Managing Bucket ACLs

A bucket ACL can be configured in three modes:

  1. Specify a pre-defined access policy during bucket creation.
  2. Call ObsClient->setBucketAcl to specify a pre-defined access policy.
  3. Call ObsClient->setBucketAcl to set the ACL directly.

The following table lists the five permission types supported by OBS. The SDK constant for each permission is given in parentheses.

READ (ObsClient::PermissionRead)
  On a bucket: the grantee can list the objects in the bucket and read the bucket metadata.
  On an object: the grantee can read the object content and metadata.

WRITE (ObsClient::PermissionWrite)
  On a bucket: the grantee can upload, overwrite, and delete any object in the bucket.
  Not applicable to objects.

READ_ACP (ObsClient::PermissionReadAcp)
  The grantee can read the ACL of the bucket or object.
  The bucket or object owner always has this permission.

WRITE_ACP (ObsClient::PermissionWriteAcp)
  The grantee can update the ACL of the bucket or object.
  The bucket or object owner always has this permission.
  A grantee with WRITE_ACP can rewrite the ACL to grant themselves any permission, so WRITE_ACP is effectively FULL_CONTROL.

FULL_CONTROL (ObsClient::PermissionFullControl)
  On a bucket: READ, WRITE, READ_ACP, and WRITE_ACP on the bucket.
  On an object: READ, WRITE, READ_ACP, and WRITE_ACP on the object.

There are seven access control policies pre-defined in OBS. The SDK constant for each policy is given in parentheses.

private (ObsClient::AclPrivate)
  The owner of the bucket or object has FULL_CONTROL. No other user has any permission on it.

public-read (ObsClient::AclPublicRead)
  The owner has FULL_CONTROL. All other users, including anonymous users, have READ.

public-read-write (ObsClient::AclPublicReadWrite)
  The owner has FULL_CONTROL. All other users, including anonymous users, have READ and WRITE.

authenticated-read (ObsClient::AclAuthenticatedRead)
  The owner has FULL_CONTROL. Other OBS users (any authenticated account) have READ.

bucket-owner-read (ObsClient::AclBucketOwnerRead)
  The object owner has FULL_CONTROL on the object, and the owner of the bucket where the object resides has READ on the object.

bucket-owner-full-control (ObsClient::AclBucketOwnerFullControl)
  The object owner has FULL_CONTROL on the object, and the owner of the bucket where the object resides also has FULL_CONTROL on the object.

log-delivery-write (ObsClient::AclLogDeliveryWrite)
  The log delivery group has WRITE and READ_ACP on the bucket.
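To make the two tables concrete, the following is an added example; it is not part of the OBS documentation or SDK. It computes the effective permission set a given principal holds under an ACL written in the Owner/Grants structure that setBucketAcl and getBucketAcl use (shown later on this page), applying the rules stated above: FULL_CONTROL expands to the four individual permissions, the owner always has READ_ACP and WRITE_ACP, a grant to ObsClient::GroupAllUsers applies to everyone including anonymous requests, and a grant to ObsClient::GroupAuthenticatedUsers applies to any OBS account. The helper names and the sample ACL are my own; the account IDs in it are constructed.

```php
<?php
// Added example, not part of the OBS PHP SDK documentation.
require 'vendor/autoload.php';
require 'obs-autoloader.php';
use Obs\S3\ObsClient;

/**
 * Individual permissions implied by one grant value.
 * FULL_CONTROL expands to READ, WRITE, READ_ACP and WRITE_ACP.
 */
function expandPermission($permission)
{
    if ($permission === ObsClient::PermissionFullControl) {
        return [ObsClient::PermissionRead, ObsClient::PermissionWrite,
                ObsClient::PermissionReadAcp, ObsClient::PermissionWriteAcp];
    }
    return [$permission];
}

/**
 * Does $grant apply to $principal?
 * $principal is null for an anonymous request, or ['ID' => '<account id>']
 * for a signed request. AllUsers matches everyone, AuthenticatedUsers matches
 * any account, the log delivery group matches no ordinary caller.
 */
function grantApplies(array $grant, $principal)
{
    $grantee = $grant['Grantee'];
    if (isset($grantee['URI'])) {                       // group grantee
        if ($grantee['URI'] === ObsClient::GroupAllUsers) {
            return true;
        }
        if ($grantee['URI'] === ObsClient::GroupAuthenticatedUsers) {
            return $principal !== null;
        }
        return false;
    }
    // CanonicalUser grantee: exact account ID match only.
    return $principal !== null && isset($grantee['ID'])
        && $grantee['ID'] === $principal['ID'];
}

/**
 * Effective permissions of $principal on a bucket whose ACL is $acl
 * (same shape as the setBucketAcl parameter / getBucketAcl response).
 */
function effectivePermissions(array $acl, $principal)
{
    $perms = [];
    foreach ($acl['Grants'] as $grant) {
        if (grantApplies($grant, $principal)) {
            $perms = array_merge($perms, expandPermission($grant['Permission']));
        }
    }
    // The owner holds READ_ACP and WRITE_ACP permanently, whatever the grants say.
    if ($principal !== null && $principal['ID'] === $acl['Owner']['ID']) {
        $perms[] = ObsClient::PermissionReadAcp;
        $perms[] = ObsClient::PermissionWriteAcp;
    }
    $perms = array_values(array_unique($perms));
    sort($perms);
    return $perms;
}

// Constructed sample ACL: owner has FULL_CONTROL, everyone may READ,
// any authenticated account may WRITE.
$sampleAcl = [
    'Owner'  => ['ID' => 'ownerid', 'DisplayName' => 'ownername'],
    'Grants' => [
        ['Grantee' => ['Type' => 'CanonicalUser', 'ID' => 'ownerid'],
         'Permission' => ObsClient::PermissionFullControl],
        ['Grantee' => ['Type' => 'Group', 'URI' => ObsClient::GroupAllUsers],
         'Permission' => ObsClient::PermissionRead],
        ['Grantee' => ['Type' => 'Group', 'URI' => ObsClient::GroupAuthenticatedUsers],
         'Permission' => ObsClient::PermissionWrite],
    ],
];

$principals = [
    'anonymous'     => null,
    'other account' => ['ID' => 'someotheraccount'],   // constructed ID
    'owner'         => ['ID' => 'ownerid'],
];
foreach ($principals as $label => $principal) {
    printf("%-14s %s\n", $label . ':', implode(', ', effectivePermissions($sampleAcl, $principal)));
}
```

With this sample the anonymous caller ends up with READ only, any other account with READ and WRITE, and the owner with all four permissions. Dropping the owner's FULL_CONTROL grant from the sample would still leave the owner READ_ACP and WRITE_ACP, which is why an owner can always repair a bucket ACL but may lose READ and WRITE on it.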

Specifying a Pre-defined Access Control Policy During Bucket Creation

Sample code:

// Import the third-party open source libraries.
require 'vendor/autoload.php';
// Import the SDK code library.
require 'obs-autoloader.php';
// Declare the namespace.
use Obs\S3\ObsClient;
// Create an instance of ObsClient.
$obsClient = new ObsClient([
       'key' => '*** Provide your Access Key ***',
       'secret' => '*** Provide your Secret Key ***',
       'endpoint' => 'https://yourdomainname'
]);

// Create a bucket.
$resp = $obsClient->createBucket([
       'Bucket' => 'bucketname',
       // Set the bucket ACL to public-read-write. This gives anonymous users READ and WRITE on the bucket
       // (list, upload, overwrite and delete objects); use ObsClient::AclPrivate unless anonymous access is intended.
       'ACL' => ObsClient::AclPublicReadWrite
]);

printf("RequestId:%s\n",$resp['RequestId']);

Setting a Pre-defined Access Control Policy for a Bucket

Sample code:

// Import the third-party open source libraries.
require 'vendor/autoload.php';
// Import the SDK code library.
require 'obs-autoloader.php';
// Declare the namespace.
use Obs\S3\ObsClient;
// Create an instance of ObsClient.
$obsClient = new ObsClient([
       'key' => '*** Provide your Access Key ***',
       'secret' => '*** Provide your Secret Key ***',
       'endpoint' => 'https://yourdomainname'
]);

// Use a pre-defined access control policy to set the bucket ACL.
$resp = $obsClient->setBucketAcl([
       'Bucket' => 'bucketname',
       // Set the bucket ACL to log-delivery-write.
       'ACL' => ObsClient::AclLogDeliveryWrite
]);

printf("RequestId:%s\n",$resp['RequestId']);
NOTE:

Use the ACL parameter to apply one of the pre-defined access control policies to a bucket. Passing public-read or public-read-write grants anonymous users READ, or READ and WRITE, on the whole bucket.

Directly Setting a Bucket ACL

Sample code:

// Import the third-party open source libraries.
require 'vendor/autoload.php';
// Import the SDK code library.
require 'obs-autoloader.php';
// Declare the namespace.
use Obs\S3\ObsClient;
// Create an instance of ObsClient.
$obsClient = new ObsClient([
       'key' => '*** Provide your Access Key ***',
       'secret' => '*** Provide your Secret Key ***',
       'endpoint' => 'https://yourdomainname'
]);

// Directly set the bucket ACL.
$resp = $obsClient->setBucketAcl([
       'Bucket' => 'bucketname',
       // Set the bucket owner.
       'Owner' => [
              'DisplayName' => 'ownername',
              'ID' => 'ownerid'
       ],
       'Grants' => [
              // Grant FULL_CONTROL to a specified account (by account ID).
              ['Grantee' => ['Type' => 'CanonicalUser', 'ID' => 'userid'], 'Permission' => ObsClient::PermissionFullControl],
              // Grant READ to all users, including anonymous users.
              ['Grantee' => ['Type' => 'Group', 'URI' => ObsClient::GroupAllUsers], 'Permission' => ObsClient::PermissionRead],
              // Grant WRITE to authenticated users (any OBS account).
              ['Grantee' => ['Type' => 'Group', 'URI' => ObsClient::GroupAuthenticatedUsers], 'Permission' => ObsClient::PermissionWrite],
              // Grant WRITE and READ_ACP to the log delivery group (one grant per permission).
              ['Grantee' => ['Type' => 'Group', 'URI' => ObsClient::GroupLogDelivery], 'Permission' => ObsClient::PermissionWrite],
              ['Grantee' => ['Type' => 'Group', 'URI' => ObsClient::GroupLogDelivery], 'Permission' => ObsClient::PermissionReadAcp]
       ]
]);

printf("RequestId:%s\n",$resp['RequestId']);
NOTE:
  • Use the Owner parameter to specify the bucket owner and the Grants parameter to specify the grantees and their permissions.
  • The owner or grantee ID needed in the ACL is the account ID, which can be viewed on the My Credential page of OBS Console.
  • OBS buckets support three types of grantee group:
    • Authenticated users (any OBS account): ObsClient::GroupAuthenticatedUsers
    • All users, including anonymous users: ObsClient::GroupAllUsers
    • Log delivery group: ObsClient::GroupLogDelivery

Obtaining a Bucket ACL

You can call ObsClient->getBucketAcl to obtain the bucket ACL. Sample code is as follows:

// Import the third-party open source libraries.
require 'vendor/autoload.php';
// Import the SDK code library.
require 'obs-autoloader.php';
// Declare the namespace.
use Obs\S3\ObsClient;
// Create an instance of ObsClient.
$obsClient = new ObsClient([
       'key' => '*** Provide your Access Key ***',
       'secret' => '*** Provide your Secret Key ***',
       'endpoint' => 'https://yourdomainname'
]);

$resp = $obsClient->getBucketAcl([
       'Bucket' => 'bucketname'
]);

printf("RequestId:%s\n", $resp['RequestId']);
printf("Owner[ID]:%s\n", $resp['Owner']['ID']);
printf("Owner[DisplayName]:%s\n", $resp['Owner']['DisplayName']);
foreach ($resp['Grants'] as $index => $grant) {
       printf("Grants[%d]\n", $index + 1);
       // A grantee carries either an account ID (CanonicalUser) or a group URI, not both.
       printf("Grantee[ID]:%s\n", isset($grant['Grantee']['ID']) ? $grant['Grantee']['ID'] : '');
       printf("Grantee[URI]:%s\n", isset($grant['Grantee']['URI']) ? $grant['Grantee']['URI'] : '');
       printf("Permission:%s\n", $grant['Permission']);
}
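Reading an ACL back is usually the first step of an audit: which grants make the bucket reachable by every user or every OBS account, and how do you remove them without disturbing the owner or a legitimate log delivery grant? The following is an added example that combines getBucketAcl and setBucketAcl from the two sections above; it is not part of the OBS documentation or SDK, and the helper names are my own. It assumes that setBucketAcl replaces the bucket's entire ACL with the Owner and Grants supplied (as the S3 PUT Bucket acl API does); confirm this against the OBS API reference before running it with remediation enabled. The sample ACL it checks offline is constructed, with made-up account IDs.

```php
<?php
// Added example, not part of the OBS PHP SDK documentation.
// Assumption: setBucketAcl replaces the whole ACL with the Owner and Grants given.
require 'vendor/autoload.php';
require 'obs-autoloader.php';
use Obs\S3\ObsClient;

/**
 * Rebuild a grant from a getBucketAcl response in the form setBucketAcl expects.
 * A grantee with a URI is a group; otherwise it is an account (CanonicalUser).
 */
function normalizeGrant(array $grant)
{
    $g = $grant['Grantee'];
    $grantee = isset($g['URI'])
        ? ['Type' => 'Group', 'URI' => $g['URI']]
        : ['Type' => 'CanonicalUser', 'ID' => $g['ID']];
    return ['Grantee' => $grantee, 'Permission' => $grant['Permission']];
}

/**
 * Split grants into those exposing the bucket to all users or all OBS
 * accounts ('wide') and the rest ('keep'). Log delivery group grants are
 * kept: a logging target bucket needs WRITE and READ_ACP for that group.
 */
function partitionGrants(array $grants)
{
    $wideGroups = [ObsClient::GroupAllUsers, ObsClient::GroupAuthenticatedUsers];
    $out = ['keep' => [], 'wide' => []];
    foreach ($grants as $grant) {
        $grant = normalizeGrant($grant);
        $isWide = $grant['Grantee']['Type'] === 'Group'
            && in_array($grant['Grantee']['URI'], $wideGroups, true);
        $out[$isWide ? 'wide' : 'keep'][] = $grant;
    }
    return $out;
}

/**
 * Replacement ACL: same owner, only the 'keep' grants, plus an explicit
 * FULL_CONTROL grant for the owner if none exists, so the owner does not lose
 * READ/WRITE on the bucket (READ_ACP/WRITE_ACP are permanent for the owner).
 */
function hardenedAcl(array $acl)
{
    $parts = partitionGrants(isset($acl['Grants']) ? $acl['Grants'] : []);
    $ownerId = $acl['Owner']['ID'];
    $ownerHasGrant = false;
    foreach ($parts['keep'] as $grant) {
        if ($grant['Grantee']['Type'] === 'CanonicalUser' && $grant['Grantee']['ID'] === $ownerId) {
            $ownerHasGrant = true;
        }
    }
    if (!$ownerHasGrant) {
        array_unshift($parts['keep'], [
            'Grantee'    => ['Type' => 'CanonicalUser', 'ID' => $ownerId],
            'Permission' => ObsClient::PermissionFullControl,
        ]);
    }
    return [
        'acl'     => ['Owner' => $acl['Owner'], 'Grants' => $parts['keep']],
        'removed' => $parts['wide'],
    ];
}

/**
 * Report wide-group grants on $bucket; with $remediate = true, write the
 * hardened ACL back. Returns the number of grants removed.
 */
function auditBucketAcl(ObsClient $obsClient, $bucket, $remediate = false)
{
    $resp = $obsClient->getBucketAcl(['Bucket' => $bucket]);
    $result = hardenedAcl([
        'Owner'  => $resp['Owner'],
        'Grants' => isset($resp['Grants']) ? $resp['Grants'] : [],
    ]);
    foreach ($result['removed'] as $grant) {
        printf("%s: %s is granted to %s\n", $bucket, $grant['Permission'], $grant['Grantee']['URI']);
    }
    if ($remediate && count($result['removed']) > 0) {
        $obsClient->setBucketAcl(array_merge(['Bucket' => $bucket], $result['acl']));
    }
    return count($result['removed']);
}

// Offline check on a constructed ACL shaped like the "Directly Setting a Bucket ACL" sample.
$sample = [
    'Owner'  => ['ID' => 'ownerid', 'DisplayName' => 'ownername'],
    'Grants' => [
        ['Grantee' => ['ID' => 'userid'], 'Permission' => ObsClient::PermissionFullControl],
        ['Grantee' => ['URI' => ObsClient::GroupAllUsers], 'Permission' => ObsClient::PermissionRead],
        ['Grantee' => ['URI' => ObsClient::GroupAuthenticatedUsers], 'Permission' => ObsClient::PermissionWrite],
        ['Grantee' => ['URI' => ObsClient::GroupLogDelivery], 'Permission' => ObsClient::PermissionWrite],
    ],
];
$result = hardenedAcl($sample);
printf("removed %d grants, %d remain, first remaining grantee: %s\n",
    count($result['removed']), count($result['acl']['Grants']), $result['acl']['Grants'][0]['Grantee']['ID']);

// Against a real bucket (needs credentials); pass true as the third argument to rewrite the ACL.
// $obsClient = new ObsClient(['key' => '...', 'secret' => '...', 'endpoint' => 'https://yourdomainname']);
// auditBucketAcl($obsClient, 'bucketname', false);
```

On the constructed sample the two wide-group grants (READ for all users, WRITE for authenticated users) are removed, the FULL_CONTROL grant to userid and the log delivery WRITE grant are kept, and because no grant named the owner, a FULL_CONTROL grant for ownerid is put first. Run the audit in report-only mode over all buckets before enabling remediation, since a bucket that intentionally serves public content will show up in the same report.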