Object permission control
Permission control
Set access permissions for objects
Currently, BOS supports two methods for setting ACLs. For details, refer to Permission Control
The first method is to use Canned ACL. During put_object_acl, the object access permission is set via the header "x-bce-acl", "x-bce-grant-read" or "x-bce-grant-permission". Currently configurable permissions include private and public-read. The three types of headers cannot appear in the same request simultaneously.
The second method is to set the access_control_list structure in the custom Acl style, specifically by uploading its json string, or directly upload an ACL file. For details, refer to Permission Control Overview
Set Canned ACL
Canned ACL is a predefined access permission, allowing users to set it for specific objects, supporting three interfaces:
1PutObjectAclRequest putObjectAclRequest(bucketName, objectKey);
2PutObjectAclResponse putObjectAclResponse;
3 // 1. Use x-bce-acl Header to set
4 // cannedAcl supports: private, public-read
5std::string cannedAcl="public-read";
6putObjectAclRequest.set_canned_acl(cannedAcl);
7 // 2. Use x-bce-grant-read / x-bce-grant-read-permission Header to set
8 // idStrings is a collection of IDs. Multiple IDs can be passed at once, separated by commas, in the fixed string format: "id=/"xxxxx/", id=/"xxxxx/"";
9std::string idStrings="id=\"77f47fbbc29d41xxxxxxxxxx6\"";
10putObjectAclRequest.set_xbce_grant_read(idStrings);
11putObjectAclRequest.set_xbce_grant_full_control(idStrings);
12int ret = client.put_object_acl(putObjectAclRequest, &putObjectAclResponse);
13if (ret) {
14 LOGF(WARN, "client err: %d", ret);
15}
16if (putObjectAclResponse.is_fail()) {
17 LOGF(WARN,"put_object_acl: [status_code = %d], [message = %s], [requestid = %s]",
18 putObjectAclResponse.status_code(),
19 putObjectAclResponse.error().message().c_str(),
20 putObjectAclResponse.error().request_id().c_str());
21}Note: Three methods: set_canned_acl(),set_xbce_grant_read(),set_xbce_grant_full_control()
Only one of the above three interfaces can be set by a single put_object_acl() call.
Set custom ACL
Users can refer to the following code to set bucket's custom access permissions, supporting three different parameters:
1PutObjectAclRequest putObjectAclRequest(bucketName, objectKey);
2PutObjectAclResponse putObjectAclResponse;
3 // 1. Upload ACL json string
4std::string jsonAcl =
5 "{\"accessControlList\":[{\"grantee\":[{\"id\":\"*\"}],\"permission\":[\"READ\"]},{"
6 "\"grantee\":[{\"id\":\"cb5f8xxxxxxxxxx82bbc\"}],\"permission\":["
7 "\"FULL_CONTROL\"]}]}";
8std::string cannedAcl="public-read";
9putObjectAclRequest.set_json_acl(jsonAcl);
10 // 2. Upload ACL file
11std::string aclFilePath = "/tmp/acl.json"
12int setRet = putObjectAclRequest.set_acl_file(aclFilePath);
13if (ret) {
14 LOGF(WARN, "client set_acl_file: %d", ret);
15}
16 // 3. Set access_control_list data
17std::vector<Grant> grants;
18Grant grant;
19grantee.id = "77fxxxxxxxxxxx5fa406";
20grant.grantee.push_back(grantee);
21grant.permission.push_back("READ");
22grants.push_back(grant);
23putObjectAclRequest.set_access_control_list(grants);
24int ret = client.put_object_acl(putObjectAclRequest, &putObjectAclResponse);
25if (ret) {
26 LOGF(WARN, "client err: %d", ret);
27}
28if (putObjectAclResponse.is_fail()) {
29 LOGF(WARN,"put_object_acl: [status_code = %d], [message = %s], [requestid = %s]",
30 putObjectAclResponse.status_code(),
31 putObjectAclResponse.error().message().c_str(),
32 putObjectAclResponse.error().request_id().c_str());
33}Obtain access permissions for objects
The following code retrieves an object's access permission:
1GetObjectAclRequest getObjectAclRequest(bucketName, objectKey);
2GetObjectAclResponse getObjectAclResponse;
3int ret = client()->get_object_acl(getObjectAclRequest, &getObjectAclResponse);
4if (ret) {
5 LOGF(WARN, "get_object_acl err: %d", ret);
6}
7if (getObjectAclResponse.is_fail()) {
8 LOGF(WARN,
9 "get_object_acl: [status_code = %d], [message = %s], [requestid = %s]",
10 getObjectAclResponse.status_code(),
11 getObjectAclResponse.error().message().c_str(),
12 getObjectAclResponse.error().request_id().c_str());
13}
14 // Obtain specific permissions (two methods)
15std::vector<Grant> objectAcl = getObjectAclResponse.access_control_list();
16std::string objectAclJsonStr = getObjectAclResponse.json_access_control_list();1// ACL specific structure
2struct Grantee {
3 std::string id;
4};
5struct Grant {
6 std::vector<Grantee> grantee;
7 std::vector<std::string> permission;
8 //std::vector<std::string> resource;
9 //std::vector<std::string> notResource;
10 //Condition condition;
11 //std::string effect;
12}Note: The specific structure Grant involved in ACL is shared between bucket ACL and object ACL systems
Currently, only the grantee and permission fields are utilized in the object acl system.
. The remaining annotated fields are unique to the bucket acl system.
Delete access permissions for objects
For objects with set access permissions, this interface can be called to delete:
1DeleteObjectAclRequest deleteObjectAclRequest(BUCKET_NAME, OBJECT_NAME);
2DeleteObjectAclResponse deleteObjectAclResponse;
3int ret = client.delete_object_acl(deleteObjectAclRequest, &deleteObjectAclResponse);
4if (ret) {
5 LOGF(WARN, "client err: %d", ret);
6}
7if (deleteObjectAclResponse.is_fail()) {
8 LOGF(WARN, "put_object_acl: [status_code = %d], [message = %s], [requestid = %s]",
9 deleteObjectAclResponse.status_code(),
10 deleteObjectAclResponse.error().message().c_str(),
11 deleteObjectAclResponse.error().request_id().c_str());
12}