forked from docs/doc-exports
Reviewed-by: Sabelnikov, Dmitriy <dmitriy.sabelnikov@t-systems.com> Co-authored-by: zhangyue <zhangyue164@huawei.com> Co-committed-by: zhangyue <zhangyue164@huawei.com>
<a name="en-us_topic_0045853745"></a>
<h1 class="topictitle1">Bucket Policies and Object Policies</h1>
<div id="body1557026128761"><div class="section" id="en-us_topic_0045853745__section4574154145010"><h4 class="sectiontitle">Bucket Owner and Object Owner</h4><p id="en-us_topic_0045853745__p18002110210">The owner of a bucket is the account that created it. If an IAM user under an account creates the bucket, the bucket owner is the account, not the IAM user.</p>
<p id="en-us_topic_0045853745__p14995316180">The owner of an object is the account that uploaded it, which is not necessarily the owner of the bucket that holds the object. For example, account <strong id="en-us_topic_0045853745__b195491217194518">B</strong> is granted permission to access a bucket owned by account <strong id="en-us_topic_0045853745__b165491017134515">A</strong>, and account <strong id="en-us_topic_0045853745__b16549141713459">B</strong> uploads a file to that bucket. Account <strong id="en-us_topic_0045853745__b0549517184517">B</strong>, not bucket owner <strong id="en-us_topic_0045853745__b454941710457">A</strong>, is then the owner of the object.</p>
</div>
<div class="section" id="en-us_topic_0045853745__section1825740772"><h4 class="sectiontitle">Bucket Policies</h4><p id="en-us_topic_0045853745__p859419124614">Bucket policies apply to a bucket and the objects in it. With a bucket policy, the bucket owner can grant IAM users or other accounts permissions to operate on the bucket and its objects.</p>
<p id="en-us_topic_0045853745__p116964110188"><strong id="en-us_topic_0045853745__b1310315411577">Application Scenarios</strong></p>
<ul id="en-us_topic_0045853745__ul7761857101919"><li id="en-us_topic_0045853745__li10777579196">If no <span id="en-us_topic_0045853745__ph9419171385810">IAM policies</span> are used for access control and you want to grant other accounts permissions to access your OBS resources, you can use bucket policies.</li><li id="en-us_topic_0045853745__li129735910199">You can configure bucket policies to grant IAM users different access permissions on buckets.</li><li id="en-us_topic_0045853745__li121708142011">You can also use bucket policies to grant other accounts permissions to access your buckets.</li></ul>
<p id="en-us_topic_0045853745__p108879396110"><strong id="en-us_topic_0045853745__b1738916595918">Standard Bucket Policies</strong></p>
<p id="en-us_topic_0045853745__p1320714303352">There are three options for standard bucket policies.</p>
<ul id="en-us_topic_0045853745__ul15740133433513"><li id="en-us_topic_0045853745__li4740103420354"><strong id="en-us_topic_0045853745__b8759625143810">Private</strong>: No access beyond what the bucket ACL grants.</li><li id="en-us_topic_0045853745__li377138153513"><strong id="en-us_topic_0045853745__b161311618113117">Public Read</strong>: Anyone can read objects in the bucket.</li><li id="en-us_topic_0045853745__li66641044203514"><strong id="en-us_topic_0045853745__b931618225313">Public Read and Write</strong>: Anyone can read, write, or delete objects in the bucket.</li></ul>
<p id="en-us_topic_0045853745__p17739175319515">After a bucket is created, its default bucket policy is <strong id="en-us_topic_0045853745__b17602010102814">Private</strong>: only the bucket owner has full control over the bucket. To keep your data secure, it is recommended that you do not use the <strong id="en-us_topic_0045853745__b10152175317123">Public Read</strong> or <strong id="en-us_topic_0045853745__b667475711122">Public Read and Write</strong> policies.</p>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="en-us_topic_0045853745__table12248152111227" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Standard bucket policies</caption>
<thead align="left"><tr id="en-us_topic_0045853745__row15249821152217">
<th align="left" class="cellrowborder" valign="top" width="19%" id="mcps1.3.2.9.2.5.1.1"><p id="en-us_topic_0045853745__p122491621102215">Parameter</p></th>
<th align="left" class="cellrowborder" valign="top" width="15%" id="mcps1.3.2.9.2.5.1.2"><p id="en-us_topic_0045853745__p1249182111225">Private</p></th>
<th align="left" class="cellrowborder" valign="top" width="32%" id="mcps1.3.2.9.2.5.1.3"><p id="en-us_topic_0045853745__p9249112142212">Public Read</p></th>
<th align="left" class="cellrowborder" valign="top" width="34%" id="mcps1.3.2.9.2.5.1.4"><p id="en-us_topic_0045853745__p14249421172212">Public Read and Write</p></th>
</tr></thead>
<tbody>
<tr id="en-us_topic_0045853745__row724919215226">
<td class="cellrowborder" valign="top" width="19%" headers="mcps1.3.2.9.2.5.1.1 "><p id="en-us_topic_0045853745__p102491321142216">Effect</p></td>
<td class="cellrowborder" valign="top" width="15%" headers="mcps1.3.2.9.2.5.1.2 "><p id="en-us_topic_0045853745__p13249112115225">N/A</p></td>
<td class="cellrowborder" valign="top" width="32%" headers="mcps1.3.2.9.2.5.1.3 "><p id="en-us_topic_0045853745__p02496219224">Allow</p></td>
<td class="cellrowborder" valign="top" width="34%" headers="mcps1.3.2.9.2.5.1.4 "><p id="en-us_topic_0045853745__p424962162212">Allow</p></td>
</tr>
<tr id="en-us_topic_0045853745__row1224915215221">
<td class="cellrowborder" valign="top" width="19%" headers="mcps1.3.2.9.2.5.1.1 "><p id="en-us_topic_0045853745__p824919216225">Principal</p></td>
<td class="cellrowborder" valign="top" width="15%" headers="mcps1.3.2.9.2.5.1.2 "><p id="en-us_topic_0045853745__p913548162513">N/A</p></td>
<td class="cellrowborder" valign="top" width="32%" headers="mcps1.3.2.9.2.5.1.3 "><p id="en-us_topic_0045853745__p12503210220">* (Any user)</p></td>
<td class="cellrowborder" valign="top" width="34%" headers="mcps1.3.2.9.2.5.1.4 "><p id="en-us_topic_0045853745__p132503214228">* (Any user)</p></td>
</tr>
<tr id="en-us_topic_0045853745__row5250121102214">
<td class="cellrowborder" valign="top" width="19%" headers="mcps1.3.2.9.2.5.1.1 "><p id="en-us_topic_0045853745__p1625082192215">Resources</p></td>
<td class="cellrowborder" valign="top" width="15%" headers="mcps1.3.2.9.2.5.1.2 "><p id="en-us_topic_0045853745__p92501212228">N/A</p></td>
<td class="cellrowborder" valign="top" width="32%" headers="mcps1.3.2.9.2.5.1.3 "><p id="en-us_topic_0045853745__p125022172220">* (All objects in a bucket)</p></td>
<td class="cellrowborder" valign="top" width="34%" headers="mcps1.3.2.9.2.5.1.4 "><p id="en-us_topic_0045853745__p3250112172220">* (All objects in a bucket)</p></td>
</tr>
<tr id="en-us_topic_0045853745__row14250821122214">
<td class="cellrowborder" valign="top" width="19%" headers="mcps1.3.2.9.2.5.1.1 "><p id="en-us_topic_0045853745__p1125052118223">Actions</p></td>
<td class="cellrowborder" valign="top" width="15%" headers="mcps1.3.2.9.2.5.1.2 "><p id="en-us_topic_0045853745__p113541515304">N/A</p></td>
<td class="cellrowborder" valign="top" width="32%" headers="mcps1.3.2.9.2.5.1.3 "><ul id="en-us_topic_0045853745__ul1512955514"><li id="en-us_topic_0045853745__li25017322553">GetObject</li><li id="en-us_topic_0045853745__li9512918551">GetObjectVersion</li><li id="en-us_topic_0045853745__li270053214419">ListBucket</li></ul></td>
<td class="cellrowborder" valign="top" width="34%" headers="mcps1.3.2.9.2.5.1.4 "><ul id="en-us_topic_0045853745__ul5350174995516"><li id="en-us_topic_0045853745__li235184914552">GetObject</li><li id="en-us_topic_0045853745__li635354905514">GetObjectVersion</li><li id="en-us_topic_0045853745__li67015320563">PutObject</li><li id="en-us_topic_0045853745__li165585435619">DeleteObject</li><li id="en-us_topic_0045853745__li133265814550">DeleteObjectVersion</li><li id="en-us_topic_0045853745__li0309121518499">ListBucket</li></ul></td>
</tr>
<tr id="en-us_topic_0045853745__row122501121162216">
<td class="cellrowborder" valign="top" width="19%" headers="mcps1.3.2.9.2.5.1.1 "><p id="en-us_topic_0045853745__p22501217226">Conditions</p></td>
<td class="cellrowborder" valign="top" width="15%" headers="mcps1.3.2.9.2.5.1.2 "><p id="en-us_topic_0045853745__p10924191511307">N/A</p></td>
<td class="cellrowborder" valign="top" width="32%" headers="mcps1.3.2.9.2.5.1.3 "><p id="en-us_topic_0045853745__p132501521172219">N/A</p></td>
<td class="cellrowborder" valign="top" width="34%" headers="mcps1.3.2.9.2.5.1.4 "><p id="en-us_topic_0045853745__p1325042111223">N/A</p></td>
</tr>
</tbody>
</table>
</div>
<div class="note" id="en-us_topic_0045853745__note2118103711307"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="en-us_topic_0045853745__p4682317528">For buckets whose version is 3.0, the default permissions of <strong id="en-us_topic_0045853745__b1994991416242">Public Read</strong> and <strong id="en-us_topic_0045853745__b99614143244">Public Read and Write</strong> were updated to fix a problem where external buckets could not be added to OBS Browser because of insufficient permissions.</p>
<ul id="en-us_topic_0045853745__ul434119504315"><li id="en-us_topic_0045853745__li163422505317">The ListBucket permission was added to the <strong id="en-us_topic_0045853745__b11720943112420">Public Read</strong> policy.</li><li id="en-us_topic_0045853745__li93426503315">The ListBucket permission was added to the <strong id="en-us_topic_0045853745__b36061540240">Public Read and Write</strong> policy.</li><li id="en-us_topic_0045853745__li934255083119">If you want to add an external bucket to OBS Browser, manually update the standard bucket policy configuration.</li></ul>
</div></div>
<p id="en-us_topic_0045853745__p102285401236"><strong id="en-us_topic_0045853745__b12791142219148">Custom Bucket Policies</strong></p>
<p id="en-us_topic_0045853745__p385655915198">The following three modes are provided for quick configuration:</p>
<ul id="en-us_topic_0045853745__ul8780438183815"><li id="en-us_topic_0045853745__li14780838163818"><strong id="en-us_topic_0045853745__b1579603411120">Read-only</strong>: In <strong id="en-us_topic_0045853745__b149541244151111">Read-only</strong> mode, you only need to specify the <strong id="en-us_topic_0045853745__b154171455161115">Principal</strong> (authorized users). The authorized users then have read permission on the bucket and the objects in it, and can perform all GET operations on these resources.</li><li id="en-us_topic_0045853745__li11780438103816"><strong id="en-us_topic_0045853745__b14945201661218">Read and write</strong>: In <strong id="en-us_topic_0045853745__b7774422121220">Read and write</strong> mode, you only need to specify the <strong id="en-us_topic_0045853745__b197141041313">Principal</strong> (authorized users). The authorized users then have full control permissions on the bucket and the objects in it, and can perform any operation on these resources.</li><li id="en-us_topic_0045853745__li15780138123814"><strong id="en-us_topic_0045853745__b16901182413136">Customized</strong>: In <strong id="en-us_topic_0045853745__b1392612293135">Customized</strong> mode, you define the specific operation permissions to grant to users and accounts by configuring the <strong id="en-us_topic_0045853745__b1496317562136">Effect</strong>, <strong id="en-us_topic_0045853745__b14784013141">Principal</strong>, <strong id="en-us_topic_0045853745__b05277541415">Resources</strong>, <strong id="en-us_topic_0045853745__b21719971415">Actions</strong>, and <strong id="en-us_topic_0045853745__b143672163147">Conditions</strong> parameters.</li></ul>
<div class="note" id="en-us_topic_0045853745__note14398193912214"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="en-us_topic_0045853745__p639816399229">On OBS Console, when you use a custom bucket policy to grant other users permissions on resources in a bucket, you must also grant these users the bucket read permission <strong id="en-us_topic_0045853745__b1735213568396">ListBucket</strong> (leaving the resource name blank applies the policy to the entire bucket). Otherwise, the users may be unable to access the bucket from OBS Console.</p>
</div></div>
</div>
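<p>As an added example (not part of this documentation or of OBS itself), the Python below builds the two public standard policies from Table 1 and audits a policy for the two risks this section describes: anonymous access, and a Customized policy that grants object actions without ListBucket on the bucket. The JSON layout (Effect, Principal with an ID list, Action, Resource) and the account ID string are assumptions modelled on the table's parameters, not the exact OBS wire format.</p>

```python
# Action groups exactly as Table 1 lists them.
READ_ACTIONS = {"GetObject", "GetObjectVersion", "ListBucket"}
WRITE_ACTIONS = {"PutObject", "DeleteObject", "DeleteObjectVersion"}
OBJECT_ACTIONS = (READ_ACTIONS | WRITE_ACTIONS) - {"ListBucket"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principals(statement):
    """'*' means any user; otherwise return the account/user IDs (assumed layout)."""
    principal = statement.get("Principal")
    if principal == "*":
        return ["*"]
    return _as_list(principal.get("ID", [])) if isinstance(principal, dict) else []

def standard_policy(level, bucket):
    """Public Read or Public Read and Write, with the columns of Table 1 filled in."""
    actions = READ_ACTIONS if level == "public-read" else READ_ACTIONS | WRITE_ACTIONS
    return {"Statement": [{"Effect": "Allow", "Principal": "*", "Action": sorted(actions),
                           "Resource": [bucket, bucket + "/*"]}]}

def classify_public_access(policy):
    """Return 'public-read-write', 'public-read' or 'private' (Table 1 semantics)."""
    level = "private"
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow" or "*" not in _principals(st):
            continue
        actions = set(_as_list(st.get("Action", [])))
        if actions & WRITE_ACTIONS:
            return "public-read-write"
        if actions & READ_ACTIONS:
            level = "public-read"
    return level

def missing_list_bucket(policy, bucket):
    """Principals with object actions but no ListBucket on the bucket (see the note above)."""
    have_objects, have_list = set(), set()
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        actions = set(_as_list(st.get("Action", [])))
        resources = set(_as_list(st.get("Resource", [])))
        for p in _principals(st):
            if actions & OBJECT_ACTIONS:
                have_objects.add(p)
            if "ListBucket" in actions and bucket in resources:
                have_list.add(p)
    return sorted(have_objects - have_list)

# Constructed sample: a Customized policy for account B that grants object access but omits ListBucket.
SAMPLE_POLICY = {"Statement": [{"Effect": "Allow", "Principal": {"ID": ["domain/ACCOUNT-B-ID"]},
                                "Action": ["GetObject", "PutObject"], "Resource": ["my-bucket/*"]}]}
```

For the sample, <code>classify_public_access</code> reports <code>private</code> (no anonymous principal) while <code>missing_list_bucket</code> flags account B, which is exactly the console-access failure the note warns about.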
<div class="section" id="en-us_topic_0045853745__section0354920819"><h4 class="sectiontitle">Object Policies</h4><p id="en-us_topic_0045853745__p139763410611">Object policies apply to individual objects in a bucket, whereas a bucket policy applies to a set of objects (those sharing an object name prefix) or to all objects (specified by an asterisk <strong id="en-us_topic_0045853745__b2086119513210">*</strong>) in the bucket. To configure an object policy, select the object and then configure a policy for it.</p>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="obs_03_0109.html">Permission Control Mechanisms</a></div>
</div>
</div>