With RAM Policy you can centrally manage users such as employees, systems and applications, and control their access to resources, for example by authorizing a user to read one specific resource.
Prerequisites
Grant a custom policy to a RAM user
1. Create a custom policy.
Choose the sample policy below that fits your scenario and create a custom policy from it in script (JSON) mode. For details on policies, see RAM Policy.
Important: In OSS on Cloud Box, Resource supports the wildcard asterisk (*) to refer to a class of resources. The resource format is
acs:oss-cloudbox:{region}:{bucket_owner}:cloudbox/{cloudbox_id}/bucket/{bucket_name}/object/{object_name}
When Resource is acs:oss-cloudbox:*:*:cloudbox/cb-f8z7yvzgwfkl9q0h****/bucket/examplebucket/*, it denotes every resource in the cloud box bucket named examplebucket, which belongs to the cloud box with ID cb-f8z7yvzgwfkl9q0h****. The asterisk matches any run of characters, slashes included, so nested objects such as object/dir/file are covered as well.
When Resource is acs:oss-cloudbox:*:*:cloudbox/cb-f8z7yvzgwfkl9q0h****/bucket/examplebucket/object/abc*.txt, it denotes every object in examplebucket (cloud box ID cb-f8z7yvzgwfkl9q0h****) whose name begins with abc and ends with .txt.
2. Attach the custom policy to the RAM user.
Sample one: grant a RAM user full control over a cloud box bucket
The following sample grants a RAM user full control over the cloud box bucket named examplebucket, which belongs to the cloud box with ID cb-f8z7yvzgwfkl9q0h****. Two Resource entries are needed: the bucket ARN itself, against which bucket-level actions such as ListObjects and DeleteBucket are evaluated, and the bucket ARN followed by /*, against which object-level actions are evaluated.
Granting a user full control over a cloud box bucket is extremely risky, because oss-cloudbox:* covers every action, deleting the bucket included, and should be avoided wherever possible.
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": "oss-cloudbox:*",
"Resource": [
"acs:oss-cloudbox:*:*:cloudbox/cb-f8z7yvzgwfkl9q0h****/bucket/examplebucket",
"acs:oss-cloudbox:*:*:cloudbox/cb-f8z7yvzgwfkl9q0h****/bucket/examplebucket/*"
]
}
]
}
Sample two: deny a RAM user permission to delete multiple objects in a cloud box bucket
The following sample denies a RAM user permission to delete any object in examplebucket (cloud box ID cb-f8z7yvzgwfkl9q0h****) whose name begins with abc and ends with .txt. An explicit Deny takes precedence over any Allow, so this statement holds even if another policy attached to the user grants oss-cloudbox:DeleteObject on the same objects:
{
"Version": "1",
"Statement": [
{
"Effect": "Deny",
"Action": [
"oss-cloudbox:DeleteObject"
],
"Resource": [
"acs:oss-cloudbox:*:*:cloudbox/cb-f8z7yvzgwfkl9q0h****/bucket/examplebucket/object/abc*.txt"
]
}
]
}
Sample three: grant a RAM user permission to list and read all resources in a bucket
Via the OSS SDK or the ossutil command-line tool
The following sample grants a RAM user permission to list and read, through the OSS SDK or the OSS command-line tool, all resources in the cloud box bucket named examplebucket, which belongs to the cloud box with ID cb-f8z7yvzgwfkl9q0h****. ListObjects is granted on the bucket ARN and GetObject on the objects beneath it:
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "oss-cloudbox:ListObjects",
      "Resource": "acs:oss-cloudbox:*:*:cloudbox/cb-f8z7yvzgwfkl9q0h****/bucket/examplebucket"
    },
    {
      "Effect": "Allow",
      "Action": "oss-cloudbox:GetObject",
      "Resource": "acs:oss-cloudbox:*:*:cloudbox/cb-f8z7yvzgwfkl9q0h****/bucket/examplebucket/*"
    }
  ]
}
Via the OSS console
The following sample grants the same list-and-read access on examplebucket (cloud box ID cb-f8z7yvzgwfkl9q0h****) through the OSS console. The console reads bucket metadata (ListBuckets, GetBucketInfo, GetBucketLifecycle, GetBucketVersioning, GetBucketAcl) before it can display a bucket, so those actions are granted on every bucket in the cloud box, while listing and object reads stay limited to examplebucket:
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "oss-cloudbox:ListBuckets",
        "oss-cloudbox:GetBucketInfo",
        "oss-cloudbox:GetBucketLifecycle",
        "oss-cloudbox:GetBucketVersioning",
        "oss-cloudbox:GetBucketAcl"
      ],
      "Resource": "acs:oss-cloudbox:*:*:cloudbox/cb-f8z7yvzgwfkl9q0h****/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "oss-cloudbox:ListObjects",
        "oss-cloudbox:GetBucketAcl"
      ],
      "Resource": "acs:oss-cloudbox:*:*:cloudbox/cb-f8z7yvzgwfkl9q0h****/bucket/examplebucket"
    },
    {
      "Effect": "Allow",
      "Action": [
        "oss-cloudbox:GetObject",
        "oss-cloudbox:GetObjectAcl"
      ],
      "Resource": "acs:oss-cloudbox:*:*:cloudbox/cb-f8z7yvzgwfkl9q0h****/bucket/examplebucket/*"
    }
  ]
}
Sample four: deny a RAM user permission to delete a bucket
The following sample grants a RAM user full control over the cloud box bucket named examplebucket (cloud box ID cb-f8z7yvzgwfkl9q0h****) but denies deleting the bucket itself. An explicit Deny wins regardless of statement order, so the broad Allow in the first statement cannot override it:
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": "oss-cloudbox:*",
"Resource": [
"acs:oss-cloudbox:*:*:cloudbox/cb-f8z7yvzgwfkl9q0h****/bucket/examplebucket",
"acs:oss-cloudbox:*:*:cloudbox/cb-f8z7yvzgwfkl9q0h****/bucket/examplebucket/*"
]
},
{
"Effect": "Deny",
"Action": [
"oss-cloudbox:DeleteBucket"
],
"Resource": [
"acs:oss-cloudbox:*:*:cloudbox/cb-f8z7yvzgwfkl9q0h****/bucket/examplebucket"
]
}
]
}
Sample five: grant a RAM user access to multiple directories in a cloud box bucket
Suppose the cloud box bucket used to store photos is mybucket (the policies below use the name examplebucket for the same bucket; substitute your own). Its top-level directories are named after the place where the photos were taken, and each of those contains year subdirectories:
mybucket[Bucket]
├── beijing
│ ├── 2014
│ └── 2015
├── hangzhou
│ ├── 2013
│ ├── 2014
│ └── 2015
└── qingdao
├── 2014
    └── 2015
You want to grant a RAM user read-only access to the directories mybucket/hangzhou/2014/ and mybucket/hangzhou/2015/. Directory-level authorization is an advanced use of policies; how complex the policy has to be depends on the scenario. The following scenarios are for reference.
Grant a RAM user permission only to read the content of objects in examplebucket/hangzhou/2014/ and examplebucket/hangzhou/2015/
Because the RAM user knows the full object paths, it is recommended to read objects directly by their full path. Only GetObject on the two directory patterns is needed; the user cannot discover other objects in the bucket:
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "oss-cloudbox:GetObject"
      ],
      "Resource": [
        "acs:oss-cloudbox:*:*:cloudbox/cb-f8z7yvzgwfkl9q0h****/bucket/examplebucket/object/hangzhou/2014/*",
        "acs:oss-cloudbox:*:*:cloudbox/cb-f8z7yvzgwfkl9q0h****/bucket/examplebucket/object/hangzhou/2015/*"
      ]
    }
  ]
}
Grant a RAM user permission to access the directories examplebucket/hangzhou/2014/ and examplebucket/hangzhou/2015/ with the OSS command-line tool and list the objects in them
The RAM user does not know which objects the directories contain and uses the OSS command-line tool or the API to retrieve the directory listing directly. This scenario additionally requires ListObjects. The Prefix condition limits the listing to the two directories; without it, ListObjects on the bucket ARN would reveal every object name in the bucket:
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "oss-cloudbox:GetObject"
      ],
      "Resource": [
        "acs:oss-cloudbox:*:*:cloudbox/cb-f8z7yvzgwfkl9q0h****/bucket/examplebucket/object/hangzhou/2014/*",
        "acs:oss-cloudbox:*:*:cloudbox/cb-f8z7yvzgwfkl9q0h****/bucket/examplebucket/object/hangzhou/2015/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "oss-cloudbox:ListObjects"
      ],
      "Resource": [
        "acs:oss-cloudbox:*:*:cloudbox/cb-f8z7yvzgwfkl9q0h****/bucket/examplebucket"
      ],
      "Condition": {
        "StringLike": {
          "oss-cloudbox:Prefix": [
            "hangzhou/2014/*",
            "hangzhou/2015/*"
          ]
        }
      }
    }
  ]
}
Grant a RAM user permission to access the directories with the OSS console
When accessing mybucket/hangzhou/2014/ and mybucket/hangzhou/2015/ in the OSS console, the RAM user starts at the bucket root and descends one level at a time. The console therefore also has to list each ancestor level, the root (the empty prefix "") and hangzhou/, and it lists with Delimiter set to /, so one level is returned per call. The Prefix list below contains exactly those ancestors plus the two target directories; the object reads remain limited to the target directories:
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "oss-cloudbox:ListBuckets",
        "oss-cloudbox:GetBucketInfo",
        "oss-cloudbox:GetBucketLifecycle",
        "oss-cloudbox:GetBucketVersioning",
        "oss-cloudbox:GetBucketAcl"
      ],
      "Resource": [
        "acs:oss-cloudbox:*:*:cloudbox/cb-f8z7yvzgwfkl9q0h****/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "oss-cloudbox:GetObject",
        "oss-cloudbox:GetObjectAcl"
      ],
      "Resource": [
        "acs:oss-cloudbox:*:*:cloudbox/cb-f8z7yvzgwfkl9q0h****/bucket/examplebucket/object/hangzhou/2014/*",
        "acs:oss-cloudbox:*:*:cloudbox/cb-f8z7yvzgwfkl9q0h****/bucket/examplebucket/object/hangzhou/2015/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "oss-cloudbox:ListObjects"
      ],
      "Resource": [
        "acs:oss-cloudbox:*:*:cloudbox/cb-f8z7yvzgwfkl9q0h****/bucket/examplebucket"
      ],
      "Condition": {
        "StringLike": {
          "oss-cloudbox:Delimiter": "/",
          "oss-cloudbox:Prefix": [
            "",
            "hangzhou/",
            "hangzhou/2014/*",
            "hangzhou/2015/*"
          ]
        }
      }
    }
  ]
}
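Writing the Prefix list for the console scenario by hand is error-prone once there are more than a couple of target directories: every ancestor level must be listed exactly, the root as the empty string, and each target with a trailing *. The following Python helper is an added example, not Alibaba Cloud code; it derives that list for any set of directories (deeper than the two levels shown above as well) and emits the same three statements as the console policy in sample five. The cloud box ID, bucket and directory names are the page's placeholders.

```python
"""Generate the directory-scoped, read-only OSS console policy from sample
five for an arbitrary set of directories.  Added example, not Alibaba Cloud
code.  The only non-obvious part, the ListObjects Prefix list, is derived
rather than hand-written."""
import json


def console_prefixes(directories):
    """Prefixes the console must be allowed to list while it walks from the
    bucket root down to each target directory.

    Every ancestor level (the root included, written as '') is listed exactly,
    one level per call because the policy also pins Delimiter to '/'.  The
    target directory itself gets 'dir/*' so everything below it is listable.
    """
    prefixes = {""}
    for directory in directories:
        parts = directory.strip("/").split("/")
        for depth in range(1, len(parts)):
            prefixes.add("/".join(parts[:depth]) + "/")
        prefixes.add("/".join(parts) + "/*")
    return sorted(prefixes)


def build_console_readonly_policy(cloudbox_id, bucket, directories):
    """Return the policy document (as a dict) for read-only console access
    limited to the given directories of one cloud box bucket."""
    cb = "acs:oss-cloudbox:*:*:cloudbox/" + cloudbox_id
    object_arns = [
        "%s/bucket/%s/object/%s/*" % (cb, bucket, d.strip("/")) for d in directories
    ]
    return {
        "Version": "1",
        "Statement": [
            {  # bucket metadata the console reads before it can show a bucket
                "Effect": "Allow",
                "Action": [
                    "oss-cloudbox:ListBuckets",
                    "oss-cloudbox:GetBucketInfo",
                    "oss-cloudbox:GetBucketLifecycle",
                    "oss-cloudbox:GetBucketVersioning",
                    "oss-cloudbox:GetBucketAcl",
                ],
                "Resource": [cb + "/*"],
            },
            {  # object reads, limited to the target directories
                "Effect": "Allow",
                "Action": ["oss-cloudbox:GetObject", "oss-cloudbox:GetObjectAcl"],
                "Resource": object_arns,
            },
            {  # listing, limited by Prefix and forced to one level per call
                "Effect": "Allow",
                "Action": ["oss-cloudbox:ListObjects"],
                "Resource": [cb + "/bucket/" + bucket],
                "Condition": {
                    "StringLike": {
                        "oss-cloudbox:Delimiter": "/",
                        "oss-cloudbox:Prefix": console_prefixes(directories),
                    }
                },
            },
        ],
    }


if __name__ == "__main__":
    # Placeholders from this page; the cloud box ID is masked as the page writes it.
    policy = build_console_readonly_policy(
        "cb-f8z7yvzgwfkl9q0h****",
        "examplebucket",
        ["hangzhou/2014/", "hangzhou/2015/"],
    )
    print(json.dumps(policy, indent=2))
```

Run as a script it prints the same document as the console policy above. Review the generated Prefix list before attaching the policy: each ancestor entry, together with Delimiter "/", lets the user see the names of sibling directories at that level (for example beijing and qingdao under the root), which is inherent to browsing from the root and is the reason the SDK variant needs no such entries.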
Sample six: deny a RAM user permission to delete any object in a bucket
The following sample denies a RAM user permission to delete any object in the cloud box bucket named examplebucket (cloud box ID cb-f8z7yvzgwfkl9q0h****). It is the broader form of sample two: the Resource ends in /* instead of a name pattern. On its own the policy grants nothing; combine it with an Allow policy for the access the user does need:
{
"Version": "1",
"Statement": [
{
"Effect": "Deny",
"Action": [
"oss-cloudbox:DeleteObject"
],
"Resource": [
"acs:oss-cloudbox:*:*:cloudbox/cb-f8z7yvzgwfkl9q0h****/bucket/examplebucket/*"
]
}
]
}
Sample seven: deny a RAM user access to objects with specified tags
The following Deny policy denies a RAM user permission to read objects in the cloud box bucket named examplebucket (cloud box ID cb-f8z7yvzgwfkl9q0h****) that carry both the object tag status:ok and the object tag key1:value1. The two StringEquals entries are combined with AND: an object carrying only one of the tags is not affected. Only GetObject is denied; other actions on the same objects are untouched by this statement. Note that this sample pins the bucket owner account ID (174649585760****) in the Resource instead of using *:
{
"Version": "1",
"Statement": [
{
"Effect": "Deny",
"Action": [
"oss-cloudbox:GetObject"
],
"Resource": [
"acs:oss-cloudbox:*:174649585760****:cloudbox/cb-f8z7yvzgwfkl9q0h****/bucket/examplebucket/*"
],
"Condition": {
"StringEquals": {
"oss-cloudbox:ExistingObjectTag/status":"ok",
"oss-cloudbox:ExistingObjectTag/key1":"value1"
}
}
}
]
}
Sample eight: grant a RAM user access to OSS only from specific IP addresses
Add an IP address restriction to an Allow statement
The following sample adds an IP address restriction to the Allow statement, so the RAM user can read all resources in the cloud box bucket named examplebucket (cloud box ID cb-f8z7yvzgwfkl9q0h****) only from the ranges 192.168.0.0/16 and 198.51.100.0/24. The bucket metadata actions in the first statement carry no IP condition; only listing and reading objects are restricted:
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "oss-cloudbox:ListBuckets",
        "oss-cloudbox:GetBucketInfo",
        "oss-cloudbox:GetBucketAcl"
      ],
      "Resource": [
        "acs:oss-cloudbox:*:*:cloudbox/cb-f8z7yvzgwfkl9q0h****/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "oss-cloudbox:ListObjects",
        "oss-cloudbox:GetObject"
      ],
      "Resource": [
        "acs:oss-cloudbox:*:*:cloudbox/cb-f8z7yvzgwfkl9q0h****/bucket/examplebucket",
        "acs:oss-cloudbox:*:*:cloudbox/cb-f8z7yvzgwfkl9q0h****/bucket/examplebucket/*"
      ],
      "Condition": {
        "IpAddress": {
          "acs:SourceIp": ["192.168.0.0/16", "198.51.100.0/24"]
        }
      }
    }
  ]
}
Add an IP address restriction to a Deny statement
The following sample adds an IP address restriction to a Deny statement: a RAM user whose source IP address is outside 192.168.0.0/16 is denied every operation. Note that the Deny Resource is acs:oss-cloudbox:*:*:cloudbox/cb-f8z7yvzgwfkl9q0h****/*, so it covers every bucket in the cloud box, not only examplebucket. Because an explicit Deny overrides an Allow from any policy attached to the user, this form is the stronger control: an Allow granted elsewhere without an IP condition still cannot be exercised from outside the range:
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "oss-cloudbox:ListBuckets",
        "oss-cloudbox:GetBucketInfo",
        "oss-cloudbox:GetBucketAcl"
      ],
      "Resource": [
        "acs:oss-cloudbox:*:*:cloudbox/cb-f8z7yvzgwfkl9q0h****/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "oss-cloudbox:ListObjects",
        "oss-cloudbox:GetObject"
      ],
      "Resource": [
        "acs:oss-cloudbox:*:*:cloudbox/cb-f8z7yvzgwfkl9q0h****/bucket/examplebucket",
        "acs:oss-cloudbox:*:*:cloudbox/cb-f8z7yvzgwfkl9q0h****/bucket/examplebucket/*"
      ]
    },
    {
      "Effect": "Deny",
      "Action": "oss-cloudbox:*",
      "Resource": [
        "acs:oss-cloudbox:*:*:cloudbox/cb-f8z7yvzgwfkl9q0h****/*"
      ],
      "Condition": {
        "NotIpAddress": {
          "acs:SourceIp": ["192.168.0.0/16"]
        }
      }
    }
  ]
}
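The Resource wildcard rules described under the prerequisites, the explicit-Deny precedence that samples two, four and six rely on, and the IpAddress/NotIpAddress conditions of sample eight can all be checked before a policy is attached. The following Python evaluator is an added example, not Alibaba Cloud code and not an official policy simulator: it models only the rules the samples on this page use (an explicit Deny beats every Allow, `*` matches any run of characters, every Condition entry must hold, and the operators StringEquals, StringLike, IpAddress and NotIpAddress). The request ARNs it is run against are constructed, with a placeholder region and owner account; the masked cloud box ID is kept exactly as the page writes it.

```python
"""Evaluate one request against a RAM policy using the rules the samples on
this page rely on.  Added example, not Alibaba Cloud code: it covers only the
operators used on this page and is meant for checking policies offline."""
import ipaddress
import re


def glob_match(pattern, value):
    """RAM-style wildcard: '*' is the only metacharacter and it matches any
    run of characters, '/' included (bucket/examplebucket/* covers nested
    object names)."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _in_any(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in networks)


def condition_holds(condition, context):
    """True when every (operator, key) entry of a Condition block matches the
    request context.  A key missing from the context fails the entry, so a
    statement with a Condition never applies to a request lacking that key."""
    for operator, entries in condition.items():
        for key, expected in entries.items():
            actual = context.get(key)
            if actual is None:
                return False
            expected = _as_list(expected)
            if operator == "StringEquals":
                ok = actual in expected
            elif operator == "StringLike":
                ok = any(glob_match(p, actual) for p in expected)
            elif operator == "IpAddress":
                ok = _in_any(actual, expected)
            elif operator == "NotIpAddress":
                ok = not _in_any(actual, expected)
            else:
                raise ValueError("operator not modelled: " + operator)
            if not ok:
                return False
    return True


def evaluate(policy, action, resource, context=None):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for a single request."""
    context = context or {}
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not any(glob_match(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(glob_match(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if not condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # explicit deny is final; no later Allow can undo it
        decision = "Allow"
    return decision


# The page masks the cloud box ID as cb-f8z7yvzgwfkl9q0h****; it is kept as
# written, so its trailing asterisks also behave as wildcards here.
CB = "acs:oss-cloudbox:*:*:cloudbox/cb-f8z7yvzgwfkl9q0h****"
BUCKET = CB + "/bucket/examplebucket"

# Sample two: deny deleting objects whose name matches abc*.txt.
SAMPLE_TWO = {"Version": "1", "Statement": [
    {"Effect": "Deny", "Action": ["oss-cloudbox:DeleteObject"],
     "Resource": [BUCKET + "/object/abc*.txt"]}]}

# Sample four: full control over examplebucket, minus deleting the bucket.
SAMPLE_FOUR = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "oss-cloudbox:*",
     "Resource": [BUCKET, BUCKET + "/*"]},
    {"Effect": "Deny", "Action": ["oss-cloudbox:DeleteBucket"],
     "Resource": [BUCKET]}]}

# Sample eight, Deny form: read access, but nothing from outside 192.168.0.0/16.
SAMPLE_EIGHT_DENY = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ["oss-cloudbox:ListObjects", "oss-cloudbox:GetObject"],
     "Resource": [BUCKET, BUCKET + "/*"]},
    {"Effect": "Deny", "Action": "oss-cloudbox:*", "Resource": [CB + "/*"],
     "Condition": {"NotIpAddress": {"acs:SourceIp": ["192.168.0.0/16"]}}}]}

# Constructed request resources; region and owner account are placeholders.
REQ = "acs:oss-cloudbox:cn-hangzhou:000000000000:cloudbox/cb-f8z7yvzgwfkl9q0h****"
REQ_BUCKET = REQ + "/bucket/examplebucket"
REQ_OBJECT = REQ_BUCKET + "/object/abc1.txt"

if __name__ == "__main__":
    print(evaluate(SAMPLE_FOUR, "oss-cloudbox:DeleteBucket", REQ_BUCKET))  # Deny
    print(evaluate(SAMPLE_FOUR, "oss-cloudbox:DeleteObject", REQ_OBJECT))  # Allow
    for ip in ("192.168.7.7", "203.0.113.9"):
        print(ip, evaluate(SAMPLE_EIGHT_DENY, "oss-cloudbox:GetObject",
                           REQ_OBJECT, {"acs:SourceIp": ip}))  # Allow, then Deny
```

To test a policy of your own, paste its JSON into a dict and call evaluate with the concrete ARN and the condition keys a real request would carry (acs:SourceIp, oss-cloudbox:Prefix, oss-cloudbox:Delimiter and so on). Two properties worth seeing in the output: the abc*.txt pattern of sample two also matches object/abc/nested.txt, because the asterisk does not stop at a slash, and the Deny of sample eight is never reached for a context without acs:SourceIp, which is why the evaluator fails the condition rather than ignoring it.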
Sample nine: authorize other users through RAM or STS
Authorize, through RAM or STS, a user with IP address 192.168.0.1 who uses the Java SDK client to perform the following operations:
List the objects in examplebucket whose names begin with foo.
Upload, download and delete objects in examplebucket whose names begin with file.
A RAM Policy that matches this scenario is shown below. The acs:UserAgent condition matches only the User-Agent header the client chooses to send; it narrows which clients work but is not a security boundary, since any caller holding the credentials can send the same header. The source IP condition is the restriction to rely on. The oss-cloudbox:Prefix condition on ListObjects requires the listing request to use exactly the prefix foo; which objects the second statement may read, write and delete is limited by its object/file* Resource pattern instead:
{
"Version": "1",
"Statement": [
{
"Action": [
"oss-cloudbox:GetBucketAcl",
"oss-cloudbox:ListObjects"
],
"Resource": [
"acs:oss-cloudbox:*:177530505652XXXX:cloudbox/cb-f8z7yvzgwfkl9q0h****/bucket/examplebucket"
],
"Effect": "Allow",
"Condition": {
"StringEquals": {
"acs:UserAgent": "java-sdk",
"oss-cloudbox:Prefix": "foo"
},
"IpAddress": {
"acs:SourceIp": "192.168.0.1"
}
}
},
{
"Action": [
"oss-cloudbox:PutObject",
"oss-cloudbox:GetObject",
"oss-cloudbox:DeleteObject"
],
"Resource": [
"acs:oss-cloudbox:*:177530505652XXXX:cloudbox/cb-f8z7yvzgwfkl9q0h****/bucket/examplebucket/object/file*"
],
"Effect": "Allow",
"Condition": {
"StringEquals": {
"acs:UserAgent": "java-sdk"
},
"IpAddress": {
"acs:SourceIp": "192.168.0.1"
}
}
}
]
}