doc-exports/docs/obs/perms-cfg/obs_40_0041.html
zhangyue 32b9354795 OBS PERMS DOC
Reviewed-by: Sabelnikov, Dmitriy <dmitriy.sabelnikov@t-systems.com>
Reviewed-by: Hasko, Vladimir <vladimir.hasko@t-systems.com>
Co-authored-by: zhangyue <zhangyue164@huawei.com>
Co-committed-by: zhangyue <zhangyue164@huawei.com>
2023-04-18 07:48:10 +00:00


<a name="obs_40_0041"></a><a name="obs_40_0041"></a>
<h1 class="topictitle1">Bucket Policy Parameters</h1>
<div id="body0000001132232227"><p class="msonormal" id="obs_40_0041__en-us_topic_0118394684_p6480821">A policy in JSON format is described as follows:</p>
<pre class="screen" id="obs_40_0041__en-us_topic_0118394684_screen1671243035119">{
    "Statement" : [{
            statement1
        },
        {
            statement2
        },
        ......
    ]
}</pre>
<div class="p" id="obs_40_0041__en-us_topic_0118394684_p578602465111">Example:<pre class="screen" id="obs_40_0041__en-us_topic_0118394684_screen19171223203611">{
    "Statement" : [{
            "Sid": "ExampleStatementID1",
            "Principal": "*",
            "Effect": "Allow",
            "Action": "ListBucket",
            "Resource": "examplebucket",
            "Condition": "some conditions"
        },
        {
            "Sid": "ExampleStatementID2",
            "Principal": "*",
            "Effect": "Allow",
            "Action": "PutObject",
            "Resource": "examplebucket",
            "Condition": "some conditions"
        },
        ......
    ]
}</pre>
</div>
<p class="msonormal" id="obs_40_0041__en-us_topic_0118394684_p26302712">A policy consists of one or more statements. Each statement contains the following elements:</p>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="obs_40_0041__en-us_topic_0118394684_table35397823" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Statement elements</caption><thead align="left"><tr id="obs_40_0041__en-us_topic_0118394684_row21716226"><th align="left" class="cellrowborder" valign="top" width="16.33%" id="mcps1.3.5.2.4.1.1"><p id="obs_40_0041__en-us_topic_0118394684_p14183880">Element</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="62.239999999999995%" id="mcps1.3.5.2.4.1.2"><p id="obs_40_0041__en-us_topic_0118394684_p5283556">Description</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="21.43%" id="mcps1.3.5.2.4.1.3"><p id="obs_40_0041__en-us_topic_0118394684_p26507476">Mandatory/Optional</p>
</th>
</tr>
</thead>
<tbody><tr id="obs_40_0041__en-us_topic_0118394684_row66730779"><td class="cellrowborder" valign="top" width="16.33%" headers="mcps1.3.5.2.4.1.1 "><p id="obs_40_0041__en-us_topic_0118394684_p36484039">Sid</p>
</td>
<td class="cellrowborder" valign="top" width="62.239999999999995%" headers="mcps1.3.5.2.4.1.2 "><p id="obs_40_0041__en-us_topic_0118394684_p2417216">ID of a statement. The value is a string that describes the statement.</p>
</td>
<td class="cellrowborder" valign="top" width="21.43%" headers="mcps1.3.5.2.4.1.3 "><p id="obs_40_0041__en-us_topic_0118394684_p61576813">Optional</p>
</td>
</tr>
<tr id="obs_40_0041__en-us_topic_0118394684_row17320411"><td class="cellrowborder" valign="top" width="16.33%" headers="mcps1.3.5.2.4.1.1 "><p id="obs_40_0041__en-us_topic_0118394684_p60776050">Principal</p>
</td>
<td class="cellrowborder" valign="top" width="62.239999999999995%" headers="mcps1.3.5.2.4.1.2 "><p id="obs_40_0041__en-us_topic_0118394684_p23913009">Domains and users to which a statement applies. The wildcard (*) is supported, indicating all users. When permissions are authorized to all users under a domain, the format of <strong id="obs_40_0041__b1270895110351">Principal</strong> is <strong id="obs_40_0041__b1563416151391">domain/</strong><em id="obs_40_0041__i770855173518">domainid</em><strong id="obs_40_0041__b76352151395">:user/*</strong>. When permissions are authorized to a specific user under a domain, the format of <strong id="obs_40_0041__b1370955153513">Principal</strong> is <strong id="obs_40_0041__b1652552193913">domain/</strong><em id="obs_40_0041__i770919517355">domainid</em><strong id="obs_40_0041__b10131425133910">:user/</strong><em id="obs_40_0041__i3709145123513">userId</em> or <strong id="obs_40_0041__b111641281398">domain/</strong><em id="obs_40_0041__i10709151173519">domainid</em><strong id="obs_40_0041__b2206103093914">:user/</strong><em id="obs_40_0041__i13710851183518">userName</em>.</p>
</td>
<td class="cellrowborder" valign="top" width="21.43%" headers="mcps1.3.5.2.4.1.3 "><p id="obs_40_0041__en-us_topic_0118394684_p1708187">Optional. Select either <strong id="obs_40_0041__b335344343417">Principal</strong> or <strong id="obs_40_0041__b123561543103416">NotPrincipal</strong>.</p>
</td>
</tr>
<tr id="obs_40_0041__en-us_topic_0118394684_row15373683"><td class="cellrowborder" valign="top" width="16.33%" headers="mcps1.3.5.2.4.1.1 "><p id="obs_40_0041__en-us_topic_0118394684_p37308772">NotPrincipal</p>
</td>
<td class="cellrowborder" valign="top" width="62.239999999999995%" headers="mcps1.3.5.2.4.1.2 "><p id="obs_40_0041__en-us_topic_0118394684_p2111686">An exception to a list of principals in the statement. You can deny access to all principals except the ones named in the <strong id="obs_40_0041__b27826465295">NotPrincipal</strong> element. This parameter has the same value format as <strong id="obs_40_0041__b93347353439">Principal</strong>.</p>
</td>
<td class="cellrowborder" valign="top" width="21.43%" headers="mcps1.3.5.2.4.1.3 "><p id="obs_40_0041__en-us_topic_0118394684_p36828864">Optional. Select either <strong id="obs_40_0041__b6701151211415">NotPrincipal</strong> or <strong id="obs_40_0041__b77011127142">Principal</strong>.</p>
</td>
</tr>
<tr id="obs_40_0041__en-us_topic_0118394684_row63024326"><td class="cellrowborder" valign="top" width="16.33%" headers="mcps1.3.5.2.4.1.1 "><p id="obs_40_0041__en-us_topic_0118394684_p4696792">Action</p>
</td>
<td class="cellrowborder" valign="top" width="62.239999999999995%" headers="mcps1.3.5.2.4.1.2 "><p id="obs_40_0041__en-us_topic_0118394684_p44895895">Actions which a statement applies to. This parameter specifies a set of all the operations supported by OBS. Its values are case insensitive. The value supports a wildcard character (*) that indicates all actions, for example, <strong id="obs_40_0041__b681719509239">"Action":["List*", "Get*"]</strong>.</p>
</td>
<td class="cellrowborder" valign="top" width="21.43%" headers="mcps1.3.5.2.4.1.3 "><p id="obs_40_0041__en-us_topic_0118394684_p12688874">Optional. Select either <strong id="obs_40_0041__b269519307142">Action</strong> or <strong id="obs_40_0041__b769519302146">NotAction</strong>.</p>
</td>
</tr>
<tr id="obs_40_0041__en-us_topic_0118394684_row47091007"><td class="cellrowborder" valign="top" width="16.33%" headers="mcps1.3.5.2.4.1.1 "><p id="obs_40_0041__en-us_topic_0118394684_p56275212">NotAction</p>
</td>
<td class="cellrowborder" valign="top" width="62.239999999999995%" headers="mcps1.3.5.2.4.1.2 "><p id="obs_40_0041__en-us_topic_0118394684_p61998305">An exception to a list of actions in the statement. All actions are performed except the ones specified in <strong id="obs_40_0041__b11503178319">NotAction</strong>. This parameter has the same value format as <strong id="obs_40_0041__b1797817478236">Action</strong>.</p>
</td>
<td class="cellrowborder" valign="top" width="21.43%" headers="mcps1.3.5.2.4.1.3 "><p id="obs_40_0041__en-us_topic_0118394684_p55806823">Optional. Select either <strong id="obs_40_0041__b17677201132412">Action</strong> or <strong id="obs_40_0041__b20677141102420">NotAction</strong>.</p>
</td>
</tr>
<tr id="obs_40_0041__en-us_topic_0118394684_row32499364"><td class="cellrowborder" valign="top" width="16.33%" headers="mcps1.3.5.2.4.1.1 "><p id="obs_40_0041__en-us_topic_0118394684_p15202805">Effect</p>
</td>
<td class="cellrowborder" valign="top" width="62.239999999999995%" headers="mcps1.3.5.2.4.1.2 "><p id="obs_40_0041__en-us_topic_0118394684_p23467724">Whether the permission in a statement is allowed or denied. The value is <strong id="obs_40_0041__b173465263109">Allow</strong> or <strong id="obs_40_0041__b173112711106">Deny</strong>.</p>
</td>
<td class="cellrowborder" valign="top" width="21.43%" headers="mcps1.3.5.2.4.1.3 "><p id="obs_40_0041__en-us_topic_0118394684_p21837454">Mandatory</p>
</td>
</tr>
<tr id="obs_40_0041__en-us_topic_0118394684_row62319364"><td class="cellrowborder" valign="top" width="16.33%" headers="mcps1.3.5.2.4.1.1 "><p id="obs_40_0041__en-us_topic_0118394684_p14703700">Resource</p>
</td>
<td class="cellrowborder" valign="top" width="62.239999999999995%" headers="mcps1.3.5.2.4.1.2 "><p id="obs_40_0041__en-us_topic_0118394684_p50149061">Resources on which the statement takes effect. The wildcard (*) is supported, indicating all resources.</p>
</td>
<td class="cellrowborder" valign="top" width="21.43%" headers="mcps1.3.5.2.4.1.3 "><p id="obs_40_0041__en-us_topic_0118394684_p35542142">Optional. Select either <strong id="obs_40_0041__b167101454142714">Resource</strong> or <strong id="obs_40_0041__b37161954132710">NotResource</strong>.</p>
</td>
</tr>
<tr id="obs_40_0041__en-us_topic_0118394684_row51443830"><td class="cellrowborder" valign="top" width="16.33%" headers="mcps1.3.5.2.4.1.1 "><p id="obs_40_0041__en-us_topic_0118394684_p6200687">NotResource</p>
</td>
<td class="cellrowborder" valign="top" width="62.239999999999995%" headers="mcps1.3.5.2.4.1.2 "><p id="obs_40_0041__en-us_topic_0118394684_p32493637">An exception to a list of resources in a statement. A policy is not applied to the resources specified in <strong id="obs_40_0041__b1583465593316">NotResource</strong>. This parameter has the same value format as <strong id="obs_40_0041__b186015872818">Resource</strong>.</p>
</td>
<td class="cellrowborder" valign="top" width="21.43%" headers="mcps1.3.5.2.4.1.3 "><p id="obs_40_0041__en-us_topic_0118394684_p14738911">Optional. Select either <strong id="obs_40_0041__b151601317289">Resource</strong> or <strong id="obs_40_0041__b416014318283">NotResource</strong>.</p>
</td>
</tr>
<tr id="obs_40_0041__en-us_topic_0118394684_row65541337"><td class="cellrowborder" valign="top" width="16.33%" headers="mcps1.3.5.2.4.1.1 "><p id="obs_40_0041__en-us_topic_0118394684_p7248085">Condition</p>
</td>
<td class="cellrowborder" valign="top" width="62.239999999999995%" headers="mcps1.3.5.2.4.1.2 "><p id="obs_40_0041__en-us_topic_0118394684_p50224009">Conditions for a statement to take effect.</p>
</td>
<td class="cellrowborder" valign="top" width="21.43%" headers="mcps1.3.5.2.4.1.3 "><p id="obs_40_0041__en-us_topic_0118394684_p41612958">Optional</p>
</td>
</tr>
</tbody>
</table>
</div>
<div class="note" id="obs_40_0041__en-us_topic_0118394684_note38972308"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p class="text" id="obs_40_0041__en-us_topic_0118394684_p15206460">A statement must contain either <strong id="obs_40_0041__b6244131833513">Action</strong> or <strong id="obs_40_0041__b102503182359">NotAction</strong>, either <strong id="obs_40_0041__b525031893518">Resource</strong> or <strong id="obs_40_0041__b112515185357">NotResource</strong>, and either <strong id="obs_40_0041__b172517184354">Principal</strong> or <strong id="obs_40_0041__b14251118103512">NotPrincipal</strong>.</p>
</div></div>
<div class="section" id="obs_40_0041__en-us_topic_0118394684_section5503115113418"><h4 class="sectiontitle">Principal/NotPrincipal</h4><p id="obs_40_0041__en-us_topic_0118394684_p1896975443412"><strong id="obs_40_0041__b773733315359">Principal</strong> or <strong id="obs_40_0041__b19738233153516">NotPrincipal</strong> supported by OBS includes anonymous users, specific tenants, specific users, federated users, and agencies.</p>
</div>
<ul id="obs_40_0041__en-us_topic_0118394684_ul11997279325"><li id="obs_40_0041__en-us_topic_0118394684_li919914277321">All (anonymous users)<pre class="screen" id="obs_40_0041__en-us_topic_0118394684_screen11878413">"Principal": {"ID": "*"}</pre>
<p id="obs_40_0041__en-us_topic_0118394684_p02001827163219">In the example, the wildcard (*) is used as a placeholder for Everyone/Anonymous. We strongly recommend that you do not use wildcards in the <strong id="obs_40_0041__b73498579379">Principal</strong> element of the role's trust policy unless you have restricted access by using the <strong id="obs_40_0041__b8355165716373">Condition</strong> element in the policy.</p>
</li></ul>
<ul id="obs_40_0041__en-us_topic_0118394684_ul18200162773217"><li id="obs_40_0041__en-us_topic_0118394684_li15200162713322">Specific tenants<p id="obs_40_0041__en-us_topic_0118394684_p112007279329"><a name="obs_40_0041__en-us_topic_0118394684_li15200162713322"></a><a name="en-us_topic_0118394684_li15200162713322"></a>If the tenant identifier is used as the authorizer in the policy, permissions in the policy statement can be granted to all roles, including all the users, contained in this tenant. The following example demonstrates how to specify a tenant as an authorizer.</p>
<pre class="screen" id="obs_40_0041__en-us_topic_0118394684_screen19670056163418">"Principal": { "ID": "domain/domainIdxxxx:user/*" }</pre>
<p id="obs_40_0041__en-us_topic_0118394684_p17200132793218">You can grant permissions to multiple tenants, as described in the following example:</p>
<pre class="screen" id="obs_40_0041__en-us_topic_0118394684_screen11252153883617">"Principal": {
    "ID": [
        "domain/domainIDxx1:user/useridxxxx",
        "domain/domainIDxx2:user/*"
    ]
}</pre>
</li></ul>
<ul id="obs_40_0041__en-us_topic_0118394684_ul8201027193218"><li id="obs_40_0041__en-us_topic_0118394684_li12013277323">Specific users<p id="obs_40_0041__en-us_topic_0118394684_p7201927173212"><a name="obs_40_0041__en-us_topic_0118394684_li12013277323"></a><a name="en-us_topic_0118394684_li12013277323"></a>In the <strong id="obs_40_0041__b99361919144513">Principal</strong> element, user names are case sensitive.</p>
<pre class="screen" id="obs_40_0041__en-us_topic_0118394684_screen7831174053613">"Principal": {"ID": "domain/domainIDxxx:user/user-name" }
"Principal": {
    "ID": [
        "domain/domainIDxxx:user/UserID1",
        "domain/domainIDxxx:user/UserID2"
    ]
}</pre>
</li></ul>
<ul id="obs_40_0041__en-us_topic_0118394684_ul10202132719321"><li id="obs_40_0041__en-us_topic_0118394684_li620212753212">Federated users (using SAML identity provider)<pre class="screen" id="obs_40_0041__en-us_topic_0118394684_screen624312319373">"Principal": { "Federated": "domain/domainIDxxx:identity-provider/provider-name" }
"Principal": { "Federated": "domain/domainIDxxx:group/groupname" }</pre>
</li><li id="obs_40_0041__en-us_topic_0118394684_li1520213277321">Agencies<div class="p" id="obs_40_0041__p16356541512"><a name="obs_40_0041__en-us_topic_0118394684_li1520213277321"></a><a name="en-us_topic_0118394684_li1520213277321"></a><strong id="obs_40_0041__b1656710303351">*</strong> indicates all agencies of a tenant.<pre class="screen" id="obs_40_0041__screen17761165285118">"Principal": { "ID": "domain/domainIDxxx:agency/agencyname" }
"Principal": { "ID": "domain/domainIDxxx:agency/*" }</pre>
</div>
</li></ul>
<p id="obs_40_0041__p84772255592">The principals on OBS Console are the users to which bucket policies apply. These users can be accounts, federated users or federated user groups, and IAM users. You can specify principals in either of the following ways:</p>
<ul id="obs_40_0041__ul108801826115212"><li id="obs_40_0041__li7880926165213"><strong id="obs_40_0041__b11724113010289">Include</strong>: Specifies the users to whom the bucket policy applies.</li><li id="obs_40_0041__li1488092635210"><strong id="obs_40_0041__b186651437523">Exclude</strong>: Specifies that the bucket policy applies to all users except the specified ones.</li></ul>
<p id="obs_40_0041__p13981044541"><strong id="obs_40_0041__b15754250115719">Specifying IAM users under the current account</strong></p>
<p id="obs_40_0041__p180315561844">With <strong id="obs_40_0041__b195153119474">Principal</strong> set to <strong id="obs_40_0041__b1751611114478">Current account</strong>, you can select one or more IAM users under this account, so the bucket policy applies to the selected IAM users.</p>
<p id="obs_40_0041__p12891650154713"><strong id="obs_40_0041__b95775202518">Specifying another account</strong></p>
<p id="obs_40_0041__p69291443104715">With <strong id="obs_40_0041__b4886225184814">Principal</strong> set to <strong id="obs_40_0041__b2887162584819">Other account</strong>, you can enter an account ID. If you want to grant access only to IAM users under the account, you need to enter user IDs, and use commas (,) to separate one user ID from another.</p>
<div class="note" id="obs_40_0041__note81331511189"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="obs_40_0041__p18133185201812">To obtain the account ID and user ID, log in to the console as an IAM user and go to the <strong id="obs_40_0041__b46913501486">My Credentials</strong> page.</p>
</div></div>
<p id="obs_40_0041__p13685381141"><strong id="obs_40_0041__b419212311060">Specifying anonymous users</strong></p>
<p id="obs_40_0041__p2088114267528">To grant the bucket access to anyone, set <strong id="obs_40_0041__b12271754661">Principal</strong> to <strong id="obs_40_0041__b6345542618">Other account</strong> and enter a wildcard (*) as the account ID.</p>
<div class="notice" id="obs_40_0041__note198214105314"><span class="noticetitle"><img src="public_sys-resources/notice_3.0-en-us.png"> </span><div class="noticebody"><p id="obs_40_0041__p149831448536">Exercise caution when granting bucket access permissions to anonymous users. If you grant the access permissions to anonymous users, anyone can access your bucket. You are advised to set restrictions on access requests. For example, you can allow the access requests from only one IP address.</p>
</div></div>
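<p>The statement rules and principal formats above can be checked mechanically before a policy is applied. The following Python linter is an added example, not part of the OBS documentation or tooling. The sample policy is constructed, and the <code>IpAddress</code>/<code>SourceIp</code> condition in it uses an assumed syntax that this page does not show; the linter only checks that a condition is present.</p>

```python
import json
import re

# Pairs named in the note under Table 1: a statement carries exactly one of each.
PAIRS = [("Principal", "NotPrincipal"), ("Action", "NotAction"), ("Resource", "NotResource")]

# Principal formats listed on this page: domain/ID:kind/name, where name may be *.
PRINCIPAL_RE = re.compile(r"domain/[^:/\s]+:(user|agency|identity-provider|group)/\S+")


def principal_ids(principal):
    """Flatten "*", {"ID": ...} or {"Federated": ...} into a list of strings."""
    if isinstance(principal, str):
        return [principal]
    ids = []
    if isinstance(principal, dict):
        for value in principal.values():
            if isinstance(value, str):
                ids.append(value)
            elif isinstance(value, list):
                ids.extend(str(v) for v in value)
    return ids


def lint_statement(stmt, index):
    """Return (severity, message) findings for one statement."""
    label = stmt.get("Sid", f"statement[{index}]")
    findings = []

    if stmt.get("Effect") not in ("Allow", "Deny"):
        findings.append(("error", f"{label}: Effect must be Allow or Deny"))

    for positive, negative in PAIRS:
        if (positive in stmt) == (negative in stmt):
            findings.append(("error", f"{label}: needs exactly one of {positive}/{negative}"))

    allowed = principal_ids(stmt.get("Principal"))
    for pid in allowed + principal_ids(stmt.get("NotPrincipal")):
        if pid != "*" and not PRINCIPAL_RE.fullmatch(pid):
            findings.append(("warn", f"{label}: principal {pid!r} does not match a documented format"))

    if stmt.get("Effect") == "Allow":
        # The page advises against a wildcard principal unless a Condition restricts access.
        if "*" in allowed and not stmt.get("Condition"):
            findings.append(("high", f"{label}: Allow for anonymous users without a Condition"))
        # Exclude semantics: the grant reaches every user except the listed ones.
        if "NotPrincipal" in stmt:
            findings.append(("high", f"{label}: Allow with NotPrincipal applies to all other users"))
    return findings


def lint_policy(policy):
    """Lint every statement of a parsed bucket policy."""
    statements = policy.get("Statement")
    if not isinstance(statements, list) or not statements:
        return [("error", "policy: Statement must be a non-empty list")]
    findings = []
    for i, stmt in enumerate(statements):
        findings.extend(lint_statement(stmt, i))
    return findings


# Constructed sample policy (not from the page); the Condition syntax is assumed.
SAMPLE_POLICY = json.loads("""
{
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": {"ID": "*"},
     "Action": ["GetObject"], "Resource": "examplebucket/*"},
    {"Sid": "PublicReadFromOneIp", "Effect": "Allow", "Principal": {"ID": "*"},
     "Action": ["GetObject"], "Resource": "examplebucket/*",
     "Condition": {"IpAddress": {"SourceIp": ["192.0.2.10"]}}},
    {"Sid": "NoResource", "Effect": "Allow",
     "Principal": {"ID": ["domain/domainIDxx1:user/*"]}, "Action": ["ListBucket"]},
    {"Sid": "BadPrincipal", "Effect": "Deny",
     "Principal": {"ID": " domain/domainIDxx1:user/*"},
     "Action": ["DeleteObject"], "Resource": "examplebucket/*"}
  ]
}
""")

if __name__ == "__main__":
    for severity, message in lint_policy(SAMPLE_POLICY):
        print(f"[{severity}] {message}")
```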
<div class="section" id="obs_40_0041__en-us_topic_0118394684_section1623516525350"><a name="obs_40_0041__en-us_topic_0118394684_section1623516525350"></a><a name="en-us_topic_0118394684_section1623516525350"></a><h4 class="sectiontitle">Action/NotAction</h4><p id="obs_40_0041__p205313416552">If a policy applies to a bucket, configure bucket-related actions; if the policy applies to the objects in a bucket, configure object-related actions.</p>
<p id="obs_40_0041__p77695354145">Actions can be specified in either of the following ways:</p>
<ul id="obs_40_0041__ul108291819152819"><li id="obs_40_0041__li100102451519"><strong id="obs_40_0041__b1260710264507">Include</strong>: Specifies the actions on which the bucket policy takes effect.</li><li id="obs_40_0041__li12829619172810"><strong id="obs_40_0041__b20170104405015">Exclude</strong>: Specifies that the bucket policy takes effect on all actions except the specified ones.</li></ul>
</div>
<p id="obs_40_0041__p2166204972813"><strong id="obs_40_0041__b7865849122419">Bucket Actions</strong></p>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="obs_40_0041__table13827194016555" frame="border" border="1" rules="all"><caption><b>Table 2 </b>Action description</caption><thead align="left"><tr id="obs_40_0041__row85334118557"><th align="left" class="cellrowborder" valign="top" width="16.16%" id="mcps1.3.24.2.4.1.1"><p id="obs_40_0041__p195334120552">Type</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="30.220000000000002%" id="mcps1.3.24.2.4.1.2"><p id="obs_40_0041__p175354120557">Value</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="53.620000000000005%" id="mcps1.3.24.2.4.1.3"><p id="obs_40_0041__p1453144125511">Description</p>
</th>
</tr>
</thead>
<tbody><tr id="obs_40_0041__row453184117553"><td class="cellrowborder" rowspan="4" valign="top" width="16.16%" headers="mcps1.3.24.2.4.1.1 "><p id="obs_40_0041__p5531411558">General</p>
</td>
<td class="cellrowborder" valign="top" width="30.220000000000002%" headers="mcps1.3.24.2.4.1.2 "><p id="obs_40_0041__p453174113553">*</p>
</td>
<td class="cellrowborder" valign="top" width="53.620000000000005%" headers="mcps1.3.24.2.4.1.3 "><p id="obs_40_0041__p135334117553">Indicates that all operations can be performed on a resource.</p>
</td>
</tr>
<tr id="obs_40_0041__row1453124118553"><td class="cellrowborder" valign="top" headers="mcps1.3.24.2.4.1.1 "><p id="obs_40_0041__p15334135514">Get*</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.24.2.4.1.2 "><p id="obs_40_0041__p1153041155513">Indicates that all GET operations can be performed on a resource.</p>
</td>
</tr>
<tr id="obs_40_0041__row55304185517"><td class="cellrowborder" valign="top" headers="mcps1.3.24.2.4.1.1 "><p id="obs_40_0041__p1553124165517">Put*</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.24.2.4.1.2 "><p id="obs_40_0041__p13535414553">Indicates that all PUT operations can be performed on a resource.</p>
</td>
</tr>
<tr id="obs_40_0041__row1053184119554"><td class="cellrowborder" valign="top" headers="mcps1.3.24.2.4.1.1 "><p id="obs_40_0041__p853741105510">List*</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.24.2.4.1.2 "><p id="obs_40_0041__p653441185516">Indicates that all LIST operations can be performed on a resource.</p>
</td>
</tr>
<tr id="obs_40_0041__row1746441913813"><td class="cellrowborder" rowspan="19" valign="top" width="16.16%" headers="mcps1.3.24.2.4.1.1 "><p id="obs_40_0041__p15464419123810">Bucket</p>
</td>
<td class="cellrowborder" valign="top" width="30.220000000000002%" headers="mcps1.3.24.2.4.1.2 "><p id="obs_40_0041__p3597524183813">CreateBucket</p>
</td>
<td class="cellrowborder" valign="top" width="53.620000000000005%" headers="mcps1.3.24.2.4.1.3 "><p id="obs_40_0041__p17597424103818">Creates a bucket.</p>
</td>
</tr>
<tr id="obs_40_0041__row6531441135518"><td class="cellrowborder" valign="top" headers="mcps1.3.24.2.4.1.1 "><p id="obs_40_0041__p19531141125518">DeleteBucket</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.24.2.4.1.2 "><p id="obs_40_0041__p175384145515">Deletes a bucket.</p>
</td>
</tr>
<tr id="obs_40_0041__row1154041115519"><td class="cellrowborder" valign="top" headers="mcps1.3.24.2.4.1.1 "><p id="obs_40_0041__p9541741175510">ListBucket</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.24.2.4.1.2 "><p id="obs_40_0041__p1154134112551">Lists objects in a bucket, and gets the bucket metadata.</p>
</td>
</tr>
<tr id="obs_40_0041__row95474110559"><td class="cellrowborder" valign="top" headers="mcps1.3.24.2.4.1.1 "><p id="obs_40_0041__p20541041185513">ListBucketVersions</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.24.2.4.1.2 "><p id="obs_40_0041__p1254144145510">Lists versioned objects in a bucket.</p>
</td>
</tr>
<tr id="obs_40_0041__row12542041195514"><td class="cellrowborder" valign="top" headers="mcps1.3.24.2.4.1.1 "><p id="obs_40_0041__p135413411555">ListBucketMultipartUploads</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.24.2.4.1.2 "><p id="obs_40_0041__p954184135510">Lists multipart upload tasks.</p>
</td>
</tr>
<tr id="obs_40_0041__row3541541155515"><td class="cellrowborder" valign="top" headers="mcps1.3.24.2.4.1.1 "><p id="obs_40_0041__p45474113559">GetBucketAcl</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.24.2.4.1.2 "><p id="obs_40_0041__p1545412557">Gets the bucket ACL information.</p>
</td>
</tr>
<tr id="obs_40_0041__row1541541125517"><td class="cellrowborder" valign="top" headers="mcps1.3.24.2.4.1.1 "><p id="obs_40_0041__p1854144125519">PutBucketAcl</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.24.2.4.1.2 "><p id="obs_40_0041__p185424175514">Configures a bucket ACL.</p>
</td>
</tr>
<tr id="obs_40_0041__row19548412556"><td class="cellrowborder" valign="top" headers="mcps1.3.24.2.4.1.1 "><p id="obs_40_0041__p17546419559">GetBucketCORS</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.24.2.4.1.2 "><p id="obs_40_0041__p17545414556">Gets the CORS configuration of a bucket.</p>
</td>
</tr>
<tr id="obs_40_0041__row154174165511"><td class="cellrowborder" valign="top" headers="mcps1.3.24.2.4.1.1 "><p id="obs_40_0041__p13545418559">PutBucketCORS</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.24.2.4.1.2 "><p id="obs_40_0041__p1554341195517">Configures CORS for a bucket.</p>
</td>
</tr>
<tr id="obs_40_0041__row18541541155513"><td class="cellrowborder" valign="top" headers="mcps1.3.24.2.4.1.1 "><p id="obs_40_0041__p35424175510">GetBucketVersioning</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.24.2.4.1.2 "><p id="obs_40_0041__p25694120558">Gets the bucket versioning information.</p>
</td>
</tr>
<tr id="obs_40_0041__row1556124110550"><td class="cellrowborder" valign="top" headers="mcps1.3.24.2.4.1.1 "><p id="obs_40_0041__p256114114557">PutBucketVersioning</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.24.2.4.1.2 "><p id="obs_40_0041__p8561041165514">Configures versioning for a bucket.</p>
</td>
</tr>
<tr id="obs_40_0041__row1956174175518"><td class="cellrowborder" valign="top" headers="mcps1.3.24.2.4.1.1 "><p id="obs_40_0041__p105616414553">GetBucketLocation</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.24.2.4.1.2 "><p id="obs_40_0041__p65684195517">Gets the bucket location.</p>
</td>
</tr>
<tr id="obs_40_0041__row65694112559"><td class="cellrowborder" valign="top" headers="mcps1.3.24.2.4.1.1 "><p id="obs_40_0041__p19567419551">GetBucketLogging</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.24.2.4.1.2 "><p id="obs_40_0041__p20561941195520">Gets the bucket logging information.</p>
</td>
</tr>
<tr id="obs_40_0041__row25624135520"><td class="cellrowborder" valign="top" headers="mcps1.3.24.2.4.1.1 "><p id="obs_40_0041__p8576412557">PutBucketLogging</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.24.2.4.1.2 "><p id="obs_40_0041__p65794105515">Configures logging for a bucket.</p>
</td>
</tr>
<tr id="obs_40_0041__row1457341125512"><td class="cellrowborder" valign="top" headers="mcps1.3.24.2.4.1.1 "><p id="obs_40_0041__p125714418556">GetBucketWebsite</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.24.2.4.1.2 "><p id="obs_40_0041__p145710418554">Obtains the static website configuration information of a bucket.</p>
</td>
</tr>
<tr id="obs_40_0041__row135744120554"><td class="cellrowborder" valign="top" headers="mcps1.3.24.2.4.1.1 "><p id="obs_40_0041__p957184112553">PutBucketWebsite</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.24.2.4.1.2 "><p id="obs_40_0041__p1457154115555">Configures static website hosting for a bucket.</p>
</td>
</tr>
<tr id="obs_40_0041__row8571941185515"><td class="cellrowborder" valign="top" headers="mcps1.3.24.2.4.1.1 "><p id="obs_40_0041__p757164111551">DeleteBucketWebsite</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.24.2.4.1.2 "><p id="obs_40_0041__p11573417559">Cancels the static website hosting of a bucket.</p>
</td>
</tr>
<tr id="obs_40_0041__row165719411553"><td class="cellrowborder" valign="top" headers="mcps1.3.24.2.4.1.1 "><p id="obs_40_0041__p1357104117554">GetLifecycleConfiguration</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.24.2.4.1.2 "><p id="obs_40_0041__p5581441145518">Obtains the lifecycle rules of a bucket.</p>
</td>
</tr>
<tr id="obs_40_0041__row658341115520"><td class="cellrowborder" valign="top" headers="mcps1.3.24.2.4.1.1 "><p id="obs_40_0041__p1358124115511">PutLifecycleConfiguration</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.24.2.4.1.2 "><p id="obs_40_0041__p1558941115516">Configures a lifecycle rule for a bucket.</p>
</td>
</tr>
</tbody>
</table>
</div>
<p id="obs_40_0041__p127181542914"><strong id="obs_40_0041__b1475811413240">Object Actions</strong></p>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="obs_40_0041__table1020518423242" frame="border" border="1" rules="all"><caption><b>Table 3 </b>Action description</caption><thead align="left"><tr id="obs_40_0041__row1620644218243"><th align="left" class="cellrowborder" valign="top" width="16.16%" id="mcps1.3.26.2.4.1.1"><p id="obs_40_0041__p120612421243">Type</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="30.3%" id="mcps1.3.26.2.4.1.2"><p id="obs_40_0041__p1920614217245">Value</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="53.54%" id="mcps1.3.26.2.4.1.3"><p id="obs_40_0041__p4206442152416">Description</p>
</th>
</tr>
</thead>
<tbody><tr id="obs_40_0041__row5206204282412"><td class="cellrowborder" rowspan="4" valign="top" width="16.16%" headers="mcps1.3.26.2.4.1.1 "><p id="obs_40_0041__p112069421244">General</p>
</td>
<td class="cellrowborder" valign="top" width="30.3%" headers="mcps1.3.26.2.4.1.2 "><p id="obs_40_0041__p17206342142415">*</p>
</td>
<td class="cellrowborder" valign="top" width="53.54%" headers="mcps1.3.26.2.4.1.3 "><p id="obs_40_0041__p320664292412">Indicates that all operations can be performed on a resource.</p>
</td>
</tr>
<tr id="obs_40_0041__row620624218240"><td class="cellrowborder" valign="top" headers="mcps1.3.26.2.4.1.1 "><p id="obs_40_0041__p1720611423245">Get*</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.26.2.4.1.2 "><p id="obs_40_0041__p1320617422244">Indicates that all GET operations can be performed on a resource.</p>
</td>
</tr>
<tr id="obs_40_0041__row1220634216241"><td class="cellrowborder" valign="top" headers="mcps1.3.26.2.4.1.1 "><p id="obs_40_0041__p7206134202415">Put*</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.26.2.4.1.2 "><p id="obs_40_0041__p620616420248">Indicates that all PUT operations can be performed on a resource.</p>
</td>
</tr>
<tr id="obs_40_0041__row5206164262415"><td class="cellrowborder" valign="top" headers="mcps1.3.26.2.4.1.1 "><p id="obs_40_0041__p19206144252410">List*</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.26.2.4.1.2 "><p id="obs_40_0041__p152061042112416">Indicates that all LIST operations can be performed on a resource.</p>
</td>
</tr>
<tr id="obs_40_0041__row13206342192416"><td class="cellrowborder" rowspan="11" valign="top" width="16.16%" headers="mcps1.3.26.2.4.1.1 "><p id="obs_40_0041__p9206144211241">Object</p>
</td>
<td class="cellrowborder" valign="top" width="30.3%" headers="mcps1.3.26.2.4.1.2 "><p id="obs_40_0041__p7206134213245">GetObject</p>
</td>
<td class="cellrowborder" valign="top" width="53.54%" headers="mcps1.3.26.2.4.1.3 "><p id="obs_40_0041__p8206242122419">Gets the content and metadata of an object.</p>
</td>
</tr>
<tr id="obs_40_0041__row120674272415"><td class="cellrowborder" valign="top" headers="mcps1.3.26.2.4.1.1 "><p id="obs_40_0041__p162069427248">GetObjectVersion</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.26.2.4.1.2 "><p id="obs_40_0041__p620684210243">Gets the content and metadata of a specified object version.</p>
</td>
</tr>
<tr id="obs_40_0041__row17207842192410"><td class="cellrowborder" valign="top" headers="mcps1.3.26.2.4.1.1 "><p id="obs_40_0041__p142073426242">PutObject</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.26.2.4.1.2 "><p id="obs_40_0041__p220794282413">Performs PUT upload, POST upload, multipart upload, initialization of uploaded parts, and merging of parts.</p>
</td>
</tr>
<tr id="obs_40_0041__row3207144232415"><td class="cellrowborder" valign="top" headers="mcps1.3.26.2.4.1.1 "><p id="obs_40_0041__p132071542162416">GetObjectAcl</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.26.2.4.1.2 "><p id="obs_40_0041__p120704242415">Gets the object ACL information.</p>
</td>
</tr>
<tr id="obs_40_0041__row3207144272419"><td class="cellrowborder" valign="top" headers="mcps1.3.26.2.4.1.1 "><p id="obs_40_0041__p8207194212243">GetObjectVersionAcl</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.26.2.4.1.2 "><p id="obs_40_0041__p172071042192415">Gets the ACL information of a specified object version.</p>
</td>
</tr>
<tr id="obs_40_0041__row202072042172419"><td class="cellrowborder" valign="top" headers="mcps1.3.26.2.4.1.1 "><p id="obs_40_0041__p52071642162419">PutObjectAcl</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.26.2.4.1.2 "><p id="obs_40_0041__p420704222419">Configures the ACL for an object.</p>
</td>
</tr>
<tr id="obs_40_0041__row720715423242"><td class="cellrowborder" valign="top" headers="mcps1.3.26.2.4.1.1 "><p id="obs_40_0041__p12071942182413">PutObjectVersionAcl</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.26.2.4.1.2 "><p id="obs_40_0041__p120744282411">Configures the ACL for a specified object version.</p>
</td>
</tr>
<tr id="obs_40_0041__row1120704216242"><td class="cellrowborder" valign="top" headers="mcps1.3.26.2.4.1.1 "><p id="obs_40_0041__p520716423242">DeleteObject</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.26.2.4.1.2 "><p id="obs_40_0041__p142071342192417">Deletes an object.</p>
</td>
</tr>
<tr id="obs_40_0041__row1320714423244"><td class="cellrowborder" valign="top" headers="mcps1.3.26.2.4.1.1 "><p id="obs_40_0041__p10207842172412">DeleteObjectVersion</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.26.2.4.1.2 "><p id="obs_40_0041__p1120794212240">Deletes a specified object version.</p>
</td>
</tr>
<tr id="obs_40_0041__row92071342112420"><td class="cellrowborder" valign="top" headers="mcps1.3.26.2.4.1.1 "><p id="obs_40_0041__p1620711424248">ListMultipartUploadParts</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.26.2.4.1.2 "><p id="obs_40_0041__p1208164202420">Lists uploaded parts.</p>
</td>
</tr>
<tr id="obs_40_0041__row1420864214247"><td class="cellrowborder" valign="top" headers="mcps1.3.26.2.4.1.1 "><p id="obs_40_0041__p2208184292413">AbortMultipartUpload</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.26.2.4.1.2 "><p id="obs_40_0041__p5208174242416">Cancels a multipart upload.</p>
</td>
</tr>
</tbody>
</table>
</div>
<div class="section" id="obs_40_0041__en-us_topic_0118394684_section12213204018369"><h4 class="sectiontitle">Resource/NotResource</h4><p id="obs_40_0041__p20757629185113">The resources supported by OBS are as follows:</p>
</div>
<ul id="obs_40_0041__en-us_topic_0118394684_ul093644813162"><li class="msonormal" id="obs_40_0041__en-us_topic_0118394684_li13934114841610"><em id="obs_40_0041__i178819184217">bucketname</em> (bucket operation): The <strong id="obs_40_0041__b1188814116424">Action</strong> drop-down list box contains the list of supported bucket actions. To perform the listed operations on the bucket, set <strong id="obs_40_0041__b1588819112423">Resource</strong> to the bucket name.</li><li class="msonormal" id="obs_40_0041__en-us_topic_0118394684_li1093617484167"><em id="obs_40_0041__i6656162713427">bucketname/objectname</em> (object operation): The <strong id="obs_40_0041__b7663172716424">Action</strong> drop-down list box contains the list of supported object actions. To perform operations on an object in a bucket, set <strong id="obs_40_0041__b116641027164217">Resource</strong> to <em id="obs_40_0041__i1366516271427">bucketname/objectname</em>. <strong id="obs_40_0041__b4119394440">objectname</strong> supports wildcards. For example, to grant permissions on the objects in a directory of a bucket, set <strong id="obs_40_0041__b511917913442">Resource</strong> to <em id="obs_40_0041__i1797874424411">"bucketname/directory/*"</em>. To grant permissions on all the objects in a bucket, set <strong id="obs_40_0041__b16120119114414">Resource</strong> to <em id="obs_40_0041__i532652617454">"bucketname/*"</em>. If permissions for both a bucket and its objects need to be granted, set <strong id="obs_40_0041__b1312115910448">Resource</strong> to <strong id="obs_40_0041__b91216915445">["examplebucket/*","examplebucket"]</strong>.</li></ul>
<p class="msonormal" id="obs_40_0041__en-us_topic_0118394684_p28339309">The following example policy grants all operation permissions on <strong id="obs_40_0041__b17194943114214">examplebucket</strong> (including the bucket and its objects) to user1 whose user ID is <strong id="obs_40_0041__b172018439425">71f3901173514e6988115ea2c26d1999</strong> under account <strong id="obs_40_0041__b420264324211">b4bf1b36d9ca43d984fbcb9491b6fce9</strong> (account ID). </p>
<pre class="screen" id="obs_40_0041__en-us_topic_0118394684_screen137871136173612">{
"Statement":[
{
"Sid":"test",
"Effect":"Allow",
"Principal": {"ID": ["domain/b4bf1b36d9ca43d984fbcb9491b6fce9:user/71f3901173514e6988115ea2c26d1999"]},
"Action":["*"],
"Resource":["examplebucket/*","examplebucket"]
}
]
}</pre>
<p id="obs_40_0041__p27361558140">On OBS Console, resources can be a bucket or objects in the bucket.</p>
<p id="obs_40_0041__p3201152310539">Resources can be specified in either of the following ways:</p>
<ul id="obs_40_0041__ul18201323125311"><li id="obs_40_0041__li1620132355317"><strong id="obs_40_0041__b2172171711917">Include</strong>: Specifies the OBS resources on which the bucket policy takes effect.</li><li id="obs_40_0041__li152011423195316"><strong id="obs_40_0041__b145660221899">Exclude</strong>: Specifies that the bucket policy takes effect on all OBS resources except the specified ones.</li></ul>
<p id="obs_40_0041__p4748115711511"><strong id="obs_40_0041__b1421592619112">Specifying the bucket as the resource</strong></p>
<p id="obs_40_0041__p7692111610414">To specify the current bucket as the resource, keep the resource text box empty. When configuring actions for the policy, select bucket-related actions.</p>
<p id="obs_40_0041__p1858224595420"><strong id="obs_40_0041__b1211925451115">Specifying objects as the resources</strong></p>
<p id="obs_40_0041__p1020118236532">When objects in a bucket are specified as the resources, configure object-related actions in the bucket policy. The following are examples of how to specify objects as resources.</p>
<ul id="obs_40_0041__ul1620119232537"><li id="obs_40_0041__li72011823155312">For an object, enter the object name (including its folder name if any). For example, if the specified resource is the <strong id="obs_40_0041__b0225719165314">example.jpg</strong> file in the <strong id="obs_40_0041__b112321919185319">imgs-folder</strong> folder in the bucket, enter the following content in the resource text box:<p id="obs_40_0041__p182671834115620"><strong id="obs_40_0041__b11371825121318">imgs-folder/example.jpg</strong></p>
</li><li id="obs_40_0041__li8201623115313">For an object set, the wildcard asterisk (*) should be used. The asterisk (*) indicates an empty string or any combination of multiple characters. The format rules are as follows:<ul id="obs_40_0041__ul15201192315537"><li id="obs_40_0041__li1220282315531">Use only one asterisk (*) to indicate all objects in a bucket.</li><li id="obs_40_0041__li52024233535">Use <em id="obs_40_0041__i1072152911147">Object name prefix</em>* to indicate objects starting with this prefix in a bucket. Example:<p id="obs_40_0041__p148641724165711">imgs*</p>
</li></ul>
<ul id="obs_40_0041__ul1520213232535"><li id="obs_40_0041__li7202112335317">Use *<em id="obs_40_0041__i373552281518">Object name suffix</em> to indicate objects ending with this suffix in a bucket. Example:<p id="obs_40_0041__p19330184135712">*.jpg</p>
</li></ul>
</li></ul>
<div class="note" id="obs_40_0041__note1484124911416"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="obs_40_0041__p11485104918419">Use commas (,) to separate one object (or object set) from another.</p>
</div></div>
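<p>The matching rules above, as an added Python example that is not part of the OBS documentation: it uses the API form <em>bucketname/objectname</em>, treats the asterisk as an empty string or any combination of characters (so it also crosses "/"), and applies <strong>Resource</strong> as Include and <strong>NotResource</strong> as Exclude. The function names and the sample statements and object names are constructed for illustration.</p>

```python
import re


def wildcard_match(pattern, text):
    """'*' stands for an empty string or any run of characters, '/' included."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, text, re.DOTALL) is not None


def statement_covers(statement, bucket, key=None):
    """True if the statement selects the bucket itself (key=None) or bucket/key."""
    target = bucket if key is None else f"{bucket}/{key}"
    exclude = "NotResource" in statement
    listed = statement["NotResource"] if exclude else statement["Resource"]
    patterns = [listed] if isinstance(listed, str) else listed
    hit = any(wildcard_match(p, target) for p in patterns)
    # NotResource (Exclude) selects everything except the listed resources.
    return hit != exclude


def reachable_keys(statement, bucket, keys):
    """Object names from `keys` that the statement's resource list selects."""
    return [k for k in keys if statement_covers(statement, bucket, k)]


# Resource value taken from the example policy on this page.
PAGE_STATEMENT = {"Resource": ["examplebucket/*", "examplebucket"]}
# Constructed statements and object names, for illustration only.
OBJECTS_ONLY = {"Resource": "examplebucket/*"}
PREFIX_ONLY = {"Resource": ["examplebucket/imgs*"]}
SUFFIX_ONLY = {"Resource": ["examplebucket/*.jpg"]}
ALL_BUT_IMGS = {"NotResource": ["examplebucket/imgs-folder/*"]}
KEYS = ["imgs-folder/example.jpg", "imgs-private/key.pem",
        "docs/report.jpg", "docs/readme.txt"]

if __name__ == "__main__":
    for name, stmt in [("page", PAGE_STATEMENT), ("objects-only", OBJECTS_ONLY),
                       ("imgs*", PREFIX_ONLY), ("*.jpg", SUFFIX_ONLY),
                       ("NotResource", ALL_BUT_IMGS)]:
        print(f"{name:13} bucket={statement_covers(stmt, 'examplebucket')!s:5} "
              f"objects={reachable_keys(stmt, 'examplebucket', KEYS)}")
```

<p>A prefix pattern such as <em>imgs*</em> also selects <em>imgs-private/key.pem</em>, and <em>"examplebucket/*"</em> on its own does not select the bucket, which is why the page's policy lists both entries.</p>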
<div class="section" id="obs_40_0041__en-us_topic_0118394684_section14714311143713"><h4 class="sectiontitle">Condition</h4><p id="obs_40_0041__p175010131315">In addition to the effect, principal, resources, and actions, you can also specify the conditions under which a bucket policy takes effect. The bucket policy takes effect only when its condition expressions match values contained in the request. Conditions are optional. You can choose whether to configure them.</p>
<p id="obs_40_0041__p192962645715">For example, if account A needs to have full control over an object uploaded by account B to bucket <strong id="obs_40_0041__b2620845181819">example</strong> of account A, the <strong id="obs_40_0041__b156201545111820">x-obs-acl</strong> key must be specified in the upload request and the policy effect must be set to <strong id="obs_40_0041__b56209452185">Allow</strong> for account A. The complete condition expression is as follows:</p>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="obs_40_0041__table4665122635716" frame="border" border="1" rules="all"><thead align="left"><tr id="obs_40_0041__row18929192605713"><th align="left" class="cellrowborder" valign="top" width="26.529999999999998%" id="mcps1.3.40.4.1.4.1.1"><p id="obs_40_0041__p1692982625718">Conditional Operator</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="35.709999999999994%" id="mcps1.3.40.4.1.4.1.2"><p id="obs_40_0041__p1192982612571">Key</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="37.76%" id="mcps1.3.40.4.1.4.1.3"><p id="obs_40_0041__p792920265579">Value</p>
</th>
</tr>
</thead>
<tbody><tr id="obs_40_0041__row1793012695713"><td class="cellrowborder" valign="top" width="26.529999999999998%" headers="mcps1.3.40.4.1.4.1.1 "><p id="obs_40_0041__p09301626135716">StringEquals</p>
</td>
<td class="cellrowborder" valign="top" width="35.709999999999994%" headers="mcps1.3.40.4.1.4.1.2 "><p id="obs_40_0041__p12930192616574">x-obs-acl</p>
</td>
<td class="cellrowborder" valign="top" width="37.76%" headers="mcps1.3.40.4.1.4.1.3 "><p id="obs_40_0041__p693019269573">bucket-owner-full-control</p>
</td>
</tr>
</tbody>
</table>
</div>
<p id="obs_40_0041__p2093052665712">A condition consists of three parts: conditional operator, key, and value. If the same key appears more than once under the same conditional operator, only the last occurrence is retained. The conditional operator and the key restrict each other:</p>
<ul id="obs_40_0041__ul2928191410501"><li id="obs_40_0041__li9928101465017">If you select a conditional operator of the string type, for example, <strong id="obs_40_0041__b660422315264">StringEquals</strong>, the key can only be of the string type, for example, <strong id="obs_40_0041__b96048233266">UserAgent</strong>.</li><li id="obs_40_0041__li916352425717">Likewise, if a key of the date type is selected, for example, <strong id="obs_40_0041__b1099219434321">CurrentTime</strong>, the conditional operator can only be of the date type, for example, <strong id="obs_40_0041__b1199314318327">DateEquals</strong>.</li></ul>
<p id="obs_40_0041__p91971956124516"><a href="#obs_40_0041__en-us_topic_0118394684_table18965458">Table 4</a> lists the general condition types that you can specify.</p>
</div>
<div class="tablenoborder"><a name="obs_40_0041__en-us_topic_0118394684_table18965458"></a><a name="en-us_topic_0118394684_table18965458"></a><table cellpadding="4" cellspacing="0" summary="" id="obs_40_0041__en-us_topic_0118394684_table18965458" frame="border" border="1" rules="all"><caption><b>Table 4 </b>Conditional operators</caption><thead align="left"><tr id="obs_40_0041__en-us_topic_0118394684_row16641116"><th align="left" class="cellrowborder" valign="top" width="14.29%" id="mcps1.3.41.2.4.1.1"><p id="obs_40_0041__en-us_topic_0118394684_p5753193">Type</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="35.709999999999994%" id="mcps1.3.41.2.4.1.2"><p id="obs_40_0041__en-us_topic_0118394684_p33328392">Element</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="50%" id="mcps1.3.41.2.4.1.3"><p id="obs_40_0041__en-us_topic_0118394684_p2989297">Description</p>
</th>
</tr>
</thead>
<tbody><tr id="obs_40_0041__en-us_topic_0118394684_row31714287"><td class="cellrowborder" rowspan="6" valign="top" width="14.29%" headers="mcps1.3.41.2.4.1.1 "><p id="obs_40_0041__en-us_topic_0118394684_p18720486">String</p>
</td>
<td class="cellrowborder" valign="top" width="35.709999999999994%" headers="mcps1.3.41.2.4.1.2 "><p id="obs_40_0041__en-us_topic_0118394684_p39964360">StringEquals</p>
</td>
<td class="cellrowborder" valign="top" width="50%" headers="mcps1.3.41.2.4.1.3 "><p id="obs_40_0041__en-us_topic_0118394684_p15887743">Strict matching. Short version: streq</p>
</td>
</tr>
<tr id="obs_40_0041__en-us_topic_0118394684_row8771966"><td class="cellrowborder" valign="top" headers="mcps1.3.41.2.4.1.1 "><p id="obs_40_0041__en-us_topic_0118394684_p39440655">StringNotEquals</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.41.2.4.1.2 "><p id="obs_40_0041__en-us_topic_0118394684_p40576488">Strict negated matching. Short version: strneq</p>
</td>
</tr>
<tr id="obs_40_0041__en-us_topic_0118394684_row29644080"><td class="cellrowborder" valign="top" headers="mcps1.3.41.2.4.1.1 "><p id="obs_40_0041__en-us_topic_0118394684_p52360265">StringEqualsIgnoreCase</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.41.2.4.1.2 "><p id="obs_40_0041__en-us_topic_0118394684_p13323071">Strict matching, ignoring case. Short version: streqi</p>
</td>
</tr>
<tr id="obs_40_0041__en-us_topic_0118394684_row52798776"><td class="cellrowborder" valign="top" headers="mcps1.3.41.2.4.1.1 "><p id="obs_40_0041__en-us_topic_0118394684_p48842435">StringNotEqualsIgnoreCase</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.41.2.4.1.2 "><p id="obs_40_0041__en-us_topic_0118394684_p63923167">Strict negated matching, ignoring case. Short version: strneqi</p>
</td>
</tr>
<tr id="obs_40_0041__en-us_topic_0118394684_row38437595"><td class="cellrowborder" valign="top" headers="mcps1.3.41.2.4.1.1 "><p id="obs_40_0041__en-us_topic_0118394684_p26437458">StringLike</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.41.2.4.1.2 "><p id="obs_40_0041__en-us_topic_0118394684_p61059374">Loose case-sensitive matching. The values can include a multi-character match wildcard (*) or a single-character match wildcard (?) anywhere in the string. Short version: strl</p>
</td>
</tr>
<tr id="obs_40_0041__en-us_topic_0118394684_row12663462"><td class="cellrowborder" valign="top" headers="mcps1.3.41.2.4.1.1 "><p id="obs_40_0041__en-us_topic_0118394684_p19107476">StringNotLike</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.41.2.4.1.2 "><p id="obs_40_0041__en-us_topic_0118394684_p4201690">Negated loose case-sensitive matching. The values can include a multi-character match wildcard (*) or a single-character match wildcard (?) anywhere in the string. Short version: strnl</p>
</td>
</tr>
<tr id="obs_40_0041__en-us_topic_0118394684_row37815214"><td class="cellrowborder" rowspan="6" valign="top" width="14.29%" headers="mcps1.3.41.2.4.1.1 "><p id="obs_40_0041__en-us_topic_0118394684_p43133484">Numeric</p>
</td>
<td class="cellrowborder" valign="top" width="35.709999999999994%" headers="mcps1.3.41.2.4.1.2 "><p id="obs_40_0041__en-us_topic_0118394684_p4151319">NumericEquals</p>
</td>
<td class="cellrowborder" valign="top" width="50%" headers="mcps1.3.41.2.4.1.3 "><p id="obs_40_0041__en-us_topic_0118394684_p712534">Strict matching. Short version: numeq</p>
<p id="obs_40_0041__p4564172263319"><strong id="obs_40_0041__b13935193711456">Numeric</strong> indicates a data type expressed in numbers.</p>
</td>
</tr>
<tr id="obs_40_0041__en-us_topic_0118394684_row6412809"><td class="cellrowborder" valign="top" headers="mcps1.3.41.2.4.1.1 "><p id="obs_40_0041__en-us_topic_0118394684_p49675490">NumericNotEquals</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.41.2.4.1.2 "><p id="obs_40_0041__en-us_topic_0118394684_p64291715">Strict negated matching. Short version: numneq</p>
</td>
</tr>
<tr id="obs_40_0041__en-us_topic_0118394684_row41754526"><td class="cellrowborder" valign="top" headers="mcps1.3.41.2.4.1.1 "><p id="obs_40_0041__en-us_topic_0118394684_p26673471">NumericLessThan</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.41.2.4.1.2 "><p id="obs_40_0041__en-us_topic_0118394684_p13067581">"Less than" matching. Short version: numlt</p>
</td>
</tr>
<tr id="obs_40_0041__en-us_topic_0118394684_row50499370"><td class="cellrowborder" valign="top" headers="mcps1.3.41.2.4.1.1 "><p id="obs_40_0041__en-us_topic_0118394684_p63917182">NumericLessThanEquals</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.41.2.4.1.2 "><p id="obs_40_0041__en-us_topic_0118394684_p9909217">"Less than or equals" matching. Short version: numlteq</p>
</td>
</tr>
<tr id="obs_40_0041__en-us_topic_0118394684_row22074097"><td class="cellrowborder" valign="top" headers="mcps1.3.41.2.4.1.1 "><p id="obs_40_0041__en-us_topic_0118394684_p43171441">NumericGreaterThan</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.41.2.4.1.2 "><p id="obs_40_0041__en-us_topic_0118394684_p7225813">"Greater than" matching. Short version: numgt</p>
</td>
</tr>
<tr id="obs_40_0041__en-us_topic_0118394684_row65032320"><td class="cellrowborder" valign="top" headers="mcps1.3.41.2.4.1.1 "><p id="obs_40_0041__en-us_topic_0118394684_p33126582">NumericGreaterThanEquals</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.41.2.4.1.2 "><p id="obs_40_0041__en-us_topic_0118394684_p66007492">"Greater than or equals" matching. Short version: numgteq</p>
</td>
</tr>
<tr id="obs_40_0041__en-us_topic_0118394684_row57196524"><td class="cellrowborder" rowspan="6" valign="top" width="14.29%" headers="mcps1.3.41.2.4.1.1 "><p id="obs_40_0041__en-us_topic_0118394684_p2406899">Date</p>
</td>
<td class="cellrowborder" valign="top" width="35.709999999999994%" headers="mcps1.3.41.2.4.1.2 "><p id="obs_40_0041__en-us_topic_0118394684_p60741093">DateEquals</p>
</td>
<td class="cellrowborder" valign="top" width="50%" headers="mcps1.3.41.2.4.1.3 "><p id="obs_40_0041__en-us_topic_0118394684_p21081516">Strict matching. Short version: dateeq</p>
</td>
</tr>
<tr id="obs_40_0041__en-us_topic_0118394684_row55515923"><td class="cellrowborder" valign="top" headers="mcps1.3.41.2.4.1.1 "><p id="obs_40_0041__en-us_topic_0118394684_p495924">DateNotEquals</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.41.2.4.1.2 "><p id="obs_40_0041__en-us_topic_0118394684_p40169885">Strict negated matching. Short version: dateneq</p>
</td>
</tr>
<tr id="obs_40_0041__en-us_topic_0118394684_row25984653"><td class="cellrowborder" valign="top" headers="mcps1.3.41.2.4.1.1 "><p id="obs_40_0041__en-us_topic_0118394684_p24382134">DateLessThan</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.41.2.4.1.2 "><p id="obs_40_0041__en-us_topic_0118394684_p28795836">Indicates that the date is earlier than a specific date. Short version: datelt</p>
</td>
</tr>
<tr id="obs_40_0041__en-us_topic_0118394684_row57835933"><td class="cellrowborder" valign="top" headers="mcps1.3.41.2.4.1.1 "><p id="obs_40_0041__en-us_topic_0118394684_p54198968">DateLessThanEquals</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.41.2.4.1.2 "><p id="obs_40_0041__en-us_topic_0118394684_p28040292">Indicates that the date is earlier than or equal to a specific date. Short version: datelteq</p>
</td>
</tr>
<tr id="obs_40_0041__en-us_topic_0118394684_row51036040"><td class="cellrowborder" valign="top" headers="mcps1.3.41.2.4.1.1 "><p id="obs_40_0041__en-us_topic_0118394684_p40278543">DateGreaterThan</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.41.2.4.1.2 "><p id="obs_40_0041__en-us_topic_0118394684_p41336571">Indicates that the date is later than a specific date. Short version: dategt</p>
</td>
</tr>
<tr id="obs_40_0041__en-us_topic_0118394684_row36484827"><td class="cellrowborder" valign="top" headers="mcps1.3.41.2.4.1.1 "><p id="obs_40_0041__en-us_topic_0118394684_p2480985">DateGreaterThanEquals</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.41.2.4.1.2 "><p id="obs_40_0041__en-us_topic_0118394684_p66742063">Indicates that the date is later than or equal to a specific date. Short version: dategteq</p>
</td>
</tr>
<tr id="obs_40_0041__en-us_topic_0118394684_row63807659"><td class="cellrowborder" valign="top" width="14.29%" headers="mcps1.3.41.2.4.1.1 "><p id="obs_40_0041__en-us_topic_0118394684_p1037881">Boolean</p>
</td>
<td class="cellrowborder" valign="top" width="35.709999999999994%" headers="mcps1.3.41.2.4.1.2 "><p id="obs_40_0041__en-us_topic_0118394684_p16959540">Bool</p>
</td>
<td class="cellrowborder" valign="top" width="50%" headers="mcps1.3.41.2.4.1.3 "><p id="obs_40_0041__en-us_topic_0118394684_p31545475">Strict Boolean matching</p>
</td>
</tr>
<tr id="obs_40_0041__en-us_topic_0118394684_row15473822"><td class="cellrowborder" rowspan="2" valign="top" width="14.29%" headers="mcps1.3.41.2.4.1.1 "><p id="obs_40_0041__en-us_topic_0118394684_p45420039">IP address</p>
</td>
<td class="cellrowborder" valign="top" width="35.709999999999994%" headers="mcps1.3.41.2.4.1.2 "><p id="obs_40_0041__en-us_topic_0118394684_p55144504">IpAddress</p>
</td>
<td class="cellrowborder" valign="top" width="50%" headers="mcps1.3.41.2.4.1.3 "><p id="obs_40_0041__en-us_topic_0118394684_p37519834">Specified IP address or IP address range</p>
</td>
</tr>
<tr id="obs_40_0041__en-us_topic_0118394684_row2134188"><td class="cellrowborder" valign="top" headers="mcps1.3.41.2.4.1.1 "><p id="obs_40_0041__en-us_topic_0118394684_p38651578">NotIpAddress</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.41.2.4.1.2 "><p id="obs_40_0041__en-us_topic_0118394684_p43770124">All IP addresses excluding the specified IP address or IP address range</p>
</td>
</tr>
</tbody>
</table>
</div>
<div class="note" id="obs_40_0041__en-us_topic_0118394684_note58386803"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p class="text" id="obs_40_0041__en-us_topic_0118394684_p55719179">Elements in a condition are case sensitive. The date format complies with the ISO 8601 standard, for example, <strong id="obs_40_0041__b54758891817">2015-07-01T12:00:00Z</strong>.</p>
</div></div>
<p class="msonormal" id="obs_40_0041__en-us_topic_0118394684_p15551392">Each condition can contain multiple key-value pairs. The <strong id="obs_40_0041__b12341145713425">Condition</strong> combination in the following example indicates that the request time ranges from <strong id="obs_40_0041__b10341115774215">2015-07-01T12:00:00Z</strong> to <strong id="obs_40_0041__b143411757194214">2018-04-16T15:00:00Z</strong> and the request IP address range is <strong id="obs_40_0041__b1434195718423">192.168.176.0/24</strong> or <strong id="obs_40_0041__b1734275720421">192.168.143.0/24</strong>.</p>
<pre class="screen" id="obs_40_0041__en-us_topic_0118394684_screen23965442">"Condition" : {
"DateGreaterThan" : {
"CurrentTime" : "2015-07-01T12:00:00Z"
},
"DateLessThan": {
"CurrentTime" : "2018-04-16T15:00:00Z"
},
"IpAddress" : {
"SourceIp" : ["192.168.176.0/24","192.168.143.0/24"]
}
}</pre>
<p class="msonormal" id="obs_40_0041__en-us_topic_0118394684_p14362392">Keys in a condition can be classified into three types: general keys, keys related to bucket actions, and keys related to object actions.</p>
<p class="msonormal" id="obs_40_0041__en-us_topic_0118394684_p62152665">The following table lists the keys that are not related to actions.</p>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="obs_40_0041__table6707152645718" frame="border" border="1" rules="all"><caption><b>Table 5 </b>General keys</caption><thead align="left"><tr id="obs_40_0041__row1935926135711"><th align="left" class="cellrowborder" valign="top" width="24%" id="mcps1.3.47.2.4.1.1"><p id="obs_40_0041__p1793592611576">Key</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="28.000000000000004%" id="mcps1.3.47.2.4.1.2"><p id="obs_40_0041__p793514267571">Type</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="48%" id="mcps1.3.47.2.4.1.3"><p id="obs_40_0041__p3935122615719">Description</p>
</th>
</tr>
</thead>
<tbody><tr id="obs_40_0041__row3935172613579"><td class="cellrowborder" valign="top" width="24%" headers="mcps1.3.47.2.4.1.1 "><p id="obs_40_0041__p89351926115716">CurrentTime</p>
</td>
<td class="cellrowborder" valign="top" width="28.000000000000004%" headers="mcps1.3.47.2.4.1.2 "><p id="obs_40_0041__p8935226155711">Date</p>
</td>
<td class="cellrowborder" valign="top" width="48%" headers="mcps1.3.47.2.4.1.3 "><p id="obs_40_0041__p129353268579">Indicates the date when the request is received by the server. The date format must comply with ISO 8601.</p>
</td>
</tr>
<tr id="obs_40_0041__row99361826135711"><td class="cellrowborder" valign="top" width="24%" headers="mcps1.3.47.2.4.1.1 "><p id="obs_40_0041__p893662675713">EpochTime</p>
</td>
<td class="cellrowborder" valign="top" width="28.000000000000004%" headers="mcps1.3.47.2.4.1.2 "><p id="obs_40_0041__p17936626155716">Numeric</p>
</td>
<td class="cellrowborder" valign="top" width="48%" headers="mcps1.3.47.2.4.1.3 "><p id="obs_40_0041__p893610266576">Indicates the time when the request is received by the server, which is expressed as seconds since 1970.01.01 00:00:00 UTC, regardless of the leap seconds.</p>
</td>
</tr>
<tr id="obs_40_0041__row159361226145714"><td class="cellrowborder" valign="top" width="24%" headers="mcps1.3.47.2.4.1.1 "><p id="obs_40_0041__p893692618570">SecureTransport</p>
</td>
<td class="cellrowborder" valign="top" width="28.000000000000004%" headers="mcps1.3.47.2.4.1.2 "><p id="obs_40_0041__p4936182635719">Bool</p>
</td>
<td class="cellrowborder" valign="top" width="48%" headers="mcps1.3.47.2.4.1.3 "><p id="obs_40_0041__p1936172613574">Indicates whether requests are encrypted using SSL.</p>
</td>
</tr>
<tr id="obs_40_0041__row1936326155719"><td class="cellrowborder" valign="top" width="24%" headers="mcps1.3.47.2.4.1.1 "><p id="obs_40_0041__p1693616267579">SourceIp</p>
</td>
<td class="cellrowborder" valign="top" width="28.000000000000004%" headers="mcps1.3.47.2.4.1.2 "><p id="obs_40_0041__p1993652625717">IP address</p>
</td>
<td class="cellrowborder" valign="top" width="48%" headers="mcps1.3.47.2.4.1.3 "><p id="obs_40_0041__p1693692615716">Source IP address from which the request is sent</p>
</td>
</tr>
<tr id="obs_40_0041__row1193652695714"><td class="cellrowborder" valign="top" width="24%" headers="mcps1.3.47.2.4.1.1 "><p id="obs_40_0041__p129361426125712">UserAgent</p>
</td>
<td class="cellrowborder" valign="top" width="28.000000000000004%" headers="mcps1.3.47.2.4.1.2 "><p id="obs_40_0041__p393662612574">String</p>
</td>
<td class="cellrowborder" valign="top" width="48%" headers="mcps1.3.47.2.4.1.3 "><p id="obs_40_0041__p159364265574">Client software agent that sent the request</p>
</td>
</tr>
<tr id="obs_40_0041__row293620261576"><td class="cellrowborder" valign="top" width="24%" headers="mcps1.3.47.2.4.1.1 "><p id="obs_40_0041__p493602675716">Referer</p>
</td>
<td class="cellrowborder" valign="top" width="28.000000000000004%" headers="mcps1.3.47.2.4.1.2 "><p id="obs_40_0041__p14936172685719">String</p>
</td>
<td class="cellrowborder" valign="top" width="48%" headers="mcps1.3.47.2.4.1.3 "><p id="obs_40_0041__p893617261578">Indicates the link from which the request is sent.</p>
</td>
</tr>
</tbody>
</table>
</div>
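<p>An added Python example (not OBS code) that checks a <strong>Condition</strong> block offline: it reports duplicate keys, of which only the last is retained, flags operator/key type mismatches for the general keys in Table 5, and evaluates the <strong>Condition</strong> example shown earlier against a request. The function names are hypothetical; the example assumes that a key missing from the request fails the condition and that dates use the <strong>2015-07-01T12:00:00Z</strong> form.</p>

```python
import ipaddress
import json
import re
from datetime import datetime, timezone

# Operator types (Table 4) and general key types (Table 5) as listed on this page.
# The short operator names (streq, numlt, ...) are not handled here.
_ORDER = ("Equals", "NotEquals", "LessThan", "LessThanEquals",
          "GreaterThan", "GreaterThanEquals")
_STRING = ("Equals", "NotEquals", "EqualsIgnoreCase", "NotEqualsIgnoreCase",
           "Like", "NotLike")
OPERATOR_TYPE = {"Bool": "Bool", "IpAddress": "IP address", "NotIpAddress": "IP address"}
OPERATOR_TYPE.update({"String" + s: "String" for s in _STRING})
OPERATOR_TYPE.update({kind + s: kind for kind in ("Numeric", "Date") for s in _ORDER})
KEY_TYPE = {"CurrentTime": "Date", "EpochTime": "Numeric", "SecureTransport": "Bool",
            "SourceIp": "IP address", "UserAgent": "String", "Referer": "String"}
# A negated operator is evaluated as "not (positive operator)", e.g. NotIpAddress.
NEGATED = {op: op.replace("Not", "", 1) for op in OPERATOR_TYPE if "Not" in op}


def load_reporting_duplicates(text):
    """Parse JSON and list keys repeated inside one object (only the last is kept)."""
    dropped = []

    def hook(pairs):
        seen = {}
        for key, value in pairs:
            if key in seen:
                dropped.append(key)
            seen[key] = value
        return seen

    return json.loads(text, object_pairs_hook=hook), dropped


def lint_condition(condition):
    """Report unknown operators and operator/key type mismatches (general keys only)."""
    problems = []
    for op, pairs in condition.items():
        if op not in OPERATOR_TYPE:
            problems.append(f"{op}: unknown conditional operator")
            continue
        for key in pairs:
            key_type = KEY_TYPE.get(key)  # action-specific keys are not checked
            if key_type and key_type != OPERATOR_TYPE[op]:
                problems.append(f"{op}/{key}: operator type {OPERATOR_TYPE[op]}, "
                                f"key type {key_type}")
    return problems


def _parse_date(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _like(pattern, value):
    """'*' matches any run of characters, '?' matches exactly one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value, re.DOTALL) is not None


def _compare(op, actual, expected):
    """Evaluate one positive operator against one expected value."""
    kind = OPERATOR_TYPE[op]
    if kind == "String":
        if op == "StringLike":
            return _like(expected, actual)
        if op == "StringEqualsIgnoreCase":
            return actual.lower() == expected.lower()
        return actual == expected
    if kind == "IP address":
        return ipaddress.ip_address(actual) in ipaddress.ip_network(expected, strict=False)
    if kind == "Bool":
        return str(actual).lower() == str(expected).lower()
    convert = _parse_date if kind == "Date" else float
    a, e = convert(actual), convert(expected)
    return {"Equals": a == e, "LessThan": a < e, "LessThanEquals": a <= e,
            "GreaterThan": a > e, "GreaterThanEquals": a >= e}[op[len(kind):]]


def condition_matches(condition, request):
    """Every operator/key pair must match (AND); a list of values matches if any does.
    Assumption of this example: a key missing from the request fails the condition."""
    for op, pairs in condition.items():
        positive = NEGATED.get(op, op)
        for key, expected in pairs.items():
            if key not in request:
                return False
            values = expected if isinstance(expected, list) else [expected]
            hit = any(_compare(positive, request[key], v) for v in values)
            if hit == (op in NEGATED):
                return False
    return True


# The Condition example from this page; the requests in the test are constructed.
PAGE_CONDITION, PAGE_DUPLICATES = load_reporting_duplicates("""{
  "DateGreaterThan": {"CurrentTime": "2015-07-01T12:00:00Z"},
  "DateLessThan": {"CurrentTime": "2018-04-16T15:00:00Z"},
  "IpAddress": {"SourceIp": ["192.168.176.0/24", "192.168.143.0/24"]}
}""")
```

<p>To allow several values for one key, put them in a single list as the page's <strong>SourceIp</strong> example does; repeating the key leaves only the last value in force.</p>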
<p class="msonormal" id="obs_40_0041__en-us_topic_0118394684_p24480756">Some keys in a condition can be used only with specific actions. The following tables list the mapping between actions and the keys in a condition.</p>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="obs_40_0041__table1972610267573" frame="border" border="1" rules="all"><caption><b>Table 6 </b>Keys related to bucket actions</caption><thead align="left"><tr id="obs_40_0041__row6936152645711"><th align="left" class="cellrowborder" valign="top" width="19.608039196080394%" id="mcps1.3.49.2.5.1.1"><p id="obs_40_0041__p8937726175712">Action</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="14.788521147885211%" id="mcps1.3.49.2.5.1.2"><p id="obs_40_0041__p9937182635715">Optional Key</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="43.05569443055695%" id="mcps1.3.49.2.5.1.3"><p id="obs_40_0041__p10937826175712">Description</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="22.547745225477453%" id="mcps1.3.49.2.5.1.4"><p id="obs_40_0041__p1096873771416">Remarks</p>
</th>
</tr>
</thead>
<tbody><tr id="obs_40_0041__row593712616576"><td class="cellrowborder" rowspan="3" valign="top" width="19.608039196080394%" headers="mcps1.3.49.2.5.1.1 "><p id="obs_40_0041__p59379267576">ListBucket</p>
</td>
<td class="cellrowborder" valign="top" width="14.788521147885211%" headers="mcps1.3.49.2.5.1.2 "><p id="obs_40_0041__p13937182675716">prefix</p>
</td>
<td class="cellrowborder" valign="top" width="43.05569443055695%" headers="mcps1.3.49.2.5.1.3 "><p id="obs_40_0041__p9937926155719">Type: String. Lists objects that begin with the specified prefix.</p>
</td>
<td class="cellrowborder" rowspan="6" valign="top" width="22.547745225477453%" headers="mcps1.3.49.2.5.1.4 "><p id="obs_40_0041__p175983818155">If <strong id="obs_40_0041__b4319102110504">prefix</strong>, <strong id="obs_40_0041__b15319182112508">delimiter</strong>, and <strong id="obs_40_0041__b13320202135016">max-keys</strong> are configured, the key-value pair meeting the conditions must be specified in the List operation for the bucket policy to take effect.</p>
<p id="obs_40_0041__p153725312183">For example, if a bucket policy (with the conditional operator set to <strong id="obs_40_0041__b517832711178">NumericEquals</strong>, the key to <strong id="obs_40_0041__b41841527191712">max-keys</strong>, and the value to <strong id="obs_40_0041__b2018412713176">100</strong>) that allows anonymous users to read data is configured for a bucket, the anonymous users must add <strong id="obs_40_0041__b01677330176">?max-keys=100</strong> to the end of the bucket domain name for listing objects. The listed objects are the first 100 objects in alphabetic order.</p>
</td>
</tr>
<tr id="obs_40_0041__row993792685715"><td class="cellrowborder" valign="top" headers="mcps1.3.49.2.5.1.1 "><p id="obs_40_0041__p69371126115716">delimiter</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.49.2.5.1.2 "><p id="obs_40_0041__p7937172675719">Type: String. Groups objects in a bucket.</p>
</td>
</tr>
<tr id="obs_40_0041__row13937226115711"><td class="cellrowborder" valign="top" headers="mcps1.3.49.2.5.1.1 "><p id="obs_40_0041__p293712266579">max-keys</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.49.2.5.1.2 "><p id="obs_40_0041__p2093752619576">Type: Numeric. Sets the maximum number of objects. Returned objects are listed in alphabetic order.</p>
</td>
</tr>
<tr id="obs_40_0041__row8937926195711"><td class="cellrowborder" rowspan="3" valign="top" headers="mcps1.3.49.2.5.1.1 "><p id="obs_40_0041__p393712675711">ListBucketVersions</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.49.2.5.1.2 "><p id="obs_40_0041__p09372264575">prefix</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.49.2.5.1.3 "><p id="obs_40_0041__p693772615577">Type: String. Lists multi-version objects whose name starts with the specified prefix.</p>
</td>
</tr>
<tr id="obs_40_0041__row993715262572"><td class="cellrowborder" valign="top" headers="mcps1.3.49.2.5.1.1 "><p id="obs_40_0041__p119371326175713">delimiter</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.49.2.5.1.2 "><p id="obs_40_0041__p6937162615576">Type: String. Groups objects of different versions in a bucket.</p>
</td>
</tr>
<tr id="obs_40_0041__row693722612571"><td class="cellrowborder" valign="top" headers="mcps1.3.49.2.5.1.1 "><p id="obs_40_0041__p15937326155717">max-keys</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.49.2.5.1.2 "><p id="obs_40_0041__p12938122617571">Type: Numeric. Sets the maximum number of objects. Returned objects are listed in alphabetic order.</p>
</td>
</tr>
<tr id="obs_40_0041__row193842612574"><td class="cellrowborder" valign="top" width="19.608039196080394%" headers="mcps1.3.49.2.5.1.1 "><p id="obs_40_0041__p1793819263575">PutBucketAcl</p>
</td>
<td class="cellrowborder" valign="top" width="14.788521147885211%" headers="mcps1.3.49.2.5.1.2 "><p id="obs_40_0041__p139381226195719">x-obs-acl</p>
</td>
<td class="cellrowborder" valign="top" width="43.05569443055695%" headers="mcps1.3.49.2.5.1.3 "><p id="obs_40_0041__p793892605711">Type: String. Configures the bucket ACL. When modifying a bucket ACL, the request can carry a canned ACL setting in its header. Valid values of a canned ACL setting: <strong id="obs_40_0041__b68479615188">private|public-read|public-read-write|bucketowner-read|log-delivery-write</strong>.</p>
</td>
<td class="cellrowborder" valign="top" width="22.547745225477453%" headers="mcps1.3.49.2.5.1.4 "><p id="obs_40_0041__p9968173791419">None</p>
</td>
</tr>
</tbody>
</table>
</div>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="obs_40_0041__table14742526145718" frame="border" border="1" rules="all"><caption><b>Table 7 </b>Keys related to object actions</caption><thead align="left"><tr id="obs_40_0041__row293802635716"><th align="left" class="cellrowborder" valign="top" width="23.47%" id="mcps1.3.50.2.4.1.1"><p id="obs_40_0041__p99381026135710">Action</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="27.55%" id="mcps1.3.50.2.4.1.2"><p id="obs_40_0041__p2938132618576">Optional Key</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="48.980000000000004%" id="mcps1.3.50.2.4.1.3"><p id="obs_40_0041__p19938726175710">Description</p>
</th>
</tr>
</thead>
<tbody><tr id="obs_40_0041__row19939182618579"><td class="cellrowborder" rowspan="4" valign="top" width="23.47%" headers="mcps1.3.50.2.4.1.1 "><p id="obs_40_0041__p893942695710">PutObject</p>
</td>
<td class="cellrowborder" valign="top" width="27.55%" headers="mcps1.3.50.2.4.1.2 "><p id="obs_40_0041__p493902613571">x-obs-acl</p>
</td>
<td class="cellrowborder" valign="top" width="48.980000000000004%" headers="mcps1.3.50.2.4.1.3 "><p id="obs_40_0041__p861813885512">Type: String. Configures the object ACL. When uploading an object, the request can carry a canned ACL setting in its header. Valid values of a canned ACL setting: <strong id="obs_40_0041__b7231133602115">private|public-read|public-read-write|bucketowner-read|bucket-owner-full-control|log-delivery-write</strong>.</p>
</td>
</tr>
<tr id="obs_40_0041__row293932619571"><td class="cellrowborder" valign="top" headers="mcps1.3.50.2.4.1.1 "><p id="obs_40_0041__p19391026155720">x-obs-copy-source</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.50.2.4.1.2 "><p id="obs_40_0041__p393942620578">Type: String. Specifies names of the source bucket and the source object. Format: <strong id="obs_40_0041__b203521941102120">/</strong><em id="obs_40_0041__i10352341152119">bucketname</em><strong id="obs_40_0041__b163532418219">/</strong><em id="obs_40_0041__i14353174117217">keyname</em></p>
</td>
</tr>
<tr id="obs_40_0041__row3939626125711"><td class="cellrowborder" valign="top" headers="mcps1.3.50.2.4.1.1 "><p id="obs_40_0041__p15939726165718">x-obs-metadata-directive</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.50.2.4.1.2 "><p id="obs_40_0041__p1293962614575">Type: String. Specifies whether to copy the metadata from the source object or replace with the metadata in the request. The value can be <strong id="obs_40_0041__b479062416226">COPY</strong> or <strong id="obs_40_0041__b114781926112212">REPLACE</strong>.</p>
</td>
</tr>
<tr id="obs_40_0041__row5806457133513"><td class="cellrowborder" valign="top" headers="mcps1.3.50.2.4.1.1 "><p id="obs_40_0041__p69702319365">x-obs-server-side-encryption</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.50.2.4.1.2 "><p id="obs_40_0041__p2888164583617">Type: String. Specifies that objects in a bucket are encrypted using SSE-KMS before they are stored. The value is <strong id="obs_40_0041__b115461010912">kms</strong>.</p>
</td>
</tr>
<tr id="obs_40_0041__row159391126185711"><td class="cellrowborder" valign="top" width="23.47%" headers="mcps1.3.50.2.4.1.1 "><p id="obs_40_0041__p6939202611579">PutObjectAcl</p>
</td>
<td class="cellrowborder" valign="top" width="27.55%" headers="mcps1.3.50.2.4.1.2 "><p id="obs_40_0041__p293992675713">x-obs-acl</p>
</td>
<td class="cellrowborder" valign="top" width="48.980000000000004%" headers="mcps1.3.50.2.4.1.3 "><p id="obs_40_0041__p26111442185511">Type: String. Configures the object ACL. When uploading an object, the request can carry a canned ACL setting in its header. Valid values of a canned ACL setting: <strong id="obs_40_0041__b7320154162218">private|public-read|public-read-write|bucketowner-read|bucket-owner-full-control|log-delivery-write</strong>.</p>
</td>
</tr>
<tr id="obs_40_0041__row14939172645713"><td class="cellrowborder" valign="top" width="23.47%" headers="mcps1.3.50.2.4.1.1 "><p id="obs_40_0041__p16939142613573">GetObjectVersion</p>
</td>
<td class="cellrowborder" valign="top" width="27.55%" headers="mcps1.3.50.2.4.1.2 "><p id="obs_40_0041__p1294002655714">versionId</p>
</td>
<td class="cellrowborder" valign="top" width="48.980000000000004%" headers="mcps1.3.50.2.4.1.3 "><p id="obs_40_0041__p1494016264579">Type: String. Obtains the object with the specified version ID.</p>
</td>
</tr>
<tr id="obs_40_0041__row19940172645714"><td class="cellrowborder" valign="top" width="23.47%" headers="mcps1.3.50.2.4.1.1 "><p id="obs_40_0041__p2094002613577">GetObjectVersionAcl</p>
</td>
<td class="cellrowborder" valign="top" width="27.55%" headers="mcps1.3.50.2.4.1.2 "><p id="obs_40_0041__p14940162685715">versionId</p>
</td>
<td class="cellrowborder" valign="top" width="48.980000000000004%" headers="mcps1.3.50.2.4.1.3 "><p id="obs_40_0041__p13940192615574">Type: String. Obtains the ACL of the object with the specified version ID.</p>
</td>
</tr>
<tr id="obs_40_0041__row99401326105715"><td class="cellrowborder" rowspan="2" valign="top" width="23.47%" headers="mcps1.3.50.2.4.1.1 "><p id="obs_40_0041__p994016263575">PutObjectVersionAcl</p>
</td>
<td class="cellrowborder" valign="top" width="27.55%" headers="mcps1.3.50.2.4.1.2 "><p id="obs_40_0041__p7940122655716">versionId</p>
</td>
<td class="cellrowborder" valign="top" width="48.980000000000004%" headers="mcps1.3.50.2.4.1.3 "><p id="obs_40_0041__p1394042615579">Type: String. Specifies a version ID.</p>
</td>
</tr>
<tr id="obs_40_0041__row1794032615574"><td class="cellrowborder" valign="top" headers="mcps1.3.50.2.4.1.1 "><p id="obs_40_0041__p10940162695719">x-obs-acl</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.3.50.2.4.1.2 "><p id="obs_40_0041__p1392195113554">Type: String. Configures the ACL of the object with the specified version ID. When uploading an object, the request can carry a canned ACL setting in its header. Valid values of a canned ACL setting: <strong id="obs_40_0041__b44317503227">private|public-read|public-read-write|bucketowner-read|bucket-owner-full-control|log-delivery-write</strong>.</p>
</td>
</tr>
<tr id="obs_40_0041__row1394092635717"><td class="cellrowborder" valign="top" width="23.47%" headers="mcps1.3.50.2.4.1.1 "><p id="obs_40_0041__p179406267573">DeleteObjectVersion</p>
</td>
<td class="cellrowborder" valign="top" width="27.55%" headers="mcps1.3.50.2.4.1.2 "><p id="obs_40_0041__p16940192615577">versionId</p>
</td>
<td class="cellrowborder" valign="top" width="48.980000000000004%" headers="mcps1.3.50.2.4.1.3 "><p id="obs_40_0041__p13941726185718">Type: String. Deletes the object with the specified version ID.</p>
</td>
</tr>
</tbody>
</table>
</div>
<div class="section" id="obs_40_0041__en-us_topic_0118394684_section10136448"><h4 class="sectiontitle">Policy Permission Judgment Logic</h4><p class="msonormal" id="obs_40_0041__en-us_topic_0118394684_p31906675">Each statement in a policy produces one of three results: <strong id="obs_40_0041__b16117104714314">Explicit Deny</strong>, <strong id="obs_40_0041__b1812344719320">Allow</strong>, or <strong id="obs_40_0041__b5123134712318">Default Deny</strong>. If a bucket policy contains multiple statements, the following rules determine which result prevails:</p>
<p class="msonormal" id="obs_40_0041__en-us_topic_0118394684_p18724620">1. If the conditions in any statement of a policy are not met, the policy yields a default deny result.</p>
<p class="msonormal" id="obs_40_0041__en-us_topic_0118394684_p34303855">2. An explicit deny overrides an allow.</p>
<p class="msonormal" id="obs_40_0041__en-us_topic_0118394684_p40299246">3. An allow overrides a default deny.</p>
<p class="msonormal" id="obs_40_0041__en-us_topic_0118394684_p27148896">4. Statements can be in any order in a policy.</p>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="obs_40_0041__en-us_topic_0118394684_table43013480" frame="border" border="1" rules="all"><caption><b>Table 8 </b>Statement results</caption><thead align="left"><tr id="obs_40_0041__en-us_topic_0118394684_row36198266"><th align="left" class="cellrowborder" valign="top" width="23.23%" id="mcps1.3.51.7.2.3.1.1"><p id="obs_40_0041__en-us_topic_0118394684_p46378471">Result</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="76.77000000000001%" id="mcps1.3.51.7.2.3.1.2"><p id="obs_40_0041__en-us_topic_0118394684_p54147030">Description</p>
</th>
</tr>
</thead>
<tbody><tr id="obs_40_0041__en-us_topic_0118394684_row13173135"><td class="cellrowborder" valign="top" width="23.23%" headers="mcps1.3.51.7.2.3.1.1 "><p id="obs_40_0041__en-us_topic_0118394684_p60391021">explicit deny</p>
</td>
<td class="cellrowborder" valign="top" width="76.77000000000001%" headers="mcps1.3.51.7.2.3.1.2 "><p id="obs_40_0041__en-us_topic_0118394684_p59834572">A statement defines effect="deny". All requests for resources to which the statement applies are denied. No permission is returned.</p>
</td>
</tr>
<tr id="obs_40_0041__en-us_topic_0118394684_row1640244"><td class="cellrowborder" valign="top" width="23.23%" headers="mcps1.3.51.7.2.3.1.1 "><p id="obs_40_0041__en-us_topic_0118394684_p65750902">allow</p>
</td>
<td class="cellrowborder" valign="top" width="76.77000000000001%" headers="mcps1.3.51.7.2.3.1.2 "><p id="obs_40_0041__en-us_topic_0118394684_p24222861">A statement defines effect="allow". All requests for resources to which the statement applies are allowed.</p>
</td>
</tr>
<tr id="obs_40_0041__en-us_topic_0118394684_row16679164"><td class="cellrowborder" valign="top" width="23.23%" headers="mcps1.3.51.7.2.3.1.1 "><p id="obs_40_0041__en-us_topic_0118394684_p8835053">default deny</p>
</td>
<td class="cellrowborder" valign="top" width="76.77000000000001%" headers="mcps1.3.51.7.2.3.1.2 "><p id="obs_40_0041__en-us_topic_0118394684_p44550694">Conditions defined in a statement are not met. Requests are denied.</p>
</td>
</tr>
</tbody>
</table>
</div>
<p class="msonormal" id="obs_40_0041__en-us_topic_0118394684_p14830224">If an ACL and a bucket policy are applied together to an account, an explicit deny in the bucket policy overrides the allow in the ACL.</p>
<p class="msonormal" id="obs_40_0041__en-us_topic_0118394684_p66363158">If a bucket policy and an IAM policy are applied together to an account, an explicit deny overrides the allow, and an allow overrides the default deny.</p>
<p class="msonormal" id="obs_40_0041__en-us_topic_0118394684_p60397511">Objects encrypted on the server side with SSE-KMS do not support cross-tenant authorization through a bucket ACL or bucket policy.</p>
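<p class="msonormal">The judgment rules above, worked through as an added example (not code from OBS or from this documentation): a constructed two-statement policy allows uploads but denies them when the <strong>x-obs-acl</strong> key carries a public canned ACL. Assumptions: rule 1 is read per statement (an unmet condition makes that statement a default deny), the <strong>Condition</strong> shape of key to accepted values is a simplification rather than OBS syntax, actions and resources are matched as exact strings, <strong>Principal</strong> is not evaluated, and all function names are hypothetical.</p>

```python
# Simplified model of the judgment logic on this page. The Condition shape
# ({key: [accepted values]}) is an assumption for illustration, not OBS syntax.
EXPLICIT_DENY, ALLOW, DEFAULT_DENY = "explicit deny", "allow", "default deny"

def statement_result(stmt, request):
    """Result of a single statement for a single request."""
    if request["Action"] not in stmt["Action"]:
        return DEFAULT_DENY                      # statement does not apply
    if request["Resource"] not in stmt["Resource"]:
        return DEFAULT_DENY
    for key, accepted in stmt.get("Condition", {}).items():
        if request.get("Keys", {}).get(key) not in accepted:
            return DEFAULT_DENY                  # rule 1: condition not met
    return EXPLICIT_DENY if stmt["Effect"] == "Deny" else ALLOW

def combine(results):
    """Rules 2 and 3: explicit deny beats allow, allow beats default deny."""
    results = list(results)
    if EXPLICIT_DENY in results:
        return EXPLICIT_DENY
    return ALLOW if ALLOW in results else DEFAULT_DENY

def evaluate(policy, request):
    """Rule 4: the outcome does not depend on statement order."""
    return combine(statement_result(s, request) for s in policy["Statement"])

# Constructed sample policy: uploads are allowed, except with a public canned ACL.
POLICY = {"Statement": [
    {"Sid": "AllowUpload", "Principal": "*", "Effect": "Allow",
     "Action": ["PutObject"], "Resource": ["examplebucket/*"]},
    {"Sid": "DenyPublicAcl", "Principal": "*", "Effect": "Deny",
     "Action": ["PutObject", "PutObjectAcl"], "Resource": ["examplebucket/*"],
     "Condition": {"x-obs-acl": ["public-read", "public-read-write"]}},
]}

def put(acl=None, action="PutObject"):
    """Build a constructed request; acl is the x-obs-acl header value, if any."""
    keys = {"x-obs-acl": acl} if acl else {}
    return {"Action": action, "Resource": "examplebucket/*", "Keys": keys}

if __name__ == "__main__":
    for req in (put(), put("private"), put("public-read"),
                put("private", "PutObjectAcl")):
        print(req["Action"], req["Keys"], ":", evaluate(POLICY, req))
```

<p class="msonormal">The same <strong>combine</strong> step models the ACL and IAM cases: pass it one result per source, for example the ACL's allow together with the bucket policy's explicit deny.</p>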
</div>
</div>