This topic describes how to manage the access control list (ACL) of an object.

Object ACLs

The following table describes the ACLs that you can configure for an object.

| ACL | Description | Value |
| --- | --- | --- |
| Inherited from the bucket | The ACL of the object is the same as the ACL of the bucket in which the object is stored. | default |
| Private | Only the object owner and authorized users are granted the read and write permissions on the object. | private |
| Public read | Only the object owner and authorized users are granted the read and write permissions on the object. Other users are granted only the read permissions on the object. Exercise caution when you set the ACL of the object to this value. | public-read |
| Public read/write | All users are granted the read and write permissions on the object. Exercise caution when you set the ACL of the object to this value. | public-read-write |

Sample code

By default, the ACL of an object is default when the object is created. You can use bucket.set_object_acl to modify the ACL of the object.
require 'aliyun/oss'
client = Aliyun::OSS::Client.new(
  # Specify the endpoint of the region in which the bucket is located. For example, if the bucket is located in the China (Hangzhou) region, set the endpoint to https://oss-cn-hangzhou.aliyuncs.com. 
  endpoint: 'https://oss-cn-hangzhou.aliyuncs.com',
  # The AccessKey pair of an Alibaba Cloud account has permissions on all API operations. Using these credentials to perform operations in OSS is a high-risk operation. We recommend that you use a RAM user to call API operations or perform routine O&M. To create a RAM user, log on to the RAM console. 
  access_key_id: 'AccessKeyId', access_key_secret: 'AccessKeySecret')

# Specify the bucket name. Example: examplebucket. 
bucket = client.get_bucket('examplebucket')
# Replace my-object with the full path of the object. The full path cannot contain the bucket name. 
acl = bucket.get_object_acl('my-object')
puts acl # default
bucket.set_object_acl('my-object', Aliyun::OSS::ACL::PUBLIC_READ)
acl = bucket.get_object_acl('my-object')
puts acl # public-read                
  • If you do not set the object ACL, the object inherits the ACL of the bucket in which the object is stored.
  • If the ACL of an object is not set to default, the object ACL takes precedence over the ACL of the bucket in which the object is stored.
  • If the ACL of an object is set to public-read or public-read-write, you can directly access the object in a browser by using the object URL such as http://bucket-name.oss-cn-hangzhou.aliyuncs.com/object.jpg.
  • You can create an anonymous client to access an object whose ACL is set to public-read or public-read-write.
        require 'aliyun/oss'

        # If you do not specify access_key_id and access_key_secret, an anonymous client is created. The client can only access objects whose ACL is public-read or public-read-write.
        client = Aliyun::OSS::Client.new(endpoint: 'endpoint')

        # Specify the bucket name. Example: examplebucket.
        bucket = client.get_bucket('examplebucket')
        # Download the object to a local file.
        bucket.get_object('my-object', :file => 'local_file')
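
The inheritance and precedence rules in the list above mean that a private bucket can still hold publicly readable objects. The following audit sketch is an added example, not part of the original documentation or the SDK: it resolves each object's effective ACL and reports the public ones. It assumes the bucket object responds to acl and list_objects (not shown on this page) in addition to get_object_acl; StubBucket, SAMPLE and the object names are constructed stand-ins so that the code runs offline.

```ruby
PUBLIC_ACLS = %w[public-read public-read-write].freeze

# An object ACL of 'default' inherits the bucket ACL; any other value
# takes precedence over the bucket ACL.
def effective_acl(object_acl, bucket_acl)
  object_acl.to_s == 'default' ? bucket_acl.to_s : object_acl.to_s
end

# bucket must respond to acl, list_objects and get_object_acl (assumed
# interface). Returns one hash per object that anonymous users can read.
def public_objects(bucket)
  bucket_acl = bucket.acl
  bucket.list_objects.each_with_object([]) do |obj, findings|
    object_acl = bucket.get_object_acl(obj.key)
    acl = effective_acl(object_acl, bucket_acl)
    next unless PUBLIC_ACLS.include?(acl)
    findings << { key: obj.key, acl: acl,
                  source: object_acl.to_s == 'default' ? :bucket : :object }
  end
end

# Constructed stand-in for a bucket so that the audit runs offline.
StubObject = Struct.new(:key)
class StubBucket
  attr_reader :acl
  def initialize(acl, object_acls)
    @acl = acl
    @object_acls = object_acls
  end
  def list_objects
    @object_acls.keys.map { |k| StubObject.new(k) }.each
  end
  def get_object_acl(key)
    @object_acls.fetch(key)
  end
end

# Constructed sample: a private bucket with two object-level overrides.
SAMPLE = StubBucket.new('private', {
  'reports/q1.pdf'    => 'default',
  'static/logo.png'   => 'public-read',
  'uploads/inbox.bin' => 'public-read-write',
  'backups/db.sql'    => 'private'
})

public_objects(SAMPLE).each do |f|
  puts "#{f[:key]}: #{f[:acl]} (set on #{f[:source]})"
end
```

A finding with source :object is an explicit override that survives a change of the bucket ACL, and a finding with source :bucket disappears when the bucket is set to private.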

References

  • For more information about the API operation that you can call to configure the ACL of an object, see PutObjectACL.
  • For more information about the API operation that you can call to obtain the ACL of an object, see GetObjectACL.