          Authentication and Privilege Management

          What is the difference between bucket ACL and STS?

          BOS privileges fall into two categories: resource-based privileges and user-based privileges.

          • A resource-based privilege controls which users may access a certain resource, for example, bucket ACL.
          • A user-based privilege controls which resources a certain user may access, for example, STS temporary authorization.

          Privilege control for both bucket ACL and STS is implemented through ACL files. The two use similar syntax, and both support the grantee (the subject to which access is granted; not required for STS, because STS is a user-based privilege), privilege (operation), resource, conditions and other fields.

          In terms of application scenarios, bucket ACL is better suited to cases in which the grantee is a certain account or all users (including anonymous users) of Baidu AI Cloud, while STS is better suited to cases in which access is authorized temporarily, for example, when a mobile phone temporarily needs to upload a photo.

          What is the difference between GetObject privilege and READ privilege?

          The GetObject privilege includes only two API operations: GetObject and GetObjectMeta. The READ privilege includes three more operations in addition to those covered by the GetObject privilege: GetBucketLocation, HeadBucket and ListParts. Please refer to Bucket Access Management for more information.
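
The difference above matters for least privilege: a grantee that only downloads objects does not need READ. The following is an added example, not part of the BOS documentation, that compares granted privileges with the operations each grantee actually uses. The entry shape, grantee names and observed-operation data are constructed for illustration and are not the BOS ACL file syntax.

```python
# Operations covered by each privilege, as stated in the answer above.
GETOBJECT_OPS = frozenset({"GetObject", "GetObjectMeta"})
READ_OPS = GETOBJECT_OPS | {"GetBucketLocation", "HeadBucket", "ListParts"}
PRIVILEGE_OPS = {"GetObject": GETOBJECT_OPS, "READ": READ_OPS}


def allowed(privileges, operation):
    """True if any granted privilege covers the API operation."""
    return any(operation in PRIVILEGE_OPS.get(p, ()) for p in privileges)


def right_size(entries, observed):
    """Report grants that cover more operations than the grantee uses.

    entries:  list of {"grantee", "privilege", "resource"} dicts
              (simplified, hypothetical shape; not the BOS ACL syntax).
    observed: {grantee: set of API operations seen in access logs}.
    Privileges other than GetObject and READ are not modelled here.
    """
    findings = {}
    for e in entries:
        used = observed.get(e["grantee"], set())
        granted = set().union(*(PRIVILEGE_OPS.get(p, ()) for p in e["privilege"]))
        unused = granted - used
        if not unused:
            continue  # grant matches usage exactly
        if not used:
            suggest = "remove grant"   # nothing was ever used
        elif "READ" in e["privilege"] and used <= GETOBJECT_OPS:
            suggest = "GetObject"      # narrower privilege is enough
        else:
            suggest = "keep"           # no narrower modelled privilege fits
        findings[e["grantee"]] = {"unused": sorted(unused), "suggest": suggest}
    return findings


# Constructed sample data.
ACL = [
    {"grantee": "app-download", "privilege": ["READ"], "resource": "photos/*"},
    {"grantee": "app-multipart", "privilege": ["READ"], "resource": "photos/*"},
    {"grantee": "app-thumbs", "privilege": ["GetObject"], "resource": "photos/*"},
    {"grantee": "old-batch", "privilege": ["READ"], "resource": "photos/*"},
]
OBSERVED = {
    "app-download": {"GetObject", "GetObjectMeta"},
    "app-multipart": {"GetObject", "ListParts"},
    "app-thumbs": {"GetObject", "GetObjectMeta"},
}

if __name__ == "__main__":
    for grantee, finding in right_size(ACL, OBSERVED).items():
        print(grantee, finding)
```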

          Which prevails when the object privilege and the bucket privilege differ?

          By default, an object's privilege is identical to the bucket privilege. You can also set the object to public-read or private as needed. In case of any discrepancy between the bucket privilege and the object privilege, the object privilege will prevail.

          In BOS, how do I grant an account the privilege to create, read and write, but not to delete?

          You can upload ACL files to set fine-grained privileges on a bucket. For more information, please refer to Privilege Control by Uploading ACL Files.
