All Products
Search

This Product

    Object Storage Service:Configure a resource group

    Document Center

    Object Storage Service:Configure a resource group

    Last Updated:Oct 11, 2023

    A resource group is a resource-based access control method. You can group your buckets based on your business requirements and configure different permissions for each resource group. This way, you can manage access to your buckets by group.

    Background information

    Enterprise users may create multiple Alibaba Cloud accounts to isolate resources for different projects, subsidiaries, and departments. However, this makes it difficult for enterprise users to manage, monitor, and audit the resources that reside in these Alibaba Cloud accounts in a centralized manner.

    account

    Object Storage Service (OSS) allows users to create resource groups to classify resources in an Alibaba Cloud account based on business scenarios. This way, the users within an enterprise can use the resource groups to efficiently manage resources in their projects.

    rg

    Usage notes

    • Resource groups are supported for buckets in the following regions: China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Ulanqab), China (Shenzhen), China (Heyuan), China (Guangzhou), China (Chengdu), China (Hong Kong), US (Silicon Valley), US (Virginia), Japan (Tokyo), Singapore, Australia (Sydney), Malaysia (Kuala Lumpur), Indonesia (Jakarta), India (Mumbai), Germany (Frankfurt), UK (London), and UAE (Dubai).

    • A resource group can contain buckets in different regions. A bucket can belong only to one resource group.

    • Buckets can be transferred only between resource groups that are created by the same owner.

    Use the OSS console

    In the following example, test data of different departments in your company is stored in 20 buckets. You want to allow all your employees to write and read data stored in 10 of the buckets and only read data stored in the other 10 buckets. If you do not use resource groups, you must separately configure required permissions for each bucket. If you use resource groups, you can add buckets that require the same permissions to a resource group and configure the required permissions for the resource group. This way, you can efficiently configure and manage access to all buckets.

    You can also create user groups to grant the same permissions to multiple RAM users (your employees). A user group functions similarly to a resource group.

    1. Create a user group named UserGroup1 and add RAM users to the group.

      Create a user group named UserGroup1 in the RAM console. For more information, see Create a user group. After you create UserGroup1, add all RAM users that need to access data in your buckets to the user group. For more information, see Add a RAM user to a RAM user group.

    2. Create resource groups.

      1. Log on to the Resource Management console.

      2. In the left-side navigation pane, click Resource Group.

      3. On the Resource Group page, click Create Resource Group.

      4. In the Create Resource Group panel, configure the Display Name and Resource Group Identifier parameters. In this example, Display Name is set to ResourcegroupA and Resource Group Identifier is set to Group1.

      5. Click OK.

        After you click OK, the status of the resource group is Creating. Wait for approximately 3 seconds and click the 资源组_刷新列表 icon. If the status of the resource group becomes Available, ResourcegroupA is created.

      6. Repeat the preceding steps to create a resource group named ResourcegroupB.

    3. Select resource groups for your buckets.

      1. Log on to the OSS console.

      2. Click Buckets, and then click the examplebucket1 bucket.

      3. Choose Bucket Settings > Resource Group.

      4. On the Resource Group page, click Settings.

      5. Select ResourcegroupA for Resource Group and click Save.

      6. Repeat the preceding steps to select ResourcegroupA for the buckets that you want to authorize all your employees only to read and select ResourcegroupB for the buckets that you want to authorize all your employees to read and write.

    4. Configure the required permissions to access resource groups.

      1. Log on to the Resource Management console. In the left-side navigation pane, click Resource Group.

      2. Click Manage Permission in the Actions column of ResourcegroupA.

      3. On the page that appears, click Grant Permission.

      4. In the Grant Permission panel, configure the parameters. The following table describes the parameters.

        Parameter

        Description

        Authorized Scope

        Select Specific Resource Group. Then, select ResourcegroupA from the drop-down list.

        Principal

        Enter UserGroup1.

        Select Policy

        Select System Policy. In the Authorization Policy Name column, click AliyunOSSReadOnlyAccess to authorize RAM users in UserGroup1 to only read objects in buckets in ResourcegroupA.

      5. Click OK.

      6. Click Submit.

      7. Repeat the preceding steps to attach the AliyunOSSFullAccess policy to RAM users in UserGroup1 to authorize the RAM users to read and write objects in buckets in ResourcegroupB.

    Use OSS SDKs

    You can use only OSS SDK for Java and OSS SDK for Python to configure a resource group for a bucket. 

    import com.aliyun.oss.*;
import com.aliyun.oss.common.auth.*;
import com.aliyun.oss.model.SetBucketResourceGroupRequest;

public class Demo {
    public static void main(String[] args) throws Throwable {
        // In this example, the endpoint of the China (Hangzhou) region is used. Specify your actual endpoint. 
        String endpoint = "https://oss-cn-hangzhou.aliyuncs.com";
        // Obtain access credentials from environment variables. Before you run the sample code, make sure that the OSS_ACCESS_KEY_ID and OSS_ACCESS_KEY_SECRET environment variables are configured. 
        EnvironmentVariableCredentialsProvider credentialsProvider = CredentialsProviderFactory.newEnvironmentVariableCredentialsProvider();
        // Specify the name of the bucket. Example: examplebucket. 
        String bucketName = "examplebucket";
        // Specify the ID of the resource group. If you do not specify a resource group ID, the bucket belongs to the default resource group. 
        String rgId = "rg-aekz****";

        // Create an OSSClient instance. 
        OSS ossClient = new OSSClientBuilder().build(endpoint, credentialsProvider);

        try {
            // Create a setBucketResourceGroupRequest object. 
            SetBucketResourceGroupRequest setBucketResourceGroupRequest = new SetBucketResourceGroupRequest(bucketName,rgId);
            // Configure the resource group to which the bucket belongs. 
            ossClient.setBucketResourceGroup(setBucketResourceGroupRequest);
        } catch (OSSException oe) {
            System.out.println("Caught an OSSException, which means your request made it to OSS, "
                    + "but was rejected with an error response for some reason.");
            System.out.println("Error Message:" + oe.getErrorMessage());
            System.out.println("Error Code:" + oe.getErrorCode());
            System.out.println("Request ID:" + oe.getRequestId());
            System.out.println("Host ID:" + oe.getHostId());
        } catch (ClientException ce) {
            System.out.println("Caught an ClientException, which means the client encountered "
                    + "a serious internal problem while trying to communicate with OSS, "
                    + "such as not being able to access the network.");
            System.out.println("Error Message:" + ce.getMessage());
        } finally {
            if (ossClient != null) {
                ossClient.shutdown();
            }
        }
    }
}
    # -*- coding: utf-8 -*-
import oss2
from oss2.credentials import EnvironmentVariableCredentialsProvider

# Obtain access credentials from the environment variables. Before you run this sample code, make sure that you have configured environment variables OSS_ACCESS_KEY_ID and OSS_ACCESS_KEY_SECRET. 
auth = oss2.ProviderAuth(EnvironmentVariableCredentialsProvider())
# Specify the endpoint of the region in which the bucket is located. For example, if the bucket is located in the China (Hangzhou) region, set the endpoint to https://oss-cn-hangzhou.aliyuncs.com. 
# Specify the name of the bucket. Example: examplebucket. 
bucket = oss2.Bucket(auth, 'https://oss-cn-hangzhou.aliyuncs.com', 'examplebucket')

# Specify the ID of the resource group. If you do not specify the ID of the resource group, the bucket belongs to the default resource group. 
resource_group_id = 'rg-aek27tc****'

# Configure the resource group to which the bucket belongs. 
result = bucket.put_bucket_resource_group(resource_group_id)
print ('Resource group configuration is successful. Returned status: ' + str(result.status))

    Use RESTful APIs

    If your business requires a high level of customization, you can directly call RESTful APIs. To directly call an API, you must include the signature calculation in your code. For more information, see PutBucketResourceGroup.