Relationship Between Bucket ACLs and Bucket Policies

If a bucket ACL and a bucket policy are used at the same time and their authorization conflicts, the bucket policy prevails.

A bucket ACL can be used to authorize permissions only to accounts. A bucket policy can be used to authorize permissions to accounts or users under the accounts.

Mapping Between Bucket ACLs and Bucket Policies

A bucket ACL is used to grant basic read and write permissions on a bucket. A custom bucket policy can specify many more bucket actions; for details, see Bucket Policy Actions. Bucket policies are a supplement to a bucket ACL. Apart from granting permissions to the log delivery user group, bucket policies can replace the bucket ACL for managing the access permissions of a bucket. Table 1 shows the mapping between bucket ACL access permissions and bucket policy actions.

Table 1 Mapping between bucket ACLs and bucket policies

ACL Permission: Bucket access permissions
  Item: Read permission
  Mapped Action in Custom Bucket Policies:
    • ListBucket (Lists objects in the bucket, and gets the bucket metadata.)
    • ListBucketVersions (Lists versioning objects in the bucket.)
    • ListBucketMultipartUploads (Lists multipart upload tasks.)
  Item: Write permission
  Mapped Action in Custom Bucket Policies:
    • PutObject (Performs PUT upload, POST upload, multipart upload, initialization of uploaded parts, and merging of parts.)
    • DeleteObject (Deletes objects.)
    • DeleteObjectVersion (Deletes objects of certain versions.)

ACL Permission: Access permissions
  Item: Read permission
  Mapped Action in Custom Bucket Policies:
    • GetBucketAcl (Obtains the bucket ACL information.)
  Item: Write permission
  Mapped Action in Custom Bucket Policies:
    • PutBucketAcl (Sets the bucket ACL.)

Handling Conflicts Between Bucket ACLs and Bucket Policies

When a permission is granted in the bucket ACL but denied in a bucket policy, a permission conflict occurs. For example, the bucket ACL grants the bucket read permission to account B, while the bucket policy does not allow account B to perform the ListBucket operation on the bucket. As a result, account B cannot perform the ListBucket operation.

If a bucket ACL and a bucket policy are used at the same time and their authorization settings conflict, the bucket policy prevails.
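The conflict rule above, worked through as an added example (not OBS's own code or policy syntax): the Table 1 mapping turns an ACL grant into the bucket actions it covers, and an explicit policy Deny wins over any ACL grant. The policy statement shape (Effect/Principal/Action) and the evaluation order are simplified assumptions, not the full OBS policy language.

```python
# Added example (not OBS's own code): decides whether an account may perform a
# bucket action, using Table 1's ACL-to-action mapping and the rule that a
# bucket policy prevails over a conflicting bucket ACL grant.
# The policy statement shape below is a constructed, simplified form.

# Table 1: bucket policy actions covered by each ACL permission.
ACL_TO_ACTIONS = {
    ("bucket", "read"): {"ListBucket", "ListBucketVersions", "ListBucketMultipartUploads"},
    ("bucket", "write"): {"PutObject", "DeleteObject", "DeleteObjectVersion"},
    ("acl", "read"): {"GetBucketAcl"},
    ("acl", "write"): {"PutBucketAcl"},
}


def acl_allows(acl, account, action):
    """True if the ACL grants `account` a permission whose mapped actions include `action`."""
    return any(action in ACL_TO_ACTIONS[perm] for perm in acl.get(account, ()))


def evaluate(acl, policy, account, action):
    """Return 'allow' or 'deny' for `account` performing `action` on the bucket.

    Assumed order: an explicit policy Deny always wins (policy prevails over
    the ACL); a policy Allow is sufficient on its own (policies can replace
    the ACL); otherwise the ACL grant decides; anything else is denied.
    """
    matching = [s for s in policy if account in s["Principal"] and action in s["Action"]]
    if any(s["Effect"] == "Deny" for s in matching):
        return "deny"
    if any(s["Effect"] == "Allow" for s in matching):
        return "allow"
    return "allow" if acl_allows(acl, account, action) else "deny"


# Constructed sample matching the text: the ACL grants account B bucket read
# permission, while the bucket policy denies ListBucket to account B.
ACL = {"B": [("bucket", "read")]}
POLICY = [{"Effect": "Deny", "Principal": ["B"], "Action": ["ListBucket"]}]

if __name__ == "__main__":
    for action in ("ListBucket", "ListBucketVersions", "PutObject"):
        # ListBucket -> deny (conflict), ListBucketVersions -> allow, PutObject -> deny
        print(action, evaluate(ACL, POLICY, "B", action))
```

Note that the ACL read grant still covers ListBucketVersions and ListBucketMultipartUploads, since the policy only denies ListBucket; a Deny has to name every mapped action to revoke the whole ACL read permission.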