Bucket ACL Overview

Introduction to Bucket ACL

An access control list (ACL) is a list that defines grantees and their granted permissions. Bucket ACLs control access to buckets for accounts and user groups. A bucket owner can grant access permissions to other accounts or user groups by configuring the bucket ACL.

Table 1 lists the users to whom you can grant access permissions by configuring a bucket ACL.

Table 1 Authorized users supported by OBS

Specific User: An account that has permission to access a bucket. The bucket owner assigns this permission by account ID or account name. Once a specific account is granted certain access permissions, all IAM users under that account who have OBS resource permissions have the same access permissions for the bucket. If you want to grant different permissions to different IAM users, use a bucket policy instead. For details, see Configuring a Bucket Policy.

Owner: The account that creates a bucket, or the account to which the IAM user who creates the bucket belongs. The bucket owner has all bucket access permissions by default. The read and write permissions for the bucket ACL are permanently available to the bucket owner and cannot be modified.

NOTE: If you remove the bucket read and write permissions from the bucket owner, the owner cannot obtain the list of objects in the bucket or upload objects to the bucket. Therefore, it is recommended that you do not change the permissions of the bucket owner.

Anonymous User: An anonymous user can be anyone, registered or unregistered. If access permission for a bucket and the objects in it is granted to anonymous users, everyone can access the bucket and its objects.

NOTICE: To ensure data security, it is recommended that you do not grant anonymous users any bucket access permission through the bucket ACL.

Registered User: A registered user is any account registered with the public cloud service, excluding IAM users or user groups created by any account. To obtain access permissions, a registered user must be authenticated (an AK and SK are used for identity authentication). If the registered user group is granted the write permission for a bucket, any registered and authenticated public cloud service account can upload objects to the bucket, overwrite objects in the bucket, and delete objects from the bucket.

Log Delivery User: A log delivery user only delivers access logs of buckets and objects to the configured target bucket. OBS does not create or upload any file to a bucket automatically. Therefore, if you want to record access logs for buckets, you need to grant the permission to log delivery users, who will deliver the access logs to your specified target bucket.

NOTICE: After Logging is enabled, the bucket write permission and the ACL read permission are enabled automatically for log delivery users of the Target Bucket. If you manually disable either of these permissions, bucket logging fails.

OBS supports the following types of access permissions, as listed in Table 2.

Table 2 Access permissions supported by OBS

Bucket Access (Read): A grantee with this permission for a bucket can obtain the list of objects in the bucket and the metadata of the bucket.

Bucket Access (Write): A grantee with this permission for a bucket can upload, overwrite, and delete any object in the bucket.

Permission Access (Read): A grantee with this permission for a bucket can obtain the ACL of the bucket. The bucket owner has this permission permanently by default.

Permission Access (Write): A grantee with this permission for a bucket can update the ACL of the bucket. The bucket owner has this permission permanently by default.

NOTE: Granting new permissions for a bucket replaces the existing bucket ACL instead of adding to it, so any grant you want to keep must be included again in the new ACL.

Application Scenarios of Bucket ACL

It is recommended that bucket ACLs be used in the following scenarios:

  • Grant the write permission of a bucket to the log delivery user, so that access logs can be delivered to the target bucket.
  • Grant the read and write permissions of a bucket to an account, so that bucket data can be shared or external buckets can be added. For example, if account A grants the bucket read and write permissions to account B, then account B can access the bucket by using the API and SDK, and can add an external bucket through OBS Browser.
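The following is an added example, not OBS code and not an OBS SDK call. It models a bucket ACL in plain Python (the owner plus a list of grants, which is an assumption about the data model, not the OBS wire format) and uses the S3-style names READ, WRITE, READ_ACP and WRITE_ACP as stand-ins for the four options in Table 2. It shows two things a practitioner typically wants when working with the ACL described above: how to add a grant (such as the log delivery user or a partner account from the scenarios list) without dropping the existing grants, given the NOTE that a new ACL replaces the old one, and how to audit an ACL for the grants Table 1 warns against (anonymous access, write access for all registered users, an owner stripped of bucket read/write, or a log delivery user missing the permissions logging needs).

```python
"""Bucket ACL helper: add grants without clobbering the existing ACL, and
audit an ACL for risky grantees.

Added example, not OBS code. The ACL is modelled in plain Python
(assumption: one owner ID plus a list of grants); permission names use the
S3-style READ / WRITE / READ_ACP / WRITE_ACP convention as stand-ins for
Table 2's Bucket Access Read/Write and Permission Access Read/Write.
"""
from dataclasses import dataclass, field
from typing import List, Set

# Grantee kinds from Table 1. SPECIFIC carries an account ID; the others do not.
SPECIFIC = "specific_user"
ANONYMOUS = "anonymous_user"
REGISTERED = "registered_user"
LOG_DELIVERY = "log_delivery_user"

# Table 2 options mapped to S3-style permission names (assumption).
BUCKET_READ = "READ"        # Bucket Access (Read)
BUCKET_WRITE = "WRITE"      # Bucket Access (Write)
ACL_READ = "READ_ACP"       # Permission Access (Read)
ACL_WRITE = "WRITE_ACP"     # Permission Access (Write)
ALL_PERMS = frozenset({BUCKET_READ, BUCKET_WRITE, ACL_READ, ACL_WRITE})


@dataclass(frozen=True)
class Grant:
    grantee_kind: str
    permissions: frozenset
    account_id: str = ""    # only meaningful for SPECIFIC grantees


@dataclass
class BucketAcl:
    owner_id: str
    grants: List[Grant] = field(default_factory=list)


def put_acl_with_new_grant(current: BucketAcl, new: Grant) -> BucketAcl:
    """Return the complete ACL to submit when adding one grant.

    Because putting an ACL replaces the existing permissions, every grant
    that should survive is re-sent alongside the new one. A grant for a
    grantee that already exists is merged instead of duplicated.
    """
    merged: List[Grant] = []
    found = False
    for g in current.grants:
        if (g.grantee_kind, g.account_id) == (new.grantee_kind, new.account_id):
            merged.append(Grant(g.grantee_kind, g.permissions | new.permissions, g.account_id))
            found = True
        else:
            merged.append(g)
    if not found:
        merged.append(new)
    return BucketAcl(current.owner_id, merged)


def audit_acl(acl: BucketAcl) -> List[str]:
    """Flag the grants Table 1 warns against. Each finding starts with a code."""
    findings: List[str] = []
    owner_perms: Set[str] = set()
    for g in acl.grants:
        perms = ",".join(sorted(g.permissions))
        if g.grantee_kind == ANONYMOUS and g.permissions:
            findings.append(f"ANONYMOUS_GRANT: anonymous users hold {perms}")
        elif g.grantee_kind == REGISTERED and BUCKET_WRITE in g.permissions:
            findings.append("REGISTERED_WRITE: any authenticated cloud account can "
                            "upload, overwrite and delete objects")
        elif g.grantee_kind == LOG_DELIVERY and not {BUCKET_WRITE, ACL_READ} <= g.permissions:
            findings.append(f"LOG_DELIVERY_INCOMPLETE: log delivery user holds only "
                            f"{perms}; bucket logging will fail")
        elif g.grantee_kind == SPECIFIC and g.account_id == acl.owner_id:
            owner_perms |= g.permissions
    # The owner keeps READ_ACP/WRITE_ACP permanently, but bucket READ/WRITE can
    # be removed, which breaks listing and uploads for the owner.
    missing = {BUCKET_READ, BUCKET_WRITE} - owner_perms
    if missing:
        findings.append("OWNER_MISSING_BUCKET_ACCESS: owner lacks " + ",".join(sorted(missing)))
    return findings


if __name__ == "__main__":
    # Constructed sample ACL: owner plus a read-only partner account.
    current = BucketAcl("owner-account-A", [
        Grant(SPECIFIC, ALL_PERMS, "owner-account-A"),
        Grant(SPECIFIC, frozenset({BUCKET_READ}), "partner-account-B"),
    ])
    updated = put_acl_with_new_grant(
        current, Grant(LOG_DELIVERY, frozenset({BUCKET_WRITE, ACL_READ})))
    print("grants to submit:", [(g.grantee_kind, sorted(g.permissions)) for g in updated.grants])
    print("findings on updated ACL:", audit_acl(updated))

    # Constructed risky ACL: owner stripped of bucket access, public read, open write.
    risky = BucketAcl("owner-account-A", [
        Grant(SPECIFIC, frozenset({ACL_READ, ACL_WRITE}), "owner-account-A"),
        Grant(ANONYMOUS, frozenset({BUCKET_READ})),
        Grant(REGISTERED, frozenset({BUCKET_WRITE})),
    ])
    for finding in audit_acl(risky):
        print(finding)
```

The merge step is the important part: an ACL update that sends only the new grant would remove the partner account's read access, which is exactly the behaviour the NOTE describes. Running the audit on the ACL you are about to submit, before submitting it, catches the anonymous and registered-user grants that the NOTICE entries advise against.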