doc-exports/docs/obs/umn/obs_03_0121.html
zhangyue b55201d729 OBS UMN DOC
Reviewed-by: Sabelnikov, Dmitriy <dmitriy.sabelnikov@t-systems.com>
Co-authored-by: zhangyue <zhangyue164@huawei.com>
Co-committed-by: zhangyue <zhangyue164@huawei.com>
2024-03-18 15:39:30 +00:00


<a name="obs_03_0121"></a><a name="obs_03_0121"></a>
<h1 class="topictitle1">Configuring Fine-Grained Policies</h1>
<div id="body1558000364828"><p id="obs_03_0121__p221854795715">Custom policies can be created to supplement the system-defined policies of OBS.</p>
<p id="obs_03_0121__p12902144114010">For details, see <a href="https://docs.otc.t-systems.com/identity-access-management/umn/user_guide/fine-grained_policy_management/creating_a_custom_policy.html" target="_blank" rel="noopener noreferrer">Creating a Custom Policy</a>. The following provides examples of common OBS custom policies.</p>
<div class="section" id="obs_03_0121__section10809111016198"><h4 class="sectiontitle">Example Custom Policies</h4><ul id="obs_03_0121__ul10182135619226"><li id="obs_03_0121__li14253426192520">Example 1: Grant users all OBS permissions.<div class="p" id="obs_03_0121__p6249182711253"><a name="obs_03_0121__li14253426192520"></a><a name="li14253426192520"></a>This policy allows users to perform any operation on OBS.<pre class="screen" id="obs_03_0121__screen6554143215243">{
  "Version": "1.1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "obs:*:*"
      ]
    }
  ]
}</pre>
</div>
</li><li id="obs_03_0121__li157689265447">Example 2: Grant users all OBS Console permissions.<p id="obs_03_0121__p46653263312"><a name="obs_03_0121__li157689265447"></a><a name="li157689265447"></a>This policy allows users to perform all operations on OBS Console.</p>
<div class="p" id="obs_03_0121__p339253017318">When a user logs in to OBS Console, the user may access resources of other services such as audit information in CTS. Therefore, in addition to the OBS permissions in example 1, you also need to configure the access permissions to other services. You need to configure the <strong id="obs_03_0121__b11163441628">Tenant Guest</strong> permission for the global project and regional projects based on the services and regions that you use.<pre class="screen" id="obs_03_0121__screen55823101111">{
  "Version": "1.1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "obs:*:*"
      ]
    }
  ]
}</pre>
</div>
</li><li id="obs_03_0121__li1499001214237">Example 3: Grant users the read-only permission for all directories in a bucket.<div class="p" id="obs_03_0121__p0659712132814"><a name="obs_03_0121__li1499001214237"></a><a name="li1499001214237"></a>This policy allows users to list and download all objects in bucket <strong id="obs_03_0121__b1231113421569">obs-example</strong>.<pre class="screen" id="obs_03_0121__screen1715419122288">{
  "Version": "1.1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "obs:object:GetObject",
        "obs:bucket:ListBucket"
      ],
      "Resource": [
        "obs:*:*:object:obs-example/*",
        "obs:*:*:bucket:obs-example"
      ]
    }
  ]
}</pre>
</div>
</li><li id="obs_03_0121__li1178134122714">Example 4: Grant users the read-only permission for a specified directory in a bucket.<div class="p" id="obs_03_0121__p1316275917297"><a name="obs_03_0121__li1178134122714"></a><a name="li1178134122714"></a>This policy allows users to download objects in only the <strong id="obs_03_0121__b104197231879">my-project/</strong> directory of bucket <strong id="obs_03_0121__b842011231718">obs-example</strong>. Objects in other directories can be listed but cannot be downloaded.<pre class="screen" id="obs_03_0121__screen1570175817291">{
  "Version": "1.1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "obs:object:GetObject",
        "obs:bucket:ListBucket"
      ],
      "Resource": [
        "obs:*:*:object:obs-example/my-project/*",
        "obs:*:*:bucket:obs-example"
      ]
    }
  ]
}</pre>
</div>
</li><li id="obs_03_0121__li7252849112918">Example 5: Grant users the read/write permissions for a specified directory in a bucket.<div class="p" id="obs_03_0121__p15698820153316"><a name="obs_03_0121__li7252849112918"></a><a name="li7252849112918"></a>This policy allows users to list, download, upload, and delete objects in the <strong id="obs_03_0121__b655212186119">my-project</strong> directory of bucket <strong id="obs_03_0121__b8554201831116">obs-example</strong>.<pre class="screen" id="obs_03_0121__screen16250020173311">{
  "Version": "1.1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "obs:object:GetObject",
        "obs:object:ListMultipartUploadParts",
        "obs:bucket:ListBucket",
        "obs:object:DeleteObject",
        "obs:object:PutObject"
      ],
      "Resource": [
        "obs:*:*:object:obs-example/my-project/*",
        "obs:*:*:bucket:obs-example"
      ]
    }
  ]
}</pre>
</div>
</li><li id="obs_03_0121__li13633157133316">Example 6: Grant users all permissions for a bucket.<div class="p" id="obs_03_0121__p101733273710"><a name="obs_03_0121__li13633157133316"></a><a name="li13633157133316"></a>This policy allows users to perform any operation on bucket <strong id="obs_03_0121__b177321057111411">obs-example</strong>.<pre class="screen" id="obs_03_0121__screen1740510316374">{
  "Version": "1.1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "obs:*:*"
      ],
      "Resource": [
        "obs:*:*:bucket:obs-example",
        "obs:*:*:object:obs-example/*"
      ]
    }
  ]
}</pre>
</div>
</li><li id="obs_03_0121__li838854165119">Example 7: Grant users the permission to deny object upload.<p id="obs_03_0121__p915923116524"><a name="obs_03_0121__li838854165119"></a><a name="li838854165119"></a>A deny policy must be used together with other policies. If the permissions assigned to a user contain both "Allow" and "Deny", the "Deny" permissions take precedence over the "Allow" permissions.</p>
<p id="obs_03_0121__p816018319521">If you grant the system policy <span id="obs_03_0121__ph18845175109">OBS OperateAccess</span> to a user but do not want the user to have the object upload permission (which <span id="obs_03_0121__ph71411423111519">OBS OperateAccess</span> also allows), you can create a custom policy in addition to the <span id="obs_03_0121__ph42986376610">OBS OperateAccess</span> policy that denies the user's upload permission. Because a deny statement takes precedence, the user can perform all operations allowed by <span id="obs_03_0121__ph3933720141414">OBS OperateAccess</span> except uploading objects. The following is an example of a deny policy:</p>
<pre class="screen" id="obs_03_0121__screen146127316555">{
  "Version": "1.1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "obs:object:PutObject"
      ]
    }
  ]
}</pre>
</li></ul>
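<p>The following Python snippet is an added illustration, not part of this documentation or of the IAM service: it models the rule stated in Example 7 (a matching Deny overrides any Allow, otherwise access is denied unless some Allow matches) and checks Example 4 and Example 7 against constructed request resources. The region and account values in the resource strings, the <code>is_allowed</code> helper, and the assumption that a statement without a Resource element applies to every resource are all this example's own; the <code>ALLOW_ALL</code> policy stands in for a broad system policy such as OBS OperateAccess, whose actual content is not shown on this page.</p>

```python
import json
import re

# Constructed policies: READ_ONLY_DIR copies the shape of Example 4 on this
# page, DENY_UPLOAD copies Example 7, and ALLOW_ALL is a stand-in for a broad
# system policy (assumption; the real OBS OperateAccess content is not shown).
READ_ONLY_DIR = json.loads("""{
  "Version": "1.1",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["obs:object:GetObject", "obs:bucket:ListBucket"],
    "Resource": ["obs:*:*:object:obs-example/my-project/*",
                 "obs:*:*:bucket:obs-example"]
  }]
}""")
ALLOW_ALL = {"Version": "1.1",
             "Statement": [{"Effect": "Allow", "Action": ["obs:*:*"]}]}
DENY_UPLOAD = {"Version": "1.1",
               "Statement": [{"Effect": "Deny",
                              "Action": ["obs:object:PutObject"]}]}


def _glob_match(pattern, value):
    """Match a policy pattern in which only '*' is a wildcard.
    '*' may span '/' so 'obs-example/*' covers nested object keys."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def _statement_matches(stmt, action, resource):
    """True when the statement names both the action and the resource."""
    # Assumption: a statement with no Resource element applies to all resources.
    resources = stmt.get("Resource", ["*"])
    return (any(_glob_match(a, action) for a in stmt["Action"])
            and any(_glob_match(r, resource) for r in resources))


def is_allowed(policies, action, resource):
    """Simplified model of the precedence rule: any matching Deny wins,
    otherwise any matching Allow grants access, otherwise implicit deny."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _statement_matches(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed
```

With only <code>READ_ONLY_DIR</code> attached, downloading <code>obs-example/other/report.pdf</code> is refused while listing the bucket succeeds, which is the behaviour Example 4 describes; combining <code>ALLOW_ALL</code> with <code>DENY_UPLOAD</code> leaves every action except <code>obs:object:PutObject</code> allowed.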
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="obs_03_0144.html">Configuring IAM Policies</a></div>
</div>
</div>