems.com>
Co-authored-by: zhangyue <zhangyue164@huawei.com>
Co-committed-by: zhangyue <zhangyue164@huawei.com>
2024-10-29 16:45:36 +00:00

81 lines
15 KiB
HTML
Raw Blame History

<a name="obs_40_0044"></a><a name="obs_40_0044"></a>
<h1 class="topictitle1">Granting IAM User Groups Specific Permissions on a Folder</h1>
<div id="body0000001128664300"><div class="section" id="obs_40_0044__section43491717165116"><h4 class="sectiontitle">Scenario</h4><p id="obs_40_0044__p3431154410448">This topic describes how to grant specified permissions for a folder in an OBS bucket to multiple IAM users or user groups.</p>
</div>
<div class="section" id="obs_40_0044__section106520378518"><h4 class="sectiontitle">Recommended Configuration</h4><p id="obs_40_0044__p103657437515">Use an IAM custom policy to configure the permissions.</p>
</div>
<div class="section" id="obs_40_0044__section786219432319"><h4 class="sectiontitle">Precautions</h4><p id="obs_40_0044__p817120327254">After configuration, IAM users can perform allowed operations using APIs. If they log in to OBS Console or OBS Browser+ to perform those operations, a message will be displayed indicating that they do not have required permissions.</p>
<p id="obs_40_0044__p2095722518592">This is because when they log in to OBS Console or OBS Browser+, APIs (such as <strong id="obs_40_0044__b1165119455278">ListAllMyBuckets</strong> and <strong id="obs_40_0044__b1565114512711">ListBucket</strong>) are called to load the bucket list and object list and some other APIs will also be called on other pages, but their permissions do not cover those APIs. In such case, the message is diplayed.</p>
<p id="obs_40_0044__p7807163365117">To allow IAM users to operate buckets and objects on OBS Console or OBS Browser+, add at least the <strong id="obs_40_0044__b1023814132458">obs:bucket:ListAllMyBuckets</strong> and <strong id="obs_40_0044__b423961364510">obs:bucket:ListBucket</strong> permissions to the custom policy. (In this case, these two permissions are configured in permissions 2 and 3.)</p>
<div class="note" id="obs_40_0044__note5566228165219"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="obs_40_0044__p1518015112445"><strong id="obs_40_0044__b1175714464297">obs:bucket:ListAllMyBuckets</strong> applies to all resources. You need to select all resources.</p>
<p id="obs_40_0044__p256692825216"><strong id="obs_40_0044__b173404902917">obs:bucket:ListBucket</strong> applies only to the authorized bucket. You can select all resources or a specified bucket as needed.</p>
</div></div>
</div>
<div class="section" id="obs_40_0044__section1565643713464"><h4 class="sectiontitle">Procedure</h4><ol id="obs_40_0044__ol170633855216"><li id="obs_40_0044__li10432131493113"><span>Log in to the management console using a cloud service account.</span></li><li id="obs_40_0044__li625685643115"><span>On the top menu bar, choose <strong id="obs_40_0044__b2096717161570">Service List</strong> &gt; <strong id="obs_40_0044__b196721655710">Management &amp; Deployment</strong> &gt; <strong id="obs_40_0044__b6967131605713">Identity and Access Management</strong>.</span></li><li id="obs_40_0044__li1848615103345"><span>In the navigation pane, choose <strong id="obs_40_0044__b17330625152910">Permissions</strong>.</span></li><li id="obs_40_0044__li1388483016366"><span>Click <strong id="obs_40_0044__b3955112255715">Create Custom Policy</strong> in the upper right corner.</span></li><li id="obs_40_0044__li1161395452712"><span>Configure a custom policy.</span><p><div class="fignone" id="obs_40_0044__fig61012351811"><span class="figcap"><b>Figure 1 </b>Configuring a custom policy</span><br><span><img id="obs_40_0044__image1010283101813" src="en-us_image_0000001386340170.png"></span></div>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="obs_40_0044__table6375112782815" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Parameters for configuring a custom policy</caption><thead align="left"><tr id="obs_40_0044__row6375927132818"><th align="left" class="cellrowborder" valign="top" width="25.25%" id="mcps1.3.4.2.5.2.2.2.3.1.1"><p id="obs_40_0044__p23757272286">Parameter</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="74.75%" id="mcps1.3.4.2.5.2.2.2.3.1.2"><p id="obs_40_0044__p63751027152820">Description</p>
</th>
</tr>
</thead>
<tbody><tr id="obs_40_0044__row17375102752819"><td class="cellrowborder" valign="top" width="25.25%" headers="mcps1.3.4.2.5.2.2.2.3.1.1 "><p id="obs_40_0044__p1737572772816">Policy Name</p>
</td>
<td class="cellrowborder" valign="top" width="74.75%" headers="mcps1.3.4.2.5.2.2.2.3.1.2 "><p id="obs_40_0044__p83758278280">Enter a policy name.</p>
</td>
</tr>
<tr id="obs_40_0044__row1937592712288"><td class="cellrowborder" valign="top" width="25.25%" headers="mcps1.3.4.2.5.2.2.2.3.1.1 "><p id="obs_40_0044__p173753272284">Policy View</p>
</td>
<td class="cellrowborder" valign="top" width="74.75%" headers="mcps1.3.4.2.5.2.2.2.3.1.2 "><p id="obs_40_0044__p17375102714285">Select one based on your own habits. <strong id="obs_40_0044__b12251105612819">Visual editor</strong> is used here.</p>
</td>
</tr>
<tr id="obs_40_0044__row133751227142812"><td class="cellrowborder" valign="top" width="25.25%" headers="mcps1.3.4.2.5.2.2.2.3.1.1 "><p id="obs_40_0044__p203751027172816">Policy Content</p>
</td>
<td class="cellrowborder" valign="top" width="74.75%" headers="mcps1.3.4.2.5.2.2.2.3.1.2 "><p id="obs_40_0044__p1928318374535">[Permission 1]</p>
<ul id="obs_40_0044__ul1488325514462"><li id="obs_40_0044__li10883125510469">Select <strong id="obs_40_0044__b1866817151147">Allow</strong>.</li><li id="obs_40_0044__li988318554466">Select <strong id="obs_40_0044__b10564181443">Object Storage Service (OBS)</strong>.</li><li id="obs_40_0044__li77471332151019">Select all the object-related permissions under <strong id="obs_40_0044__b153651023363">ReadOnly</strong>, <strong id="obs_40_0044__b496392414610">ReadWrite</strong>, and <strong id="obs_40_0044__b375318354615">Permissions</strong>.</li><li id="obs_40_0044__li595411121418">On the <strong id="obs_40_0044__b1243537131317">All</strong> tab, choose <strong id="obs_40_0044__b645910101070">Specific</strong> &gt; <strong id="obs_40_0044__b246020102071">Specify resource path</strong> to specify a folder.<p id="obs_40_0044__p4392013822">[Path Format]</p>
<p id="obs_40_0044__p9933155311298"><strong id="obs_40_0044__b576132216156">obs:*:*:object:</strong><em id="obs_40_0044__i175434291158">Bucket name</em><strong id="obs_40_0044__b1526353310150">/</strong><em id="obs_40_0044__i94341139151511">Folder name</em><strong id="obs_40_0044__b169031642181517">/*</strong></p>
<p id="obs_40_0044__p14703335307">[Notes]</p>
<p id="obs_40_0044__p9142175873014">For bucket resources, IAM automatically generates the prefix of the resource path <strong id="obs_40_0044__b720530101913">obs:*:*:object:</strong>.</p>
<p id="obs_40_0044__p17463217363">You can add <em id="obs_40_0044__i187511017141713">Bucket name/Object name</em> at the end of the generated path prefix to specify a resource path. Wildcards (*) are also supported. For example, <strong id="obs_40_0044__b144871906242">OBS:*:*:object:example-002/folder-001/*</strong> indicates any object in folder <strong id="obs_40_0044__b554372202419">folder-001</strong> of bucket <strong id="obs_40_0044__b39723219244">example-002</strong>.</p>
</li></ul>
<p id="obs_40_0044__p1094344019260">[Permission 2] It is mandatory when an authorized user needs to perform operations on OBS Console or OBS Browser+.</p>
<ul id="obs_40_0044__ul17943540162618"><li id="obs_40_0044__li10943104052620">Select <strong id="obs_40_0044__b195554342271">Allow</strong>.</li><li id="obs_40_0044__li9943184022620">Select <strong id="obs_40_0044__b152051737162710">Object Storage Service (OBS)</strong>.</li><li id="obs_40_0044__li19883155554614">Select <strong id="obs_40_0044__b12933739192712">obs:bucket:ListBucket</strong> from the actions.</li><li id="obs_40_0044__li1991741116547">On the <strong id="obs_40_0044__b2116731162813">All</strong> tab, choose <strong id="obs_40_0044__b14118143182811">Specific</strong> &gt; <strong id="obs_40_0044__b3120113116285">Specify resource path</strong> to specify a bucket.<p id="obs_40_0044__p2045623815299">[Path Format]</p>
<p id="obs_40_0044__p74565384297"><strong id="obs_40_0044__b172671627397">obs:*:*:bucket:</strong><em id="obs_40_0044__i734662053613">Bucket name</em></p>
</li><li id="obs_40_0044__li1588752312315">On the <strong id="obs_40_0044__b17782230124419">(Optional) Add request condition</strong> tab, click <strong id="obs_40_0044__b2448123915442">Add Request Condition</strong>.<ul id="obs_40_0044__ul12427164311341"><li id="obs_40_0044__li347333313220"><strong id="obs_40_0044__b4846192444519">Condition key</strong>: Select <strong id="obs_40_0044__b124631354154516">obs:prefix</strong> from the drop-down list.</li><li id="obs_40_0044__li988010439332"><strong id="obs_40_0044__b2751199114613">Operator</strong>: Select <strong id="obs_40_0044__b1560329114613">StringMatch</strong> from the drop-down list.</li><li id="obs_40_0044__li1167275203417"><strong id="obs_40_0044__en-us_topic_0104029905_b33832910436">Value</strong>: <em id="obs_40_0044__en-us_topic_0104029905_en-us_topic_0101094788_i102251116161316">Folder name</em><strong id="obs_40_0044__b15352191112476">/</strong></li></ul>
<p id="obs_40_0044__p10505450163414">[Notes]</p>
<p id="obs_40_0044__p4861328352">If you want a user to have only the permission to list a folder in the bucket, add a request condition for action <strong id="obs_40_0044__b2027203614487">obs:bucket:ListBucket</strong>. <strong id="obs_40_0044__b789255075811">prefix</strong> is included in the request for listing objects in a bucket. In this way, when you specify <strong id="obs_40_0044__b1932193919597">prefix</strong> to list objects whose names start with <em id="obs_40_0044__i174551427143719">Folder name</em><strong id="obs_40_0044__b156943360360">/</strong>, the objects in the bucket can be listed.</p>
</li></ul>
<div class="p" id="obs_40_0044__p7700251153917">[Permission 3] It is mandatory when an authorized user needs to perform operations on OBS Console or OBS Browser+.<ul id="obs_40_0044__ul1854216504393"><li id="obs_40_0044__li155421350103914">Select <strong id="obs_40_0044__b1361117610481">Allow</strong>.</li><li id="obs_40_0044__li4542450103916">Select <strong id="obs_40_0044__b19890121285411">Object Storage Service (OBS)</strong>.</li><li id="obs_40_0044__li135421450183918">Select <strong id="obs_40_0044__b227391915546">obs:bucket:ListAllMyBuckets</strong> under <strong id="obs_40_0044__b795072805513">ListOnly</strong>.</li><li id="obs_40_0044__li15542105020399">Select <strong id="obs_40_0044__b1174619265568">All</strong> for <strong id="obs_40_0044__b1537101185719">Resources</strong>.</li></ul>
</div>
</td>
</tr>
<tr id="obs_40_0044__row207159108539"><td class="cellrowborder" valign="top" width="25.25%" headers="mcps1.3.4.2.5.2.2.2.3.1.1 "><p id="obs_40_0044__p83756273285">Scope</p>
</td>
<td class="cellrowborder" valign="top" width="74.75%" headers="mcps1.3.4.2.5.2.2.2.3.1.2 "><p id="obs_40_0044__p1037542711283">The default value is <strong id="obs_40_0044__b860181361">Global services</strong>.</p>
</td>
</tr>
</tbody>
</table>
</div>
</p></li><li id="obs_40_0044__li1293324623719"><span>Click <strong id="obs_40_0044__b165709613316">OK</strong>.</span></li><li id="obs_40_0044__li81339157389"><span><a href="https://docs.otc.t-systems.com/en-us/usermanual/iam/iam_01_0030.html" target="_blank" rel="noopener noreferrer">Create a user group and assign permissions</a>.</span><p><p id="obs_40_0044__p1312812258417">Apply the created custom policy to the user group by following the instructions in the IAM document.</p>
</p></li><li id="obs_40_0044__li12273529113919"><span><a href="https://docs.otc.t-systems.com/en-us/usermanual/iam/iam_01_0031.html" target="_blank" rel="noopener noreferrer">Add the IAM user you want to authorize to the created user group</a>.</span><p><div class="note" id="obs_40_0044__note1402619155515"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="obs_40_0044__p37253183814">Due to data caching, it takes about 10 to 15 minutes for a custom policy to take effect.</p>
</div></div>
</p></li></ol>
</div>
<div class="section" id="obs_40_0044__section15823527415"><h4 class="sectiontitle">Verification</h4><ol id="obs_40_0044__ol5278184513146"><li id="obs_40_0044__li027864581416"><span>Log in to OBS Console as an IAM user.</span></li><li id="obs_40_0044__li187691522131319"><span>In the bucket list, click bucket <strong id="obs_40_0044__b1120725410174">example-002</strong> to go to the <strong id="obs_40_0044__b860791133215">Overview</strong> page.</span><p><div class="note" id="obs_40_0044__note1582471119493"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="obs_40_0044__p78251911174916">After the configuration is complete, it is normal if the system still displays a message indicating that you do not have required permissions, because OBS Console also calls other APIs for advanced settings, but you can still perform the operations allowed on the folder.</p>
</div></div>
</p></li><li id="obs_40_0044__li11765154017509"><span>In the navigation pane, select <strong id="obs_40_0044__b430811332119">Objects</strong>. If a message indicating no sufficient is available and no object can be viewed, ignore the message and continue with the operations.</span><p><div class="note" id="obs_40_0044__note3156142165415"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="obs_40_0044__p141561321195411">The reason why there is no required permission is that listing objects on OBS Console is to list objects in the root folder. This is different from the configured custom policy (listing objects in folder <strong id="obs_40_0044__b13188125619298">folder-001/</strong>).</p>
</div></div>
</p></li><li id="obs_40_0044__li7706170175111"><span>In the search box, enter <strong id="obs_40_0044__b1593118142616">folder-001/</strong> to view the list of objects in <strong id="obs_40_0044__b182861144132616">folder-001</strong>. Objects <strong id="obs_40_0044__b1273081272711">222.txt</strong> and <strong id="obs_40_0044__b18722131532719">111.txt</strong> are displayed.</span></li><li id="obs_40_0044__li584842925718"><span>Click <strong id="obs_40_0044__b12655185116331">Create Folder</strong> to create folder <strong id="obs_40_0044__b185938552336">folder-002</strong>.</span></li><li id="obs_40_0044__li1629212395918"><span>Click <strong id="obs_40_0044__b587712754116">Upload Object</strong> to upload file <strong id="obs_40_0044__b11764182154111">333.txt</strong>.</span><p><div class="note" id="obs_40_0044__note127411448185420"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="obs_40_0044__p137411348205417">If some other permissions are required, hover over the username and choose <strong id="obs_40_0044__b1419118113463">Identity and Access Management</strong> &gt; <strong id="obs_40_0044__b16592553462">Permissions</strong>, and then repeat the operations above to configure custom policies as needed.</p>
</div></div>
</p></li></ol>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="obs_40_0019.html">Granting Permissions to Multiple IAM Users or User Groups Under the Account</a></div>
</div>
</div>
View Git Blame Copy Permalink