Introduction to Permissions
Permission Definition
BOS permission management offers the following three types of permissions. Choose the type that fits your business scenario; the later types are only needed when the earlier ones cannot express the access you want to grant.
Definition of bucket standard permission
Permission Name | Permission Description |
---|---|
Private | Only the bucket owner, and users the owner explicitly authorizes, can read or write the objects in the bucket. |
Public read | Anyone, including anonymous users, can read the objects in the bucket; writes are still restricted to the owner and explicitly authorized users. |
Public read-write | Anyone, including anonymous users, can read and write (create, overwrite, delete) the objects in the bucket. |
Note that "Public read" exposes every object in the bucket to unauthenticated readers, and "Public read-write" additionally lets unauthenticated clients overwrite or delete data; use the custom permissions below when you need anything narrower.
Definition of coarse-grained custom permission
If the bucket standard permissions above cannot meet your service requirements, you can generate coarse-grained custom permissions on demand. With this type you grant READ, LIST, WRITE, MODIFY or FULL_CONTROL to a specified user, restrict the grant to specified resources, and optionally require that requests come from an IP address whitelist or a referer whitelist.
The coarse-grained custom permissions supported by BOS are described as follows:
Permission Name | Permission Supported Operation |
---|---|
READ | Users are allowed to read objects and their related information in the bucket, but they have no list permission. The specific operations are GetBucketLocation, HeadBucket, GetObject, GetObjectMeta, ListParts and RestoreObject. The APIs corresponding to the READ permission include both bucket-level APIs (such as GetBucketLocation) and object-level APIs (such as GetObject and ListParts). |
LIST | Users are allowed to view the object list of the specified bucket and to get all uncompleted multipart uploads. The specific operations are ListObjects and ListMultipartUploads. The APIs corresponding to the LIST permission include bucket-level APIs only. |
WRITE | Users are allowed to create, overwrite and delete objects in the bucket. The specific operations are PutObject, PostObject, InitiateMultipartUpload, UploadPart, CompleteMultipartUpload, AbortMultipartUpload, AppendObject, DeleteObject, DeleteMultipleObjects and FetchObject. The APIs corresponding to the WRITE permission include object-level APIs only. |
MODIFY | Covers only the PutObject and AppendObject operations, that is, overwriting or appending to an object; it grants no other create or delete operations. Its main use is in a Deny rule: denying MODIFY while granting WRITE prevents existing bucket data from being tampered with through those two operations. |
FULL_CONTROL | Includes all permissions above. In addition to every operation of READ, LIST and WRITE, the FULL_CONTROL permission also includes PutBucketAcl, GetBucketAcl, PutBucketCors, GetBucketCors and DeleteBucketCors. The APIs corresponding to the FULL_CONTROL permission include both bucket-level and object-level APIs. |
Definition of fine-grained custom permission
If the coarse-grained custom permissions above are still too broad for the authorization you need, you can use the fine-grained custom permissions provided by BOS. The fine-grained custom permissions supported by BOS cover both bucket-level and object-level operations.
Bucket related permissions
Bucket Related Permissions | Supported Operations |
---|---|
GetBucket | This permission indicates that users are allowed to get the bucket content and its related information, for example list the objects in the bucket and list all uncompleted multipart uploads (three-step uploads) in the bucket. |
GetBucketAcl | This permission indicates that users are allowed to get the bucket ACL. |
PutBucketAcl | This permission indicates that users are allowed to set the bucket ACL. |
GetBucketCors | This permission indicates that users are allowed to get the Cross-Origin Resource Sharing (CORS) rules in the bucket. |
PutBucketCors | This permission indicates that users are allowed to set or delete a CORS rule in the specified bucket. |
GetBucketStyle | This permission indicates that users are allowed to get or list the Bucket Style rules. |
PutBucketStyle | This permission indicates that users are allowed to add or delete the Bucket Style rules. |
GetBucketMirroring | This permission indicates that users are allowed to get the mirroring-based back-to-origin-related information of the bucket. |
PutBucketMirroring | This permission indicates that users are allowed to add or delete the mirroring-based back-to-origin-related information of the bucket. |
GetCopyRightProtection | This permission indicates that users are allowed to get the copyright protection configuration information of the bucket. |
PutCopyRightProtection | This permission indicates that users are allowed to enable or disable the copyright protection feature of the bucket. |
Object related permissions
Object Related Permissions | Supported Operations |
---|---|
PutObject | This permission indicates that users are allowed to perform the object upload related operations, such as PutObject, PostObject, AppendObject, FetchObject, CopyObject, three-step (multipart) upload and three-step copy. |
GetObject | This permission indicates that users are allowed to perform the GetObject and GetObjectMeta operations only. The APIs corresponding to the GetObject permission include object-level APIs only. |
DeleteObject | This permission indicates that users are allowed to delete a single object or a batch of objects. |
RenameObject | This permission indicates that users are allowed to rename an object. |
ListParts | This permission indicates that users are allowed to list all successfully uploaded parts of a three-step upload with the specified UploadId, and thus view the current progress of that upload. |
GetObjectMeta | This permission indicates that users are allowed to get the metadata of an object. |
GetObjectAcl | This permission indicates that users are allowed to get the object ACL. |
PutObjectAcl | This permission indicates that users are allowed to set and delete the object ACL. |
Notes:
- The fine-grained permissions and the coarse-grained permissions READ, LIST, WRITE, FULL_CONTROL and MODIFY are independent grants: configuring one never implicitly grants the other.
- Coarse-grained permissions take precedence over fine-grained permissions. If both are configured for the same user, the coarse-grained configuration overrides the fine-grained one, so the effective access is what the coarse-grained permissions say.
- Bucket-level fine-grained permissions cover operations on buckets.
- Object-level fine-grained permissions cover operations on objects.
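The following is an added example, not BOS code and not the real BOS ACL or policy syntax. It models the permission tables on this page (coarse-grained READ, LIST, WRITE, MODIFY and FULL_CONTROL; the fine-grained bucket and object permissions; resource, IP and referer whitelists) plus the two notes above, so you can see what a given configuration actually allows before deploying it. The `Statement` shape, the "explicit Deny wins" rule, the way "coarse-grained overrides fine-grained" is modelled, and the sample users and bucket are all assumptions made for the example.

```python
"""Toy evaluator for the permission model described on this page.

Added example: not BOS code and not the real BOS ACL/policy syntax.
The operation sets are copied from the page's tables; the Statement
shape, the 'explicit Deny wins' rule and the modelling of the
'coarse-grained overrides fine-grained' note are assumptions.
"""
import fnmatch
import ipaddress
from dataclasses import dataclass

# Coarse-grained permission -> operations (from the coarse-grained table).
COARSE = {
    "READ": {"GetBucketLocation", "HeadBucket", "GetObject", "GetObjectMeta",
             "ListParts", "RestoreObject"},
    "LIST": {"ListObjects", "ListMultipartUploads"},
    "WRITE": {"PutObject", "PostObject", "InitiateMultipartUpload", "UploadPart",
              "CompleteMultipartUpload", "AbortMultipartUpload", "AppendObject",
              "DeleteObject", "DeleteMultipleObjects", "FetchObject"},
    "MODIFY": {"PutObject", "AppendObject"},
}
COARSE["FULL_CONTROL"] = (COARSE["READ"] | COARSE["LIST"] | COARSE["WRITE"]
                          | {"PutBucketAcl", "GetBucketAcl", "PutBucketCors",
                             "GetBucketCors", "DeleteBucketCors"})

# Fine-grained permission -> operations (from the two fine-grained tables).
# Where the page names a family ("upload related operations") rather than
# operations, the members are assumed to be the WRITE row's upload calls.
FINE = {
    "GetBucket": {"ListObjects", "ListMultipartUploads"},
    "GetBucketAcl": {"GetBucketAcl"}, "PutBucketAcl": {"PutBucketAcl"},
    "GetBucketCors": {"GetBucketCors"},
    "PutBucketCors": {"PutBucketCors", "DeleteBucketCors"},
    "PutObject": {"PutObject", "PostObject", "AppendObject", "FetchObject", "CopyObject",
                  "InitiateMultipartUpload", "UploadPart", "CompleteMultipartUpload"},
    "GetObject": {"GetObject", "GetObjectMeta"},
    "DeleteObject": {"DeleteObject", "DeleteMultipleObjects"},
    "RenameObject": {"RenameObject"}, "ListParts": {"ListParts"},
    "GetObjectMeta": {"GetObjectMeta"},
    "GetObjectAcl": {"GetObjectAcl"}, "PutObjectAcl": {"PutObjectAcl"},
}


@dataclass(frozen=True)
class Statement:
    user: str
    permissions: frozenset          # names from COARSE or FINE
    resources: tuple = ("*",)       # glob patterns over "bucket/key"
    effect: str = "Allow"           # "Allow" or "Deny"
    ip_whitelist: tuple = ()        # CIDR strings; empty = no restriction
    referer_whitelist: tuple = ()   # glob patterns; empty = no restriction


def _ops(perm):
    return COARSE.get(perm) or FINE.get(perm) or set()


def _applies(stmt, user, resource, ip, referer):
    """Does the statement cover this principal, resource and request context?"""
    if stmt.user != user:
        return False
    if not any(fnmatch.fnmatchcase(resource, pat) for pat in stmt.resources):
        return False
    if stmt.ip_whitelist and not any(
            ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)
            for cidr in stmt.ip_whitelist):
        return False
    if stmt.referer_whitelist and not any(
            fnmatch.fnmatchcase(referer or "", pat) for pat in stmt.referer_whitelist):
        return False
    return True


def is_allowed(statements, user, op, resource, ip="0.0.0.0", referer=None):
    """True if `user` may perform `op` on `resource` under `statements`."""
    grants = [(s.effect, p) for s in statements
              if _applies(s, user, resource, ip, referer) for p in s.permissions]
    # Page note: when both kinds are configured, the coarse-grained ones prevail.
    # Modelled as: if any coarse-grained grant applies, fine-grained ones are ignored.
    if any(p in COARSE for _, p in grants):
        grants = [(e, p) for e, p in grants if p in COARSE]
    if any(e == "Deny" and op in _ops(p) for e, p in grants):
        return False                     # assumption: an explicit Deny always wins
    return any(e == "Allow" and op in _ops(p) for e, p in grants)


# Constructed sample configuration (hypothetical users and bucket prefix).
SAMPLE_ACL = (
    # alice: READ+WRITE on photos/*, only from the 10.0.0.0/8 range ...
    Statement("alice", frozenset({"READ", "WRITE"}), ("photos/*",),
              ip_whitelist=("10.0.0.0/8",)),
    # ... with MODIFY denied, the anti-tampering pattern from the MODIFY row.
    Statement("alice", frozenset({"MODIFY"}), ("photos/*",), effect="Deny"),
    # bob: fine-grained GetObject, only with an approved Referer.
    Statement("bob", frozenset({"GetObject"}), ("photos/public/*",),
              referer_whitelist=("https://example.com/*",)),
    # carol: fine-grained GetObject plus coarse-grained LIST on the same prefix.
    Statement("carol", frozenset({"GetObject"}), ("photos/*",)),
    Statement("carol", frozenset({"LIST"}), ("photos/*",)),
)
```

Run `is_allowed(SAMPLE_ACL, "alice", "PutObject", "photos/a.jpg", ip="10.1.2.3")` and it returns False because the MODIFY Deny covers PutObject, while `DeleteObject` and `GetObject` from the same address return True and any request from outside 10.0.0.0/8 is refused by the IP whitelist. Two points worth checking in your own configuration: READ does not include ListObjects, so alice cannot list the prefix she can read; and because the coarse-grained LIST grant for carol overrides her fine-grained GetObject grant, she can list but not fetch. Also note that, going purely by the page's table, CompleteMultipartUpload sits in WRITE but not in MODIFY, so in this model a Deny on MODIFY alone does not block overwriting an object through a multipart upload; confirm the service's actual behaviour before relying on a MODIFY Deny as your only tamper protection.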