vpruthi/doc-exports
1
0
Fork 0
forked from docs/doc-exports
Code Pull Requests Activity
doc-exports/docs/obs/perms-cfg/obs_40_0028.html
zhangyue 32b9354795 OBS PERMS DOC 
Reviewed-by: Sabelnikov, Dmitriy <dmitriy.sabelnikov@t-systems.com>
Reviewed-by: Hasko, Vladimir <vladimir.hasko@t-systems.com>
Co-authored-by: zhangyue <zhangyue164@huawei.com>
Co-committed-by: zhangyue <zhangyue164@huawei.com>
2023-04-18 07:48:10 +00:00

52 lines
6.9 KiB
HTML
Raw Blame History

<a name="obs_40_0028"></a><a name="obs_40_0028"></a>
<h1 class="topictitle1">Granting an Account Read Permissions on Certain Objects</h1>
<div id="body1588765301379"><div class="section" id="obs_40_0028__section43491717165116"><h4 class="sectiontitle">Scenario</h4><p id="obs_40_0028__p3431154410448">This case describes how to grant other accounts (excluding IAM users under the account) the read permission for an object or a type of objects in an OBS bucket. For details about how to grant permissions to an IAM user, see <a href="obs_40_0027.html">Granting IAM Users Under an Account the Access to a Bucket and Resources in the Bucket</a>.</p>
</div>
<div class="section" id="obs_40_0028__section106520378518"><h4 class="sectiontitle">Recommended Configuration</h4><p id="obs_40_0028__p103657437515">You are advised to use bucket policies to grant permissions to other accounts.</p>
</div>
<div class="section" id="obs_40_0028__section786219432319"><h4 class="sectiontitle">Configuration Precautions</h4><p id="obs_40_0028__p1436151622312">The preset read-only mode of OBS has the following permissions:</p>
<ul id="obs_40_0028__ul12273198112311"><li id="obs_40_0028__li1327378202314">GetObject: downloading objects</li><li id="obs_40_0028__li127318812235">GetObjectVersion: downloading versioned objects</li></ul>
<p id="obs_40_0028__p817120327254">After the configuration is complete, you can read (download) specific objects using APIs. However, if you download an object from OBS Console or OBS Browser+, an error is reported indicating that you do not have required permissions.</p>
<p id="obs_40_0028__p2027615802413">This is because when you log in to OBS Console or OBS Browser+, APIs (such as <strong id="obs_40_0028__b7957153916368">ListAllMyBuckets</strong> and <strong id="obs_40_0028__b13277941123615">ListBucket</strong>) are called to load the bucket list and object list and some other APIs will also be called on other pages, but your permissions do not cover those APIs. In such case, your access is denied or your operation is not allowed.</p>
</div>
<div class="section" id="obs_40_0028__section18368164564"><h4 class="sectiontitle">Procedure</h4><ol id="obs_40_0028__ol745117710219"><li id="obs_40_0028__li973618915320"><span>In the navigation pane of OBS Console, choose <strong id="obs_40_0028__b166521479587">Object Storage</strong>.</span></li><li id="obs_40_0028__li104511752115"><span>In the bucket list, click the bucket name you want to go to the <strong id="obs_40_0028__b327691211374">Overview</strong> page.</span></li><li id="obs_40_0028__li13508181724617"><span>In the navigation pane, choose <strong id="obs_40_0028__b17881115474513">Permissions</strong>.</span></li><li id="obs_40_0028__li49461065486"><span>On the <strong id="obs_40_0028__b344716607">Bucket Policies</strong> page, click <strong id="obs_40_0028__b14482614015">Create Bucket Policy</strong> under <strong id="obs_40_0028__b04481366013">Custom Bucket Policies</strong>.</span></li><li id="obs_40_0028__li3552175452220"><span>Configure parameters for a bucket policy.</span><p><div class="fignone" id="obs_40_0028__fig7676182754111"><span class="figcap"><b>Figure 1 </b>Configuring parameters for a bucket policy</span><br><span><img id="obs_40_0028__image13678227144115" src="en-us_image_0000001385864766.png"></span></div>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="obs_40_0028__table374341792315" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Parameters for creating a bucket policy</caption><thead align="left"><tr id="obs_40_0028__row27504174239"><th align="left" class="cellrowborder" valign="top" width="23.82%" id="mcps1.3.4.2.5.2.2.2.3.1.1"><p id="obs_40_0028__p107559176234"><strong id="obs_40_0028__b8746130373493">Parameter</strong></p>
</th>
<th align="left" class="cellrowborder" valign="top" width="76.18%" id="mcps1.3.4.2.5.2.2.2.3.1.2"><p id="obs_40_0028__p1976317170239"><strong id="obs_40_0028__b20498576063493">Description</strong></p>
</th>
</tr>
</thead>
<tbody><tr id="obs_40_0028__row1246385816164"><td class="cellrowborder" valign="top" width="23.82%" headers="mcps1.3.4.2.5.2.2.2.3.1.1 "><p id="obs_40_0028__p04631584161">Policy Mode</p>
</td>
<td class="cellrowborder" valign="top" width="76.18%" headers="mcps1.3.4.2.5.2.2.2.3.1.2 "><p id="obs_40_0028__p19463175819166">Select <strong id="obs_40_0028__b7457707963493">Read-only</strong>.</p>
</td>
</tr>
<tr id="obs_40_0028__row8783617122317"><td class="cellrowborder" valign="top" width="23.82%" headers="mcps1.3.4.2.5.2.2.2.3.1.1 "><p id="obs_40_0028__p478519172231">Principal</p>
</td>
<td class="cellrowborder" valign="top" width="76.18%" headers="mcps1.3.4.2.5.2.2.2.3.1.2 "><ul id="obs_40_0028__ul1341145419174"><li id="obs_40_0028__li6417546174">Select <strong id="obs_40_0028__b21387414843493">Include</strong> &gt; <strong id="obs_40_0028__b12867007463493">Other account</strong>.</li><li id="obs_40_0028__li4253125801711"><strong id="obs_40_0028__b3494121513548">Account ID</strong>: Enter the ID of the account which you want to grant permissions to. You can obtain it from the <strong id="obs_40_0028__b9495315195418">My Credentials</strong> page of the account.</li><li id="obs_40_0028__li1530533711817"><strong id="obs_40_0028__b7183291173493">User ID</strong>: Enter the account ID, which can be obtained from the <strong id="obs_40_0028__b5979426203493">My Credentials</strong> page of the account.<div class="note" id="obs_40_0028__note8498202544611"><span class="notetitle"> NOTE: </span><div class="notebody"><p id="obs_40_0028__p15498192594615">In this example, permissions are granted to an account, excluding any IAM user under the account. Therefore, the user ID is the same as the account ID.</p>
</div></div>
</li></ul>
</td>
</tr>
<tr id="obs_40_0028__row081741752319"><td class="cellrowborder" valign="top" width="23.82%" headers="mcps1.3.4.2.5.2.2.2.3.1.1 "><p id="obs_40_0028__p15821617102320">Resources</p>
</td>
<td class="cellrowborder" valign="top" width="76.18%" headers="mcps1.3.4.2.5.2.2.2.3.1.2 "><ul id="obs_40_0028__ul7274173411710"><li id="obs_40_0028__li260555313171"><strong id="obs_40_0028__b10395840073493">Include</strong></li><li id="obs_40_0028__li1338101719199"><strong id="obs_40_0028__b2985146953493">Resource Name</strong>: Enter the object or the set of objects that will be accessed.<p id="obs_40_0028__p12830717162315">For one object, enter <em id="obs_40_0028__i383261716237">object name</em>.</p>
<p id="obs_40_0028__p68341917112319">For a set of objects, enter <em id="obs_40_0028__i16357615233493">object name prefix + *, * + object name suffix, or *</em>.</p>
</li></ul>
</td>
</tr>
</tbody>
</table>
</div>
</p></li><li id="obs_40_0028__li4406132611218"><span>Click <strong id="obs_40_0028__b913976893493">OK</strong>. The bucket policy is created.</span></li></ol>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="obs_40_0024.html">Granting Permissions to Other Accounts</a></div>
</div>
</div>
View Git Blame Copy Permalink