
Object Storage Service: CloudBox Object ACLs

Last Updated: Sep 17, 2025

You can grant the read and write permissions on a specific object in an Object Storage Service (OSS) bucket by configuring the access control list (ACL) of the object. An object ACL allows you to manage permissions on a specific object without affecting access permissions on other objects. The ACL of an object can be public-read, public-read-write, or private. You can configure the ACL of an object when you create the object or modify the ACL of an existing object.

Usage notes

  • If you do not configure the ACL of an object, the default object ACL is used. In this case, the ACL of the object is the same as that of the bucket in which the object is stored.

  • If you set the object ACL to a value that is different from the bucket ACL, the object ACL takes precedence. For example, if you set the ACL of an object in a bucket to public-read, the object can be accessed by using anonymous requests, regardless of the ACL of the bucket.

Procedure

Use an Alibaba Cloud SDK

You can set object ACLs only with the Java SDK, version 3.15.0 or later.

import com.aliyun.oss.ClientException;
import com.aliyun.oss.OSS;
import com.aliyun.oss.OSSClientBuilder;
import com.aliyun.oss.OSSException;
import com.aliyun.oss.model.CannedAccessControlList;
import com.aliyun.oss.common.auth.CredentialsProviderFactory;
import com.aliyun.oss.common.auth.EnvironmentVariableCredentialsProvider;
import com.aliyun.oss.ClientBuilderConfiguration;
import com.aliyun.oss.common.comm.SignVersion;
import com.aliyun.oss.common.auth.DefaultCredentialProvider;

public class Demo {
    public static void main(String[] args) throws Exception {
        // Specify the data endpoint of the OSS on CloudBox bucket.
        String endpoint = "https://cb-f8z7yvzgwfkl9q0h****.cn-hangzhou.oss-cloudbox.aliyuncs.com";
        // Obtain access credentials from environment variables. Before running this sample code, make sure the OSS_ACCESS_KEY_ID and OSS_ACCESS_KEY_SECRET environment variables are set.
        EnvironmentVariableCredentialsProvider credentialsProvider = CredentialsProviderFactory.newEnvironmentVariableCredentialsProvider();
        // Specify the name of the OSS on CloudBox bucket, such as examplebucket.
        String bucketName = "examplebucket";
        // Specify the region where the OSS on CloudBox bucket is located.
        String region = "cn-hangzhou";
        // Specify the CloudBox ID.
        String cloudBoxId = "cb-f8z7yvzgwfkl9q0h****";
        // Specify the full path of the object. The path cannot include the bucket name. Example: testfolder/exampleobject.txt.
        String objectName = "testfolder/exampleobject.txt";

        // Create an OSSClient instance.
        // When the OSSClient instance is no longer used, call the shutdown method to release resources.
        ClientBuilderConfiguration conf = new ClientBuilderConfiguration();
        conf.setSignatureVersion(SignVersion.V4);
        OSS ossClient = OSSClientBuilder.create()
                .endpoint(endpoint)
                .credentialsProvider(new DefaultCredentialProvider(credentialsProvider.getCredentials()))
                .clientConfiguration(conf)
                .region(region)
                .cloudBoxId(cloudBoxId)
                .build();

        try {
            // Set the access permissions of the object to private.
            ossClient.setObjectAcl(bucketName, objectName, CannedAccessControlList.Private);
        } catch (OSSException oe) {
            System.out.println("Caught an OSSException, which means your request made it to OSS, "
                    + "but was rejected with an error response for some reason.");
            System.out.println("Error Message:" + oe.getErrorMessage());
            System.out.println("Error Code:" + oe.getErrorCode());
            System.out.println("Request ID:" + oe.getRequestId());
            System.out.println("Host ID:" + oe.getHostId());
        } catch (ClientException ce) {
            System.out.println("Caught a ClientException, which means the client encountered "
                    + "a serious internal problem while trying to communicate with OSS, "
                    + "such as not being able to access the network.");
            System.out.println("Error Message:" + ce.getMessage());
        } finally {
            if (ossClient != null) {
                ossClient.shutdown();
            }
        }
    }
}            
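
Because an object ACL takes precedence over the bucket ACL, a private bucket can still hold objects that accept anonymous requests. The following audit is an added example, not part of the original documentation: it lists every object and reports those whose effective ACL allows anonymous access. It assumes the ListObjects, GetBucketAcl and GetObjectACL operations are available on your OSS on CloudBox bucket, and it reuses the placeholder endpoint, region, CloudBox ID and bucket name from the sample above; the class name ObjectAclAudit and the helper anonymouslyReadable are hypothetical.

```java
import com.aliyun.oss.ClientBuilderConfiguration;
import com.aliyun.oss.OSS;
import com.aliyun.oss.OSSClientBuilder;
import com.aliyun.oss.common.auth.CredentialsProviderFactory;
import com.aliyun.oss.common.comm.SignVersion;
import com.aliyun.oss.model.CannedAccessControlList;
import com.aliyun.oss.model.ListObjectsRequest;
import com.aliyun.oss.model.OSSObjectSummary;
import com.aliyun.oss.model.ObjectListing;
import com.aliyun.oss.model.ObjectPermission;

public class ObjectAclAudit {
    // An explicit object ACL overrides the bucket ACL; "default" inherits the bucket ACL.
    static boolean anonymouslyReadable(ObjectPermission obj, CannedAccessControlList bucket) {
        if (obj == ObjectPermission.Default) {
            return bucket == CannedAccessControlList.PublicRead
                    || bucket == CannedAccessControlList.PublicReadWrite;
        }
        return obj == ObjectPermission.PublicRead || obj == ObjectPermission.PublicReadWrite;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder values taken from the sample above; replace them with your own.
        String bucketName = "examplebucket";
        ClientBuilderConfiguration conf = new ClientBuilderConfiguration();
        conf.setSignatureVersion(SignVersion.V4);
        OSS ossClient = OSSClientBuilder.create()
                .endpoint("https://cb-f8z7yvzgwfkl9q0h****.cn-hangzhou.oss-cloudbox.aliyuncs.com")
                .credentialsProvider(CredentialsProviderFactory.newEnvironmentVariableCredentialsProvider())
                .clientConfiguration(conf).region("cn-hangzhou")
                .cloudBoxId("cb-f8z7yvzgwfkl9q0h****").build();
        try {
            CannedAccessControlList bucketAcl = ossClient.getBucketAcl(bucketName).getCannedACL();
            String marker = null;
            ObjectListing page;
            do { // Page through the bucket; each listing returns a bounded batch of keys.
                page = ossClient.listObjects(new ListObjectsRequest(bucketName).withMarker(marker));
                for (OSSObjectSummary s : page.getObjectSummaries()) {
                    ObjectPermission acl = ossClient.getObjectAcl(bucketName, s.getKey()).getPermission();
                    if (anonymouslyReadable(acl, bucketAcl)) {
                        System.out.println("ANONYMOUS ACCESS: " + s.getKey() + " acl=" + acl
                                + " bucketAcl=" + bucketAcl);
                    }
                }
                marker = page.getNextMarker();
            } while (page.isTruncated());
        } finally {
            ossClient.shutdown();
        }
    }
}
```

To close a finding, call setObjectAcl with CannedAccessControlList.Private on the reported key, as in the sample above.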

Use ossutil

For more information about how to use ossutil to set or modify an object ACL, see put-object-acl.

Use a REST API

If your program requires advanced customization, you can send REST API requests directly. This requires you to manually write code to sign the requests. For more information, see PutObjectACL.

References

In addition to object ACLs, OSS provides other access control policies, such as CloudBox bucket ACLs, CloudBox bucket policies, and RAM policies.