Overview

Bucket access permissions can be managed by bucket ACLs or bucket policies. In OBS, resources refer to buckets, objects, and sub-resources associated with buckets and objects.

OBS Resources

Buckets and objects are the basic resources whose access needs to be controlled. Buckets and objects have associated sub-resources, and access to these sub-resources can be controlled as well. For buckets and objects, access control means controlling the permissions to read and write them; for their sub-resources, it means controlling the permissions to obtain and configure them.

A bucket has the following sub-resources:

  • Versioning: Contains the configuration information about bucket versioning.
  • Logging: Records logs about the access requests for buckets.
  • Tags: Contains the configuration information about bucket tags.
  • Event Notification: Contains the configuration information about bucket event notifications.
  • Permissions: Contains the configuration information about access permissions for buckets.
  • Lifecycle Rule: Contains the configuration information about lifecycle rules.
  • Static Website Hosting: Contains the configuration information about website hosting.
  • Cross-Domain Resource Sharing (CORS): Contains the configuration information about CORS requests.

An object has the following sub-resources:

  • Cold object: Contains the configuration information about an object in the Cold storage class, including its restoration validity period and restoration speed.
  • Metadata: Contains the configuration information about the object's metadata.
  • Object ACL: Contains the configuration information about the access control list (ACL) of the object.

A bucket ACL only manages access permissions for the bucket itself. A bucket policy, however, can manage access permissions for the bucket, the sub-resources of the bucket, and the sub-resources of objects in the bucket. Bucket access permission control therefore manages requests at the granularity of a resource and an operation: each resource can be allowed a different set of operations (for details, see Bucket Policy Action).

Bucket Owner

A bucket has only one owner, which is the account that creates the bucket. Each account has an ID, and can have multiple IAM users created under the account. If a bucket is created by an IAM user, the bucket owner is the account to which the IAM user belongs. Figure 1 illustrates the relationships between account, bucket owner, and IAM user.

Figure 1 Bucket owner

Bucket Permission Verification

Bucket access permissions are managed by bucket ACLs, bucket policies, and IAM user permission settings. When an operation request for a bucket is received, OBS determines whether the requesting user has the permission to perform the operation by checking the IAM user permission settings, the bucket ACL, and the bucket policy, in that order.

  1. User permissions: If the request is initiated by an IAM user, OBS first verifies whether the user group of the IAM user has the permission to access OBS resources, and then checks whether the user has the permission to access the bucket. If the request is initiated by an account, this verification is not needed.
  2. Bucket access permissions: The bucket policy and the bucket ACL together determine which specific operations an IAM user or account is allowed to perform on a bucket. For details about how a bucket ACL and bucket policy jointly determine the access permissions, see Handling Conflicts Between Bucket ACLs and Bucket Policies.
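The two-step verification above, modelled as an added example (this is illustrative code, not OBS's own implementation). All principals, groups, bucket names and action names are constructed; the rule used to combine the bucket policy with the bucket ACL in step 2 is an assumption made for this example, since the actual conflict handling is described in Handling Conflicts Between Bucket ACLs and Bucket Policies.

```python
from fnmatch import fnmatch

# Constructed sample data (not real OBS configuration). Principals are
# "account:<id>" for an account and "user:<id>" for an IAM user under it.
IAM_GROUP_OBS_ACCESS = {"devs": True, "guests": False}   # may the group use OBS at all?
IAM_USER_GROUP = {"user:alice": "devs", "user:bob": "guests", "user:carol": "devs"}
IAM_USER_BUCKET_ACCESS = {("user:alice", "photos")}       # per-user bucket grants

# A bucket ACL only covers the bucket itself; modelled here as action sets per grantee.
BUCKET_ACL = {"photos": {"account:1001": {"ListBucket", "GetBucketAcl"}}}

# A bucket policy can also cover bucket sub-resources and objects.
# Resources are written "bucket" or "bucket/key"; action names are constructed.
BUCKET_POLICY = {"photos": [
    {"Effect": "Allow", "Principal": {"user:alice"},
     "Action": {"GetObject", "GetBucketVersioning"}, "Resource": {"photos", "photos/*"}},
    {"Effect": "Deny", "Principal": {"*"},
     "Action": {"PutBucketVersioning"}, "Resource": {"photos"}},
]}

def _stmt_matches(stmt, principal, action, resource):
    return (("*" in stmt["Principal"] or principal in stmt["Principal"])
            and action in stmt["Action"]
            and any(fnmatch(resource, pat) for pat in stmt["Resource"]))

def is_authorized(principal, action, resource):
    bucket = resource.split("/", 1)[0]
    # Step 1 (IAM users only): the user's group must be allowed to use OBS, and the
    # user must have been granted access to this bucket. Accounts skip this step.
    if principal.startswith("user:"):
        group = IAM_USER_GROUP.get(principal)
        if not IAM_GROUP_OBS_ACCESS.get(group, False):
            return False
        if (principal, bucket) not in IAM_USER_BUCKET_ACCESS:
            return False
    # Step 2: bucket policy and bucket ACL together. ASSUMED combination rule for this
    # example: an explicit policy Deny wins, then any Allow (policy or ACL), else deny.
    matching = [s for s in BUCKET_POLICY.get(bucket, [])
                if _stmt_matches(s, principal, action, resource)]
    if any(s["Effect"] == "Deny" for s in matching):
        return False
    if any(s["Effect"] == "Allow" for s in matching):
        return True
    # Per the text above, the ACL manages the bucket only, so it never covers objects.
    acl_actions = BUCKET_ACL.get(bucket, {}).get(principal, set())
    return resource == bucket and action in acl_actions
```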