Overview

OBS Browser supports permission control based on bucket policies, bucket ACLs, and object ACLs.

  • Bucket policy: A bucket policy applies to the configured OBS bucket and objects in the bucket. An OBS bucket owner can use a bucket policy to grant permissions of buckets and objects in the buckets to IAM users or other accounts.

  • Access Control List (ACL): OBS provides ACL settings at bucket and object levels. Bucket and object ACLs are attached to accounts.

Bucket Policy

A bucket owner can edit a bucket policy to implement fine-grained bucket access control.

A bucket policy can be used to control access to the bucket and objects in the bucket. Specifically, you can define the effect, authorized users, resources, actions, and conditions of a bucket policy. Permissions attached to a bucket apply to all the objects in the bucket. After a bucket policy is created, access requests to the bucket are controlled by the bucket policy. The bucket policy controls access requests by allowing or denying the requests.

ACLs

A bucket or object ACL can assign the following users the read and write permissions to OBS resources:

Table 1 Users supported by OBS

Principal

Description

Owner

The owner of a bucket is the account that created the bucket. The bucket owner has all bucket access permissions by default. The read and write permissions for the bucket ACL are permanently available to the bucket owner, and cannot be modified.

The owner of an object is the account that uploads the object, who may not be the owner of the bucket to which the object belongs. The object owner has the read access to the object, as well as the read and write access to the object ACL, and such access permissions cannot be modified.

Important

NOTICE: Do not modify the bucket owner's read and write access permissions for the bucket.

Anonymous User

Unregistered common users of cloud services. If the permissions to access a bucket or an object are granted to anonymous users, everyone can access the object or bucket without identity authentication.

Important

NOTICE: If the permissions to access a bucket or an object are granted to anonymous users, everyone can access the object or bucket without identity authentication.

Registered User

A registered user refers to any account registered with the cloud services, excluding IAM users or user groups created by any account. To obtain access permissions, a registered user must be authenticated (AK and SK are used for the identity authentication). If the registered user group is granted with the write permission for a bucket, any registered and authenticated cloud service account can upload objects to the bucket, overwrite objects in the bucket, and delete objects from the bucket.

Log Delivery User

Note

Only the bucket ACL supports authorizing permissions to the log delivery user.

A log delivery user only delivers access logs of buckets and objects to the specified target bucket. OBS does not create or upload any file to a bucket automatically. Therefore, if you want to record bucket access logs, you need to grant the permission to the log delivery user who will deliver the access logs to your specified target bucket. The user only delivers logs within the service scope of OBS.

Important

NOTICE: After logging is enabled, the bucket write permission, as well as the ACL read permission for the target bucket will be enabled automatically for the log delivery user. If you manually disable such permissions, bucket logging will fail.

Table 2 lists the access permissions controlled by a bucket ACL.

Table 2 Access permissions controlled by a bucket ACL

Permission

Option

Description

Access to Bucket

Read

A grantee with the read access to a bucket can obtain the list of objects in the bucket and the metadata of the bucket.

Write

A grantee with the write access to a bucket can upload, overwrite, and delete any object in the bucket.

Access to ACL

Read

A grantee with the read access to a bucket ACL can obtain the ACL of the bucket.

The bucket owner has this permission permanently by default.

Write

A grantee with the write access to a bucket ACL can update the ACL of the bucket.

The bucket owner has this permission permanently by default.

Table 3 lists the access permissions of an object ACL.

Table 3 Access permissions controlled by an object ACL

Permission

Option

Description

Access to Object

Read

A grantee with the read access to an object can obtain the content of the object and the metadata of the object.

Access to ACL

Read

A grantee with the read access to an object ACL can obtain the ACL of the object.

The object owner has this permission permanently by default.

Write

A grantee with the write access to an object ACL can update the ACL of the object.

The object owner has this permission permanently by default.

Note

Every time you change the bucket or object access permission setting in an ACL, it overwrites the existing setting instead of adding a new access permission to the bucket or object.

Fragment management refers to the deletion of fragments. For the bucket owner and users who have the permission to initiate multipart tasks, deleting fragments is not restricted by bucket ACL settings. If a user has the permission to write, the user also has the permission to initiate multipart tasks.