vpruthi/doc-exports
1
0
Fork 0
forked from docs/doc-exports
Code Pull Requests Activity
doc-exports/docs/obs/perms-cfg/obs_40_0044.html
zhangyue 32b9354795 OBS PERMS DOC 
Reviewed-by: Sabelnikov, Dmitriy <dmitriy.sabelnikov@t-systems.com>
Reviewed-by: Hasko, Vladimir <vladimir.hasko@t-systems.com>
Co-authored-by: zhangyue <zhangyue164@huawei.com>
Co-committed-by: zhangyue <zhangyue164@huawei.com>
2023-04-18 07:48:10 +00:00

81 lines
15 KiB
HTML
Raw Blame History

<a name="obs_40_0044"></a><a name="obs_40_0044"></a>
<h1 class="topictitle1">Granting IAM User Groups Specified Permissions on Certain OBS Folders</h1>
<div id="body0000001128664300"><div class="section" id="obs_40_0044__section43491717165116"><h4 class="sectiontitle">Scenario</h4><p id="obs_40_0044__p3431154410448">This topic describes how to grant certain operation permissions on specific folders in an OBS bucket to multiple IAM users or user groups.</p>
</div>
<div class="section" id="obs_40_0044__section106520378518"><h4 class="sectiontitle">Recommended Configuration</h4><p id="obs_40_0044__p103657437515">IAM custom policies</p>
</div>
<div class="section" id="obs_40_0044__section786219432319"><h4 class="sectiontitle">Configuration Precautions</h4><p id="obs_40_0044__p817120327254">After the configuration is complete, you can perform allowed operations using APIs. However, if you log in to OBS Console or OBS Browser+ to perform those operations, an error is reported indicating that you do not have required permissions.</p>
<p id="obs_40_0044__p2095722518592">This is because when you log in to OBS Console or OBS Browser+, APIs (such as <strong id="obs_40_0044__b109481258171710">ListAllMyBuckets</strong> and <strong id="obs_40_0044__b767019018182">ListBucket</strong>) are called to load the bucket list and object list and some other APIs will also be called on other pages, but your permissions do not cover those APIs. In such case, your access to OBS Console or OBS Browser+ is denied or your operation is not allowed.</p>
<p id="obs_40_0044__p7807163365117">To allow IAM users to operate buckets and objects on OBS Console or OBS Browser+, add at least the <strong id="obs_40_0044__b1023814132458">obs:bucket:ListAllMyBuckets</strong> and <strong id="obs_40_0044__b423961364510">obs:bucket:ListBucket</strong> permissions to the custom policy. (In this case, these two permissions are configured in permission 2 and 3.)</p>
<div class="note" id="obs_40_0044__note5566228165219"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="obs_40_0044__p1518015112445"><strong id="obs_40_0044__b1175714464297">obs:bucket:ListAllMyBuckets</strong> applies to all resources. You need to select all resources.</p>
<p id="obs_40_0044__p256692825216"><strong id="obs_40_0044__b173404902917">obs:bucket:ListBucket</strong> applies only to the authorized bucket. You can select all resources or a specified bucket as needed.</p>
</div></div>
</div>
<div class="section" id="obs_40_0044__section1565643713464"><h4 class="sectiontitle">Procedure</h4><ol id="obs_40_0044__ol170633855216"><li id="obs_40_0044__li10432131493113"><span>Log in to the management console using a cloud service account.</span></li><li id="obs_40_0044__li625685643115"><span>On the top menu bar, choose <strong id="obs_40_0044__b2096717161570">Service List</strong> &gt; <strong id="obs_40_0044__b196721655710">Management &amp; Deployment</strong> &gt; <strong id="obs_40_0044__b6967131605713">Identity and Access Management</strong>. The IAM console is displayed.</span></li><li id="obs_40_0044__li1848615103345"><span>In the navigation pane, choose <strong id="obs_40_0044__b17330625152910">Permissions</strong>.</span></li><li id="obs_40_0044__li1388483016366"><span>Click <strong id="obs_40_0044__b3955112255715">Create Custom Policy</strong> in the upper right corner.</span></li><li id="obs_40_0044__li1161395452712"><span>Configure parameters for a custom policy.</span><p><div class="fignone" id="obs_40_0044__fig61012351811"><span class="figcap"><b>Figure 1 </b>Configuring a custom policy</span><br><span><img id="obs_40_0044__image1010283101813" src="en-us_image_0000001386340170.png"></span></div>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="obs_40_0044__table6375112782815" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Parameters for configuring a custom policy</caption><thead align="left"><tr id="obs_40_0044__row6375927132818"><th align="left" class="cellrowborder" valign="top" width="25.25%" id="mcps1.3.4.2.5.2.2.2.3.1.1"><p id="obs_40_0044__p23757272286">Parameter</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="74.75%" id="mcps1.3.4.2.5.2.2.2.3.1.2"><p id="obs_40_0044__p63751027152820">Description</p>
</th>
</tr>
</thead>
<tbody><tr id="obs_40_0044__row17375102752819"><td class="cellrowborder" valign="top" width="25.25%" headers="mcps1.3.4.2.5.2.2.2.3.1.1 "><p id="obs_40_0044__p1737572772816">Policy Name</p>
</td>
<td class="cellrowborder" valign="top" width="74.75%" headers="mcps1.3.4.2.5.2.2.2.3.1.2 "><p id="obs_40_0044__p83758278280">Name of the custom policy</p>
</td>
</tr>
<tr id="obs_40_0044__row1937592712288"><td class="cellrowborder" valign="top" width="25.25%" headers="mcps1.3.4.2.5.2.2.2.3.1.1 "><p id="obs_40_0044__p173753272284">Policy View</p>
</td>
<td class="cellrowborder" valign="top" width="74.75%" headers="mcps1.3.4.2.5.2.2.2.3.1.2 "><p id="obs_40_0044__p17375102714285">Set this parameter based on your own habits. <strong id="obs_40_0044__b2790543214">Visual editor</strong> is used here.</p>
</td>
</tr>
<tr id="obs_40_0044__row133751227142812"><td class="cellrowborder" valign="top" width="25.25%" headers="mcps1.3.4.2.5.2.2.2.3.1.1 "><p id="obs_40_0044__p203751027172816">Policy Content</p>
</td>
<td class="cellrowborder" valign="top" width="74.75%" headers="mcps1.3.4.2.5.2.2.2.3.1.2 "><p id="obs_40_0044__p1928318374535">[Permission 1]</p>
<ul id="obs_40_0044__ul1488325514462"><li id="obs_40_0044__li10883125510469">Select <strong id="obs_40_0044__b1866817151147">Allow</strong>.</li><li id="obs_40_0044__li988318554466">Select <strong id="obs_40_0044__b10564181443">Object Storage Service (OBS)</strong>.</li><li id="obs_40_0044__li77471332151019">Select all the object-related permissions under <strong id="obs_40_0044__b153651023363">ReadOnly</strong>, <strong id="obs_40_0044__b496392414610">ReadWrite</strong>, and <strong id="obs_40_0044__b375318354615">Permissions</strong>.</li><li id="obs_40_0044__li595411121418">On the <strong id="obs_40_0044__b1243537131317">All</strong> tab, choose <strong id="obs_40_0044__b645910101070">Specific</strong> &gt; <strong id="obs_40_0044__b246020102071">Specify resource path</strong> to specify a folder.<p id="obs_40_0044__p4392013822">[Path Format]</p>
<p id="obs_40_0044__p9933155311298"><strong id="obs_40_0044__b576132216156">obs:*:*:object:</strong><em id="obs_40_0044__i175434291158">Bucket name</em><strong id="obs_40_0044__b1526353310150">/</strong><em id="obs_40_0044__i94341139151511">Folder name</em><strong id="obs_40_0044__b169031642181517">/*</strong></p>
<p id="obs_40_0044__p14703335307">[Notes]</p>
<p id="obs_40_0044__p9142175873014">For bucket resources, IAM automatically generates the prefix of the resource path <strong id="obs_40_0044__b720530101913">obs:*:*:object:</strong>.</p>
<p id="obs_40_0044__p17463217363">You can add <em id="obs_40_0044__i187511017141713">Bucket name/Object name</em> at the end of the generated path prefix to specify a resource path. Wildcards (*) are also supported. For example, <strong id="obs_40_0044__b144871906242">OBS:*:*:object:example-002/folder-001/*</strong> indicates any object in folder <strong id="obs_40_0044__b554372202419">folder-001</strong> of bucket <strong id="obs_40_0044__b39723219244">example-002</strong>.</p>
</li></ul>
<p id="obs_40_0044__p1094344019260">[Permission 2] It is mandatory when an authorized user needs to perform operations on OBS Console or OBS Browser+.</p>
<ul id="obs_40_0044__ul17943540162618"><li id="obs_40_0044__li10943104052620">Select <strong id="obs_40_0044__b195554342271">Allow</strong>.</li><li id="obs_40_0044__li9943184022620">Select <strong id="obs_40_0044__b152051737162710">Object Storage Service (OBS)</strong>.</li><li id="obs_40_0044__li19883155554614">Select <strong id="obs_40_0044__b12933739192712">obs:bucket:ListBucket</strong> from the actions.</li><li id="obs_40_0044__li1991741116547">On the <strong id="obs_40_0044__b2116731162813">All</strong> tab, choose <strong id="obs_40_0044__b14118143182811">Specific</strong> &gt; <strong id="obs_40_0044__b3120113116285">Specify resource path</strong> to specify a bucket.<p id="obs_40_0044__p2045623815299">[Path Format]</p>
<p id="obs_40_0044__p74565384297"><strong id="obs_40_0044__b172671627397">obs:*:*:bucket:</strong><em id="obs_40_0044__i734662053613">Bucket name</em></p>
</li><li id="obs_40_0044__li1588752312315">On the <strong id="obs_40_0044__b17782230124419">(Optional) Add request condition</strong> tab, click <strong id="obs_40_0044__b2448123915442">Add Request Condition</strong>.<ul id="obs_40_0044__ul12427164311341"><li id="obs_40_0044__li347333313220"><strong id="obs_40_0044__b4846192444519">Condition key</strong>: Select <strong id="obs_40_0044__b124631354154516">obs:prefix</strong> from the drop-down list.</li><li id="obs_40_0044__li988010439332"><strong id="obs_40_0044__b2751199114613">Operator</strong>: Select <strong id="obs_40_0044__b1560329114613">StringStartWith</strong> from the drop-down list.</li><li id="obs_40_0044__li1167275203417"><strong id="obs_40_0044__en-us_topic_0104029905_b33832910436">Value</strong>: <em id="obs_40_0044__en-us_topic_0104029905_en-us_topic_0101094788_i102251116161316">Folder name</em><strong id="obs_40_0044__b15352191112476">/</strong></li></ul>
<p id="obs_40_0044__p10505450163414">[Notes]</p>
<p id="obs_40_0044__p4861328352">If you want a user to have only the permission to list a folder in the bucket, add a request condition for action <strong id="obs_40_0044__b2027203614487">obs:bucket:ListBucket</strong>. <strong id="obs_40_0044__b789255075811">prefix</strong> is included in the request for listing objects in a bucket. In this way, when you specify <strong id="obs_40_0044__b1932193919597">prefix</strong> to list objects whose names start with <em id="obs_40_0044__i174551427143719">Folder name</em><strong id="obs_40_0044__b156943360360">/</strong>, the objects in the bucket can be listed.</p>
</li></ul>
<div class="p" id="obs_40_0044__p7700251153917">[Permission 3] It is mandatory when an authorized user needs to perform operations on OBS Console or OBS Browser+.<ul id="obs_40_0044__ul1854216504393"><li id="obs_40_0044__li155421350103914">Select <strong id="obs_40_0044__b1361117610481">Allow</strong>.</li><li id="obs_40_0044__li4542450103916">Select <strong id="obs_40_0044__b19890121285411">Object Storage Service (OBS)</strong>.</li><li id="obs_40_0044__li135421450183918">Select <strong id="obs_40_0044__b227391915546">obs:bucket:ListAllMyBuckets</strong> under <strong id="obs_40_0044__b795072805513">ListOnly</strong>.</li><li id="obs_40_0044__li15542105020399">Select <strong id="obs_40_0044__b1174619265568">All</strong> for <strong id="obs_40_0044__b1537101185719">Resources</strong>.</li></ul>
</div>
</td>
</tr>
<tr id="obs_40_0044__row207159108539"><td class="cellrowborder" valign="top" width="25.25%" headers="mcps1.3.4.2.5.2.2.2.3.1.1 "><p id="obs_40_0044__p83756273285">Scope</p>
</td>
<td class="cellrowborder" valign="top" width="74.75%" headers="mcps1.3.4.2.5.2.2.2.3.1.2 "><p id="obs_40_0044__p1037542711283">The default value is <strong id="obs_40_0044__b860181361">Global services</strong>.</p>
</td>
</tr>
</tbody>
</table>
</div>
</p></li><li id="obs_40_0044__li1293324623719"><span>Click <strong id="obs_40_0044__b32951079577">OK</strong>. The custom policy is created.</span></li><li id="obs_40_0044__li81339157389"><span><a href="https://docs.otc.t-systems.com/en-us/usermanual/iam/iam_01_0030.html" target="_blank" rel="noopener noreferrer">Create a user group and assign permissions</a>.</span><p><p id="obs_40_0044__p1312812258417">Add the created custom policy to the user group by following the instructions in the IAM document.</p>
</p></li><li id="obs_40_0044__li12273529113919"><span>Add the IAM user you want to authorize to the created user group by referring to <a href="https://docs.otc.t-systems.com/en-us/usermanual/iam/iam_01_0031.html" target="_blank" rel="noopener noreferrer">Creating a User and Adding the User to a User Group</a>.</span><p><div class="note" id="obs_40_0044__note1402619155515"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="obs_40_0044__p37253183814">Due to data caching, it takes about 10 to 15 minutes for a custom policy to take effect after the authorization.</p>
</div></div>
</p></li></ol>
</div>
<div class="section" id="obs_40_0044__section15823527415"><h4 class="sectiontitle">Verification</h4><ol id="obs_40_0044__ol5278184513146"><li id="obs_40_0044__li027864581416"><span>Log in to OBS Console as an IAM user.</span></li><li id="obs_40_0044__li187691522131319"><span>In the bucket list, click bucket <strong id="obs_40_0044__b1120725410174">example-002</strong> to go to the overview page.</span><p><div class="note" id="obs_40_0044__note1582471119493"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="obs_40_0044__p78251911174916">After the configuration is complete, it is normal if the system still displays a message indicating that you do not have required permissions, because OBS Console also calls other APIs for advanced settings, but you can still perform the operations allowed on the folder.</p>
</div></div>
</p></li><li id="obs_40_0044__li11765154017509"><span>In the navigation pane, select <strong id="obs_40_0044__b430811332119">Objects</strong>. It is normal that a message indicating no permission is displayed and no object can be viewed.</span><p><div class="note" id="obs_40_0044__note3156142165415"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="obs_40_0044__p141561321195411">The reason why there is no required permission is that listing objects on OBS Console is to list objects in the root folder. This rule does not match the configured custom policy for listing objects in folder <strong id="obs_40_0044__b13188125619298">folder-001/</strong>.</p>
</div></div>
</p></li><li id="obs_40_0044__li7706170175111"><span>In the search box, enter <strong id="obs_40_0044__b1593118142616">folder-001/</strong> to view the list of objects in <strong id="obs_40_0044__b182861144132616">folder-001</strong>. Objects <strong id="obs_40_0044__b1273081272711">222.txt</strong> and <strong id="obs_40_0044__b18722131532719">111.txt</strong> are displayed.</span></li><li id="obs_40_0044__li584842925718"><span>Click <strong id="obs_40_0044__b12655185116331">Create Folder</strong> to create folder <strong id="obs_40_0044__b185938552336">folder-002</strong>.</span></li><li id="obs_40_0044__li1629212395918"><span>Click <strong id="obs_40_0044__b587712754116">Upload Object</strong> to upload file <strong id="obs_40_0044__b11764182154111">333.txt</strong>.</span><p><div class="note" id="obs_40_0044__note127411448185420"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="obs_40_0044__p137411348205417">If some other permissions are required, hover your cursor over the username and choose <strong id="obs_40_0044__b1419118113463">Identity and Access Management</strong> &gt; <strong id="obs_40_0044__b16592553462">Permissions</strong>, and then repeat the operations above to configure custom policies as needed.</p>
</div></div>
</p></li></ol>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="obs_40_0019.html">Granting Permissions to Multiple IAM Users or User Groups Under the Account</a></div>
</div>
</div>
View Git Blame Copy Permalink