doc-exports/docs/obs/umn/obs_03_0121.html
zhangyue 78cb06737e OBS UMN DOC
Reviewed-by: Sabelnikov, Dmitriy <dmitriy.sabelnikov@t-systems.com>
Co-authored-by: zhangyue <zhangyue164@huawei.com>
Co-committed-by: zhangyue <zhangyue164@huawei.com>
2023-07-25 09:09:15 +00:00


Configuring Fine-Grained Policies

Custom policies can be created to supplement the system-defined policies of OBS.

For details, see Creating a Custom Policy. The following examples cover common OBS custom policies. Each policy has a Version element ("1.1") and a Statement list; every statement carries an Effect (Allow or Deny), the Action strings it applies to, and optionally a Resource list that narrows it to specific buckets or objects. A statement without a Resource element applies to all OBS resources.

Example Custom Policies

  • Example 1: Grant all OBS permissions to users.
    This policy allows users to perform any operation on OBS. Because the statement has no Resource element, it covers every bucket and object in the account, so reserve it for administrators.
    {
        "Version": "1.1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "obs:*:*"
                ]
            }
        ]
    }
  • Example 2: Grant all OBS Console permissions to users.

    This policy allows users to perform all operations on OBS Console.

    OBS Console also reads resources of other services, for example audit records in CTS, so the OBS permissions from Example 1 alone are not sufficient for console use. Grant the Tenant Guest permission for the global project and for each regional project, depending on the services and regions you use. The OBS part of the policy is the same as in Example 1:
    {
        "Version": "1.1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "obs:*:*"
                ]
            }
        ]
    }
  • Example 3: Grant the read-only permission on a bucket to users (any directory).
    This policy allows users to list and download all objects in bucket obs-example.
    {
        "Version": "1.1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "obs:object:GetObject",
                    "obs:bucket:ListBucket"
                ],
                "Resource": [
                    "obs:*:*:object:obs-example/*",
                    "obs:*:*:bucket:obs-example"
                ]
            }
        ]
    }
  • Example 4: Grant the read-only permission on a bucket to users (specified directory).
    This policy allows users to download objects only from the my-project/ directory of bucket obs-example. Because obs:bucket:ListBucket is granted on the whole bucket, object names in other directories are still listed, but those objects cannot be downloaded.
    {
        "Version": "1.1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "obs:object:GetObject",
                    "obs:bucket:ListBucket"
                ],
                "Resource": [
                    "obs:*:*:object:obs-example/my-project/*",
                    "obs:*:*:bucket:obs-example"
                ]
            }
        ]
    }
  • Example 5: Grant the read and write permissions on a bucket to users (specified directory).
    This policy allows users to list the bucket and to download, upload, and delete objects in the my-project/ directory of bucket obs-example; obs:object:ListMultipartUploadParts additionally lets them list the parts of in-progress multipart uploads there. As in Example 4, obs:bucket:ListBucket applies to the whole bucket, so object names outside my-project/ remain visible.
    {
        "Version": "1.1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "obs:object:GetObject",
                    "obs:object:ListMultipartUploadParts",
                    "obs:bucket:ListBucket",
                    "obs:object:DeleteObject",
                    "obs:object:PutObject"
                ],
                "Resource": [
                    "obs:*:*:object:obs-example/my-project/*",
                    "obs:*:*:bucket:obs-example"
                ]
            }
        ]
    }
  • Example 6: Grant all permissions on a bucket to users.
    This policy allows users to perform any operation on bucket obs-example and its objects, including bucket-level management such as changing the bucket ACL or bucket policy and deleting the bucket. Grant it only where the user is meant to fully control that bucket; other buckets are not covered.
    {
        "Version": "1.1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "obs:*:*"
                ],
                "Resource": [
                    "obs:*:*:bucket:obs-example",
                    "obs:*:*:object:obs-example/*"
                ]
            }
        ]
    }
  • Example 7: Deny permissions to users to upload objects.

    A deny policy is only meaningful together with policies that allow something. If the permissions assigned to a user contain both Allow and Deny statements for the same action, the Deny statement takes precedence.

    For example, if you grant the system policy OBS OperateAccess to a user but do not want the user to upload objects (a permission that OBS OperateAccess includes), attach a custom policy with a Deny statement for obs:object:PutObject in addition to OBS OperateAccess. Because Deny takes precedence, the user can perform every other operation allowed by OBS OperateAccess but cannot upload objects. The statement below has no Resource element, so it blocks uploads to every bucket; add a Resource list if only specific buckets or directories should be affected. The following is an example of a deny policy:

    {
        "Version": "1.1",
        "Statement": [
            {
                "Effect": "Deny",
                "Action": [
                    "obs:object:PutObject"
                ]
            }
        ]
    }
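The following is an added example, not part of the OBS documentation or the IAM service, that checks the policy examples above before they are attached and walks through how Examples 4 and 7 are evaluated. It models only the rules stated on this page: '*' wildcards in Action and Resource strings, a statement without a Resource element applying to every resource, an explicit Deny overriding any Allow, and an implicit Deny when no statement matches. The request resource strings (region and account placeholders), the BROAD_ALLOW stand-in for OBS OperateAccess, and the malformed document are all constructed for the example.

```python
import fnmatch
import json

# Added example: a minimal evaluator for the OBS custom-policy documents above.
# It models only what this page describes; the IAM service itself supports
# more (conditions, further resource types). All request strings are constructed.


def load_policy(text):
    """Parse a policy document and check the fields the examples rely on."""
    policy = json.loads(text)  # rejects malformed JSON such as trailing commas
    if policy.get("Version") != "1.1":
        raise ValueError("expected Version 1.1")
    for stmt in policy["Statement"]:
        if stmt.get("Effect") not in ("Allow", "Deny"):
            raise ValueError("Effect must be Allow or Deny")
        if not stmt.get("Action"):
            raise ValueError("a statement needs at least one Action")
    return policy


def is_valid_policy(text):
    """True if load_policy accepts the document, False otherwise."""
    try:
        load_policy(text)
        return True
    except (ValueError, KeyError, TypeError):
        return False


def _matches(patterns, value):
    # Patterns such as "obs:*:*" or "obs:*:*:object:obs-example/my-project/*";
    # '*' matches any run of characters, including ':' and '/'.
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _statement_applies(stmt, action, resource):
    if not _matches(stmt["Action"], action):
        return False
    # No Resource element: the statement covers every resource (Example 7).
    if "Resource" not in stmt:
        return True
    return _matches(stmt["Resource"], resource)


def evaluate(policies, action, resource):
    """Return "Allow" or "Deny" for one request under all attached policies."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if _statement_applies(stmt, action, resource):
                if stmt["Effect"] == "Deny":
                    return "Deny"  # explicit deny wins regardless of order
                allowed = True
    return "Allow" if allowed else "Deny"  # nothing matched: implicit deny


# Example 4 from the page: read-only on the my-project/ directory.
READ_ONLY_MY_PROJECT = load_policy("""{"Version": "1.1", "Statement": [{
    "Effect": "Allow",
    "Action": ["obs:object:GetObject", "obs:bucket:ListBucket"],
    "Resource": ["obs:*:*:object:obs-example/my-project/*",
                 "obs:*:*:bucket:obs-example"]}]}""")

# Example 7 from the page: deny uploads everywhere.
DENY_UPLOAD = load_policy("""{"Version": "1.1", "Statement": [{
    "Effect": "Deny", "Action": ["obs:object:PutObject"]}]}""")

# Constructed stand-in for a broad allow such as OBS OperateAccess; the real
# system policy's statements are not reproduced on this page.
BROAD_ALLOW = load_policy("""{"Version": "1.1", "Statement": [{
    "Effect": "Allow", "Action": ["obs:*:*"]}]}""")

# Constructed request resource strings (region and account are placeholders).
IN_PROJECT = "obs:eu-de:acct:object:obs-example/my-project/report.csv"
OUTSIDE = "obs:eu-de:acct:object:obs-example/other/notes.txt"
BUCKET = "obs:eu-de:acct:bucket:obs-example"

# Constructed malformed document: a trailing comma after the Action array,
# which is not valid JSON and must be caught before the policy is attached.
MALFORMED = ('{"Version": "1.1", "Statement": [{"Effect": "Deny", '
             '"Action": ["obs:object:PutObject"],}]}')


def demo():
    """Decisions for the requests above; returned so they can be checked."""
    return {
        "get_in_project": evaluate([READ_ONLY_MY_PROJECT], "obs:object:GetObject", IN_PROJECT),
        "get_outside": evaluate([READ_ONLY_MY_PROJECT], "obs:object:GetObject", OUTSIDE),
        "list_bucket": evaluate([READ_ONLY_MY_PROJECT], "obs:bucket:ListBucket", BUCKET),
        "put_in_project": evaluate([READ_ONLY_MY_PROJECT], "obs:object:PutObject", IN_PROJECT),
        "put_with_deny": evaluate([BROAD_ALLOW, DENY_UPLOAD], "obs:object:PutObject", IN_PROJECT),
        "get_with_deny": evaluate([BROAD_ALLOW, DENY_UPLOAD], "obs:object:GetObject", IN_PROJECT),
        "malformed_accepted": is_valid_policy(MALFORMED),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

Running the block shows the listing-versus-download distinction from Example 4 (the bucket can be listed, an object outside my-project/ cannot be fetched), the Deny precedence from Example 7 (uploads are refused even though the broad allow covers them, whichever policy is attached first), and that a trailing comma makes a policy document unparseable.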