ACLs

An ACL is a list that defines grantees and their granted permissions.

Bucket and object ACLs are attached to accounts. By default, an ACL is created when a bucket or object is created, authorizing the owner the full control over the bucket or object.

To implement simple and practical authorization for users, the OBS ACL has the following features:

  • The ACL takes effect for both the account and the users under the account.

  • When the owner of a bucket is the same as the owner of an object, the ACL configured on the bucket takes effect on the bucket and objects in the bucket by default.

  • An ACL can be carried when a bucket is created, or an ACL can be configured after a bucket is created. An object can carry an ACL when it is uploaded. You can also configure the ACL after the object is uploaded successfully.

ACLs are write and read control rules attached to accounts, whose permission granularity is not as fine as bucket policies and IAM policies. Generally, it is recommended that you use IAM permissions and bucket policies for access control.

Table 1 lists users to whom you can grant bucket access permissions by configuring an ACL.

Table 1 Authorized users supported by OBS

Principal

Description

Specific User

ACLs can be used to grant accounts with bucket/object access permissions. Once a specific account is granted with certain bucket/object access permissions, all IAM users who have OBS resource permissions under this account can have the same access permissions to operate the bucket or object.

You can configure bucket policies to grant different permissions to different IAM users.

Owner

The owner of a bucket is the account that created the bucket. The bucket owner has all bucket access permissions by default. The read and write permissions to the bucket ACL are permanently available to the bucket owner, and cannot be modified.

An object owner is the account that uploads the object, but may not be the owner of the bucket that stores the object. The object owner has all control over the object by default. The read and write permissions to the object ACL are permanently available to the object owner, and cannot be modified.

Important

NOTICE: Do not modify the bucket owner's read and write access permissions for the bucket.

Anonymous users

Visitors who have not registered. If the permissions to access a bucket or an object are granted to anonymous users, everyone can access the object or bucket without identity authentication.

Important

NOTICE: If the permissions to access a bucket or an object are granted to anonymous users, everyone can access the object or bucket without identity authentication.

Log delivery user groups

Note

Only the bucket ACL supports authorizing permissions to the log delivery user.

A log delivery user group only delivers access logs of buckets and objects to the configured target bucket. OBS does not create or upload any file to a bucket automatically. Therefore, if you want to record access logs for buckets, you need to grant the permission to a log delivery user group who will deliver the access logs to your specified target bucket. This user group is only used to record internal logs of OBS.

Important

NOTICE: After logging is enabled, the log delivery user will be automatically granted the permission to read the bucket ACL and write the bucket where logs are saved. If you manually disable such permissions, bucket logging fails.

Bucket ACL

Table 2 lists the access permissions of a bucket ACL.

Table 2 Access permissions controlled by a bucket ACL

Permission Related Concepts

Option

Description

Access to Bucket

Read

A grantee with the read access to a bucket can obtain the list of objects in the bucket and the metadata of the bucket.

Object read

A grantee with this permission can obtain the object content and metadata.

Write

A grantee with the write access to a bucket can upload, overwrite, and delete any object in the bucket.

Access to ACL

Read

A grantee with the read access to a bucket ACL can obtain the ACL of the bucket.

The bucket owner has this permission permanently by default.

Write

A grantee with the write access to a bucket ACL can update the ACL of the bucket.

The bucket owner has this permission permanently by default.

Table 3 lists the access permissions of an object ACL.

Table 3 Access permissions controlled by an object ACL

Permission Related Concepts

Option

Description

Access to Object

Read

A grantee with the read access to an object can obtain the content and the metadata of the object.

Access to ACL

Read

A grantee with the read access to an object ACL can obtain the ACL of the object.

The object owner has this permission permanently by default.

Write

A grantee with the write access to an object ACL can update the ACL of the object.

The object owner has this permission permanently by default.

Note

Every time you change the bucket or object access permission setting in an ACL, it overwrites the existing setting instead of adding a new access permission to the bucket or object.

Application Scenarios of Bucket ACLs

You can configure bucket ACLs to:

  • Grant an account the read and write access to a bucket, so that data in the bucket can be shared or external buckets can be added. For example, after account A grants account B the read and write access to a bucket, account B can access the bucket by adding an external bucket through OBS Browser+ or using APIs.

  • Grant the log delivery user group with the write access to the target bucket, so that access logs can be delivered to the target bucket.

Application Scenarios of Object ACLs

You can configure object ACLs to:

  • Control access to objects. A bucket policy can control access to a single object or a set of objects. If you want to further separately control access to a single object in the set of objects for which a bucket policy has been configured, the object ACL is recommended.

  • Access an object through a URL. Generally, if you want to grant anonymous users the permission to read an object through a URL, use the object ACL.

Configuring an ACL Using Header Fields

Access Control Policies

You can set an access control policy in a header when creating a bucket or uploading an object (for details about the examples, see Creating a Bucket and Uploading Objects - PUT). Only the access control policies predefined in OBS are available. The x-obs-acl is special, which can be configured with six types of permissions. No matter what type of permissions is configured, the owner has full control permission for the buckets or objects. The following table lists the predefined policies.

Table 4 Predefined access control policies in OBS

Policy

Description

private

Indicates that a bucket or object can be accessed only by its owner.

public-read

If this permission is set for a bucket, everyone can obtain the object list, multipart tasks, bucket metadata, and multiple object versions.

If this permission is set for an object, everyone can obtain the content and metadata of the object.

public-read-write

If this permission is configured for a bucket, everyone can obtain the object list, multipart uploads, bucket metadata, and object versions, and can upload or delete objects, initiate multipart uploads, upload parts, assemble parts, copy parts, and cancel multipart uploads.

If this permission is set for an object, everyone can obtain the content and metadata of the object.

public-read-delivered

If this permission is set for a bucket, everyone can obtain the object list, multipart tasks, bucket metadata, and multiple object versions, and obtain the content and metadata of the objects in the bucket.

This permission does not apply to objects.

public-read-write-delivered

If this permission is configured for a bucket, everyone can obtain the object list, multipart uploads, bucket metadata, and object versions, and can upload or delete objects, initiate multipart uploads, upload parts, assemble parts, copy parts, and cancel multipart uploads. Users can also obtain content and metadata of objects in the bucket.

This permission does not apply to objects.

bucket-owner-full-control

If this permission is configured for an object, the bucket and object owners have the full control over the object.

By default, if you upload an object to a bucket of any other user, the bucket owner does not have the permissions on your object. After you grant this policy to the bucket owner, the bucket owner can have full control over your object.

Note

By default, the access control policy is private.

You can also use the following header fields to set access control policies when creating a bucket or uploading an object.

Table 5 Header fields for setting bucket or object ACLs

Header

Description

x-obs-grant-read

Used to grant the READ permission to all users in a specific account.

x-obs-grant-write

Used to grant the WRITE permission to all users in a specific account.

x-obs-grant-read-acp

Used to grant the READ_ACP permission to all users in a specific account.

x-obs-grant-write-acp

Used to grant the WRITE_ACP permission to all users in a specific account.

x-obs-grant-full-control

Used to grant the FULL_CONTROL permission to all users in a specific account.

x-obs-grant-read-delivered

Used to grant the READ permission for buckets and objects in the buckets to all users in a specific account, and objects inherit the permissions of their bucket.

This permission does not apply to objects.

x-obs-grant- full-control- delivered

Used to grant the FULL_CONTROL permission for buckets and objects in the buckets to all users in a specific account, and objects inherit the permissions of their bucket.

This permission does not apply to objects.