This topic describes how to manage the access control lists (ACLs) of objects in a versioned bucket.
Usage notes
In this topic, the public endpoint of the China (Hangzhou) region is used. If you want to access OSS from other Alibaba Cloud services in the same region as OSS, use an internal endpoint. For more information about OSS regions and endpoints, see Regions and endpoints.
In this topic, an OSSClient instance is created by using an OSS endpoint. If you want to create an OSSClient instance by using custom domain names or Security Token Service (STS), see Initialization.
To configure the ACL for an object, you must have the oss:PutObjectAcl permission. To query object ACLs, you must have the oss:GetObjectAcl permission. For more information, see Attach a custom policy to a RAM user.
Set object access permissions
By default, the PutObjectACL operation is called to configure the ACL of the current version of an object. If the current version of the object is a delete marker, Object Storage Service (OSS) returns 404 Not Found. You can specify a version ID in the request to configure the ACL of a specified version of an object.
The following code shows how to configure the ACL of a specific version of an object:
using System;
using Aliyun.OSS;
using Aliyun.OSS.Common;
// Replace yourEndpoint with the endpoint of the region where the bucket is located. For example, if the bucket is in the China (Hangzhou) region, set the endpoint to https://oss-cn-hangzhou.aliyuncs.com.
var endpoint = "yourEndpoint";
// Obtain access credentials from environment variables. Before you run this sample code, make sure that the OSS_ACCESS_KEY_ID and OSS_ACCESS_KEY_SECRET environment variables are set.
var accessKeyId = Environment.GetEnvironmentVariable("OSS_ACCESS_KEY_ID");
var accessKeySecret = Environment.GetEnvironmentVariable("OSS_ACCESS_KEY_SECRET");
// Specify the bucket name. Example: examplebucket.
var bucketName = "examplebucket";
// Specify the full path of the object. The full path cannot contain the bucket name. Example: exampledir/exampleobject.txt.
var objectName = "exampledir/exampleobject.txt";
// Specify the version ID of the object.
var versionid = "yourArchiveObjectVersionid";
// Specify the region where the bucket is located. For example, if the bucket is in the China (Hangzhou) region, set the region to cn-hangzhou.
const string region = "cn-hangzhou";
// Create a ClientConfiguration instance and modify the default parameters as needed.
var conf = new ClientConfiguration();
// Use Signature V4.
conf.SignatureVersion = SignatureVersion.V4;
// Create an OssClient instance.
var client = new OssClient(endpoint, accessKeyId, accessKeySecret, conf);
client.SetRegion(region);
// Set the object ACL.
try
{
    // Call SetObjectAcl to set the object ACL.
    var request = new SetObjectAclRequest(bucketName, objectName, CannedAccessControlList.Private)
    {
        // Set the ACL of a specific version of the object.
        VersionId = versionid
    };
    client.SetObjectAcl(request);
    Console.WriteLine("Set Object:{0} ACL succeeded ", objectName);
}
catch (Exception ex)
{
    Console.WriteLine("Set Object ACL failed with error info: {0}", ex.Message);
}
Get object access permissions
By default, the GetObjectACL operation is called to query the ACL of the current version of an object. If the current version of the object is a delete marker, Object Storage Service (OSS) returns 404 Not Found. You can specify a version ID in the request to query the ACL of the specified version of an object.
The following code shows how to query the ACL of a specific version of an object:
using System;
using Aliyun.OSS;
using Aliyun.OSS.Common;
// Replace yourEndpoint with the endpoint of the region where the bucket is located. For example, if the bucket is in the China (Hangzhou) region, set the endpoint to https://oss-cn-hangzhou.aliyuncs.com.
var endpoint = "yourEndpoint";
// Obtain access credentials from environment variables. Before you run this sample code, make sure that the OSS_ACCESS_KEY_ID and OSS_ACCESS_KEY_SECRET environment variables are set.
var accessKeyId = Environment.GetEnvironmentVariable("OSS_ACCESS_KEY_ID");
var accessKeySecret = Environment.GetEnvironmentVariable("OSS_ACCESS_KEY_SECRET");
// Specify the bucket name. Example: examplebucket.
var bucketName = "examplebucket";
// Specify the full path of the object. The full path cannot contain the bucket name. Example: exampledir/exampleobject.txt.
var objectName = "exampledir/exampleobject.txt";
// Specify the version ID of the object.
var versionid = "yourArchiveObjectVersionid";
// Specify the region where the bucket is located. For example, if the bucket is in the China (Hangzhou) region, set the region to cn-hangzhou.
const string region = "cn-hangzhou";
// Create a ClientConfiguration instance and modify the default parameters as needed.
var conf = new ClientConfiguration();
// Use Signature V4.
conf.SignatureVersion = SignatureVersion.V4;
// Create an OssClient instance.
var client = new OssClient(endpoint, accessKeyId, accessKeySecret, conf);
client.SetRegion(region);
// Get the object ACL.
try
{
    // Call GetObjectAcl to get the object ACL.
    var request = new GetObjectAclRequest(bucketName, objectName)
    {
        // Get the ACL of a specific version of the object.
        VersionId = versionid
    };
    var result = client.GetObjectAcl(request);
    Console.WriteLine("Get Object ACL succeeded, Id: {0} ACL: {1}",
        result.Owner.Id, result.ACL.ToString());
}
catch (OssException ex)
{
    Console.WriteLine("Failed with error code: {0}; Error info: {1}. \nRequestID: {2}\tHostID: {3}",
        ex.ErrorCode, ex.Message, ex.RequestId, ex.HostId);
}
catch (Exception ex)
{
    Console.WriteLine("Failed with error info: {0}", ex.Message);
}
References
For more information about the API operation to set object access permissions, see PutObjectACL.
For more information about the API operation to retrieve object access permissions, see GetObjectACL.
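Added example (not part of the original topic or the SDK's own samples): because PutObjectACL without a version ID changes only the current version, this helper reads the ACL of each given version with GetObjectAcl and reports the versions that are still public, optionally setting them to private. The class name, method name and the caller-supplied list of version IDs are assumptions; the client is created as in the samples above.

```csharp
using System;
using System.Collections.Generic;
using Aliyun.OSS;
using Aliyun.OSS.Common;

// Added example: VersionAclAudit and FindPublicVersions are illustrative names, not SDK types.
public static class VersionAclAudit
{
    // Checks each caller-supplied version ID (assumption: collected beforehand)
    // and returns the versions whose ACL was public-read or public-read-write.
    public static List<string> FindPublicVersions(OssClient client, string bucketName,
        string objectName, IEnumerable<string> versionIds, bool setPrivate)
    {
        var exposed = new List<string>();
        foreach (var versionId in versionIds)
        {
            try
            {
                var getRequest = new GetObjectAclRequest(bucketName, objectName)
                {
                    VersionId = versionId
                };
                var acl = client.GetObjectAcl(getRequest).ACL;
                // Default means the version inherits the bucket ACL; review that separately.
                if (acl != CannedAccessControlList.PublicRead &&
                    acl != CannedAccessControlList.PublicReadWrite)
                {
                    continue;
                }
                exposed.Add(versionId);
                Console.WriteLine("Version {0} of {1} has ACL {2}", versionId, objectName, acl);
                if (setPrivate)
                {
                    // Same call as the sample above, applied to this specific version.
                    var setRequest = new SetObjectAclRequest(bucketName, objectName,
                        CannedAccessControlList.Private) { VersionId = versionId };
                    client.SetObjectAcl(setRequest);
                }
            }
            catch (OssException ex)
            {
                // Log the failure for this version and keep auditing the rest.
                Console.WriteLine("Version {0}: {1} (RequestID: {2})",
                    versionId, ex.ErrorCode, ex.RequestId);
            }
        }
        return exposed;
    }
}
```

Run it with setPrivate set to false first to review the findings; the caller needs oss:GetObjectAcl for the audit and oss:PutObjectAcl only when remediation is enabled.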