vpruthi/doc-exports
1
0
Fork 0
forked from docs/doc-exports
Code Pull Requests Activity
doc-exports/docs/obs/perms-cfg/obs_40_0004.html
zhangyue 32b9354795 OBS PERMS DOC 
Reviewed-by: Sabelnikov, Dmitriy <dmitriy.sabelnikov@t-systems.com>
Reviewed-by: Hasko, Vladimir <vladimir.hasko@t-systems.com>
Co-authored-by: zhangyue <zhangyue164@huawei.com>
Co-committed-by: zhangyue <zhangyue164@huawei.com>
2023-04-18 07:48:10 +00:00

285 lines
26 KiB
HTML
Raw Blame History

<a name="obs_40_0004"></a><a name="obs_40_0004"></a>
<h1 class="topictitle1">Bucket Policies</h1>
<div id="body1588766432188"><div class="section" id="obs_40_0004__section7601193912719"><h4 class="sectiontitle">Overview</h4><p id="obs_40_0004__p3671173512916">A bucket policy applies to an <span id="obs_40_0004__ph196711355292">OBS</span> bucket and objects in the bucket. By leveraging bucket policies, the owner of a bucket can authorize IAM users or other accounts the permissions to operate the bucket and objects in the bucket.</p>
<div class="note" id="obs_40_0004__note209741028171818"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><ul id="obs_40_0004__ul204679179594"><li id="obs_40_0004__li11467217155912">Creating a bucket and obtaining a bucket list are service-level operations. To obtain such operation permissions, you need to configure <a href="obs_40_0014.html">IAM permissions</a>.</li><li id="obs_40_0004__li9467101715598">Due to data caching, after a bucket policy is configured, it takes 5 minutes at most for the policy to take effect.</li></ul>
</div></div>
</div>
<div class="section" id="obs_40_0004__section11947155545"><h4 class="sectiontitle">Bucket Policy Overview</h4><p id="obs_40_0004__p20513012512">A bucket policy is attached to a bucket and objects in the bucket. An OBS bucket owner can use bucket policies to grant IAM users, other accounts, or anonymous users the permissions to operate buckets and objects in the buckets. OBS provides standard and advanced bucket policies.</p>
<p id="obs_40_0004__p108879396110"><strong id="obs_40_0004__b1985910539115">Standard Bucket Policies</strong>:</p>
<p id="obs_40_0004__p1320714303352">There are three options for standard bucket policies.</p>
<ul id="obs_40_0004__ul15740133433513"><li id="obs_40_0004__li4740103420354"><strong id="obs_40_0004__b1250434818102153">Private</strong>: No access beyond the bucket ACL settings is granted.</li><li id="obs_40_0004__li377138153513"><strong id="obs_40_0004__b1048696142102153">Public Read</strong>: Any user can read objects in the bucket.</li><li id="obs_40_0004__li66641044203514"><strong id="obs_40_0004__b1804639115102153">Public Read and Write</strong>: Any user can read, write, and delete objects in the bucket.</li></ul>
<p id="obs_40_0004__p17739175319515">After a bucket is created, the default bucket policy is <strong id="obs_40_0004__b753261926102153">Private</strong>. Only the bucket owner has the full control permissions over the bucket. To ensure data security, it is recommended that you do not use the <strong id="obs_40_0004__b699199083102153">Public Read</strong> or <strong id="obs_40_0004__b119269808102153">Public Read and Write</strong> policies.</p>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="obs_40_0004__table12248152111227" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Standard bucket policies</caption><thead align="left"><tr id="obs_40_0004__row15249821152217"><th align="left" class="cellrowborder" valign="top" width="19%" id="mcps1.3.2.7.2.5.1.1"><p id="obs_40_0004__p122491621102215"><strong id="obs_40_0004__b523629874102153">Parameter</strong></p>
</th>
<th align="left" class="cellrowborder" valign="top" width="15%" id="mcps1.3.2.7.2.5.1.2"><p id="obs_40_0004__p1249182111225"><strong id="obs_40_0004__b1061363231102153">Private</strong></p>
</th>
<th align="left" class="cellrowborder" valign="top" width="32%" id="mcps1.3.2.7.2.5.1.3"><p id="obs_40_0004__p9249112142212"><strong id="obs_40_0004__b637417906102153">Public Read</strong></p>
</th>
<th align="left" class="cellrowborder" valign="top" width="34%" id="mcps1.3.2.7.2.5.1.4"><p id="obs_40_0004__p14249421172212"><strong id="obs_40_0004__b966753680102153">Public Read and Write</strong></p>
</th>
</tr>
</thead>
<tbody><tr id="obs_40_0004__row724919215226"><td class="cellrowborder" valign="top" width="19%" headers="mcps1.3.2.7.2.5.1.1 "><p id="obs_40_0004__p102491321142216">Effect</p>
</td>
<td class="cellrowborder" valign="top" width="15%" headers="mcps1.3.2.7.2.5.1.2 "><p id="obs_40_0004__p13249112115225">N/A</p>
</td>
<td class="cellrowborder" valign="top" width="32%" headers="mcps1.3.2.7.2.5.1.3 "><p id="obs_40_0004__p02496219224">Allow</p>
</td>
<td class="cellrowborder" valign="top" width="34%" headers="mcps1.3.2.7.2.5.1.4 "><p id="obs_40_0004__p424962162212">Allow</p>
</td>
</tr>
<tr id="obs_40_0004__row1224915215221"><td class="cellrowborder" valign="top" width="19%" headers="mcps1.3.2.7.2.5.1.1 "><p id="obs_40_0004__p824919216225">Principal</p>
</td>
<td class="cellrowborder" valign="top" width="15%" headers="mcps1.3.2.7.2.5.1.2 "><p id="obs_40_0004__p913548162513">N/A</p>
</td>
<td class="cellrowborder" valign="top" width="32%" headers="mcps1.3.2.7.2.5.1.3 "><p id="obs_40_0004__p12503210220">* (Any user)</p>
</td>
<td class="cellrowborder" valign="top" width="34%" headers="mcps1.3.2.7.2.5.1.4 "><p id="obs_40_0004__p132503214228">* (Any user)</p>
</td>
</tr>
<tr id="obs_40_0004__row5250121102214"><td class="cellrowborder" valign="top" width="19%" headers="mcps1.3.2.7.2.5.1.1 "><p id="obs_40_0004__p1625082192215">Resources</p>
</td>
<td class="cellrowborder" valign="top" width="15%" headers="mcps1.3.2.7.2.5.1.2 "><p id="obs_40_0004__p92501212228">N/A</p>
</td>
<td class="cellrowborder" valign="top" width="32%" headers="mcps1.3.2.7.2.5.1.3 "><p id="obs_40_0004__p125022172220">* (All objects in a bucket)</p>
</td>
<td class="cellrowborder" valign="top" width="34%" headers="mcps1.3.2.7.2.5.1.4 "><p id="obs_40_0004__p3250112172220">* (All objects in a bucket)</p>
</td>
</tr>
<tr id="obs_40_0004__row14250821122214"><td class="cellrowborder" valign="top" width="19%" headers="mcps1.3.2.7.2.5.1.1 "><p id="obs_40_0004__p1125052118223">Actions</p>
</td>
<td class="cellrowborder" valign="top" width="15%" headers="mcps1.3.2.7.2.5.1.2 "><p id="obs_40_0004__p113541515304">N/A</p>
</td>
<td class="cellrowborder" valign="top" width="32%" headers="mcps1.3.2.7.2.5.1.3 "><ul id="obs_40_0004__ul1512955514"><li id="obs_40_0004__li25017322553">GetObject</li><li id="obs_40_0004__li9512918551">GetObjectVersion</li><li id="obs_40_0004__li1317122234117">HeadBucket</li><li id="obs_40_0004__li270053214419">ListBucket</li></ul>
</td>
<td class="cellrowborder" valign="top" width="34%" headers="mcps1.3.2.7.2.5.1.4 "><ul id="obs_40_0004__ul5350174995516"><li id="obs_40_0004__li235184914552">GetObject</li><li id="obs_40_0004__li635354905514">GetObjectVersion</li><li id="obs_40_0004__li67015320563">PutObject</li><li id="obs_40_0004__li165585435619">DeleteObject</li><li id="obs_40_0004__li133265814550">DeleteObjectVersion</li><li id="obs_40_0004__li3309161513495">HeadBucket</li><li id="obs_40_0004__li0309121518499">ListBucket</li></ul>
</td>
</tr>
<tr id="obs_40_0004__row122501121162216"><td class="cellrowborder" valign="top" width="19%" headers="mcps1.3.2.7.2.5.1.1 "><p id="obs_40_0004__p22501217226">Conditions</p>
</td>
<td class="cellrowborder" valign="top" width="15%" headers="mcps1.3.2.7.2.5.1.2 "><p id="obs_40_0004__p10924191511307">N/A</p>
</td>
<td class="cellrowborder" valign="top" width="32%" headers="mcps1.3.2.7.2.5.1.3 "><p id="obs_40_0004__p132501521172219">N/A</p>
</td>
<td class="cellrowborder" valign="top" width="34%" headers="mcps1.3.2.7.2.5.1.4 "><p id="obs_40_0004__p1325042111223">N/A</p>
</td>
</tr>
</tbody>
</table>
</div>
<p id="obs_40_0004__p102285401236"><strong id="obs_40_0004__b167989536314">Custom Bucket Policy</strong>:</p>
<p id="obs_40_0004__p385655915198">The following three modes are provided to facilitate quick configuration of a custom bucket policy:</p>
<ul id="obs_40_0004__ul8780438183815"><li id="obs_40_0004__li14780838163818"><strong id="obs_40_0004__b564742511102153">Read-only</strong>: With the <strong id="obs_40_0004__b1204129045102153">Read-only</strong> mode, you only need to specify the <strong id="obs_40_0004__b1903280500102153">Principal</strong> (authorized users). Then the authorized users have the read permission for the bucket and objects in the bucket, and can perform all GET operations on these resources.</li><li id="obs_40_0004__li11780438103816"><strong id="obs_40_0004__b1582138021102153">Read and write</strong>: With the <strong id="obs_40_0004__b315861430102153">Read and write</strong> mode, you only need to specify the <strong id="obs_40_0004__b103026638102153">Principal</strong> (authorized users). Then the authorized users have the full control permissions for the bucket and objects in the bucket, and can perform any operation on these resources.</li><li id="obs_40_0004__li15780138123814"><strong id="obs_40_0004__b921310667102153">Customized</strong>: With the <strong id="obs_40_0004__b1936822727102153">Customized</strong> mode, you can define the specific operation permissions that you want to authorize to users and accounts by configuring the parameters of <strong id="obs_40_0004__b1456455213102153">Effect</strong>, <strong id="obs_40_0004__b2136251359102153">Principal</strong>, <strong id="obs_40_0004__b435592627102153">Resources</strong>, <strong id="obs_40_0004__b1719064803102153">Actions</strong>, and <strong id="obs_40_0004__b1298345174102153">Conditions</strong>. For details, see <a href="https://docs.otc.t-systems.com/en-us/usermanual/obs/obs_03_0074.html" target="_blank" rel="noopener noreferrer">Bucket Policy Parameters</a>.</li></ul>
<div class="note" id="obs_40_0004__note154003135617"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="obs_40_0004__p134001713961">On OBS Console, when you use the custom bucket policy to authorize other users with resource operation permissions, you also need to authorize the users with the bucket read permission <strong id="obs_40_0004__b521955623102153">ListBucket</strong> (leave the resource name blank to indicate that the policy takes effect on the entire bucket). Otherwise, the users have no permission to access the bucket.</p>
</div></div>
</div>
<div class="section" id="obs_40_0004__section15235811516"><h4 class="sectiontitle">Bucket Policy Application Scenarios</h4><ul id="obs_40_0004__ul7761857101919"><li id="obs_40_0004__li53131829181412">You can use bucket policies to grant other accounts the permissions to access OBS resources.</li><li id="obs_40_0004__li931310297146">You can configure bucket policies to grant IAM users various access permissions to different buckets.</li></ul>
</div>
<div class="section" id="obs_40_0004__section33297445291"><h4 class="sectiontitle">Policy Structure and Syntax</h4><div class="msonormal" id="obs_40_0004__p6480821">A bucket policy is in JSON format. The format is as follows:<pre class="screen" id="obs_40_0004__screen1671243035119">{
"Statement" : [
{
statement1
},
{
statement2
},
......
]
}</pre>
</div>
<div class="p" id="obs_40_0004__p578602465111">Example:<pre class="screen" id="obs_40_0004__screen866121133215"><span style="color:#222222;">{</span>
<span style="color:#222222;"> "Statement":[</span>
<span style="color:#222222;"> {</span>
"Sid": "ExampleStatementID1",
<span style="color:#222222;"> "Principal":{</span>
<span style="color:#222222;"> "ID":[</span>
"domain/<em id="obs_40_0004__i1129343493419">account ID</em>",
"domain/<em id="obs_40_0004__i12293143410341">account ID</em>:user/<em id="obs_40_0004__i629313453411">User ID</em>"
<span style="color:#222222;"> ]</span>
<span style="color:#222222;"> },</span>
<span style="color:#222222;"> "Effect":"Allow",</span>
<span style="color:#222222;"> "Action":[</span>
<span style="color:#222222;"> "CreateBucket",</span>
<span style="color:#222222;"> "DeleteBucket"</span>
<span style="color:#222222;"> ],</span>
<span style="color:#222222;"> "Resource":"000-02/key01",</span>
<span style="color:#222222;"> "Condition":{</span>
<span style="color:#222222;"> "NumericNotEquals":{</span>
<span style="color:#222222;"> "Referer":"sdf"</span>
<span style="color:#222222;"> },</span>
<span style="color:#222222;"> "StringNotLike":{</span>
<span style="color:#222222;"> "Delimiter":"ouio"</span>
<span style="color:#222222;"> }</span>
<span style="color:#222222;"> }</span>
<span style="color:#222222;"> }</span>
<span style="color:#222222;"> ]</span>
<span style="color:#222222;"> }</span></pre>
</div>
<p class="msonormal" id="obs_40_0004__p26302712">A bucket policy comprises one or more statements. Each statement contains the following elements:</p>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="obs_40_0004__table35397823" frame="border" border="1" rules="all"><caption><b>Table 2 </b>Statement elements</caption><thead align="left"><tr id="obs_40_0004__row21716226"><th align="left" class="cellrowborder" valign="top" width="16.33%" id="mcps1.3.4.5.2.4.1.1"><p id="obs_40_0004__p14183880">Element</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="62.239999999999995%" id="mcps1.3.4.5.2.4.1.2"><p id="obs_40_0004__p5283556">Description</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="21.43%" id="mcps1.3.4.5.2.4.1.3"><p id="obs_40_0004__p26507476">Mandatory or Optional</p>
</th>
</tr>
</thead>
<tbody><tr id="obs_40_0004__row66730779"><td class="cellrowborder" valign="top" width="16.33%" headers="mcps1.3.4.5.2.4.1.1 "><p id="obs_40_0004__p36484039">Sid</p>
</td>
<td class="cellrowborder" valign="top" width="62.239999999999995%" headers="mcps1.3.4.5.2.4.1.2 "><p id="obs_40_0004__p2417216">ID of a statement. The value is a string that describes the statement.</p>
</td>
<td class="cellrowborder" valign="top" width="21.43%" headers="mcps1.3.4.5.2.4.1.3 "><p id="obs_40_0004__p61576813">Optional</p>
</td>
</tr>
<tr id="obs_40_0004__row17320411"><td class="cellrowborder" valign="top" width="16.33%" headers="mcps1.3.4.5.2.4.1.1 "><p id="obs_40_0004__p60776050">Principal</p>
</td>
<td class="cellrowborder" valign="top" width="62.239999999999995%" headers="mcps1.3.4.5.2.4.1.2 "><p id="obs_40_0004__p19639194211399">Domains (accounts) and users (IAM users) to which the statement applies. The wildcard (*) is supported, indicating all users.</p>
<ul id="obs_40_0004__ul194051450143918"><li id="obs_40_0004__li1540575013399">When permissions are granted to all IAM users in a domain (account), the principal format is <em id="obs_40_0004__i9332031111418">domain/domainid:user/*</em>.</li><li id="obs_40_0004__li158255418397">When a user is authorized, the principal format is <em id="obs_40_0004__i1237713531516">domain/domainid:user/userId</em> or <em id="obs_40_0004__i127281901162">domain/domainid:user/userName</em>.</li></ul>
</td>
<td class="cellrowborder" valign="top" width="21.43%" headers="mcps1.3.4.5.2.4.1.3 "><p id="obs_40_0004__p1708187">Optional. Select either <strong id="obs_40_0004__b314691590102153">Principal</strong> or <strong id="obs_40_0004__b163988443102153">NotPrincipal</strong>.</p>
</td>
</tr>
<tr id="obs_40_0004__row15373683"><td class="cellrowborder" valign="top" width="16.33%" headers="mcps1.3.4.5.2.4.1.1 "><p id="obs_40_0004__p37308772">NotPrincipal</p>
</td>
<td class="cellrowborder" valign="top" width="62.239999999999995%" headers="mcps1.3.4.5.2.4.1.2 "><p id="obs_40_0004__p2111686">An exception to a list of principals in the statement. You can deny access to all principals except the ones named in the <strong id="obs_40_0004__b202823301102153">NotPrincipal</strong> element. This parameter has the same value format as <strong id="obs_40_0004__b16522151520171">Principal</strong>.</p>
</td>
<td class="cellrowborder" valign="top" width="21.43%" headers="mcps1.3.4.5.2.4.1.3 "><p id="obs_40_0004__p36828864">Optional. Select either <strong id="obs_40_0004__b685973360102153">Principal</strong> or <strong id="obs_40_0004__b946828846102153">NotPrincipal</strong>.</p>
</td>
</tr>
<tr id="obs_40_0004__row117885527513"><td class="cellrowborder" valign="top" width="16.33%" headers="mcps1.3.4.5.2.4.1.1 "><p id="obs_40_0004__p24795715517">Effect</p>
</td>
<td class="cellrowborder" valign="top" width="62.239999999999995%" headers="mcps1.3.4.5.2.4.1.2 "><p id="obs_40_0004__p347155715512">Whether the permission in a statement is allowed or denied. The value is <strong id="obs_40_0004__b173465263109">Allow</strong> or <strong id="obs_40_0004__b173112711106">Deny</strong>.</p>
</td>
<td class="cellrowborder" valign="top" width="21.43%" headers="mcps1.3.4.5.2.4.1.3 "><p id="obs_40_0004__p1470579516">Mandatory</p>
</td>
</tr>
<tr id="obs_40_0004__row63024326"><td class="cellrowborder" valign="top" width="16.33%" headers="mcps1.3.4.5.2.4.1.1 "><p id="obs_40_0004__p4696792">Action</p>
</td>
<td class="cellrowborder" valign="top" width="62.239999999999995%" headers="mcps1.3.4.5.2.4.1.2 "><p id="obs_40_0004__p44895895">Actions which a statement applies to. This parameter specifies a set of all the operations supported by OBS. Its values are case insensitive. The value supports a wildcard character (*) that indicates all actions, for example, <strong id="obs_40_0004__b58700156238">"Action":["List*", "Get*"]</strong>.</p>
</td>
<td class="cellrowborder" valign="top" width="21.43%" headers="mcps1.3.4.5.2.4.1.3 "><p id="obs_40_0004__p12688874">Optional. Select either <strong id="obs_40_0004__b1050577407102153">Action</strong> or <strong id="obs_40_0004__b1866439694102153">NotAction</strong>.</p>
</td>
</tr>
<tr id="obs_40_0004__row47091007"><td class="cellrowborder" valign="top" width="16.33%" headers="mcps1.3.4.5.2.4.1.1 "><p id="obs_40_0004__p56275212">NotAction</p>
</td>
<td class="cellrowborder" valign="top" width="62.239999999999995%" headers="mcps1.3.4.5.2.4.1.2 "><p id="obs_40_0004__p61998305">An exception to a list of actions in the statement. All actions are performed except the one specified in <strong id="obs_40_0004__b234211998102153">NotAction</strong>. The value of this element is similar to <strong id="obs_40_0004__b588199787102153">Action</strong>.</p>
</td>
<td class="cellrowborder" valign="top" width="21.43%" headers="mcps1.3.4.5.2.4.1.3 "><p id="obs_40_0004__p55806823">Optional. Select either <strong id="obs_40_0004__b1588093475102153">Action</strong> or <strong id="obs_40_0004__b887754746102153">NotAction</strong>.</p>
</td>
</tr>
<tr id="obs_40_0004__row62319364"><td class="cellrowborder" valign="top" width="16.33%" headers="mcps1.3.4.5.2.4.1.1 "><p id="obs_40_0004__p14703700">Resource</p>
</td>
<td class="cellrowborder" valign="top" width="62.239999999999995%" headers="mcps1.3.4.5.2.4.1.2 "><p id="obs_40_0004__p50149061">Resources on which the statement takes effect. The wildcard (*) is supported, indicating all resources.</p>
</td>
<td class="cellrowborder" valign="top" width="21.43%" headers="mcps1.3.4.5.2.4.1.3 "><p id="obs_40_0004__p35542142">Optional. Select either <strong id="obs_40_0004__b1157066402102153">Resource</strong> or <strong id="obs_40_0004__b468915057102153">NotResource</strong>.</p>
</td>
</tr>
<tr id="obs_40_0004__row51443830"><td class="cellrowborder" valign="top" width="16.33%" headers="mcps1.3.4.5.2.4.1.1 "><p id="obs_40_0004__p6200687">NotResource</p>
</td>
<td class="cellrowborder" valign="top" width="62.239999999999995%" headers="mcps1.3.4.5.2.4.1.2 "><p id="obs_40_0004__p32493637">An exception to a list of resources in a statement. A policy is not applied to the resources specified in <strong id="obs_40_0004__b1159010214122">NotResource</strong>. The value of this parameter is similar to that of <strong id="obs_40_0004__b1518167252161548">Resource</strong>.</p>
</td>
<td class="cellrowborder" valign="top" width="21.43%" headers="mcps1.3.4.5.2.4.1.3 "><p id="obs_40_0004__p14738911">Optional. Select either <strong id="obs_40_0004__b791683905102153">Resource</strong> or <strong id="obs_40_0004__b1522316623102153">NotResource</strong>.</p>
</td>
</tr>
<tr id="obs_40_0004__row65541337"><td class="cellrowborder" valign="top" width="16.33%" headers="mcps1.3.4.5.2.4.1.1 "><p id="obs_40_0004__p7248085">Condition</p>
</td>
<td class="cellrowborder" valign="top" width="62.239999999999995%" headers="mcps1.3.4.5.2.4.1.2 "><p id="obs_40_0004__p50224009">Conditions for a statement to take effect.</p>
</td>
<td class="cellrowborder" valign="top" width="21.43%" headers="mcps1.3.4.5.2.4.1.3 "><p id="obs_40_0004__p41612958">Optional</p>
</td>
</tr>
</tbody>
</table>
</div>
<p id="obs_40_0004__p1378311151433">For details about each element, see <a href="https://docs.otc.t-systems.com/en-us/usermanual/obs/obs_03_0074.html" target="_blank" rel="noopener noreferrer">Bucket Policy Parameters</a>.</p>
</div>
<div class="section" id="obs_40_0004__section8115174519452"><h4 class="sectiontitle">Configuring a Bucket Policy</h4><ul id="obs_40_0004__ul6926194364716"><li id="obs_40_0004__li10864112411449"><a href="https://docs.otc.t-systems.com/en-us/usermanual/obs/obs_03_0142.html" target="_blank" rel="noopener noreferrer">Configuring a Standard Bucket Policy</a></li><li id="obs_40_0004__li209031848174415"><a href="https://docs.otc.t-systems.com/en-us/usermanual/obs/obs_03_0123.html" target="_blank" rel="noopener noreferrer">Configuring a Custom Bucket Policy (Common Mode)</a></li><li id="obs_40_0004__li8569863379"><a href="https://docs.otc.t-systems.com/en-us/usermanual/obs/obs_03_0141.html" target="_blank" rel="noopener noreferrer">Configuring a Custom Bucket Policy (Coding Mode)</a></li></ul>
</div>
<div class="section" id="obs_40_0004__section991518516457"><h4 class="sectiontitle">Bucket Policy Example</h4><ul id="obs_40_0004__ul251413712531"><li id="obs_40_0004__li651413711535"><strong id="obs_40_0004__b10416462153">Example 1: grant an IAM user the specified operation permission on all objects in a specified bucket.</strong><p id="obs_40_0004__p6597175419536">The following example policy grants the PutObject and PutObjectAcl permissions to the IAM user whose ID is <strong id="obs_40_0004__b16455114671513">71f3901173514e6988115ea2c26d1999</strong> under account <strong id="obs_40_0004__b1346114611518">b4bf1b36d9ca43d984fbcb9491b6fce9</strong> (account ID).</p>
<pre class="screen" id="obs_40_0004__screen15361871153935">{
"Statement":[
{
"Sid":"AddCannedAcl",
"Effect":"Allow",
"Principal": {"ID": ["domain/b4bf1b36d9ca43d984fbcb9491b6fce9:user/71f3901173514e6988115ea2c26d1999"]},
"Action":["PutObject","PutObjectAcl"],
"Resource":["examplebucket/*"]
}
]
}</pre>
</li><li id="obs_40_0004__li353611512530"><strong id="obs_40_0004__b0221123521510">Example 2: Grant all permissions for a specified bucket to an IAM user.</strong><p id="obs_40_0004__p276516413540">The following example policy grants all operation permissions (including bucket operations and object operations) of <strong id="obs_40_0004__b1941411930102153">examplebucket</strong> to the user whose ID is <strong id="obs_40_0004__b1388615963102153">71f3901173514e6988115ea2c26d1999</strong> in account <strong id="obs_40_0004__b1070362009102153">b4bf1b36d9ca43d984fbcb9491b6fce9</strong> (account ID).</p>
<pre class="screen" id="obs_40_0004__screen36025159112336">{
"Statement":[
{
"Sid":"test",
"Effect":"Allow",
"Principal": {"ID": ["domain/b4bf1b36d9ca43d984fbcb9491b6fce9:user/71f3901173514e6988115ea2c26d1999"]},
"Action":["*"],
"Resource":[
"examplebucket/*",
"examplebucket"
]
}
]
}</pre>
</li><li id="obs_40_0004__li1319113325414"><strong id="obs_40_0004__b047410150">Example 3: Grant all permissions except the object deletion permission to an OBS user.</strong><p id="obs_40_0004__p137095265411">The following example policy grants a user (user ID <strong id="obs_40_0004__b1376071661102153">71f3901173514e6988115ea2c26d1999</strong>) of an account (ID <strong id="obs_40_0004__b2020976271102153">b4bf1b36d9ca43d984fbcb9491b6fce9</strong>) all permissions for the <strong id="obs_40_0004__b1005415538102153">examplebucket</strong> bucket, excluding the permission to delete objects.</p>
<pre class="screen" id="obs_40_0004__screen53220430144528">{
"Statement":[
{
"Sid":"test1",
"Effect":"Allow",
"Principal": {"ID": ["domain/b4bf1b36d9ca43d984fbcb9491b6fce9:user/71f3901173514e6988115ea2c26d1999"]},
"Action":["*"],
"Resource":["examplebucket/*"]
},
{
"Sid":"test2",
"Effect":"Deny",
"Principal": {"ID": ["domain/b4bf1b36d9ca43d984fbcb9491b6fce9:user/71f3901173514e6988115ea2c26d1999"]},
"Action":["DeleteObject"],
"Resource":["examplebucket/*"]
}
]
}</pre>
</li><li id="obs_40_0004__li12181163615547"><strong id="obs_40_0004__b841713538159">Example 4: Grant the read-only permission on a specified object to anonymous users.</strong><p id="obs_40_0004__p1176973345516">The following example policy grants the <strong id="obs_40_0004__b102441628102153">GetObject</strong> (download object) permission of <strong id="obs_40_0004__b1405095165102153">exampleobject</strong> in bucket <strong id="obs_40_0004__b1345120852102153">examplebucket</strong> to anonymous users, allowing everyone to read data of the exampleobject object.</p>
<pre class="screen" id="obs_40_0004__screen3111597311348">{
"Statement":[
{
"Sid":"AddPerm",
"Effect":"Allow",
"Principal": "*",
"Action":["GetObject"],
"Resource":["examplebucket/exampleobject"]
}
]
}</pre>
</li><li id="obs_40_0004__li17157338165417"><strong id="obs_40_0004__b633217120174">Example 5: Restrict access to a specific IP address.</strong><p id="obs_40_0004__p6364144318555">The following policy grants all users the permission to perform any OBS operation. However, the requests must be from the specified IP address range. The IP address range that is allowed by the statement is 192.168.0.* with an exception of 192.168.0.1.</p>
<p id="obs_40_0004__p48293335113549">Use <strong id="obs_40_0004__b1448040862102153">IpAddress</strong> and <strong id="obs_40_0004__b757472809102153">NotIpAddress</strong> conditions, and use the <strong id="obs_40_0004__b838352860102153">SourceIp</strong> (in OBS range) condition key. The value of <strong id="obs_40_0004__b875947681102153">SourceIp</strong> is the CIDR notation described in RFC 4632.</p>
<pre class="screen" id="obs_40_0004__screen51079788113712">{
"Statement": [
{
"Sid": "IPAllow",
"Effect": "Allow",
"Principal": "*",
"Action": "*",
"Resource": "examplebucket/*",
"Condition": {
"IpAddress": {"SourceIp": "192.168.0.0/24"},
"NotIpAddress": {"SourceIp": "192.168.0.1/32"}
}
}
]
}</pre>
</li></ul>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="obs_40_0002.html">Permission Control Mechanisms</a></div>
</div>
</div>
View Git Blame Copy Permalink