Access control lists (ACLs) define the access permissions of users or user groups on data stored in Object Storage Service (OSS). When a request to access data stored in OSS arrives, OSS checks the ACL of the data and verifies whether the requester has the required permissions. You can configure the ACL of an object when you upload the object, or modify the ACL of an object that has already been uploaded.
Usage notes
- If you do not set the object ACL, its value is default. In that case, the object inherits the ACL of the bucket in which it is stored.
- If you set the object ACL to a value that differs from the bucket ACL, the object ACL takes precedence. For example, if the ACL of an object is set to public read, all authenticated and anonymous users can read the object regardless of the bucket ACL.
ACL types
The following table describes object ACL types.
ACL | Description |
---|---|
public-read-write | Public read/write: All users, including anonymous users, can perform read and write operations on the object. Warning: When you set the object ACL to this value, all users can access the object over the Internet and write data to it. This may result in unexpected access to the data in your bucket and unexpectedly high fees. If a user uploads prohibited data or information, your legitimate interests and rights may be infringed. Therefore, we recommend that you do not set the object ACL to public read/write except in special cases. |
public-read | Public read: Only the bucket owner can write data to the object. Other users, including anonymous users, can only read the object. Warning: All users can access the object over the Internet. This may result in unexpected access to the data in your bucket and unexpectedly high fees. Exercise caution when you set the object ACL to public read. |
private | Private: Only the bucket owner can read and write the object. Other users cannot access the object. Note: To share a private object with your partners, generate a signed object URL and send it to them. For more information, see Add signatures to URLs. |
default | Default value: The ACL of the object is the same as that of the bucket in which the object is stored. |
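The precedence rule in the usage notes and the four ACL values in the table can be checked programmatically. The following Python snippet is an added example written for this page, not code from the OSS documentation or the OSS SDKs: it models how the effective ACL of an object is resolved from the bucket ACL and the object ACL, decides what the owner, other authenticated users and anonymous users may do, and uses that model to list the objects in a constructed inventory that anonymous users can read or write. The inventory, the object names and the `audit_anonymous_access` helper are constructed for the example; the object ACL values are the ones a GetObjectAcl call would return.

```python
# Added example (not from the OSS documentation): a model of how the effective ACL of an
# object is resolved and what it grants, following the rules stated in the page.
OWNER = "owner"                  # the bucket owner
AUTHENTICATED = "authenticated"  # any other OSS user who signs the request
ANONYMOUS = "anonymous"          # unauthenticated requester from the Internet

# What each canned ACL grants to the bucket owner and to everyone else. "Other users"
# covers both authenticated and anonymous requesters, as the table states.
CANNED_ACL = {
    "private":           {"owner": {"read", "write"}, "others": set()},
    "public-read":       {"owner": {"read", "write"}, "others": {"read"}},
    "public-read-write": {"owner": {"read", "write"}, "others": {"read", "write"}},
}


def effective_acl(bucket_acl, object_acl="default"):
    """Return the ACL that actually governs the object: 'default' inherits the
    bucket ACL, any other object ACL overrides it."""
    acl = bucket_acl if object_acl == "default" else object_acl
    if acl not in CANNED_ACL:
        raise ValueError(f"unknown ACL {acl!r}")
    return acl


def is_allowed(bucket_acl, object_acl, requester, action):
    """Decide whether `requester` (OWNER, AUTHENTICATED or ANONYMOUS) may perform
    `action` ('read' or 'write') on the object."""
    if action not in ("read", "write"):
        raise ValueError(f"unknown action {action!r}")
    role = "owner" if requester == OWNER else "others"
    return action in CANNED_ACL[effective_acl(bucket_acl, object_acl)][role]


def audit_anonymous_access(bucket_acl, objects):
    """List (object name, effective ACL, actions) for every object that anonymous
    users can read or write. `objects` maps object names to their object ACL."""
    findings = []
    for name, object_acl in sorted(objects.items()):
        actions = tuple(a for a in ("read", "write")
                        if is_allowed(bucket_acl, object_acl, ANONYMOUS, a))
        if actions:
            findings.append((name, effective_acl(bucket_acl, object_acl), actions))
    return findings


# Constructed inventory: a private bucket in which two objects override the bucket ACL.
SAMPLE_BUCKET_ACL = "private"
SAMPLE_OBJECTS = {
    "reports/q1.pdf": "default",               # inherits private from the bucket
    "www/logo.png": "public-read",             # readable by anyone on the Internet
    "uploads/inbox.txt": "public-read-write",  # anyone can read and overwrite it
}

if __name__ == "__main__":
    for name, acl, actions in audit_anonymous_access(SAMPLE_BUCKET_ACL, SAMPLE_OBJECTS):
        print(f"{name}: effective ACL {acl}, anonymous users can {', '.join(actions)}")
```

Running the audit over a real bucket means listing the objects, calling GetObjectAcl for each one, and feeding the results to `audit_anonymous_access`; objects that resolve to public-read-write are the ones the warning in the table is about.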
Use the OSS console
Use ossbrowser
ossbrowser supports the same object-wide operations as the OSS console. You can follow the on-screen instructions in ossbrowser to modify the ACL of an object. For more information about how to use ossbrowser, see Use ossbrowser.
Use OSS SDKs
The following code provides examples on how to modify the ACL of an object by using OSS SDKs for common programming languages. For more information about how to modify the ACL of an object by using OSS SDKs for other programming languages, see Overview.
```java
import com.aliyun.oss.OSS;
import com.aliyun.oss.OSSClientBuilder;
import com.aliyun.oss.model.CannedAccessControlList;

public class SetObjectAclDemo {
    public static void main(String[] args) {
        // The endpoint of the China (Hangzhou) region is used in this example. Specify the actual endpoint.
        String endpoint = "http://oss-cn-hangzhou.aliyuncs.com";
        // Security risks may arise if you use the AccessKey pair of an Alibaba Cloud account to log on to OSS, because the account has permissions on all API operations. We recommend that you use a RAM user to call API operations or perform routine operations and maintenance. To create a RAM user, log on to https://ram.console.aliyun.com.
        String accessKeyId = "<yourAccessKeyId>";
        String accessKeySecret = "<yourAccessKeySecret>";
        // Create an OSSClient instance.
        OSS ossClient = new OSSClientBuilder().build(endpoint, accessKeyId, accessKeySecret);
        try {
            // Configure the ACL of the specified object to public read.
            ossClient.setObjectAcl("<yourBucketName>", "<yourObjectName>", CannedAccessControlList.PublicRead);
        } finally {
            // Shut down the OSSClient instance, even if the call above throws.
            ossClient.shutdown();
        }
    }
}
```
```csharp
using System;
using Aliyun.OSS;
using Aliyun.OSS.Common;

var endpoint = "<yourEndpoint>";
var accessKeyId = "<yourAccessKeyId>";
var accessKeySecret = "<yourAccessKeySecret>";
var bucketName = "<yourBucketName>";
var objectName = "<yourObjectName>";
// Create an OSSClient instance.
var client = new OssClient(endpoint, accessKeyId, accessKeySecret);
// Configure the object ACL.
try
{
    // Use SetObjectAcl to configure the ACL of the object.
    client.SetObjectAcl(bucketName, objectName, CannedAccessControlList.PublicRead);
    Console.WriteLine("Set Object:{0} ACL succeeded", objectName);
}
catch (Exception ex)
{
    Console.WriteLine("Set Object ACL failed with error info: {0}", ex.Message);
}
// Query the ACL of the object.
try
{
    // Use GetObjectAcl to query the ACL of the object.
    var result = client.GetObjectAcl(bucketName, objectName);
    Console.WriteLine("Get Object ACL succeeded, Id: {0} ACL: {1}",
        result.Owner.Id, result.ACL.ToString());
}
catch (OssException ex)
{
    // OssException carries the OSS error code and request identifiers, which are useful when you contact support.
    Console.WriteLine("Failed with error code: {0}; Error info: {1}. \nRequestID: {2}\tHostID: {3}",
        ex.ErrorCode, ex.Message, ex.RequestId, ex.HostId);
}
catch (Exception ex)
{
    Console.WriteLine("Failed with error info: {0}", ex.Message);
}
```
Use ossutil
For more information about how to use ossutil to configure or modify the ACL of an object, see Configure or modify the ACLs of objects.
Use the RESTful API
If your program requires more custom options to configure the ACL of an object, you can call RESTful API operations. In this case, you must manually write code to calculate the signature. For more information, see PutObjectACL.
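To show what "calculating the signature" involves, the following Python snippet is an added example, not code from the OSS documentation or SDKs: it assembles the headers of a PutObjectACL request and signs them with HMAC-SHA1 in the OSS header-signature layout (signature version 1): the verb, Content-MD5, Content-Type and Date, then the lowercased and sorted x-oss-* headers, then the canonicalized resource `/bucket/object?acl`, all joined by newlines. That layout, the `x-oss-object-acl` header and the fixed China (Hangzhou) endpoint host are assumptions taken from the OSS signature reference as I know it; check them against PutObjectACL before relying on them. The bucket, object and date values are constructed, and nothing is sent over the network.

```python
# Added example (not from the OSS documentation): building and signing a PutObjectACL
# request by hand, using the OSS signature version 1 layout (an assumption; verify it
# against the PutObjectACL reference).
import base64
import hashlib
import hmac
from email.utils import formatdate

# Assumed fixed for the example; use the endpoint of your own region.
ENDPOINT_HOST = "oss-cn-hangzhou.aliyuncs.com"
CANNED_ACLS = ("private", "public-read", "public-read-write", "default")


def canonicalized_oss_headers(headers):
    """Lowercase the names of all x-oss-* headers, sort them by name, and join
    them as 'name:value\\n' (other headers are not part of the signature)."""
    items = sorted(
        (name.lower().strip(), value.strip())
        for name, value in headers.items()
        if name.lower().startswith("x-oss-")
    )
    return "".join(f"{name}:{value}\n" for name, value in items)


def string_to_sign(verb, content_md5, content_type, date, headers, resource):
    """Build the version-1 string to sign: VERB, Content-MD5, Content-Type, Date,
    then the canonicalized headers followed by the canonicalized resource."""
    return "\n".join([verb, content_md5, content_type, date,
                      canonicalized_oss_headers(headers) + resource])


def sign(access_key_secret, text):
    """HMAC-SHA1 over the string to sign, base64-encoded. Only the AccessKey ID
    travels in the request; the secret stays on the client."""
    digest = hmac.new(access_key_secret.encode("utf-8"), text.encode("utf-8"),
                      hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def build_put_object_acl_request(bucket, key, acl, access_key_id, access_key_secret,
                                 date=None):
    """Return the method, URL and signed headers of a PutObjectACL request."""
    if acl not in CANNED_ACLS:
        raise ValueError(f"unsupported ACL {acl!r}; expected one of {CANNED_ACLS}")
    date = date or formatdate(usegmt=True)  # RFC 1123 GMT date, as OSS expects
    headers = {
        "Host": f"{bucket}.{ENDPOINT_HOST}",
        "Date": date,
        "x-oss-object-acl": acl,  # the header that carries the new object ACL
    }
    resource = f"/{bucket}/{key}?acl"  # bucket, object and the acl subresource
    text = string_to_sign("PUT", "", "", date, headers, resource)
    headers["Authorization"] = f"OSS {access_key_id}:{sign(access_key_secret, text)}"
    return {
        "method": "PUT",
        "url": f"https://{bucket}.{ENDPOINT_HOST}/{key}?acl",
        "headers": headers,
        "string_to_sign": text,
    }


if __name__ == "__main__":
    # Constructed values; replace the placeholders with your own before sending.
    req = build_put_object_acl_request("examplebucket", "exampleobject.txt", "private",
                                       "<yourAccessKeyId>", "<yourAccessKeySecret>")
    print(req["string_to_sign"])
    print(req["headers"]["Authorization"])
```

Keeping the string to sign in the returned dictionary is deliberate: when OSS rejects a request with a signature error, comparing your string to sign with the one OSS echoes back in the error response is the quickest way to find a header or resource that was canonicalized differently.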
References
In addition to object ACLs, OSS provides bucket ACLs, bucket policies, and RAM policies for you to control access to your buckets and objects in OSS. For more information, see Overview.