Bucket access permissions can be managed by bucket ACLs or bucket policies. In OBS, resources refer to buckets, objects, and sub-resources associated with buckets and objects.
Buckets and objects are the basic resources whose access must be controlled. Each has associated sub-resources, and access to those sub-resources can be controlled as well. For buckets and objects, access control means controlling who may read and write them; for their sub-resources, it means controlling who may obtain (get) and configure (set) them.
A bucket has the following sub-resources:
An object has the following sub-resources:
A bucket ACL manages access permissions for the bucket only. A bucket policy, by contrast, can manage access permissions for the bucket, the sub-resources of the bucket, and the sub-resources of objects in the bucket. Because a bucket policy names each resource separately, it can allow different operations on different resources and so control requests per resource (for the supported operations, see Bucket Policy Action).
A bucket has only one owner, which is the account that creates the bucket. Each account has an ID, and can have multiple IAM users created under the account. If a bucket is created by an IAM user, the bucket owner is the account to which the IAM user belongs. Figure 1 illustrates the relationships between account, bucket owner, and IAM user.
Bucket access permissions are managed by bucket ACLs, bucket policies and IAM user permission settings. When an operation request for a bucket is received, OBS determines whether the requesting user has the permission to perform the operation according to the IAM user permission settings, the bucket ACL, and the bucket policy.
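The following Python model illustrates the two points above: a bucket ACL reaches only the bucket itself while a bucket policy can also reach object sub-resources such as an object ACL, and a single request is decided from the IAM user permission settings, the bucket ACL and the bucket policy together. It is an added example, not OBS code. The bucket name, account and user IDs, ACL grants and policy statements are constructed, the mapping from ACL permissions to actions is an assumption, and so is the combination rule (an explicit Deny from any source wins, otherwise any Allow grants access, otherwise the request is denied); confirm the actual evaluation order in the OBS documentation before relying on it.

```python
"""Toy model of an OBS bucket access decision (added example, not OBS code)."""
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Optional

# Bucket ACL permissions are bucket-scoped and can only grant, never deny.
# Which concrete actions each ACL permission covers is an assumption here.
ACL_ACTIONS = {
    "READ": {"ListBucket"},
    "WRITE": {"PutObject", "DeleteObject"},
    "READ_ACP": {"GetBucketAcl"},
    "WRITE_ACP": {"PutBucketAcl"},
}
ACL_ACTIONS["FULL_CONTROL"] = set().union(*ACL_ACTIONS.values())


@dataclass(frozen=True)
class Statement:
    effect: str            # "Allow" or "Deny"
    principals: frozenset  # account or IAM user IDs; "*" matches anyone
    actions: frozenset     # bucket policy action names, wildcards allowed
    resources: frozenset   # "bucket" or "bucket/objectkey", wildcards allowed

    def matches(self, principal: str, action: str, resource: str) -> bool:
        return (
            ("*" in self.principals or principal in self.principals)
            and any(fnmatch(action, a) for a in self.actions)
            and any(fnmatch(resource, r) for r in self.resources)
        )


def evaluate_policy(statements, principal, action, resource) -> Optional[str]:
    """Deny if any matching statement denies, Allow if any allows, else None."""
    effects = {s.effect for s in statements if s.matches(principal, action, resource)}
    if "Deny" in effects:
        return "Deny"
    if "Allow" in effects:
        return "Allow"
    return None


def evaluate_acl(acl, principal, action, resource, bucket) -> Optional[str]:
    """The ACL only covers the bucket itself, so object requests get no answer."""
    if resource != bucket:
        return None
    allowed = set()
    for perm in acl.get(principal, ()):
        allowed |= ACL_ACTIONS[perm]
    return "Allow" if action in allowed else None


def decide(iam_effect, acl, statements, principal, action, resource, bucket) -> bool:
    """Assumed combination rule: any Deny wins, then any Allow, else denied."""
    effects = {
        iam_effect,  # "Allow", "Deny" or None from the IAM user permission settings
        evaluate_acl(acl, principal, action, resource, bucket),
        evaluate_policy(statements, principal, action, resource),
    }
    if "Deny" in effects:
        return False
    return "Allow" in effects


# Constructed sample data (placeholders, not real OBS identifiers).
BUCKET = "example-bucket"
OWNER = "account-A"
USER = "account-A:user-dev"

# Constructed bucket ACL: the owner has full control, the dev user may list the bucket.
ACL = {OWNER: ["FULL_CONTROL"], USER: ["READ"]}

# Constructed bucket policy: the dev user may read objects and object ACLs under
# "reports/", and is explicitly denied deleting any object in the bucket.
POLICY = [
    Statement("Allow", frozenset({USER}), frozenset({"GetObject", "GetObjectAcl"}),
              frozenset({f"{BUCKET}/reports/*"})),
    Statement("Deny", frozenset({USER}), frozenset({"DeleteObject"}),
              frozenset({f"{BUCKET}/*"})),
]


def demo() -> dict:
    obj = f"{BUCKET}/reports/q1.csv"
    return {
        # The ACL alone grants bucket listing to the dev user.
        "list_bucket": decide(None, ACL, POLICY, USER, "ListBucket", BUCKET, BUCKET),
        # Only the policy can reach an object sub-resource (the object ACL).
        "get_object_acl": decide(None, ACL, POLICY, USER, "GetObjectAcl", obj, BUCKET),
        # Outside the allowed prefix nothing grants access.
        "get_other_object": decide(None, ACL, POLICY, USER, "GetObject", f"{BUCKET}/secret.txt", BUCKET),
        # An IAM Allow is overridden by the policy's explicit Deny.
        "delete_object": decide("Allow", ACL, POLICY, USER, "DeleteObject", obj, BUCKET),
    }


if __name__ == "__main__":
    for request, granted in demo().items():
        print(f"{request}: {'allowed' if granted else 'denied'}")
```

Running the block prints one decision per sample request; the point to take away is that `evaluate_acl` returns no answer for any object-level request, so object sub-resource access can only come from the bucket policy or the IAM settings.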