Object Storage Service (OSS) provides the following access control lists (ACLs) to control access to objects: public-read-write, public-read, private, and default. This topic describes how to manage the ACLs of objects in a versioned bucket.
Usage notes
In this topic, the public endpoint of the China (Hangzhou) region is used. If you want to access OSS from other Alibaba Cloud services in the same region as OSS, use an internal endpoint. For more information about OSS regions and endpoints, see Regions and endpoints.
In this topic, an OSSClient instance is created by using an OSS endpoint. If you want to create an OSSClient instance by using custom domain names or Security Token Service (STS), see Create an OSSClient instance.
To configure the ACL for an object, you must have the
oss:PutObjectAcl
permission. To query object ACLs, you must have theoss:GetObjectAcl
permission. For more information, see Attach a custom policy to a RAM user.
Object ACLs
The following table describes the ACLs.
ACL | Permissions | Description |
public-read-write | Public read and write | All users, including anonymous users, can read and write the object. |
public-read | Public read | Only the owner and authorized users of the object can write the object. Other users, including anonymous users, can only read the object. |
private | Private read and write | Only the owner and authorized users of the object can read and write the object. |
default | Default | The ACL of an object is the same as that of the bucket in which the object is stored. |
The ACL of an object takes precedence over the ACL of the bucket in which the object is stored. For example, if the ACL of a bucket is public-read and the ACL of an object in the bucket is private, only the owner and authorized users of the object can read and write the object.
Configure object ACLs
By default, the putObjectAcl
operation configures the ACL of the current version of an object in a versioning-enabled bucket. If the current version of the object is a delete marker, OSS returns 404 Not Found. You can specify a version ID in the request to configure the ACL of the specified version of an object.
The following sample code provides an example on how to configure the ACL of an object:
<?php
if (is_file(__DIR__ . '/../autoload.php')) {
require_once __DIR__ . '/../autoload.php';
}
if (is_file(__DIR__ . '/../vendor/autoload.php')) {
require_once __DIR__ . '/../vendor/autoload.php';
}
use OSS\Credentials\EnvironmentVariableCredentialsProvider;
use OSS\OssClient;
use OSS\CoreOssException;
// Obtain access credentials from environment variables. Before you run the sample code, make sure that the OSS_ACCESS_KEY_ID and OSS_ACCESS_KEY_SECRET environment variables are configured.
$provider = new EnvironmentVariableCredentialsProvider();
// In this example, the endpoint of the China (Hangzhou) region is used. Specify your actual endpoint.
$endpoint = "https://oss-cn-hangzhou.aliyuncs.com";
// Specify the name of the bucket.
$bucket= "<yourBucketName>";
// Specify the full path of the object. Do not include the bucket name in the full path. Example: example/test.txt.
$object = "<yourObjectName>";
// Specify the ID of the version for which you want to configure the ACL.
$versionId = "<yourObjectVersionId>";
$config = array(
"provider" => $provider,
"endpoint" => $endpoint,
);
$ossClient = new OssClient($config);
try {
// Set the ACL of the specified version of the object to public-read.
$ossClient->putObjectAcl($bucket, $object, 'public-read', array(OssClient::OSS_VERSION_ID => $versionId));
} catch (OssException $e) {
printf(__FUNCTION__ . ": FAILED\n");
printf($e->getMessage() . "\n");
return;
}
print(__FUNCTION__ . ": OK" . "\n");
For more information about how to configure object ACLs, see PutObjectACL.
Query object ACLs
By default, the getObjectAcl operation queries the ACL of the current version of an object. If the current version of the object is a delete marker, OSS returns 404 Not Found. You can specify a version ID in the request to query the ACL of a specified version of an object.
The following sample code provides an example on how to query the ACL of an object:
<?php
if (is_file(__DIR__ . '/../autoload.php')) {
require_once __DIR__ . '/../autoload.php';
}
if (is_file(__DIR__ . '/../vendor/autoload.php')) {
require_once __DIR__ . '/../vendor/autoload.php';
}
use OSS\Credentials\EnvironmentVariableCredentialsProvider;
use OSS\OssClient;
use OSS\CoreOssException;
// Obtain access credentials from environment variables. Before you run the sample code, make sure that the OSS_ACCESS_KEY_ID and OSS_ACCESS_KEY_SECRET environment variables are configured.
$provider = new EnvironmentVariableCredentialsProvider();
// In this example, the endpoint of the China (Hangzhou) region is used. Specify your actual endpoint.
$endpoint = "https://oss-cn-hangzhou.aliyuncs.com";
// Specify the name of the bucket.
$bucket= "<yourBucketName>";
// Specify the full path of the object. Do not include the bucket name in the full path. Example: example/test.txt.
$object = "<yourObjectName>";
// Specify the ID of the version for which you want to query the ACL.
$versionId = "<yourObjectVersionId>";
$config = array(
"provider" => $provider,
"endpoint" => $endpoint,
);
$ossClient = new OssClient($config);
try {
// Query the ACL of the object.
$acl = $ossClient->getObjectAcl($bucket, $object, array(OssClient::OSS_VERSION_ID => $versionId));
printf($acl . "\n");
} catch (OssException $e) {
printf(__FUNCTION__ . ": FAILED\n");
printf($e->getMessage() . "\n");
return;
}
print(__FUNCTION__ . ": OK" . "\n");
For more information about how to obtain the ACL of an object, see GetObjectACL.