OBS Permission 0825 Version

Reviewed-by: Sabelnikov, Dmitriy <dmitriy.sabelnikov@t-systems.com>
Co-authored-by: weihongmin1 <weihongmin1@huawei.com>
Co-committed-by: weihongmin1 <weihongmin1@huawei.com>
2025-09-29 12:30:31 +00:00
committed by zuul
parent 66d959f7d2
commit 60127db659
10 changed files with 445 additions and 667 deletions

View File

@ -130,7 +130,7 @@
"node_id":"obs_40_0005.xml",
"product_code":"obs",
"code":"8",
"des":"An access control list (ACL) is a list of rules that specifies which users or systems are granted or denied access to a particular bucket or object.Bucket and object ACLs",
"des":"Access control lists (ACLs) allow resource owners to grant other accounts the access to resources. OBS ACLs define the read and write permissions that are attached to acc",
"doc_type":"perms-cfg",
"kw":"ACLs,Permission Control Methods,Permission Configuration Guide",
"search_title":"",

View File

@ -63,7 +63,7 @@
"code":"7"
},
{
"desc":"An access control list (ACL) is a list of rules that specifies which users or systems are granted or denied access to a particular bucket or object.Bucket and object ACLs",
"desc":"Access control lists (ACLs) allow resource owners to grant other accounts the access to resources. OBS ACLs define the read and write permissions that are attached to acc",
"product_code":"obs",
"title":"ACLs",
"uri":"obs_40_0005.html",

View File

@ -15,7 +15,7 @@
</thead>
<tbody><tr id="obs_40_0001__row31131324201112"><td class="cellrowborder" valign="top" width="15%" headers="mcps1.3.2.4.2.4.1.1 "><p id="obs_40_0001__p411392481118">IAM permissions</p>
</td>
<td class="cellrowborder" valign="top" width="40%" headers="mcps1.3.2.4.2.4.1.2 "><p id="obs_40_0001__p15113152418112">IAM permissions define the actions that can be performed on your cloud resources. In other words, IAM permissions specify what actions are allowed or denied. After an IAM user is created, the administrator needs to add the user to a group. IAM can grant the user group required permissions so that all users in the group automatically inherit the permissions of the user group.</p>
<td class="cellrowborder" valign="top" width="40%" headers="mcps1.3.2.4.2.4.1.2 "><p id="obs_40_0001__p15113152418112">IAM permissions are mainly used to manage IAM users' or user groups' access to cloud services and resources. You can grant IAM permissions to IAM users or user groups to allow or deny certain actions on specific cloud services and resources. After an IAM user is created, the administrator needs to add the user to a group. IAM can grant the user group required permissions so that all users in the group automatically inherit the permissions of the user group.</p>
</td>
<td class="cellrowborder" valign="top" width="45%" headers="mcps1.3.2.4.2.4.1.3 "><ul id="obs_40_0001__ul319124042416"><li id="obs_40_0001__li659151842013">Controlling access to all OBS buckets under an account</li><li id="obs_40_0001__li6730112282013">Controlling access to all OBS objects under an account</li><li id="obs_40_0001__li859111882010">Controlling access to specified OBS resources under an account</li></ul>
</td>
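Review bot: the two new sentences say permissions can be granted "to IAM users or user groups", but the retained third and fourth sentences describe only the group path (add the user to a group, the group inherits the permissions), and obs_40_0003.html in this same commit says to "assign one or more OBS permission sets to the user group that the user belongs to". Either state that direct user grants are supported or word the new sentences as group-based so the cell does not contradict itself. "are mainly used to manage" is also vague; "control" would do.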
@ -138,14 +138,12 @@
<ul id="obs_40_0001__ul51633454011"><li id="obs_40_0001__li171637457020">Grant permissions to a single object:<p id="obs_40_0001__p616364517011"><a name="obs_40_0001__li171637457020"></a><a name="li171637457020"></a>If you already have IAM permissions and bucket policies configured for a set of objects, you can use an ACL to grant permissions to a single object in the set.</p>
</li><li id="obs_40_0001__li616310451017">Allow an object to be accessible to all anonymous Internet users:<p id="obs_40_0001__p2163845807"><a name="obs_40_0001__li616310451017"></a><a name="li616310451017"></a>You can use an ACL header to specify read and write permissions on an object during upload.</p>
</li></ul>
<div class="section" id="obs_40_0001__section168541631121519"><h4 class="sectiontitle">Relationships Between Bucket ACLs and Bucket Policies</h4><p id="obs_40_0001__p457674219154">Bucket ACLs control read and write permissions on buckets. Custom bucket policies allow a more refined control over more actions on buckets. In many cases, bucket policies can replace bucket ACLs to manage access to buckets more precisely. <a href="obs_40_0043.html">Relationship Between Bucket ACLs and Bucket Policies</a> shows the mapping between bucket ACLs and bucket policies.</p>
</div>
<div class="section" id="obs_40_0001__section1381514334364"><h4 class="sectiontitle">OBS Permission Control Principles</h4><ul id="obs_40_0001__ul631195033614"><li id="obs_40_0001__li18311135019369">Least privilege<p id="obs_40_0001__p142592375119"><a name="obs_40_0001__li18311135019369"></a><a name="li18311135019369"></a>Grant IAM users only the minimum permissions needed to complete a task. For example, if an IAM user only needs to upload and download objects to a directory, grant this user only the permissions to do so.</p>
</li><li id="obs_40_0001__li167001731153110">Separation of duties<p id="obs_40_0001__p17997134183813"><a name="obs_40_0001__li167001731153110"></a><a name="li167001731153110"></a>Assign different IAM users to manage resources and permissions. For example, you can let one IAM user assign permissions, and let another IAM user manage OBS resources.</p>
</li><li id="obs_40_0001__li633219564361">Restriction by condition<p id="obs_40_0001__p10455442191615"><a name="obs_40_0001__li633219564361"></a><a name="li633219564361"></a>To enhance the security of the resources in a bucket, you can configure specific conditions to control when a permission is applied. For example, you can configure a bucket policy for OBS to accept requests only from a specific IP address.</p>
</li></ul>
</div>
<div class="section" id="obs_40_0001__section54731919133310"><h4 class="sectiontitle">Which Permissions Apply When They Conflict?</h4><p id="obs_40_0001__p99321121194018">In the OBS permission control elements, there are allow and deny effects, which indicate the permission to allow or deny an action.</p>
<div class="section" id="obs_40_0001__section54731919133310"><a name="obs_40_0001__section54731919133310"></a><a name="section54731919133310"></a><h4 class="sectiontitle">Which Permissions Apply When They Conflict?</h4><p id="obs_40_0001__p99321121194018">In the OBS permission control elements, there are allow and deny effects, which indicate the permission to allow or deny an action.</p>
<p id="obs_40_0001__p2366102212325">Following the least-privilege principle, the permission is defaulted to deny, and an explicit deny statement always takes precedence over an allow statement. For example, if IAM permissions grant a user access to an object, a bucket policy denies the user's access to that object, and there is no ACL, this user's access will be denied.</p>
<p id="obs_40_0001__p1416134111327">If no method specifies an allow statement, then the request will be denied by default. Only if no method specifies a deny statement and one or more methods specify an allow statement, will the request be allowed. For example, if a bucket has multiple bucket policies with allow statements, adding such a new bucket policy applies the allowed permissions to the bucket, but adding a new bucket policy with a deny statement will make the permissions work differently. The deny statement will take precedence over allow statements, even if the denied permissions are allowed in other bucket policies.</p>
<div class="fignone" id="obs_40_0001__fig137808145374"><span class="figcap"><b>Figure 3 </b>Authorization process</span><br><span><img id="obs_40_0001__image85113268311" src="en-us_image_0000001664558420.png"></span></div>

View File

@ -5,7 +5,7 @@
<p id="obs_40_0003__p1456812431508">IAM permissions apply to all OBS buckets and objects. To grant an IAM user the permission to operate OBS resources, you need to assign one or more OBS permission sets to the user group that the user belongs to.</p>
<p id="obs_40_0003__p9631520165012">OBS is a global service because it is available in all physical regions. If users in the global project are assigned IAM permissions, they do not need to switch regions to access OBS.</p>
<p id="obs_40_0003__p28301569268">You can grant permissions to users by roles and policies.</p>
<ul id="obs_40_0003__ul6830126162610"><li id="obs_40_0003__li1682355416298">Roles: A type of coarse-grained authorization mechanism that defines permissions related to user responsibilities. This mechanism only provides a limited number of service-level roles for authorization. When using roles to grant permissions, you also need to assign other dependency roles. However, roles are not the best choice for fine-grained authorization and secure access control.</li><li id="obs_40_0003__li14830365263">Policies: A type of fine-grained authorization mechanism that defines permissions required to perform operations on specific cloud resources under certain conditions. This mechanism allows for more flexible policy-based authorization, meeting requirements for secure access control. For example, you can grant OBS users only the permissions to manage a certain type of OBS resources. </li></ul>
<ul id="obs_40_0003__ul6830126162610"><li id="obs_40_0003__li1682355416298">Roles: A type of coarse-grained authorization mechanism that defines permissions related to user responsibilities. This mechanism only provides a limited number of service-level roles for authorization. When using roles to grant permissions, you also need to assign other dependency roles. However, roles are not the best choice for fine-grained authorization and secure access control.</li><li id="obs_40_0003__li14830365263">Policies: A type of fine-grained authorization mechanism that defines permissions required to perform operations on specific cloud resources under certain conditions. This mechanism allows for more flexible policy-based authorization, meeting requirements for secure access control. For example, you can grant an IAM user only the permissions to manage a specific bucket. </li></ul>
<div class="note" id="obs_40_0003__note1018554855215"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="obs_40_0003__p13185164825218">Due to data caching, a role and policy involving OBS actions will take effect 10 to 15 minutes after it is attached to a user or a user group.</p>
</div></div>
<p id="obs_40_0003__p4554141720431">IAM presets system permissions for each cloud service so that you can quickly configure basic permissions. <a href="#obs_40_0003__table143320246431">Table 1</a> describes all system permissions of OBS.</p>

File diff suppressed because it is too large

View File

@ -3,7 +3,7 @@
<h1 class="topictitle1">Accessing OBS Using Permanent Access Keys</h1>
<div id="body1597061276141"><p id="obs_40_0007__p8384154201114">OBS REST APIs support authenticated requests and anonymous requests. Anonymous requests are typically used for public access, such as accessing hosted static websites. In most cases, authenticated requests are required for accessing OBS resources. An authenticated request contains a signature value that is calculated based on the requester's access keys (AK and SK) and the specific information carried in the request body. You only need to prepare the access keys for the SDK. The SDK will then automatically calculate the signature for you. However, if a client uses REST APIs to develop a program to access OBS, the client needs to calculate the signature based on the signature algorithm defined by OBS and add the signature to the request.</p>
<p id="obs_40_0007__p15291241">Users can create permanent access keys (a pair of AK and SK) on the <strong id="obs_40_0007__b536018488218">My Credentials</strong> page.</p>
<ul id="obs_40_0007__ul36784332"><li id="obs_40_0007__li32558606">AK: a unique ID of the secret access key (SK). An AK is used together with an SK to encrypt and sign a request.</li><li id="obs_40_0007__li24592002">SK: a secret access key used together with its AK to verify a request sender and prevent the request from being tampered with.</li></ul>
<ul id="obs_40_0007__ul36784332"><li id="obs_40_0007__li32558606">AK: a unique ID of the secret access key (SK). An AK is used together with an SK to encrypt and sign a request. For details, see <a href="https://docs.otc.t-systems.com/object-storage-service/api-ref/calling_apis/authentication/user_signature_authentication.html" target="_blank" rel="noopener noreferrer">User Signature Authentication</a>.</li><li id="obs_40_0007__li24592002">SK: a secret access key used together with its AK to verify a request sender and prevent the request from being tampered with.</li></ul>
<p class="msonormal" id="obs_40_0007__p62623536">An AK can also identify an IAM user. OBS identifies an IAM user by their AK and SK, and then checks whether they have the permissions to access the resources they are requesting.</p>
<p id="obs_40_0007__p136071453104913">For details about how to obtain the permanent access keys, see <a href="https://docs.otc.t-systems.com/en-us/browsertg/obs/obs_03_1007.html" target="_blank" rel="noopener noreferrer">Where Can I Obtain Access Keys (AK and SK)?</a></p>
</div>
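Review bot: the AK bullet still says the keys are used "to encrypt and sign a request"; the intro paragraph in this same hunk describes only a signature calculated from the access keys and the request content, and the SK bullet speaks of verifying the sender and preventing tampering, so "sign" alone is accurate and "encrypt" should go, especially now that the line is being edited to add the signature-authentication link. The link itself uses a different docs.otc.t-systems.com URL scheme (object-storage-service/api-ref/...) from the one used for the same API reference in obs_40_0009.html (en-us/api_obs/obs/...); pick one so the two references do not rot separately.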

View File

@ -6,7 +6,7 @@
<p id="obs_40_0009__p485730113312"><strong id="obs_40_0009__b317316469135">Sharing a file</strong></p>
<p id="obs_40_0009__p728652492213">All URLs generated during file sharing are temporary and remain valid for a specified period of time.</p>
<p id="obs_40_0009__p23269357438">A temporary URL uses V4 temporarily authorized requests. The following is an example:</p>
<pre class="screen" id="obs_40_0009__screen732623584313">https://oss.<em id="obs_40_0009__i77546494">regionid</em>.example.region.com/<em id="obs_40_0009__i1717434918">bucketname</em>/<em id="obs_40_0009__i1877416498">objectname</em>?X-Amz-Algorithm=<em id="obs_40_0009__i1071048494">xxx</em>&amp;X-Amz-Credential=<em id="obs_40_0009__i11717411494">xxx</em>&amp;X-Amz-Date=<em id="obs_40_0009__i07047498">xxx</em>&amp;X-Amz-Expires=900&amp;X-Amz-Signature=<em id="obs_40_0009__i8713464915">xxx</em>&amp;X-Amz-SignedHeaders=<em id="obs_40_0009__i1671148498">xxx</em>&amp;response-content-disposition=<em id="obs_40_0009__i9714484913">xxx</em></pre>
<pre class="screen" id="obs_40_0009__screen732623584313">https://<em id="obs_40_0009__i1717434918">bucketname</em>.oss.<em id="obs_40_0009__i77546494">regionid</em>.example.region.com/<em id="obs_40_0009__i1877416498">objectname</em>?X-Amz-Algorithm=<em id="obs_40_0009__i1071048494">xxx</em>&amp;X-Amz-Credential=<em id="obs_40_0009__i11717411494">xxx</em>&amp;X-Amz-Date=<em id="obs_40_0009__i07047498">xxx</em>&amp;X-Amz-Expires=900&amp;X-Amz-Signature=<em id="obs_40_0009__i8713464915">xxx</em>&amp;X-Amz-SignedHeaders=<em id="obs_40_0009__i1671148498">xxx</em>&amp;response-content-disposition=<em id="obs_40_0009__i9714484913">xxx</em></pre>
<p id="obs_40_0009__p78796553521">For details about the temporary authentication and parameters, see <a href="https://docs.otc.t-systems.com/en-us/api_obs/obs/en-us_topic_0125560420.html" target="_blank" rel="noopener noreferrer">V4 Temporarily Authorized Request</a> in the <em id="obs_40_0009__i188166914813">Object Storage Service API Reference</em>. A temporary URL also contains the <strong id="obs_40_0009__b128263913819">response-content-disposition</strong> parameter that defines whether an object is to be downloaded or previewed in a browser. The browser obtains the value of <strong id="obs_40_0009__b19838395819">response-content-disposition</strong> based on the <strong id="obs_40_0009__b38313918815">Content-Type</strong> of the shared object.</p>
<p id="obs_40_0009__p52403316294">After you share an object by choosing <strong id="obs_40_0009__b10272191912013">More</strong> &gt; <strong id="obs_40_0009__b1727220197208">Copy Object URL</strong> on OBS Console, the system will generate a URL that contains the temporary authentication information, valid for 900 seconds since its generation by default. Each time you click <strong id="obs_40_0009__b17360142022216">Copy Object URL</strong>, OBS will obtain the authentication information again to generate a new sharing URL whose validity period is reset.</p>
</div>
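Review bot: the example URL now moves bucketname from the path into the host (bucketname.oss.regionid...), but the prose around it is unchanged and never says that the bucket name is part of the domain name; add one sentence before the example stating this, since the change-log entry in obs_40_0039.html describes the update as a domain-name-structure change. It would also help to say next to X-Amz-Expires=900 that the 900-second default mentioned two paragraphs later corresponds to this parameter, so readers can see which query parameter bounds the share lifetime.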

View File

@ -2,7 +2,7 @@
<h1 class="topictitle1">Accessing OBS Using an IAM Agency</h1>
<div id="body1593432992233"><p id="obs_40_0010__p8060118">The IAM agency is a function of Identity and Access Management (IAM). In scenarios such as CDN private bucket retrieval and cross-region replication, IAM agencies are required to grant other accounts or cloud services the permissions to access and to securely and efficiently manage OBS resources.</p>
<p id="obs_40_0010__p598510401451">If you want to synchronously replicate encrypted objects, you need to select or create an agency to authorize OBS to access Key Management Service (KMS) when creating a cross-region replication rule.</p>
<p id="obs_40_0010__p598510401451">For example, when creating a cross-region replication rule, if you want to synchronously replicate encrypted objects, you need to select or create an agency to authorize OBS to access Key Management Service (KMS).</p>
<p id="obs_40_0010__p7715152117311">For details about IAM agencies, see <a href="https://docs.otc.t-systems.com/en-us/usermanual/iam/iam_01_0026.html" target="_blank" rel="noopener noreferrer">Identity and Access Management User Guide</a>.</p>
</div>
<div>
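Review bot: the reordered sentence reads better, but the agency it tells the reader to create is described only as authorizing "OBS to access Key Management Service (KMS)"; given the least-privilege principle stated in obs_40_0001.html in this same commit, say that the agency should carry only the KMS permissions the replication rule needs rather than broad access. Minor: the first paragraph's "the permissions to access and to securely and efficiently manage OBS resources" is awkward; "the permissions to access and manage OBS resources" suffices. The stray "<div>" after the closing "</div>" is unchanged context, but worth confirming it is balanced later in the file.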

View File

@ -8,7 +8,14 @@
</th>
</tr>
</thead>
<tbody><tr id="obs_40_0039__row17798202266"><td class="cellrowborder" valign="top" width="18%" headers="mcps1.3.1.1.3.1.1 "><p id="obs_40_0039__p1331912514266">2025-04-07</p>
<tbody><tr id="obs_40_0039__row1666016011171"><td class="cellrowborder" valign="top" width="18%" headers="mcps1.3.1.1.3.1.1 "><p id="obs_40_0039__p107669421713">2025-08-20</p>
</td>
<td class="cellrowborder" valign="top" width="82%" headers="mcps1.3.1.1.3.1.2 "><p id="obs_40_0039__p13766204101718">This issue is the fifth official release.</p>
<p id="obs_40_0039__p127661642176">This issue incorporates the following change:</p>
<p id="obs_40_0039__p4337134511819">Updated the description about the domain name structure in <a href="obs_40_0009.html">Accessing OBS Using a Temporary URL</a>.</p>
</td>
</tr>
<tr id="obs_40_0039__row17798202266"><td class="cellrowborder" valign="top" width="18%" headers="mcps1.3.1.1.3.1.1 "><p id="obs_40_0039__p1331912514266">2025-04-07</p>
</td>
<td class="cellrowborder" valign="top" width="82%" headers="mcps1.3.1.1.3.1.2 "><p id="obs_40_0039__p1331913517263">This issue is the fourth official release.</p>
<p id="obs_40_0039__p1131945112617">This issue incorporates the following changes:</p>

File diff suppressed because it is too large