Overview¶
OBS Browser supports permission control based on bucket policies, bucket ACLs, and object ACLs.
Bucket policy: A bucket policy applies to the configured OBS bucket and objects in the bucket. An OBS bucket owner can use a bucket policy to grant permissions of buckets and objects in the buckets to IAM users or other accounts.
Access Control List (ACL): OBS provides ACL settings at bucket and object levels. Bucket and object ACLs are attached to accounts.
Bucket Policy¶
A bucket owner can edit a bucket policy to implement fine-grained bucket access control.
A bucket policy can be used to control access to the bucket and objects in the bucket. Specifically, you can define the effect, authorized users, resources, actions, and conditions of a bucket policy. Permissions attached to a bucket apply to all the objects in the bucket. After a bucket policy is created, access requests to the bucket are controlled by the bucket policy. The bucket policy controls access requests by allowing or denying the requests.
ACLs¶
A bucket or object ACL can assign the following users the read and write permissions to OBS resources:
Principal | Description |
|---|---|
Owner | The owner of a bucket is the account that created the bucket. The bucket owner has all bucket access permissions by default. The read and write permissions to the bucket ACL are permanently available to the bucket owner, and cannot be modified. The owner of an object is the account that uploads the object, who may not be the owner of the bucket to which the object belongs. The object owner has the read access to the object, as well as the read and write permission to the object ACL, and such access permissions cannot be modified. Important NOTICE: Do not modify the bucket owner's read and write access permissions for the bucket. |
Anonymous User | Unregistered common users of cloud services. If the permissions to access a bucket or an object are granted to anonymous users, everyone can access the object or bucket without identity authentication. Important NOTICE: If the permissions to access a bucket or an object are granted to anonymous users, everyone can access the object or bucket without identity authentication. |
Registered User | A registered user refers to any account registered with the cloud services, excluding IAM users or user groups created by any account. To obtain access permissions, a registered user must be authenticated (AK and SK are used for the identity authentication). If the registered user group is granted with the write permission for a bucket, any registered and authenticated cloud service account can upload objects to the bucket, overwrite objects in the bucket, and delete objects from the bucket. |
Log Delivery User Note Only the bucket ACL supports authorizing permissions to the log delivery user. | A log delivery user only delivers access logs of buckets and objects to the specified target bucket. OBS does not create or upload any file to a bucket automatically. Therefore, if you want to record bucket access logs, you need to grant the permission to the log delivery user who will deliver the access logs to your specified target bucket. The user only delivers logs within the service scope of OBS. Important NOTICE: After logging is enabled, the bucket write permission, as well as the ACL read permission for the target bucket will be enabled automatically for the log delivery user. If you manually disable such permissions, bucket logging fails. |
Table 2 lists the access permissions controlled by a bucket ACL.
Permission | Option | Description |
|---|---|---|
Access to Bucket | Read | A grantee with the read access to a bucket can obtain the list of objects in the bucket and the metadata of the bucket. |
Write | A grantee with the write access to a bucket can upload, overwrite, and delete any object in the bucket. | |
Access to ACL | Read | A grantee with the read access to a bucket ACL can obtain the ACL of the bucket. The bucket owner has this permission permanently by default. |
Write | A grantee with the write access to a bucket ACL can update the ACL of the bucket. The bucket owner has this permission permanently by default. |
Table 3 lists the access permissions of an object ACL.
Permission | Option | Description |
|---|---|---|
Access to Object | Read | A grantee with the read access to an object can obtain the content of the object and the metadata of the object. |
Access to ACL | Read | A grantee with the read access to an object ACL can obtain the ACL of the object. The object owner has this permission permanently by default. |
Write | A grantee with the write access to an object ACL can update the ACL of the object. The object owner has this permission permanently by default. |
Note
Every time you change the bucket or object access permission setting in an ACL, it overwrites the existing setting instead of adding a new access permission to the bucket or object.
Fragment management refers to the deletion of fragments. For the bucket owner and users who have the permission to initiate multipart tasks, deleting fragments is not restricted by bucket ACL settings. If a user has the permission to write, the user also has the permission to initiate multipart tasks.