Object ACL Overview

OBS offers account-based ACLs. The bucket owner (which can be the bucket creator or any other user under the same account of the bucket creator) can use ACLs to grant access permissions to other accounts, such as the object read, ACL read, and ACL write permissions.

By default, only the bucket owner can access objects in the bucket. All users under the same account have the same permissions by default. You can also assign different permissions to users under the same account by configuring the bucket policy. A bucket ACL can only authorize permissions to accounts. However, you can use bucket policies to assign permissions to accounts and users under the accounts.

If both the bucket ACL and object ACL are configured and the authorized permissions conflict, the object ACL permissions prevail.

OBS can use an ACL to assign object access permissions to the following types of authorized users, as described in Table 1.

Table 1 Authorized users supported by OBS

  • Owner: Bucket creator or any other user under the same account as the bucket creator. The bucket owner permanently has the ACL read and write permissions by default.
  • Anonymous User: A user that is not registered with OBS. If the access permission for a bucket and the objects in it is granted to anonymous users, all users can access the bucket and its objects.
  • Registered User: A user that is registered with OBS. For example, a registered user can access OBS Browser using AKs and SKs.
  • Specific User: An account that has permission to access a bucket. The bucket owner assigns this permission by account ID or account name.

OBS supports the following types of object access permissions, as described in Table 2.

Table 2 Object access permissions supported by OBS

  • Bucket Access
      • Read: Allowed to obtain the object content and metadata.
  • Permission Access
      • Read: Allowed to obtain the ACL of the object. The owner of this object has this permission permanently by default.
      • Write: Allowed to update the ACL of the object. The owner of this object has this permission permanently by default.

NOTE:
  • A request supports a maximum of 100 permissions.
  • New permissions directly overwrite existing permissions on an object.

Application Scenarios of Object ACLs

Object ACLs are recommended for the following scenarios:

  • Object-level access control is required. A bucket policy can grant access permission to an object or a set of objects. If you want to further specify an access permission for an object in the set of objects for which a bucket policy has been configured, then the object ACL is recommended for easier access control over single objects.
  • An object is accessed through a link. Generally, if you want to grant anonymous users the permission to read an object through a link, use an object ACL.

Handling Conflicts Between an Object ACL and Bucket ACL

If both the bucket ACL and object ACL are configured, the object ACL permission takes precedence over the bucket ACL permission. If a bucket policy is also configured and the object access permission defined in the bucket policy conflicts with the access permission configured in the object ACL, the deny statement in the bucket policy prevails.

Mapping Relationship Between Object ACLs and Bucket Policies

An object ACL is used to grant basic read and write permissions for the object. More actions can be performed by configuring the bucket policy with advanced settings. For details, see the info tips for actions and conditions. The following table describes the mapping relationship between object ACL access permissions and bucket policy actions.

  • Access to object
      • Read: GetObject, GetObjectVersion
  • Access to object ACL
      • Read: GetObjectAcl, GetObjectVersionAcl
      • Write: PutObjectAcl, PutObjectVersionAcl
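As an added illustration (not Huawei Cloud's code and not OBS's actual authorization engine), the following Python models the precedence rules stated in the conflict-handling section together with the ACL-to-action mapping above: a deny in the bucket policy always wins, an object ACL takes precedence over the bucket ACL, and the owner permanently holds ACL read/write. The grantee key "*" standing for anonymous users, and treating a configured object ACL as fully replacing the bucket ACL for that object, are modelling assumptions.

```python
# Added example: a simplified model of the object-access precedence rules
# described on this page. Not OBS's real evaluation logic.
from dataclasses import dataclass, field

# Mapping from the page's table: (ACL target, permission) -> bucket policy actions.
ACL_TO_ACTIONS = {
    ("object", "read"): {"GetObject", "GetObjectVersion"},
    ("acl", "read"): {"GetObjectAcl", "GetObjectVersionAcl"},
    ("acl", "write"): {"PutObjectAcl", "PutObjectVersionAcl"},
}


@dataclass
class Acl:
    owner: str
    # grantee -> set of (target, permission); "*" = anonymous users (assumption)
    grants: dict = field(default_factory=dict)

    def allows(self, grantee, perm):
        if grantee == self.owner and perm[0] == "acl":
            return True  # owner permanently has ACL read/write
        granted = self.grants.get(grantee, set()) | self.grants.get("*", set())
        return perm in granted


@dataclass
class PolicyStatement:
    effect: str        # "Allow" or "Deny"
    principals: set    # account IDs, or {"*"} for everyone
    actions: set       # e.g. {"GetObject"}
    resources: set     # object keys, or {"*"} for all objects


def policy_effects(policy, principal, action, key):
    """Yield the effect of every statement that matches this request."""
    for s in policy:
        if (action in s.actions and ("*" in s.principals or principal in s.principals)
                and ("*" in s.resources or key in s.resources)):
            yield s.effect


def effective_access(principal, action, key, bucket_acl, object_acl, policy):
    """True if `principal` may perform bucket-policy `action` on object `key`."""
    effects = set(policy_effects(policy, principal, action, key))
    if "Deny" in effects:
        return False  # explicit deny in the bucket policy prevails over any ACL
    perm = next((p for p, acts in ACL_TO_ACTIONS.items() if action in acts), None)
    acl = object_acl if object_acl is not None else bucket_acl  # object ACL wins
    if perm is not None and acl.allows(principal, perm):
        return True
    if "Allow" in effects:
        return True
    return principal == bucket_acl.owner  # by default only the bucket owner has access
```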