doc-exports/docs/obs/perms-cfg/obs_40_0001.html
zhangyue 32b9354795 OBS PERMS DOC
Reviewed-by: Sabelnikov, Dmitriy <dmitriy.sabelnikov@t-systems.com>
Reviewed-by: Hasko, Vladimir <vladimir.hasko@t-systems.com>
Co-authored-by: zhangyue <zhangyue164@huawei.com>
Co-committed-by: zhangyue <zhangyue164@huawei.com>
2023-04-18 07:48:10 +00:00

<a name="obs_40_0001"></a><a name="obs_40_0001"></a>
<h1 class="topictitle1">Introduction to OBS Access Control</h1>
<div id="body39451090"><p id="obs_40_0001__p92541859144911">By default, OBS resources (buckets and objects) are private. Only resource owners can access their OBS resources. Without authorization, other users cannot access OBS. OBS permission control refers to granting permissions to other accounts or IAM users by editing access policies. For example, if you have a bucket, you can authorize another IAM user to upload objects to your bucket. You can also open buckets to non-public cloud users, so that anyone can access your buckets as public resources over the Internet. OBS offers different methods to help resource owners grant resource permissions to others as required, keeping data secure.</p>
<div class="section" id="obs_40_0001__section994612812917"><h4 class="sectiontitle">OBS Permission Control Model</h4><p id="obs_40_0001__p23852817154">OBS provides multiple permission control mechanisms, including IAM permissions, bucket policies, object ACLs, and bucket ACLs. <a href="#obs_40_0001__table16110824101113">Table 1</a> describes the mechanisms and application scenarios.</p>
<div class="fignone" id="obs_40_0001__fig86382060556"><span class="figcap"><b>Figure 1 </b>OBS permission control mechanisms</span><br><span><img id="obs_40_0001__image19638268557" src="en-us_image_0257815079.png"></span></div>
<div class="tablenoborder"><a name="obs_40_0001__table16110824101113"></a><a name="table16110824101113"></a><table cellpadding="4" cellspacing="0" summary="" id="obs_40_0001__table16110824101113" frame="border" border="1" rules="all"><caption><b>Table 1 </b>OBS permission control mechanisms and application scenarios</caption><thead align="left"><tr id="obs_40_0001__row191137249118"><th align="left" class="cellrowborder" valign="top" width="15%" id="mcps1.3.2.4.2.4.1.1"><p id="obs_40_0001__p101139244117">Method</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="40%" id="mcps1.3.2.4.2.4.1.2"><p id="obs_40_0001__p13113224171114">Description</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="45%" id="mcps1.3.2.4.2.4.1.3"><p id="obs_40_0001__p1111372413118">Scenario</p>
</th>
</tr>
</thead>
<tbody><tr id="obs_40_0001__row31131324201112"><td class="cellrowborder" valign="top" width="15%" headers="mcps1.3.2.4.2.4.1.1 "><p id="obs_40_0001__p411392481118">IAM permissions</p>
</td>
<td class="cellrowborder" valign="top" width="40%" headers="mcps1.3.2.4.2.4.1.2 "><p id="obs_40_0001__p15113152418112">IAM permissions define the actions that can be performed on your cloud resources. In other words, IAM permissions specify what actions are allowed or denied. After an IAM user is created, the administrator needs to add the user to a group. IAM can grant the user group required OBS access permissions, and then all users in the group automatically inherit the permissions of the user group.</p>
</td>
<td class="cellrowborder" valign="top" width="45%" headers="mcps1.3.2.4.2.4.1.3 "><ul id="obs_40_0001__ul319124042416"><li id="obs_40_0001__li659151842013">Controlling access to all OBS buckets under an account</li><li id="obs_40_0001__li6730112282013">Controlling access to all OBS objects under an account</li><li id="obs_40_0001__li859111882010">Controlling access to specified OBS resources under an account</li></ul>
</td>
</tr>
<tr id="obs_40_0001__row12615128191413"><td class="cellrowborder" valign="top" width="15%" headers="mcps1.3.2.4.2.4.1.1 "><p id="obs_40_0001__p33131329111413">Bucket policies</p>
</td>
<td class="cellrowborder" valign="top" width="40%" headers="mcps1.3.2.4.2.4.1.2 "><p id="obs_40_0001__p1931312295148">A bucket policy is attached to a bucket and objects in the bucket. Bucket owners can use bucket policies to grant IAM users or other accounts the permissions to operate buckets and objects in the buckets. ACLs of buckets and objects supplement bucket policies, and in many cases, bucket policies replace ACLs.</p>
</td>
<td class="cellrowborder" valign="top" width="45%" headers="mcps1.3.2.4.2.4.1.3 "><ul id="obs_40_0001__ul1231302991411"><li id="obs_40_0001__li53131829181412">Granting other accounts the permissions to access OBS resources</li><li id="obs_40_0001__li931310297146">Configuring bucket policies to grant IAM users various access permissions to different buckets</li></ul>
</td>
</tr>
<tr id="obs_40_0001__row15966232171415"><td class="cellrowborder" valign="top" width="15%" headers="mcps1.3.2.4.2.4.1.1 "><p id="obs_40_0001__p1699324454219">Object ACLs</p>
</td>
<td class="cellrowborder" valign="top" width="40%" headers="mcps1.3.2.4.2.4.1.2 "><p id="obs_40_0001__p715844613142">Controls access to objects for accounts or user groups. Object owners can configure the object access control list (ACL) to grant basic read and write permissions to specified accounts or user groups.</p>
<div class="note" id="obs_40_0001__note1415854615143"><span class="notetitle"> NOTE: </span><div class="notebody"><ul id="obs_40_0001__ul1515874671418"><li id="obs_40_0001__li2015824612145">By default, an object ACL is created upon the creation of the object. The object owner has full control over the object.</li><li id="obs_40_0001__li2015854619149">An object owner is the account that uploads the object, but may not be the owner of the bucket that stores the object. For example, account <strong id="obs_40_0001__b122201620448">B</strong> is granted the permission to access a bucket of account <strong id="obs_40_0001__b3225120742">A</strong>, and account <strong id="obs_40_0001__b9225020948">B</strong> uploads a file to the bucket. In that case, instead of the bucket owner account <strong id="obs_40_0001__b7226720144">A</strong>, account <strong id="obs_40_0001__b22261220349">B</strong> is the owner of the object. By default, account A is not allowed to access this object and cannot read or modify the object ACL.</li></ul>
</div></div>
</td>
<td class="cellrowborder" valign="top" width="45%" headers="mcps1.3.2.4.2.4.1.3 "><ul id="obs_40_0001__ul6158184661418"><li id="obs_40_0001__li171581146201417">If object-level access control is required, a bucket policy can be used to grant access to an object or a set of objects. Once access has been granted to an object set, it is not practical to add a separate bucket policy for a single object in that set. In that case, the object ACL is recommended for easier access control over single objects.</li><li id="obs_40_0001__li13158646141418">An object is accessed through a URL. Generally, if you want to grant anonymous users the permission to read an object through a URL, use the object ACL.</li></ul>
</td>
</tr>
<tr id="obs_40_0001__row183426374143"><td class="cellrowborder" valign="top" width="15%" headers="mcps1.3.2.4.2.4.1.1 "><p id="obs_40_0001__p8810165361119">Bucket ACLs</p>
</td>
<td class="cellrowborder" valign="top" width="40%" headers="mcps1.3.2.4.2.4.1.2 "><p id="obs_40_0001__p31587467141">Controls access to buckets for accounts or user groups. Bucket owners can configure the bucket ACL to grant basic read and write permissions to specified accounts or user groups.</p>
<div class="note" id="obs_40_0001__note1715884618143"><span class="notetitle"> NOTE: </span><div class="notebody"><ul id="obs_40_0001__ul4158144681420"><li id="obs_40_0001__li7158184611416">By default, a bucket ACL is created upon the creation of the bucket. The bucket owner has full control over the bucket.</li><li id="obs_40_0001__li2015824671415">Bucket ACLs do not provide fine-grained permission control. Generally, IAM permissions and bucket policies are recommended.</li></ul>
</div></div>
</td>
<td class="cellrowborder" valign="top" width="45%" headers="mcps1.3.2.4.2.4.1.3 "><ul id="obs_40_0001__ul1215818466148"><li id="obs_40_0001__li20158164614147">Granting an account the read and write access to a bucket, so that data in the bucket can be shared or external buckets can be added. For example, after account <strong id="obs_40_0001__b369114073213">A</strong> grants account <strong id="obs_40_0001__b46911203327">B</strong> the read and write access to a bucket, account <strong id="obs_40_0001__b669218013213">B</strong> can access the bucket by adding an external bucket through OBS Browser+ or using APIs and SDKs.</li><li id="obs_40_0001__li17158746131416">Granting the log delivery user group write access to the target bucket, so that access logs can be delivered to the target bucket.</li></ul>
</td>
</tr>
</tbody>
</table>
</div>
</div>
<div class="section" id="obs_40_0001__section1360784432715"><h4 class="sectiontitle">Relationship Between OBS Permissions and IAM Permissions</h4><p id="obs_40_0001__p01421253102710">OBS provides multiple permission control mechanisms, including time-limited access to objects, object ACLs, bucket ACLs, and bucket policies. Some service-level permissions (for example, creating a bucket and listing all buckets) cannot be configured through OBS and can only be configured on IAM. OBS permissions apply only to resources (buckets and objects). To grant both OBS service-level and resource-level permissions, you must use IAM permissions or both IAM and OBS permissions.</p>
<div class="fignone" id="obs_40_0001__fig95331179511"><span class="figcap"><b>Figure 2 </b>Relationship between OBS permissions and IAM permissions</span><br><span><img id="obs_40_0001__image1253312172517" src="en-us_image_0257817646.png"></span></div>
</div>
<div class="section" id="obs_40_0001__section753694015118"><h4 class="sectiontitle">OBS Permission Control Elements</h4><p id="obs_40_0001__p4739113825">The following factors determine the authorization result:</p>
<ul id="obs_40_0001__ul1383016201242"><li id="obs_40_0001__li188304204419"><strong id="obs_40_0001__b638919453413">Principal (authorized user)</strong></li><li id="obs_40_0001__li1529014411647"><strong id="obs_40_0001__b1622911101259">Effect</strong></li><li id="obs_40_0001__li1816418241945"><strong id="obs_40_0001__b14307713195516">Resource</strong></li><li id="obs_40_0001__li72566261841"><strong id="obs_40_0001__b016518815611">Action</strong></li><li id="obs_40_0001__li1179328148"><strong id="obs_40_0001__b19431486133114">Condition</strong></li></ul>
<p id="obs_40_0001__p1378311151433">For details about elements, see <a href="obs_40_0041.html">Bucket Policy Parameters</a>.</p>
<p id="obs_40_0001__p15693142162310"><a href="#obs_40_0001__table260016521874">Table 2</a> describes elements in different permission control mechanisms.</p>
<div class="tablenoborder"><a name="obs_40_0001__table260016521874"></a><a name="table260016521874"></a><table cellpadding="4" cellspacing="0" summary="" id="obs_40_0001__table260016521874" frame="border" border="1" rules="all"><caption><b>Table 2 </b>OBS permission control elements in different permission control mechanisms</caption><thead align="left"><tr id="obs_40_0001__row460117526717"><th align="left" class="cellrowborder" valign="top" width="12.3%" id="mcps1.3.4.6.2.7.1.1"><p id="obs_40_0001__p1360195211716">Method</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="15.72%" id="mcps1.3.4.6.2.7.1.2"><p id="obs_40_0001__p14601195211713">Principal</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="10.24%" id="mcps1.3.4.6.2.7.1.3"><p id="obs_40_0001__p1853863251513">Supported Effect</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="14.549999999999999%" id="mcps1.3.4.6.2.7.1.4"><p id="obs_40_0001__p96010521720">Authorized Resource</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="34.5%" id="mcps1.3.4.6.2.7.1.5"><p id="obs_40_0001__p360112529714">Authorized Action</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="12.690000000000001%" id="mcps1.3.4.6.2.7.1.6"><p id="obs_40_0001__p16954324101215">Condition Configuration</p>
</th>
</tr>
</thead>
<tbody><tr id="obs_40_0001__row1560119521271"><td class="cellrowborder" valign="top" width="12.3%" headers="mcps1.3.4.6.2.7.1.1 "><p id="obs_40_0001__p261612618166">IAM Permissions</p>
</td>
<td class="cellrowborder" valign="top" width="15.72%" headers="mcps1.3.4.6.2.7.1.2 "><p id="obs_40_0001__p1060213527710">IAM user</p>
</td>
<td class="cellrowborder" valign="top" width="10.24%" headers="mcps1.3.4.6.2.7.1.3 "><ul id="obs_40_0001__ul2467105913177"><li id="obs_40_0001__li104671259161715">Allow</li><li id="obs_40_0001__li6774141021812">Deny</li></ul>
</td>
<td class="cellrowborder" valign="top" width="14.549999999999999%" headers="mcps1.3.4.6.2.7.1.4 "><p id="obs_40_0001__p760214521877">All or specified OBS resources</p>
</td>
<td class="cellrowborder" valign="top" width="34.5%" headers="mcps1.3.4.6.2.7.1.5 "><p id="obs_40_0001__p1760210521672">All permissions to access OBS</p>
</td>
<td class="cellrowborder" valign="top" width="12.690000000000001%" headers="mcps1.3.4.6.2.7.1.6 "><p id="obs_40_0001__p1095411243121">Supported</p>
</td>
</tr>
<tr id="obs_40_0001__row41341345164810"><td class="cellrowborder" valign="top" width="12.3%" headers="mcps1.3.4.6.2.7.1.1 "><p id="obs_40_0001__p20968144554813">Bucket Policy</p>
</td>
<td class="cellrowborder" valign="top" width="15.72%" headers="mcps1.3.4.6.2.7.1.2 "><ul id="obs_40_0001__ul20968945154814"><li id="obs_40_0001__li59682453482">Account</li><li id="obs_40_0001__li139681645104817">IAM user</li><li id="obs_40_0001__li14968164544816">Anonymous users</li></ul>
</td>
<td class="cellrowborder" valign="top" width="10.24%" headers="mcps1.3.4.6.2.7.1.3 "><ul id="obs_40_0001__ul1896834584813"><li id="obs_40_0001__li149681045144817">Allow</li><li id="obs_40_0001__li1996817451486">Deny</li></ul>
</td>
<td class="cellrowborder" valign="top" width="14.549999999999999%" headers="mcps1.3.4.6.2.7.1.4 "><p id="obs_40_0001__p19681345124816">Specified bucket and resources in the bucket</p>
</td>
<td class="cellrowborder" valign="top" width="34.5%" headers="mcps1.3.4.6.2.7.1.5 "><p id="obs_40_0001__p29681145104814">All permissions to access OBS</p>
</td>
<td class="cellrowborder" valign="top" width="12.690000000000001%" headers="mcps1.3.4.6.2.7.1.6 "><p id="obs_40_0001__p0968134544816">Supported</p>
</td>
</tr>
<tr id="obs_40_0001__row69571156174816"><td class="cellrowborder" valign="top" width="12.3%" headers="mcps1.3.4.6.2.7.1.1 "><p id="obs_40_0001__p1863011104911">Object ACL</p>
</td>
<td class="cellrowborder" valign="top" width="15.72%" headers="mcps1.3.4.6.2.7.1.2 "><ul id="obs_40_0001__ul166308120499"><li id="obs_40_0001__li463018184914">Account</li><li id="obs_40_0001__li563018110490">Anonymous users</li></ul>
</td>
<td class="cellrowborder" valign="top" width="10.24%" headers="mcps1.3.4.6.2.7.1.3 "><p id="obs_40_0001__p363017154915">Allow</p>
</td>
<td class="cellrowborder" valign="top" width="14.549999999999999%" headers="mcps1.3.4.6.2.7.1.4 "><p id="obs_40_0001__p163016184919">Specified object</p>
</td>
<td class="cellrowborder" valign="top" width="34.5%" headers="mcps1.3.4.6.2.7.1.5 "><ul id="obs_40_0001__ul6630161154917"><li id="obs_40_0001__li116301814493">Obtains the content and metadata of a specified object.</li><li id="obs_40_0001__li8630151144912">Obtains the content and metadata of an object with a specified version.</li><li id="obs_40_0001__li1463051134918">Obtains information about an object ACL.</li><li id="obs_40_0001__li18630191184918">Obtains information about the ACL for an object of a specified version.</li><li id="obs_40_0001__li063012116490">Configures an object ACL.</li><li id="obs_40_0001__li126304112497">Configures the ACL for an object of a specified version.</li></ul>
</td>
<td class="cellrowborder" valign="top" width="12.690000000000001%" headers="mcps1.3.4.6.2.7.1.6 "><p id="obs_40_0001__p36301810493">Not supported</p>
</td>
</tr>
<tr id="obs_40_0001__row154505934818"><td class="cellrowborder" valign="top" width="12.3%" headers="mcps1.3.4.6.2.7.1.1 "><p id="obs_40_0001__p16311816490">Bucket ACL</p>
</td>
<td class="cellrowborder" valign="top" width="15.72%" headers="mcps1.3.4.6.2.7.1.2 "><ul id="obs_40_0001__ul263118104917"><li id="obs_40_0001__li86311316495">Account</li><li id="obs_40_0001__li126311316497">Anonymous users</li><li id="obs_40_0001__li86313118497">Log delivery user groups</li></ul>
</td>
<td class="cellrowborder" valign="top" width="10.24%" headers="mcps1.3.4.6.2.7.1.3 "><p id="obs_40_0001__p126317112494">Allow</p>
</td>
<td class="cellrowborder" valign="top" width="14.549999999999999%" headers="mcps1.3.4.6.2.7.1.4 "><p id="obs_40_0001__p26311518495">Specified bucket</p>
</td>
<td class="cellrowborder" valign="top" width="34.5%" headers="mcps1.3.4.6.2.7.1.5 "><ul id="obs_40_0001__ul763112116495"><li id="obs_40_0001__li156315134914">Identifies whether a bucket exists.</li><li id="obs_40_0001__li196313144911">Lists objects in a bucket, and gets the bucket metadata.</li><li id="obs_40_0001__li163116118494">Lists versioned objects in a bucket.</li><li id="obs_40_0001__li963112114493">Lists multipart uploads.</li><li id="obs_40_0001__li5631510498">Performs PUT upload, POST upload, multipart upload, initialization of uploaded parts, and merging of parts.</li><li id="obs_40_0001__li063101104919">Deletes an object.</li><li id="obs_40_0001__li16631201114915">Deletes an object of a specified version.</li><li id="obs_40_0001__li96318114917">Obtains bucket ACL information.</li><li id="obs_40_0001__li11631131154915">Configures a bucket ACL.</li><li id="obs_40_0001__li559010418598">Obtains object content.</li><li id="obs_40_0001__li1167213488592">Obtains object metadata.</li></ul>
</td>
<td class="cellrowborder" valign="top" width="12.690000000000001%" headers="mcps1.3.4.6.2.7.1.6 "><p id="obs_40_0001__p46311711490">Not supported</p>
</td>
</tr>
</tbody>
</table>
</div>
</div>
<div class="section" id="obs_40_0001__section1229213575018"><h4 class="sectiontitle">How to Select IAM Permissions, Bucket Policies, and ACLs</h4><p id="obs_40_0001__p3982038155413">Based on the advantages and disadvantages of these mechanisms, you are advised to preferentially use IAM permissions and bucket policies.</p>
<ul id="obs_40_0001__ul9197115320581"><li id="obs_40_0001__li598223814541">Select IAM permissions in the following scenarios:<ul id="obs_40_0001__ul18122163213559"><li id="obs_40_0001__li11501131425518">Grant the same permissions to numerous IAM users under the same account.</li><li id="obs_40_0001__li86311036125518">Grant the same permissions to all OBS resources or multiple buckets.</li><li id="obs_40_0001__li1865494025511">Configure OBS service-level permissions, such as creating and listing buckets.</li><li id="obs_40_0001__li31356503553">Restrict the permissions of temporary access keys used for temporarily authorized access to OBS.</li></ul>
</li><li id="obs_40_0001__li119755317581">Select bucket policies in the following scenarios:<ul id="obs_40_0001__ul4197175315817"><li id="obs_40_0001__li7881455614">Grant permissions across accounts or grant permissions to anonymous users.</li><li id="obs_40_0001__li171971153205820">Grant different permissions to different IAM users under the same account.</li></ul>
</li><li id="obs_40_0001__li18409643175919">Still do not know what to select?<p id="obs_40_0001__p93731624145815"><a name="obs_40_0001__li18409643175919"></a><a name="li18409643175919"></a>Identify the problem you are most concerned with:</p>
<ul id="obs_40_0001__ul13605115225912"><li id="obs_40_0001__li17373162425814">What the user can do - IAM permissions recommended<p id="obs_40_0001__p33731124165812"><a name="obs_40_0001__li17373162425814"></a><a name="li17373162425814"></a>Search for the IAM user and check the permissions of the user group the user belongs to; those permissions tell you what the user can do.</p>
</li><li id="obs_40_0001__li1606252165917">Who can access an OBS bucket - Bucket policies recommended<p id="obs_40_0001__p1060614528599"><a name="obs_40_0001__li1606252165917"></a><a name="li1606252165917"></a>You can query the bucket and check the bucket policy to know who can access the bucket.</p>
</li></ul>
</li></ul>
<div class="note" id="obs_40_0001__note34441629202"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="obs_40_0001__p8444129108">Use one access control method consistently where possible, because as the number of IAM permissions and bucket policies increases, access maintenance becomes increasingly difficult.</p>
</div></div>
</div>
<p id="obs_40_0001__p916319451304"><strong id="obs_40_0001__b85498420346">When to Select an ACL?</strong></p>
<ul id="obs_40_0001__ul51633454011"><li id="obs_40_0001__li171637457020">As a supplement to IAM permissions and bucket policies:<p id="obs_40_0001__p616364517011"><a name="obs_40_0001__li171637457020"></a><a name="li171637457020"></a>IAM permissions and bucket policies have granted access permissions to an object set, but you want to grant access permissions to a single object.</p>
</li><li id="obs_40_0001__li616310451017">To make an object accessible to all anonymous Internet users, configuring an object ACL is more convenient.<p id="obs_40_0001__p2163845807"><a name="obs_40_0001__li616310451017"></a><a name="li616310451017"></a>When uploading an object, you can use the ACL header to specify the read and write permissions of the object.</p>
</li></ul>
<div class="section" id="obs_40_0001__section168541631121519"><h4 class="sectiontitle">Relationship Between Bucket ACLs and Bucket Policies</h4><p id="obs_40_0001__p457674219154">Bucket ACLs are used to control basic read and write access to buckets. Custom settings of bucket policies support more actions that can be performed on buckets. Bucket ACLs supplement bucket policies. In many cases, bucket policies can replace bucket ACLs to manage access to buckets. <a href="obs_40_0043.html">Relationship Between Bucket Policies and Bucket ACLs</a> shows the mapping between bucket ACL access permissions and bucket policy actions.</p>
</div>
<div class="section" id="obs_40_0001__section1381514334364"><h4 class="sectiontitle">OBS Permission Control Principles</h4><ul id="obs_40_0001__ul631195033614"><li id="obs_40_0001__li18311135019369">Least privilege<p id="obs_40_0001__p142592375119"><a name="obs_40_0001__li18311135019369"></a><a name="li18311135019369"></a>Never grant IAM users more than the minimum level of access needed to complete a task. For example, if an IAM user only needs to upload and download objects to a directory, you do not need to assign the user the read and write permissions for the entire bucket.</p>
</li><li id="obs_40_0001__li167001731153110">Separation of duties<p id="obs_40_0001__p17997134183813"><a name="obs_40_0001__li167001731153110"></a><a name="li167001731153110"></a>Management of resources or of permissions can be assigned to different IAM users. For example, you can let one IAM user assign permissions, and let other IAM users manage OBS resources.</p>
</li><li id="obs_40_0001__li633219564361">Restriction by condition<p id="obs_40_0001__p10455442191615"><a name="obs_40_0001__li633219564361"></a><a name="li633219564361"></a>To enhance the security of the resources in a bucket, specific conditions can be configured to control when a permission is applied. For example, a bucket policy containing conditions can be configured so that OBS accepts requests only from a specific IP address.</p>
</li></ul>
</div>
<div class="section" id="obs_40_0001__section54731919133310"><h4 class="sectiontitle">How Do Access Control Mechanisms Work When They Conflict?</h4><p id="obs_40_0001__p99321121194018">In the OBS permission control elements, there are allow and deny effects, which indicate the permission to allow or deny an operation.</p>
<p id="obs_40_0001__p2366102212325">Based on the least-privilege principle, decisions default to deny, and an explicit deny statement always takes precedence over an allow statement. For example, IAM permissions grant a user access to an object, a bucket policy denies the user's access to that object, and there is no ACL. Then access will be denied.</p>
<p id="obs_40_0001__p1416134111327">If no method specifies an allow statement, the request is denied by default. The request is allowed only if no method specifies a deny statement and at least one method specifies an allow statement. For example, if a bucket has multiple bucket policies with allow statements, adding another allow policy simply extends the permissions granted on the bucket, but adding a bucket policy with a deny statement changes the outcome: the deny statement takes precedence over the allow statements, even if the denied permissions are allowed in other bucket policies.</p>
<div class="fignone" id="obs_40_0001__fig137808145374"><span class="figcap"><b>Figure 3 </b>Authorization process</span><br><span><img id="obs_40_0001__image574953662115" src="en-us_image_0000001335934590.png"></span></div>
<p id="obs_40_0001__p84781694399"><a href="#obs_40_0001__fig2276143024512">Figure 4</a> describes how bucket policies, IAM permissions, and ACLs work (allow or deny) when you grant the IAM users of your account the access to OBS buckets and resources in the buckets. ACLs are applied to accounts and do not control IAM users' read and write permissions for the buckets and the resources in the buckets under their account.</p>
<div class="fignone" id="obs_40_0001__fig2276143024512"><a name="obs_40_0001__fig2276143024512"></a><a name="fig2276143024512"></a><span class="figcap"><b>Figure 4 </b>Working mechanisms (allow or deny) of bucket policies and IAM permissions in the same account</span><br><span><img id="obs_40_0001__image120275411301" src="en-us_image_0000001479778546.png"></span></div>
<p id="obs_40_0001__p3975193111381"><a href="#obs_40_0001__fig1251114133010">Figure 5</a> describes how bucket policies, IAM permissions, and ACLs work (allow or deny) when you grant any other account and the IAM users of this account the access to OBS buckets and resources in the buckets.</p>
<div class="fignone" id="obs_40_0001__fig1251114133010"><a name="obs_40_0001__fig1251114133010"></a><a name="fig1251114133010"></a><span class="figcap"><b>Figure 5 </b>Working mechanisms (allow or deny) of bucket policies, IAM permissions, and ACLs in cross-account access grant scenarios</span><br><span><img id="obs_40_0001__image589322184218" src="en-us_image_0000001555603997.png"></span></div>
<div class="note" id="obs_40_0001__note44281281940"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><ul id="obs_40_0001__ul111531531494"><li id="obs_40_0001__li2153143114920">If both the bucket policy and IAM policy are set to <strong id="obs_40_0001__b1641114210248">Default Deny</strong>, but the ACL is set to <strong id="obs_40_0001__b1046916449246">Allow</strong>, the final result is <strong id="obs_40_0001__b204711393228">Deny</strong>. ACLs are used to supplement bucket policies.</li><li id="obs_40_0001__li21536312094">If both the bucket policy and ACL are set to <strong id="obs_40_0001__b16401541142511">Default Deny</strong> and the IAM policy is set to <strong id="obs_40_0001__b7310745162519">Allow</strong>, the final result is <strong id="obs_40_0001__b7983142113266">Deny</strong>. IAM policies are applied to users, while bucket policies are applied to resources. Even if the <strong id="obs_40_0001__b2517132653013">Allow</strong> permission is granted to users, they still cannot access the resources if the resources have the <strong id="obs_40_0001__b45694313314">Deny</strong> permission configured.</li></ul>
</div></div>
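<p>The following toy evaluator, added here as an illustration and not part of OBS or its SDKs, encodes the decision rules stated in this section for requests by IAM users of the same account (Figure 4): a request is denied by default, an explicit deny in any mechanism wins, and otherwise an allow from IAM permissions or a bucket policy is sufficient. It also models the "restriction by condition" principle with a source-IP condition. The <code>Statement</code> shape, the <code>bucket/key</code> resource strings, the action names and the sample policies are constructed simplifications for the example; they are not the real OBS bucket policy JSON format (see <a href="obs_40_0041.html">Bucket Policy Parameters</a> for that).</p>

```python
"""Toy OBS-style authorization evaluator (added example, not OBS code).

Rules modelled, as described in the documentation above:
  1. default deny when no statement matches the request;
  2. an explicit Deny in any mechanism takes precedence over every Allow;
  3. otherwise Allow if IAM permissions or a bucket policy allows the request.
Same-account case only: ACLs apply to accounts, not to IAM users, so they
are not consulted here.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from ipaddress import ip_address, ip_network
from typing import Iterable, Optional

ALLOW, DENY = "Allow", "Deny"


@dataclass(frozen=True)
class Statement:
    """One policy statement: Effect + Action + Resource + optional Condition.
    Field shapes are assumptions for this example, not the OBS JSON schema."""
    effect: str                            # "Allow" or "Deny"
    actions: frozenset                     # glob patterns, e.g. "GetObject", "*"
    resources: frozenset                   # glob patterns, e.g. "my-bucket/uploads/*"
    source_cidrs: frozenset = frozenset()  # condition: empty means no IP restriction

    def matches(self, action: str, resource: str, source_ip: Optional[str]) -> bool:
        """True when this statement applies to the request (action, resource,
        and, if present, the source-IP condition all match)."""
        if not any(fnmatchcase(action, pattern) for pattern in self.actions):
            return False
        if not any(fnmatchcase(resource, pattern) for pattern in self.resources):
            return False
        if self.source_cidrs:
            # A conditional statement never matches a request whose source
            # address is unknown or outside every listed range.
            if source_ip is None:
                return False
            addr = ip_address(source_ip)
            if not any(addr in ip_network(cidr) for cidr in self.source_cidrs):
                return False
        return True


def evaluate(iam_statements: Iterable[Statement],
             bucket_statements: Iterable[Statement],
             action: str, resource: str,
             source_ip: Optional[str] = None) -> str:
    """Return "Allow" or "Deny" for one request from an IAM user of the
    bucket owner's account, combining IAM permissions and bucket policies."""
    effects = {stmt.effect
               for stmt in (*iam_statements, *bucket_statements)
               if stmt.matches(action, resource, source_ip)}
    if DENY in effects:
        return DENY      # explicit deny always wins
    if ALLOW in effects:
        return ALLOW     # at least one allow and no deny
    return DENY          # nothing matched: default deny


# Constructed sample policies for the demo (not taken from the page).
IAM_GROUP_POLICY = [
    # The user's group may read and write objects under uploads/.
    Statement(ALLOW, frozenset({"GetObject", "PutObject"}),
              frozenset({"my-bucket/uploads/*"})),
]
BUCKET_POLICY = [
    # Everyone in the account may read the whole bucket ...
    Statement(ALLOW, frozenset({"GetObject"}), frozenset({"my-bucket/*"})),
    # ... except one object, which is explicitly denied for every action.
    Statement(DENY, frozenset({"*"}), frozenset({"my-bucket/uploads/secret.txt"})),
    # Restriction by condition: listing is allowed only from the office range.
    Statement(ALLOW, frozenset({"ListBucket"}), frozenset({"my-bucket"}),
              frozenset({"10.0.0.0/8"})),
]


def demo() -> dict:
    """Evaluate a few requests that exercise each rule."""
    return {
        "put_allowed_by_iam": evaluate(IAM_GROUP_POLICY, BUCKET_POLICY,
                                       "PutObject", "my-bucket/uploads/report.csv"),
        "explicit_deny_wins": evaluate(IAM_GROUP_POLICY, BUCKET_POLICY,
                                       "GetObject", "my-bucket/uploads/secret.txt"),
        "default_deny": evaluate(IAM_GROUP_POLICY, BUCKET_POLICY,
                                 "DeleteObject", "my-bucket/uploads/report.csv"),
        "condition_met": evaluate(IAM_GROUP_POLICY, BUCKET_POLICY,
                                  "ListBucket", "my-bucket", source_ip="10.1.2.3"),
        "condition_not_met": evaluate(IAM_GROUP_POLICY, BUCKET_POLICY,
                                      "ListBucket", "my-bucket", source_ip="203.0.113.5"),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:20s} -> {decision}")
```

<p>Note that the explicit deny on <code>secret.txt</code> is returned even though both the IAM group policy and another bucket policy statement allow <code>GetObject</code> on that path, which is exactly the behaviour the text describes for conflicting statements. Cross-account requests (Figure 5) are not modelled: there, an IAM allow in the requesting account is not sufficient on its own, as the note above explains.</p>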
</div>
<div class="section" id="obs_40_0001__section95252107366"><h4 class="sectiontitle">Concepts</h4><ul id="obs_40_0001__ul4618955134312"><li id="obs_40_0001__li136181955174317">Domain: An account that is automatically created during your registration. This account has full access control over its resources and IAM users.</li><li id="obs_40_0001__li128711957164310">IAM user: A user created by the administrator in IAM. An IAM user may be an employee, a system, or an application. An IAM user has access permissions to specified resources. IAM users have identity credentials (passwords and access keys) and can log in to the management console or call APIs.</li><li id="obs_40_0001__li14540813115712">Anonymous user: A common visitor who has not registered.</li><li id="obs_40_0001__li6711548413">Log delivery user group: A user group that only delivers access logs of buckets and objects to the specified target bucket. OBS does not create or upload any file to a bucket automatically. If you want to record access logs for a bucket, you must grant the log delivery user group the required permissions, so that OBS can write the access logs to the specified bucket. This user group is only used to record internal logs of OBS.</li></ul>
</div>
</div>