          Introduction to BOS Permissions

          Permission Definition

          BOS permission management offers the following three types of permission. Choose the narrowest one that fits your business scenario.

          Definition of bucket standard permissions

          Permission name, followed by its description:

          Private
          • Only the bucket creator has full permissions on this bucket. Other users can neither write data to the bucket nor read its contents.
          • Applicable to scenarios that store private files.
          Public read
          • Only the bucket creator has full permissions on this bucket. Other users can read the contents of the bucket but cannot write data to it.
          • Applicable to scenarios that store files meant for public reading, such as notices and advertising content.
          • Note: once this permission is set, every user on the Internet, authenticated or not, can read the files in this bucket.
          Public read-write
          • Anyone (including the bucket creator) can read and write files in this bucket.
          • Note: once this permission is set, every user on the Internet can read and write the files in this bucket, which includes overwriting what is already there. Do not use it for data you need to trust.

          Definition of coarse-grained custom permission

          If the bucket standard permissions above do not meet your service requirements, you can generate coarse-grained custom permissions on demand. A coarse-grained permission grants READ, LIST, WRITE, MODIFY or FULL_CONTROL to a specified user. You can also restrict the resources the grant applies to, and attach an IP address whitelist and a referer whitelist to it.

          The coarse-grained custom permissions supported by BOS are described below (permission name, followed by the operations it grants):

          READ: Users are allowed to read objects in the bucket and their related information, but receive no list permission. The operations covered are GetBucketLocation, HeadBucket, GetObject, GetObjectMeta, ListParts and RestoreObject. READ therefore spans both bucket-level APIs (such as GetBucketLocation) and object-level APIs (such as GetObject and ListParts).
          LIST: Users can list the objects in the specified bucket and all uncompleted multipart uploads. The operations covered are ListObjects and ListMultipartUploads. LIST spans bucket-level APIs only.
          WRITE: Users are allowed to create, overwrite and delete objects in the bucket. The operations covered are PutObject, PostObject, InitiateMultipartUpload, UploadPart, CompleteMultipartUpload, AbortMultipartUpload, AppendObject, DeleteObject, DeleteMultipleObjects and FetchObject. WRITE spans object-level APIs only.
          MODIFY: Users can carry out PutObject and AppendObject on existing data (overwrite or append), but cannot add new objects or delete data. Its main purpose is to be combined with a Deny effect, so that data already in the bucket cannot be tampered with.
          FULL_CONTROL: Includes all of the permissions above. Beyond the operations of READ, LIST and WRITE, it also grants PutBucketAcl, GetBucketAcl, PutBucketCors, GetBucketCors and DeleteBucketCors. FULL_CONTROL spans both bucket-level and object-level APIs. Because it includes PutBucketAcl, a FULL_CONTROL grantee can rewrite the bucket ACL itself, so grant it sparingly.

          Definition of fine-grained custom permission

          If the coarse-grained custom permissions above are still not fine enough for your authorization needs, you can use the fine-grained custom permissions provided by BOS. They are divided into bucket permissions and object permissions.



          Bucket-related permissions (permission name, followed by the operations it allows):
          GetBucket: Users are allowed to get the bucket's contents and related information, for example to list the objects in the bucket and to list all uncompleted multipart (three-step) uploads in the bucket.
          GetBucketAcl: Users are allowed to get the bucket's ACL.
          PutBucketAcl: Users are allowed to set the bucket's ACL.
          GetBucketCors: Users are allowed to get the Cross-Origin Resource Sharing (CORS) rules of the bucket.
          PutBucketCors: Users are allowed to set or delete CORS rules on the specified bucket.
          GetBucketStyle: Users are allowed to get or list the bucket's style rules.
          PutBucketStyle: Users are allowed to add or delete the bucket's style rules.
          GetBucketMirroring: Users are allowed to get the bucket's mirroring-based back-to-origin configuration.
          PutBucketMirroring: Users are allowed to add or delete the bucket's mirroring-based back-to-origin configuration.
          GetCopyRightProtection: Users are allowed to get the bucket's copyright protection configuration.
          PutCopyRightProtection: Users are allowed to enable or disable copyright protection for the bucket.


          Object-related permissions (permission name, followed by the operations it allows):
          PutObject: Users are allowed to perform object upload operations, including PutObject, PostObject, AppendObject, FetchObject, CopyObject, three-step (multipart) upload and three-step copy.
          GetObject: Only the GetObject and GetObjectMeta operations are covered; this permission spans object-level APIs only.
          DeleteObject: Users are allowed to delete a single object or a batch of objects.
          RenameObject: Users are allowed to rename an object.
          ListParts: Users are allowed to list all parts already uploaded under a specified UploadId during a three-step upload, which shows the current progress of that multipart upload.
          GetObjectMeta: Users are allowed to read an object's metadata.
          GetObjectAcl: Users are allowed to get an object's ACL.
          PutObjectAcl: Users are allowed to set and delete an object's ACL.

          Descriptions:

          • The coarse-grained permissions READ, LIST, WRITE, FULL_CONTROL and MODIFY and the fine-grained permissions are defined independently of each other.
          • Coarse-grained permissions take precedence over fine-grained ones. If both are configured for the same grantee, the coarse-grained permissions override the fine-grained permissions, and only the coarse-grained permissions take effect.
          • Bucket-level fine-grained permissions cover operations on buckets.
          • Object-level fine-grained permissions cover operations on objects.
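          The tables above describe the permission model but leave it to the reader to work out how a request fares under a mix of Allow and Deny grants, an IP whitelist, and coarse- and fine-grained entries on the same grantee. The Python script below is an added example and is not BOS's own authorization engine or SDK code. It encodes the permission-to-operation mappings from the coarse-grained, bucket-level and object-level tables and evaluates constructed requests against them. It makes three assumptions the page does not state outright: an explicit Deny beats any Allow (the only reading under which the MODIFY plus Deny tamper-protection pattern works), MODIFY applies to PutObject and AppendObject only when the target object already exists (following "cannot add new objects or delete data"), and a grantee holding any coarse-grained grant is evaluated on its coarse-grained grants alone (following the precedence note above). The Grant structure, grantee names and IP ranges are constructed for illustration.

```python
"""Illustrative evaluator for the BOS permission model described on this page.

Added example, not BOS's authorization engine or SDK code. The operation sets come
from the page's tables; the Deny, precedence and MODIFY semantics are assumptions
noted in the comments.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Coarse-grained permission -> operations, as listed in the coarse-grained table.
COARSE = {
    "READ": {"GetBucketLocation", "HeadBucket", "GetObject", "GetObjectMeta",
             "ListParts", "RestoreObject"},
    "LIST": {"ListObjects", "ListMultipartUploads"},
    "WRITE": {"PutObject", "PostObject", "InitiateMultipartUpload", "UploadPart",
              "CompleteMultipartUpload", "AbortMultipartUpload", "AppendObject",
              "DeleteObject", "DeleteMultipleObjects", "FetchObject"},
    "MODIFY": {"PutObject", "AppendObject"},   # only on existing data, see Grant.applies
}
COARSE["FULL_CONTROL"] = COARSE["READ"] | COARSE["LIST"] | COARSE["WRITE"] | {
    "PutBucketAcl", "GetBucketAcl", "PutBucketCors", "GetBucketCors", "DeleteBucketCors"}

# Fine-grained permission -> operations, from the bucket and object tables. A name
# not listed here covers the single operation of the same name (e.g. GetBucketAcl).
FINE = {
    "GetBucket": {"ListObjects", "ListMultipartUploads"},
    "PutObject": {"PutObject", "PostObject", "AppendObject", "FetchObject", "CopyObject",
                  "InitiateMultipartUpload", "UploadPart", "CompleteMultipartUpload"},
    "GetObject": {"GetObject", "GetObjectMeta"},
    "DeleteObject": {"DeleteObject", "DeleteMultipleObjects"},
}


def operations_for(permission):
    """Expand a coarse- or fine-grained permission name into the operations it covers."""
    if permission in COARSE:
        return COARSE[permission]
    return FINE.get(permission, {permission})


@dataclass
class Grant:
    """One ACL entry (hypothetical structure): grantee, permission names, effect, IP whitelist."""
    grantee: str                      # user id, or "*" for everyone including anonymous
    permissions: set
    effect: str = "Allow"             # "Allow" or "Deny"
    ip_whitelist: list = field(default_factory=list)   # CIDR strings; empty = any source

    def is_coarse(self):
        return any(p in COARSE for p in self.permissions)

    def applies(self, grantee, op, source_ip, object_exists):
        """True if this grant speaks to the request at all (grantee, source IP, operation)."""
        if self.grantee not in ("*", grantee):
            return False
        if self.ip_whitelist and not any(
                ip_address(source_ip) in ip_network(cidr) for cidr in self.ip_whitelist):
            return False
        for p in self.permissions:
            if p == "MODIFY":
                # Assumption: MODIFY is overwriting/appending data that already exists,
                # never creating a new object ("cannot add new objects or delete data").
                if op in COARSE["MODIFY"] and object_exists:
                    return True
            elif op in operations_for(p):
                return True
        return False


def is_allowed(grants, grantee, op, source_ip="203.0.113.10", object_exists=False):
    """Decide one request. Assumptions: default deny; an explicit Deny beats any Allow;
    if the grantee holds any coarse-grained grant, its fine-grained grants are ignored."""
    mine = [g for g in grants if g.grantee in ("*", grantee)]
    if any(g.is_coarse() for g in mine):
        mine = [g for g in mine if g.is_coarse()]
    hits = [g for g in mine if g.applies(grantee, op, source_ip, object_exists)]
    if any(g.effect == "Deny" for g in hits):
        return False
    return any(g.effect == "Allow" for g in hits)


def demo():
    """Scenarios drawn from the page; returns the decisions so they can be checked."""
    # READ alone: objects can be fetched, but the bucket cannot be listed.
    read_only = [Grant("alice", {"READ"})]
    # Tamper protection: READ+WRITE allowed, MODIFY denied -> new uploads succeed,
    # overwriting an existing object is refused (deletion is still part of WRITE).
    write_once = [Grant("ci", {"READ", "WRITE"}), Grant("ci", {"MODIFY"}, effect="Deny")]
    # Public read restricted to one office range via the IP whitelist (constructed CIDR).
    office_only = [Grant("*", {"READ"}, ip_whitelist=["198.51.100.0/24"])]
    # Fine-grained GetBucketAcl for bob, with and without a coarse-grained READ beside it.
    fine_only = [Grant("bob", {"GetBucketAcl"})]
    fine_plus_coarse = fine_only + [Grant("bob", {"READ"})]
    return {
        "read_get": is_allowed(read_only, "alice", "GetObject"),
        "read_list": is_allowed(read_only, "alice", "ListObjects"),
        "new_upload": is_allowed(write_once, "ci", "PutObject", object_exists=False),
        "overwrite": is_allowed(write_once, "ci", "PutObject", object_exists=True),
        "delete": is_allowed(write_once, "ci", "DeleteObject", object_exists=True),
        "office_get": is_allowed(office_only, "anon", "GetObject", source_ip="198.51.100.7"),
        "outside_get": is_allowed(office_only, "anon", "GetObject", source_ip="203.0.113.10"),
        "fine_only": is_allowed(fine_only, "bob", "GetBucketAcl"),
        "fine_shadowed": is_allowed(fine_plus_coarse, "bob", "GetBucketAcl"),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:14} {'ALLOW' if decision else 'DENY'}")
```

          Running the script prints one decision per scenario. The two worth checking against your own bucket before relying on them are the READ-without-LIST case (a grantee can fetch an object whose key it knows but cannot enumerate the bucket) and the write-once case, where the Deny on MODIFY blocks overwrites while new uploads and deletions still go through; if deletion must also be blocked, the grant needs to drop WRITE rather than rely on MODIFY. The precedence behaviour for a grantee holding both coarse- and fine-grained entries is the page's stated rule, and should be confirmed against the console before a deployment depends on it.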