          Set Permission to Access Bucket

          Interface Description

          This interface sets the access control of a bucket. BOS currently supports two ways of setting an ACL. The first is a canned ACL (CannedAcl) passed in the "x-bce-acl" request header of PutBucketAcl; the values that can be set are private, public-read, and public-read-write (case sensitive). The second is to upload an ACL file. For the file format, see ACL File Format.

          Considerations

          1. BOS does not support setting "x-bce-acl" and uploading an ACL file in the same request.
          2. Only the bucket owner and users with the FULL_CONTROL permission can set the object ACL.
          3. The bucket ACL is set to private by default when the bucket is created.

          Request URI

          PUT /v1/{bucketName}/?acl

          | Parameter Name | Parameter Type | Required | Description | Example Value | Parameter Position |
          |---|---|---|---|---|---|
          | bucketName | String | Yes | Bucket name | "bucketName_example" | Path |

          Request Header Parameters

          | Parameter Name | Parameter Type | Required | Description | Example Value |
          |---|---|---|---|---|
          | xBceAcl | String | No | Canned ACL for the bucket, sent as the "x-bce-acl" header. Supported values: private, public-read, and public-read-write. | "xBceAcl_example" |

          Request Body Parameters

          Instructions for Data Structure of Request Body Field

          | Parameter Name | Parameter Type | Required | Description | Example Value |
          |---|---|---|---|---|
          | accessControlList | List | No | Identifies the beginning of the ACL body, which consists of one or more ACL configuration items. An ACL configuration item is composed of grantee + permission + resource + condition. | |

          Data Structure Description of AccessControlList Field

          | Parameter Name | Parameter Type | Required | Description | Example Value |
          |---|---|---|---|---|
          | effect | String | No | Specifies whether a request that matches the ACL configuration item is executed. The value is “Allow” or “Deny”: “Allow” means the request is executed, and “Deny” means the request is refused. | Allow |
          | grantee | List | Yes | Identifies the grantee. | |
          | permission | List | Yes | Permissions affected by the ACL configuration item. The optional values include READ, LIST, WRITE, and GetObject. For a detailed explanation of the permissions, see Permission Supported by Bucket ACL. | |
          | resource | List | No | Resources affected by the ACL configuration item: access control is set for the resources within the specified range. The wildcard is supported, e.g., /or /xxx. If the resource field is not entered or the bucket name is entered, it is equivalent to setting the resource field to [, /_]. That is, the access control is set for the bucket and all objects. | |
          | notResource | String | No | Resources excluded from the ACL configuration item: access control is set for the resources outside the range specified by notResource. The wildcard is supported. For example, / or /xxx*, which sets the access control for objects other than ObjectKey in BucketName, or other than those with the prefix XXX. If the notResource field is not entered, it is treated as not configured. That is, the default configuration is adopted, and the access control is set for the bucket and all objects. | |
          | condition | Condition | No | Limiting conditions contained in the ACL configuration item, which can be configured with the IP address and referer list. | |

          Data Structure Description of Grantee Field

          | Parameter Name | Parameter Type | Required | Description | Example Value |
          |---|---|---|---|---|
          | id | String | No | Identifies the account ID of the grantee. To view the account ID, log in to the console and click “User Information” -> “Basic Information” under the account name. | 10eb6f5ff6ff4605bf044313e8f3ffa5 |

          Data Structure Description of Condition Field

          | Parameter Name | Parameter Type | Required | Description | Example Value |
          |---|---|---|---|---|
          | currentTime | CurrentTime | No | Time limits contained in the condition configuration item. Supports "dateLessThan", "dateLessThanEquals", "dateGreaterThan", and "dateGreaterThanEquals". Any subset of the four items can be set; a request matches only if every configured item matches. | |
          | secureTransport | Boolean | No | Identifies whether only HTTPS access is allowed. The optional values are "true" and "false". If it is not set, it is treated as "false". When it is set to "true", only HTTPS access is allowed. | true |
          | ipAddress | List | No | Identifies the IP addresses to which access is granted. | |
          | referer | Referer | No | Identifies the referers to which access is granted. | |

          Data Structure Description of CurrentTime Field

          | Parameter Name | Parameter Type | Required | Description | Example Value |
          |---|---|---|---|---|
          | dateLessThan | String | No | | 2020-07-01T12:00:00Z |
          | dateGreaterThan | String | No | | 2018-03-01T15:00:00Z |

          Data Structure Description of Referer Field

          | Parameter Name | Parameter Type | Required | Description | Example Value |
          |---|---|---|---|---|
          | stringLike | List | No | | |
          | stringEquals | List | No | | |

          Response Body Parameters

          None

          Request Example

          PUT /v1/bucketName_example/?acl
          Common Request Header
          x-bce-acl: xBceAcl_example
          
          
          {
            "accessControlList" : [ {
              "notResource" : "notResource",
              "condition" : {
                "currentTime" : {
                  "dateLessThan" : "2020-07-01T12:00:00Z",
                  "dateGreaterThan" : "2018-03-01T15:00:00Z"
                },
                "secureTransport" : true,
                "referer" : {
                  "stringLike" : [ "http://www.abc.com/*" ],
                  "stringEquals" : [ "http://www.abc.com" ]
                },
                "ipAddress" : [ "192.168.1.1" ]
              },
              "resource" : [ "bucket1/*" ],
              "effect" : "Allow",
              "grantee" : [ {
                "id" : "10eb6f5ff6ff4605bf044313e8f3ffa5"
              } ],
              "permission" : [ "FULL_CONTROL" ]
            } ]
          }
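
As an added example (not Baidu's code and not part of the original page), the following pre-flight check applies the rules stated on this page to a PutBucketAcl request before it is sent: header/body exclusivity, case-sensitive canned values, required fields, and the secureTransport default of "false". The function name, the warning policy, and the timestamp format (inferred from the example values above) are assumptions.

```python
import json
from datetime import datetime

CANNED = {"private", "public-read", "public-read-write"}   # case sensitive per the page
TIME_KEYS = {"dateLessThan", "dateLessThanEquals",
             "dateGreaterThan", "dateGreaterThanEquals"}

def lint_put_bucket_acl(headers, body):
    """Hypothetical pre-flight check; returns (errors, warnings) as lists of strings."""
    errors, warnings = [], []
    canned = headers.get("x-bce-acl")
    if canned is not None:
        if body:
            errors.append("x-bce-acl and an ACL body cannot be sent in the same request")
        if canned not in CANNED:
            errors.append(f"x-bce-acl {canned!r} is not private/public-read/public-read-write")
        elif canned != "private":
            warnings.append(f"canned ACL {canned!r} widens access beyond the private default")
    items = json.loads(body).get("accessControlList", []) if body else []
    for i, item in enumerate(items):
        where = f"accessControlList[{i}]"
        for field in ("grantee", "permission"):           # both are marked Required: Yes
            if not item.get(field):
                errors.append(f"{where}: required field {field} is missing or empty")
        if "effect" in item and item["effect"] not in ("Allow", "Deny"):
            errors.append(f"{where}: effect must be Allow or Deny")
        if item.get("effect") == "Deny":
            continue                                       # remaining checks concern grants
        if "FULL_CONTROL" in (item.get("permission") or []):
            warnings.append(f"{where}: FULL_CONTROL lets the grantee change the ACL")
        cond = item.get("condition") or {}
        if cond.get("secureTransport") is not True:        # unset is treated as false
            warnings.append(f"{where}: secureTransport is not true, HTTP access is allowed")
        for key, value in (cond.get("currentTime") or {}).items():
            if key not in TIME_KEYS:
                errors.append(f"{where}: unknown currentTime key {key}")
                continue
            try:  # assumed format, taken from the page's example values
                datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")
            except (TypeError, ValueError):
                errors.append(f"{where}: {key} is not like 2020-07-01T12:00:00Z")
    return errors, warnings

# Constructed sample: a grant with no condition block, sent together with a canned ACL.
SAMPLE_BODY = json.dumps({"accessControlList": [{
    "effect": "Allow", "permission": ["FULL_CONTROL"], "resource": ["bucket1/*"],
    "grantee": [{"id": "10eb6f5ff6ff4605bf044313e8f3ffa5"}]}]})
if __name__ == "__main__":
    print(lint_put_bucket_acl({"x-bce-acl": "Public-Read"}, SAMPLE_BODY))
```
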

          Response Example

          None

          Error Code

          Refer to the universal error code.
