Configuring an Object ACL¶
Function¶
Access control lists (ACLs) allow resource owners to grant other accounts the permissions to access resources. By default, only the resource owner has full control over resources when a bucket or object is created. That is, the bucket creator has full control over the bucket, and the object uploader has full control over the object. Other accounts do not have the permissions to access resources. If resource owners want to grant other accounts the read and write permissions on resources, they can use ACLs. ACLs grant permissions to accounts. After an account is granted permissions, both the account and its IAM users can access the resources. If an object is encrypted with SSE-KMS, the ACL configured for it is not in effect in the cross-tenant case.
Restrictions¶
To configure an object ACL, you must be the bucket owner or have the required permission (obs:object:PutObjectAcl in IAM or PutObjectAcl in a bucket policy).
An object can have a maximum of 100 rules in its ACL.
Method¶
ObsClient.setObjectAcl(bucketName, objectKey, acl, versionId, aclControl, extensionHeaders)
Request Parameters¶
Parameter | Type | Mandatory (Yes/No) | Description |
|---|---|---|---|
bucketName | str | Yes | Explanation: Bucket name Restrictions:
Default value: None |
objectKey | str | Yes | Explanation: Object name. An object is uniquely identified by an object name in a bucket. An object name is a complete path that does not contain the bucket name. Value range: The value must contain 1 to 1,024 characters. Default value: None |
acl | No | Explanation: ACL of an object. Value range: See Table 2. Default value: None | |
versionId | str | No | Explanation: Object version ID, for example, G001117FCE89978B0000401205D5DC9A Value range: The value must contain 32 characters. Default value: None |
aclControl | No | Explanation: Pre-defined ACL. For details, see Table 3. Default value: None | |
extensionHeaders | dict | No | Explanation: Extension headers. Value range: See User-defined Headers. Default value: None |
Note
acl and aclControl are mutually exclusive.
Parameter | Type | Mandatory (Yes/No) | Description |
|---|---|---|---|
owner | Yes if used as a request parameter | Explanation: Bucket owner For details, see Table 4. Restrictions: Owner and Grants must be used together and they cannot be used with aclControl. Default value: None | |
grants | list of Grant | Yes if used as a request parameter | Explanation: List of grantees' permission information. For details, see Table 5. Restrictions: Owner and Grants must be used together and they cannot be used with aclControl. Default value: None |
delivered | bool | No if used as a request parameter | Explanation: Whether the bucket ACL is applied to objects in the bucket. This parameter is valid only when you configure the object ACL. Value range: True: The bucket ACL is applied to objects in the bucket. False: The bucket ACL is not applied to objects in the bucket. Default value: False |
Constant | Default Value | Description |
|---|---|---|
HeadPermission.PRIVATE | private | Private read/write A bucket or object can only be accessed by its owner. |
HeadPermission.PUBLIC_READ | public-read | Public read and private write If this permission is granted on a bucket, anyone can read the object list, multipart uploads, metadata, and object versions in the bucket. If it is granted on an object, anyone can read the content and metadata of the object. |
HeadPermission.PUBLIC_READ_WRITE | public-read-write | Public read/write If this permission is granted on a bucket, anyone can read the object list, multipart tasks, metadata, and object versions in the bucket, and can upload or delete objects, initiate multipart upload tasks, upload parts, assemble parts, copy parts, and abort multipart upload tasks. If it is granted on an object, anyone can read the content and metadata of the object. |
HeadPermission.PUBLIC_READ_DELIVERED | public-read-delivered | Public read on a bucket as well as objects in the bucket If this permission is granted on a bucket, anyone can read the object list, multipart tasks, metadata, and object versions, and read the content and metadata of objects in the bucket. Note PUBLIC_READ_DELIVERED cannot be applied to objects. |
HeadPermission.PUBLIC_READ_WRITE_DELIVERED | public-read-write-delivered | Public read/write on a bucket as well as objects in the bucket If this permission is granted on a bucket, anyone can read the object list, multipart uploads, metadata, and object versions in the bucket, and can upload or delete objects, initiate multipart upload tasks, upload parts, assemble parts, copy parts, and abort multipart uploads. They can also read the content and metadata of objects in the bucket. Note PUBLIC_READ_WRITE_DELIVERED cannot be applied to objects. |
HeadPermission.BUCKET_OWNER_FULL_CONTROL | public-read-write-delivered | If this permission is granted on an object, only the bucket and object owners have the full control over the object. By default, if you upload an object to a bucket owned by another user, the bucket owner does not have the permissions on your object. After you grant this permission to the bucket owner, the bucket owner can have full control over your object. |
Parameter | Type | Mandatory (Yes/No) | Description |
|---|---|---|---|
owner_id | str | Yes if used as a request parameter | Explanation: Account (domain) ID of the owner Value range: To obtain the account ID, see How Do I Get My Account ID and IAM User ID? Default value: None |
owner_name | str | No if used as a request parameter | Explanation: Account name of the owner Value range: To obtain the account ID, see How Do I Get My Account ID and IAM User ID? Default value: None |
Parameter | Type | Mandatory (Yes/No) | Description |
|---|---|---|---|
grantee | Yes if used as a request parameter | Explanation: Grantee Value range: See Table 7. Default value: None | |
permission | str | Yes if used as a request parameter | Explanation: Granted permission Value range: See Table 6. Default value: None |
delivered | bool | No if used as a request parameter | Explanation: Whether the bucket ACL is applied to all objects in the bucket Value range: True: The bucket ACL is applied to all objects in the bucket. False: The bucket ACL is not applied to all objects in the bucket. Default value: False |
Constant | Description |
|---|---|
READ | Read permission A grantee with this permission for a bucket can obtain the list of objects, multipart uploads, bucket metadata, and object versions in the bucket. A grantee with this permission for an object can obtain the object content and metadata. |
WRITE | Write permission A grantee with this permission for a bucket can upload, overwrite, and delete any object or part in the bucket. Such permission for an object is not applicable. |
READ_ACP | Permission to read ACL configurations A grantee with this permission can obtain the ACL of a bucket or object. A bucket or object owner has this permission for the bucket or object permanently. |
WRITE_ACP | Permission to modify ACL configurations A grantee with this permission can update the ACL of a bucket or object. A bucket or object owner has this permission for the bucket or object permanently. A grantee with this permission can modify the ACL, thus obtaining full access permissions. |
FULL_CONTROL | Full control access, including read and write permissions for a bucket and its ACL, or for an object and its ACL. A grantee with this permission for a bucket has READ, WRITE, READ_ACP, and WRITE_ACP permissions for the bucket. A grantee with this permission for an object has READ, READ_ACP, and WRITE_ACP permissions for the object. |
Parameter | Type | Mandatory (Yes/No) | Description |
|---|---|---|---|
grantee_id | str | Yes if the parameter is used as a request parameter and group is left blank | Explanation: Account (domain) ID of the grantee Value range: Default value: None |
grantee_name | str | No if used as a request parameter | Explanation: Account name of the grantee Restrictions:
Default value: None |
group | str | Yes if the parameter is used as a request parameter and grantee_id is left blank | Explanation: Authorized user group Value range: See Table 8. Default value: None |
Constant | Description |
|---|---|
ALL_USERS | All users |
AUTHENTICATED_USERS | Authorized users. This constant is deprecated. |
LOG_DELIVERY | Log delivery group. This constant is deprecated. |
Responses¶
Parameter | Type | Description |
|---|---|---|
status | int | Explanation: HTTP status code Value range: A status code is a group of digits ranging from 2xx (indicating successes) to 4xx or 5xx (indicating errors). It indicates the status of a response. Default value: None |
reason | str | Explanation: Reason description. Default value: None |
errorCode | str | Explanation: Error code returned by the OBS server. If the value of status is less than 300, this parameter is left blank. Default value: None |
errorMessage | str | Explanation: Error message returned by the OBS server. If the value of status is less than 300, this parameter is left blank. Default value: None |
requestId | str | Explanation: Request ID returned by the OBS server Default value: None |
indicator | str | Explanation: Error indicator returned by the OBS server. Default value: None |
hostId | str | Explanation: Requested server ID. If the value of status is less than 300, this parameter is left blank. Default value: None |
resource | str | Explanation: Error source (a bucket or an object). If the value of status is less than 300, this parameter is left blank. Default value: None |
header | list | Explanation: Response header list, composed of tuples. Each tuple consists of two elements, respectively corresponding to the key and value of a response header. Default value: None |
body | object | Explanation: Result content returned after the operation is successful. If the value of status is larger than 300, the value of body is null. The value varies with the API being called. For details, see Bucket-Related APIs and Object-Related APIs. Default value: None |
Setting an Object ACL by Specifying acl¶
This example sets the ACL for object objectname to read and write for an IAM user (userid).
from obs import ObsClient
import os
from obs import ACL
from obs import Owner
from obs import Grant, Permission
from obs import Grantee
import traceback
# Obtain an AK and SK pair using environment variables or import the AK and SK pair in other ways. Using hard coding may result in leakage.
# Obtain an AK and SK pair on the management console.
ak = os.getenv("AccessKeyID")
sk = os.getenv("SecretAccessKey")
# (Optional) If you use a temporary AK and SK pair and a security token to access OBS, obtain them from environment variables.
# security_token = os.getenv("SecurityToken")
# Set server to the endpoint of the region where the bucket is located.
server = "https://your-endpoint"
# Create an obsClient instance.
# If you use a temporary AK and SK pair and a security token to access OBS, you must specify security_token when creating an instance.
obsClient = ObsClient(access_key_id=ak, secret_access_key=sk, server=server)
try:
# Specify the account ID of the bucket owner (ownerid as an example).
owner = Owner(owner_id='ownerid')
# Grant the read and write permissions to an IAM user (userid).
grantee = Grantee(grantee_id='userid')
grant0 = Grant(grantee=grantee, permission=Permission.READ)
grant0 = Grant(grantee=grantee, permission=Permission.WRITE)
# Set the ACL.
acl = ACL(owner=owner, grants=[grant0])
bucketName = "examplebucket"
objectKey = "objectname"
# Configure the object ACL by specifying acl.
resp = obsClient.setObjectAcl(bucketName, objectKey, acl)
# If status code 2xx is returned, the API is called successfully. Otherwise, the API call fails.
if resp.status < 300:
print('Set Object Acl Succeeded')
print('requestId:', resp.requestId)
else:
print('Set Object Acl Failed')
print('requestId:', resp.requestId)
print('errorCode:', resp.errorCode)
print('errorMessage:', resp.errorMessage)
except:
print('Set Object Acl Failed')
print(traceback.format_exc())
Setting an Object ACL by Specifying aclControl¶
This example sets a pre-defined object ACL to private read and write.
from obs import ObsClient
import os
from obs import HeadPermission
import traceback
# Obtain an AK and SK pair using environment variables or import the AK and SK pair in other ways. Using hard coding may result in leakage.
# Obtain an AK and SK pair on the management console.
ak = os.getenv("AccessKeyID")
sk = os.getenv("SecretAccessKey")
# (Optional) If you use a temporary AK and SK pair and a security token to access OBS, obtain them from environment variables.
# security_token = os.getenv("SecurityToken")
# Set server to the endpoint of the region where the bucket is located.
server = "https://your-endpoint"
# Create an obsClient instance.
# If you use a temporary AK and SK pair and a security token to access OBS, you must specify security_token when creating an instance.
obsClient = ObsClient(access_key_id=ak, secret_access_key=sk, server=server)
try:
# Set the pre-defined ACL to PRIVATE to ensure high security.
aclControl = HeadPermission.PRIVATE
bucketName = "examplebucket"
objectKey = "objectname"
# Configure the object ACL by specifying acl.
resp = obsClient.setObjectAcl(bucketName, objectKey, aclControl=aclControl)
# If status code 2xx is returned, the API is called successfully. Otherwise, the API call fails.
if resp.status < 300:
print('Set Object Acl Succeeded')
print('requestId:', resp.requestId)
else:
print('Set Object Acl Failed')
print('requestId:', resp.requestId)
print('errorCode:', resp.errorCode)
print('errorMessage:', resp.errorMessage)
except:
print('Set Object Acl Failed')
print(traceback.format_exc())