All Products
Search
Document Center

Object Storage Service:Manage object ACLs in PHP

Last Updated:Mar 08, 2024

Object Storage Service (OSS) provides the following access control lists (ACLs) to control access to objects: public-read-write, public-read, private, and default. This topic describes how to manage the ACLs of objects in a versioned bucket.

Usage notes

  • In this topic, the public endpoint of the China (Hangzhou) region is used. If you want to access OSS from other Alibaba Cloud services in the same region as OSS, use an internal endpoint. For more information about OSS regions and endpoints, see Regions and endpoints.

  • In this topic, an OSSClient instance is created by using an OSS endpoint. If you want to create an OSSClient instance by using custom domain names or Security Token Service (STS), see Create an OSSClient instance.

  • To configure the ACL for an object, you must have the oss:PutObjectAcl permission. To query object ACLs, you must have the oss:GetObjectAcl permission. For more information, see Attach a custom policy to a RAM user.

Object ACLs

The following table describes the ACLs.

ACL

Permissions

Description

public-read-write

Public read and write

All users, including anonymous users, can read and write the object.

public-read

Public read

Only the owner and authorized users of the object can write the object. Other users, including anonymous users, can only read the object.

private

Private read and write

Only the owner and authorized users of the object can read and write the object.

default

Default

The ACL of an object is the same as that of the bucket in which the object is stored.

The ACL of an object takes precedence over the ACL of the bucket in which the object is stored. For example, if the ACL of a bucket is public-read and the ACL of an object in the bucket is private, only the owner and authorized users of the object can read and write the object.

Configure object ACLs

By default, the putObjectAcl operation configures the ACL of the current version of an object in a versioning-enabled bucket. If the current version of the object is a delete marker, OSS returns 404 Not Found. You can specify a version ID in the request to configure the ACL of the specified version of an object.

The following sample code provides an example on how to configure the ACL of an object:

<?php
if (is_file(__DIR__ . '/../autoload.php')) {
    require_once __DIR__ . '/../autoload.php';
}
if (is_file(__DIR__ . '/../vendor/autoload.php')) {
    require_once __DIR__ . '/../vendor/autoload.php';
}

use OSS\Credentials\EnvironmentVariableCredentialsProvider;
use OSS\OssClient;
use OSS\CoreOssException;

// Obtain access credentials from environment variables. Before you run the sample code, make sure that the OSS_ACCESS_KEY_ID and OSS_ACCESS_KEY_SECRET environment variables are configured. 
$provider = new EnvironmentVariableCredentialsProvider();
// In this example, the endpoint of the China (Hangzhou) region is used. Specify your actual endpoint. 
$endpoint = "https://oss-cn-hangzhou.aliyuncs.com";
// Specify the name of the bucket. 
$bucket= "<yourBucketName>";
// Specify the full path of the object. Do not include the bucket name in the full path. Example: example/test.txt. 
$object = "<yourObjectName>";
// Specify the ID of the version for which you want to configure the ACL. 
$versionId = "<yourObjectVersionId>";

$config = array(
        "provider" => $provider,
        "endpoint" => $endpoint,
    );
    $ossClient = new OssClient($config);

try {
    // Set the ACL of the specified version of the object to public-read. 
    $ossClient->putObjectAcl($bucket, $object, 'public-read', array(OssClient::OSS_VERSION_ID => $versionId));
  
} catch (OssException $e) {
    printf(__FUNCTION__ . ": FAILED\n");
    printf($e->getMessage() . "\n");
    return;
}

print(__FUNCTION__ . ": OK" . "\n");

For more information about how to configure object ACLs, see PutObjectACL.

Query object ACLs

By default, the getObjectAcl operation queries the ACL of the current version of an object. If the current version of the object is a delete marker, OSS returns 404 Not Found. You can specify a version ID in the request to query the ACL of a specified version of an object.

The following sample code provides an example on how to query the ACL of an object:

<?php
if (is_file(__DIR__ . '/../autoload.php')) {
    require_once __DIR__ . '/../autoload.php';
}
if (is_file(__DIR__ . '/../vendor/autoload.php')) {
    require_once __DIR__ . '/../vendor/autoload.php';
}

use OSS\Credentials\EnvironmentVariableCredentialsProvider;
use OSS\OssClient;
use OSS\CoreOssException;

// Obtain access credentials from environment variables. Before you run the sample code, make sure that the OSS_ACCESS_KEY_ID and OSS_ACCESS_KEY_SECRET environment variables are configured. 
$provider = new EnvironmentVariableCredentialsProvider();
// In this example, the endpoint of the China (Hangzhou) region is used. Specify your actual endpoint. 
$endpoint = "https://oss-cn-hangzhou.aliyuncs.com";
// Specify the name of the bucket. 
$bucket= "<yourBucketName>";
// Specify the full path of the object. Do not include the bucket name in the full path. Example: example/test.txt. 
$object = "<yourObjectName>";
// Specify the ID of the version for which you want to query the ACL. 
$versionId = "<yourObjectVersionId>";

$config = array(
        "provider" => $provider,
        "endpoint" => $endpoint,
    );
    $ossClient = new OssClient($config);

try {
    // Query the ACL of the object. 
    $acl = $ossClient->getObjectAcl($bucket, $object, array(OssClient::OSS_VERSION_ID => $versionId));
    printf($acl . "\n");

} catch (OssException $e) {
    printf(__FUNCTION__ . ": FAILED\n");
    printf($e->getMessage() . "\n");
    return;
}

print(__FUNCTION__ . ": OK" . "\n");

For more information about how to obtain the ACL of an object, see GetObjectACL.