Managing Bucket ACLs

A bucket ACL can be configured in three modes:

  1. Specify a pre-defined access control policy during bucket creation.
  2. Call ObsClient.setBucketAcl to specify a pre-defined access control policy.
  3. Call ObsClient.setBucketAcl to set the ACL directly.

The following table lists the five permission types supported by OBS.

Permission      Description

READ            A grantee with this permission for a bucket can obtain the list of objects in the bucket and the metadata of the bucket.
                A grantee with this permission for an object can obtain the object content and metadata.

WRITE           A grantee with this permission for a bucket can upload, overwrite, and delete any object in the bucket.
                This permission is not applicable to objects.

READ_ACP        A grantee with this permission can obtain the ACL of a bucket or object.
                A bucket or object owner has this permission permanently.

WRITE_ACP       A grantee with this permission can update the ACL of a bucket or object.
                A bucket or object owner has this permission permanently.
                Because a grantee with this permission can rewrite the access control policy, WRITE_ACP effectively confers full access.

FULL_CONTROL    A grantee with this permission for a bucket has READ, WRITE, READ_ACP, and WRITE_ACP permissions for the bucket.
                A grantee with this permission for an object has READ, WRITE, READ_ACP, and WRITE_ACP permissions for the object.

There are seven access control policies pre-defined in OBS, as described in the following table:

Policy                       Description

private                      The owner of a bucket or object has the FULL_CONTROL permission for the bucket or object. Other users have no permission to access the bucket or object.

public-read                  The owner of a bucket or object has the FULL_CONTROL permission for the bucket or object. Other users, including anonymous users, have the READ permission.

public-read-write            The owner of a bucket or object has the FULL_CONTROL permission for the bucket or object. Other users, including anonymous users, have the READ and WRITE permissions.

authenticated-read           The owner of a bucket or object has the FULL_CONTROL permission for the bucket or object. Other OBS users have the READ permission.

bucket-owner-read            The owner of an object has the FULL_CONTROL permission for the object, and the owner of the bucket where the object resides has the READ permission.

bucket-owner-full-control    The owner of an object has the FULL_CONTROL permission for the object, and the owner of the bucket where the object resides has the FULL_CONTROL permission for the object.

log-delivery-write           A log delivery group has the WRITE and READ_ACP permissions for buckets.

Specifying a Pre-defined Access Control Policy During Bucket Creation

Sample code:

# Import the modules.
from com.obs.client.obs_client import ObsClient
from com.obs.models.create_bucket_header import CreateBucketHeader

# Create an instance of ObsClient.
obsClient = ObsClient(
    access_key_id='*** Provide your Access Key ***',
    secret_access_key='*** Provide your Secret Key ***',
    server='yourdomainname'
)

# Set the bucket ACL to public-read-write. With this policy any user,
# including anonymous users, can read and write objects in the bucket.
header = CreateBucketHeader(aclControl='public-read-write')
# Create a bucket.
resp = obsClient.createBucket('bucketname', header=header)

if resp.status < 300:
    print('requestId:', resp.requestId)
else:
    print('errorCode:', resp.errorCode)
    print('errorMessage:', resp.errorMessage)

Setting a Pre-defined Access Control Policy for a Bucket

Sample code:

# Import the module.
from com.obs.client.obs_client import ObsClient

# Create an instance of ObsClient.
obsClient = ObsClient(
    access_key_id='*** Provide your Access Key ***',
    secret_access_key='*** Provide your Secret Key ***',
    server='yourdomainname'
)

# Set the bucket ACL to log-delivery-write.
resp = obsClient.setBucketAcl('bucketname', aclControl='log-delivery-write')

if resp.status < 300:
    print('requestId:', resp.requestId)
else:
    print('errorCode:', resp.errorCode)
    print('errorMessage:', resp.errorMessage)

Directly Setting a Bucket ACL

Sample code:

# Import the modules.
from com.obs.client.obs_client import ObsClient
from com.obs.models.acl import ACL
from com.obs.models.owner import Owner
from com.obs.models.grant import Grant, Permission
from com.obs.models.grantee import Grantee, Group

# Create an instance of ObsClient.
obsClient = ObsClient(
    access_key_id='*** Provide your Access Key ***',
    secret_access_key='*** Provide your Secret Key ***',
    server='yourdomainname'
)

# The bucket owner. The owner ID is the account ID (see the note below).
owner = Owner(owner_id='ownerid', owner_name='ownername')

# A specific user and the log delivery group as grantees.
grantee1 = Grantee(grantee_id='userid', grantee_name='username')
grantee2 = Grantee(group=Group.LOG_DELIVERY)
# Grant the READ and WRITE permissions to the specified user.
grant1 = Grant(grantee=grantee1, permission=Permission.READ)
grant2 = Grant(grantee=grantee1, permission=Permission.WRITE)
# Grant the WRITE and READ_ACP permissions to the log delivery group.
grant3 = Grant(grantee=grantee2, permission=Permission.WRITE)
grant4 = Grant(grantee=grantee2, permission=Permission.READ_ACP)

# Setting an ACL replaces the existing grants, so list every grant the bucket should keep.
acl = ACL(owner=owner, grants=[grant1, grant2, grant3, grant4])
# Directly set the bucket ACL.
resp = obsClient.setBucketAcl('bucketname', acl)

if resp.status < 300:
    print('requestId:', resp.requestId)
else:
    print('errorCode:', resp.errorCode)
    print('errorMessage:', resp.errorMessage)

NOTE:
  • The owner or grantee ID needed in the ACL indicates the account ID, which can be viewed on the My Credential page of OBS Console.
  • OBS buckets support three types of grantee group:
    • Authorized users: http://acs.amazonaws.com/groups/global/AuthenticatedUsers
    • All users: http://acs.amazonaws.com/groups/global/AllUsers
    • Log delivery group: http://acs.amazonaws.com/groups/s3/LogDelivery

Obtaining a Bucket ACL

You can call ObsClient.getBucketAcl to obtain the bucket ACL. Sample code is as follows:

# Import the module.
from com.obs.client.obs_client import ObsClient

# Create an instance of ObsClient.
obsClient = ObsClient(
    access_key_id='*** Provide your Access Key ***',
    secret_access_key='*** Provide your Secret Key ***',
    server='yourdomainname'
)

# Obtain the bucket ACL.
resp = obsClient.getBucketAcl('bucketname')

if resp.status < 300:
    print('requestId:', resp.requestId)
    print('owner_id:', resp.body.owner.owner_id)
    print('owner_name:', resp.body.owner.owner_name)
    # Print every grant: a grantee is either a user (grantee_id/grantee_name) or a group.
    for index, grant in enumerate(resp.body.grants, start=1):
        print('grant [' + str(index) + ']')
        print('grant_id:', grant.grantee.grantee_id)
        print('grant_name:', grant.grantee.grantee_name)
        print('group:', grant.grantee.group)
        print('permission:', grant.permission)
else:
    print('errorCode:', resp.errorCode)
    print('errorMessage:', resp.errorMessage)
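Reading the ACL back is only useful if something checks it. The following is an added example, not code from the OBS SDK or its documentation, that turns the grants returned by getBucketAcl into a short list of findings: grants to the AllUsers and AuthenticatedUsers groups (public or tenant-wide exposure), a log delivery group holding more than the WRITE and READ_ACP permissions that log-delivery-write is documented to grant, and WRITE_ACP or FULL_CONTROL held by a non-owner, which the permission table above explains is equivalent to full access. The AclGrant and BucketAcl classes are stand-ins that mirror the field names printed in the sample above (owner_id, grantee_id, group, permission); the group values are the URIs from the note under "Directly Setting a Bucket ACL", and the sample ACL is constructed. Whether the SDK returns the group as a URI or as a constant such as Group.LOG_DELIVERY is an assumption to verify against the installed version and map in acl_from_sdk_body if needed.

```python
# Added example, not part of the OBS SDK documentation: audit a bucket ACL
# for grants a defender would want flagged. AclGrant and BucketAcl are plain
# stand-ins mirroring the fields printed by the getBucketAcl sample
# (owner_id, grantee_id, group, permission); SAMPLE_ACL below is constructed.
from dataclasses import dataclass, field
from typing import Any, List, Optional

# Grantee group URIs as listed in the NOTE under "Directly Setting a Bucket ACL".
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
LOG_DELIVERY = "http://acs.amazonaws.com/groups/s3/LogDelivery"

# Permissions that let a grantee rewrite the ACL itself and therefore
# amount to full access (see the WRITE_ACP row of the permission table).
ACL_ESCALATING = {"WRITE_ACP", "FULL_CONTROL"}
# Permissions that let a grantee change the bucket's contents or its ACL.
MUTATING = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}
# The only permissions the log-delivery-write policy is documented to grant.
LOG_DELIVERY_EXPECTED = {"WRITE", "READ_ACP"}


@dataclass
class AclGrant:
    permission: str
    grantee_id: Optional[str] = None   # set for a user grantee
    group: Optional[str] = None        # set for a group grantee (URI above)


@dataclass
class BucketAcl:
    owner_id: str
    grants: List[AclGrant] = field(default_factory=list)


def acl_from_sdk_body(body: Any) -> BucketAcl:
    """Convert a getBucketAcl response body (resp.body in the sample above)
    into a BucketAcl. Attribute names follow that sample. Assumption: the
    SDK may return the group as a constant rather than a URI; map it here
    if your installed version does."""
    grants = [
        AclGrant(permission=str(g.permission),
                 grantee_id=g.grantee.grantee_id,
                 group=g.grantee.group)
        for g in body.grants
    ]
    return BucketAcl(owner_id=body.owner.owner_id, grants=grants)


def audit_bucket_acl(acl: BucketAcl) -> List[str]:
    """Return one finding per risky grant, in the order the grants appear."""
    findings: List[str] = []
    for g in acl.grants:
        if g.group == ALL_USERS:
            sev = "HIGH" if g.permission in MUTATING else "MEDIUM"
            findings.append(f"{sev}: anonymous users granted {g.permission}")
        elif g.group == AUTHENTICATED_USERS:
            sev = "HIGH" if g.permission in MUTATING else "MEDIUM"
            findings.append(f"{sev}: all authenticated OBS users granted {g.permission}")
        elif g.group == LOG_DELIVERY:
            if g.permission not in LOG_DELIVERY_EXPECTED:
                findings.append(f"LOW: log delivery group granted unexpected {g.permission}")
        elif g.grantee_id and g.grantee_id != acl.owner_id and g.permission in ACL_ESCALATING:
            findings.append(f"HIGH: non-owner {g.grantee_id} granted {g.permission}, "
                            "which allows rewriting the ACL")
    return findings


# Constructed sample: the owner keeps FULL_CONTROL, the bucket is world-readable,
# logging is configured as log-delivery-write would configure it, and a second
# account has been given WRITE_ACP.
SAMPLE_ACL = BucketAcl(
    owner_id="owner-account-id",
    grants=[
        AclGrant("FULL_CONTROL", grantee_id="owner-account-id"),
        AclGrant("READ", group=ALL_USERS),
        AclGrant("WRITE", group=LOG_DELIVERY),
        AclGrant("READ_ACP", group=LOG_DELIVERY),
        AclGrant("WRITE_ACP", grantee_id="other-account-id"),
    ],
)

if __name__ == "__main__":
    for line in audit_bucket_acl(SAMPLE_ACL):
        print(line)
```

For a live bucket, pass acl_from_sdk_body(resp.body) from the getBucketAcl call above into audit_bucket_acl; a private bucket whose only grant is the owner's FULL_CONTROL produces no findings, which makes the function easy to run as a periodic check across many buckets.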