RAM (Resource Access Management) is the resource access control service provided by Alibaba Cloud; a RAM Policy is a user-based authorization policy. By configuring RAM Policies you can centrally manage your users (for example employees, systems or applications) and control which of your resources each user may access, for example restricting a user to read-only access on a single bucket.

Note
  • RAM Policy configuration is relatively complex; the simpler graphical configuration, Bucket Policy, is strongly recommended.
  • If you do choose RAM Policy, generate the policy you need with the official tool, the RAM policy editor.

Common policy examples

  • Full-access policy

    A full-access policy allows the application to perform any operation on OSS.

    Warning: A full-access policy is an unsafe grant for a mobile application and is not recommended.
    {
      "Statement": [
        {
          "Action": [
            "oss:*"
          ],
          "Effect": "Allow",
          "Resource": ["acs:oss:*:*:*"]
        }
      ],
      "Version": "1"
    }
    Operation on OSS                                      Result
    List all buckets created under the account            Succeeds
    Upload an object with no prefix (test.txt)            Succeeds
    Download an object with no prefix (test.txt)          Succeeds
    Upload an object with the prefix (user1/test.txt)     Succeeds
    Download an object with the prefix (user1/test.txt)   Succeeds
    List objects with no prefix (test.txt)                Succeeds
    List objects with the prefix (user1/test.txt)         Succeeds
  • Read-only policy without prefix restriction

    This policy lets the application list and download all objects in the bucket app-base-oss.

    {
      "Statement": [
        {
          "Action": [
            "oss:GetObject",
            "oss:ListObjects"
          ],
          "Effect": "Allow",
          "Resource": ["acs:oss:*:*:app-base-oss/*", "acs:oss:*:*:app-base-oss"]
        }
      ],
      "Version": "1"
    }
    Operation on OSS                                      Result
    List all buckets created under the account            Fails
    Upload an object with no prefix (test.txt)            Fails
    Download an object with no prefix (test.txt)          Succeeds
    Upload an object with the prefix (user1/test.txt)     Fails
    Download an object with the prefix (user1/test.txt)   Succeeds
    List objects with no prefix (test.txt)                Succeeds
    List objects with the prefix (user1/test.txt)         Succeeds
  • Read-only policy with prefix restriction

    This policy lets the application list and download objects under the prefix user1/ in the bucket app-base-oss, but not download objects under other prefixes. If each application is mapped to its own prefix, a policy of this kind isolates the applications' spaces within a single bucket.

    {
      "Statement": [
        {
          "Action": [
            "oss:GetObject",
            "oss:ListObjects"
          ],
          "Effect": "Allow",
          "Resource": ["acs:oss:*:*:app-base-oss/user1/*", "acs:oss:*:*:app-base-oss"]
        }
      ],
      "Version": "1"
    }
    Operation on OSS                                      Result
    List all buckets created under the account            Fails
    Upload an object with no prefix (test.txt)            Fails
    Download an object with no prefix (test.txt)          Fails
    Upload an object with the prefix (user1/test.txt)     Fails
    Download an object with the prefix (user1/test.txt)   Succeeds
    List objects with no prefix (test.txt)                Succeeds
    List objects with the prefix (user1/test.txt)         Succeeds
  • Write-only policy without prefix restriction

    This policy lets the application upload objects to the bucket app-base-oss.

    {
      "Statement": [
        {
          "Action": [
            "oss:PutObject"
          ],
          "Effect": "Allow",
          "Resource": ["acs:oss:*:*:app-base-oss/*", "acs:oss:*:*:app-base-oss"]
        }
      ],
      "Version": "1"
    }
    Operation on OSS                                      Result
    List all buckets created under the account            Fails
    Upload an object with no prefix (test.txt)            Succeeds
    Download an object with no prefix (test.txt)          Fails
    Upload an object with the prefix (user1/test.txt)     Succeeds
    Download an object with the prefix (user1/test.txt)   Succeeds
    List objects with no prefix (test.txt)                Succeeds
    List objects with the prefix (user1/test.txt)         Succeeds
  • Write-only policy with prefix restriction

    This policy lets the application upload objects under the prefix user1/ in the bucket app-base-oss, but not upload objects under other prefixes. If each application is mapped to its own prefix, a policy of this kind isolates the applications' spaces within a single bucket.

    {
      "Statement": [
        {
          "Action": [
            "oss:PutObject"
          ],
          "Effect": "Allow",
          "Resource": ["acs:oss:*:*:app-base-oss/user1/*", "acs:oss:*:*:app-base-oss"]
        }
      ],
      "Version": "1"
    }
    Operation on OSS                                      Result
    List all buckets created under the account            Fails
    Upload an object with no prefix (test.txt)            Fails
    Download an object with no prefix (test.txt)          Fails
    Upload an object with the prefix (user1/test.txt)     Succeeds
    Download an object with the prefix (user1/test.txt)   Fails
    List objects with no prefix (test.txt)                Fails
    List objects with the prefix (user1/test.txt)         Fails
  • Read/write policy without prefix restriction

    This policy lets the application list, download, upload and delete all objects in the bucket app-base-oss.

    {
      "Statement": [
        {
          "Action": [
            "oss:GetObject",
            "oss:PutObject",
            "oss:DeleteObject",
            "oss:ListParts",
            "oss:AbortMultipartUpload",
            "oss:ListObjects"
          ],
          "Effect": "Allow",
          "Resource": ["acs:oss:*:*:app-base-oss/*", "acs:oss:*:*:app-base-oss"]
        }
      ],
      "Version": "1"
    }
    Operation on OSS                                      Result
    List all buckets created under the account            Fails
    Upload an object with no prefix (test.txt)            Succeeds
    Download an object with no prefix (test.txt)          Succeeds
    Upload an object with the prefix (user1/test.txt)     Succeeds
    Download an object with the prefix (user1/test.txt)   Succeeds
    List objects with no prefix (test.txt)                Succeeds
    List objects with the prefix (user1/test.txt)         Succeeds
  • Read/write policy with prefix restriction

    This policy lets the application list, download, upload and delete objects under the prefix user1/ in the bucket app-base-oss, but not read or write objects under other prefixes. If each application is mapped to its own prefix, a policy of this kind isolates the applications' spaces within a single bucket.

    {
      "Statement": [
        {
          "Action": [
            "oss:GetObject",
            "oss:PutObject",
            "oss:DeleteObject",
            "oss:ListParts",
            "oss:AbortMultipartUpload",
            "oss:ListObjects"
          ],
          "Effect": "Allow",
          "Resource": ["acs:oss:*:*:app-base-oss/user1/*", "acs:oss:*:*:app-base-oss"]
        }
      ],
      "Version": "1"
    }
    Operation on OSS                                      Result
    List all buckets created under the account            Fails
    Upload an object with no prefix (test.txt)            Fails
    Download an object with no prefix (test.txt)          Fails
    Upload an object with the prefix (user1/test.txt)     Succeeds
    Download an object with the prefix (user1/test.txt)   Succeeds
    List objects with no prefix (test.txt)                Succeeds
    List objects with the prefix (user1/test.txt)         Succeeds
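As an added example (not code from this page or from Alibaba Cloud), the following Python script reviews policies of the kind listed above for least privilege. It parses each Allow statement's Resource entries in the acs:oss:{region}:{bucket_owner}:{bucket_name}/{object_name} form and reports grants that are broader than one bucket, or that give write access to a whole bucket where a prefix such as user1/ would do. The write-action set, the finding texts and the sample policies embedded in the script are this example's own constructions; the sample policies mirror the full-access, read-only, write-only and prefix-restricted read/write examples above.

```python
import re

# Added example, not code from the page or from Alibaba Cloud: a least-privilege
# review of RAM policies like the ones above. Each Allow statement is checked for
# grants broader than one bucket or one prefix. The write-action set, the finding
# texts and the sample policies are this example's own constructions.

# Object-level actions that change data (the ones the page's read/write policies add).
WRITE_ACTIONS = {"oss:PutObject", "oss:DeleteObject", "oss:AbortMultipartUpload"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _resource_parts(resource):
    """Split acs:oss:{region}:{bucket_owner}:{bucket_name}/{object_name} into
    (bucket_name, object_name); anything not in that form gives (None, None)."""
    match = re.fullmatch(r"acs:oss:[^:]*:[^:]*:([^/]*)(?:/(.*))?", resource)
    if match is None:
        return None, None
    return match.group(1), match.group(2)


def review(policy):
    """Return one finding string per over-broad grant in the policy's Allow statements."""
    findings = []
    for index, stmt in enumerate(policy["Statement"]):
        if stmt["Effect"] != "Allow":
            continue
        actions = set(_as_list(stmt["Action"]))
        grants_write = "oss:*" in actions or bool(actions & WRITE_ACTIONS)
        if "oss:*" in actions:
            findings.append(f"statement {index}: oss:* grants every OSS operation")
        for resource in _as_list(stmt["Resource"]):
            bucket, obj = _resource_parts(resource)
            if bucket is None or bucket == "*":
                findings.append(f"statement {index}: resource {resource} is not limited to one bucket")
            elif obj == "*" and grants_write:
                findings.append(f"statement {index}: write access to every object in {bucket}; "
                                f"restrict it to a prefix such as {bucket}/user1/*")
    return findings


# Sample policies mirroring the page's examples (constructed for this script).
FULL_ACCESS = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ["oss:*"], "Resource": ["acs:oss:*:*:*"]}]}
READ_ONLY_NO_PREFIX = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ["oss:GetObject", "oss:ListObjects"],
     "Resource": ["acs:oss:*:*:app-base-oss/*", "acs:oss:*:*:app-base-oss"]}]}
WRITE_ONLY_NO_PREFIX = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ["oss:PutObject"],
     "Resource": ["acs:oss:*:*:app-base-oss/*", "acs:oss:*:*:app-base-oss"]}]}
READ_WRITE_PREFIX = {"Version": "1", "Statement": [
    {"Effect": "Allow",
     "Action": ["oss:GetObject", "oss:PutObject", "oss:DeleteObject", "oss:ListParts",
                "oss:AbortMultipartUpload", "oss:ListObjects"],
     "Resource": ["acs:oss:*:*:app-base-oss/user1/*", "acs:oss:*:*:app-base-oss"]}]}

if __name__ == "__main__":
    for name, policy in [("full access", FULL_ACCESS),
                         ("read-only, no prefix", READ_ONLY_NO_PREFIX),
                         ("write-only, no prefix", WRITE_ONLY_NO_PREFIX),
                         ("read/write, prefix user1/", READ_WRITE_PREFIX)]:
        print(f"{name}: {review(policy) or 'no findings'}")
```

Run it directly to print the findings for the four sample policies; the full-access policy produces two findings (wildcard action and a resource not limited to one bucket), the unrestricted write-only policy one, and the prefix-restricted read/write policy none. Read-only access to a whole bucket is deliberately not flagged, matching the page's own treatment of that policy as acceptable.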

Complex policy example

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "oss:GetBucketAcl",
                "oss:ListObjects"
            ],
            "Resource": [
                "acs:oss:*:177530505652XXXX:mybucket"
            ],
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "acs:UserAgent": "java-sdk",
                    "oss:Prefix": "foo"
                },
                "IpAddress": {
                    "acs:SourceIp": "192.168.0.1"
                }
            }
        },
        {
            "Action": [
                "oss:PutObject",
                "oss:GetObject",
                "oss:DeleteObject"
            ],
            "Resource": [
                "acs:oss:*:177530505652XXXX:mybucket/file*"
            ],
            "Effect": "Allow",
            "Condition": {
                "IpAddress": {
                    "acs:SourceIp": "192.168.0.1"
                }
            }
        }
    ]
}
The policy above is a relatively complex authorization policy; users grant permissions to other users through RAM or STS with policies of this kind. The policy contains a Statement element (a single policy can hold multiple Statements), and each Statement specifies its Action, Resource, Effect and Condition. This policy means the following:
  • The resources mybucket and mybucket/file* under the user's own account are granted to the target user.
  • The operations GetBucketAcl, GetBucket, PutObject, GetObject and DeleteObject are permitted.
  • The Condition requires the User-Agent to be java-sdk and the source IP to be 192.168.0.1; only then does authorization pass and the grantee gain access to the resources.
  • The Prefix condition takes effect on GetBucket (ListObjects); for details on this field, see GetBucket (ListObjects).

Version

Version defines the version of the policy; in this document Version is set to 1.

Statement

Statement describes the authorization semantics. A policy may contain several Statements depending on the business scenario, each describing an Action, Effect, Resource and Condition. For every request the system checks the Statements one by one. Each Statement that matches is classified by its Effect as Allow or Deny, and Deny takes precedence. If every matching Statement is Allow, the request passes authorization. If any matching Statement is Deny, or if no Statement matches at all, the request is refused.

Action

Actions fall into three categories:

  • Service-level operations: GetService, which lists all buckets that belong to the user.
  • Bucket-level operations: operations such as oss:PutBucketAcl and oss:GetBucketLocation whose target is a bucket; their names correspond one-to-one with the API names.
  • Object-level operations: oss:GetObject, oss:PutObject, oss:DeleteObject and oss:AbortMultipartUpload, whose target is an object.

To grant a category of object operations, pick one or more of these. Every Action must be prefixed with oss:, as in the examples above. Action is a list and may hold several Actions. The mapping between Actions and API operations is as follows:

  • Service level
    API                                         Action
    GetService (ListBuckets)                    oss:ListBuckets
  • Bucket level
    API                                         Action
    PutBucket                                   oss:PutBucket
    GetBucket (ListObjects)                     oss:ListObjects
    GetBucketVersions (ListObjectVersions)      oss:ListObjectVersions
    PutBucketVersioning                         oss:PutBucketVersioning
    GetBucketVersioning                         oss:GetBucketVersioning
    PutBucketAcl                                oss:PutBucketAcl
    GetBucketAcl                                oss:GetBucketAcl
    DeleteBucket                                oss:DeleteBucket
    GetBucketLocation                           oss:GetBucketLocation
    GetBucketInfo                               oss:GetBucketInfo
    GetBucketLogging                            oss:GetBucketLogging
    PutBucketLogging                            oss:PutBucketLogging
    DeleteBucketLogging                         oss:DeleteBucketLogging
    GetBucketWebsite                            oss:GetBucketWebsite
    PutBucketWebsite                            oss:PutBucketWebsite
    DeleteBucketWebsite                         oss:DeleteBucketWebsite
    GetBucketReferer                            oss:GetBucketReferer
    PutBucketReferer                            oss:PutBucketReferer
    GetBucketLifecycle                          oss:GetBucketLifecycle
    PutBucketLifecycle                          oss:PutBucketLifecycle
    DeleteBucketLifecycle                       oss:DeleteBucketLifecycle
    ListMultipartUploads                        oss:ListMultipartUploads
    ListParts                                   oss:ListParts
    PutBucketCors                               oss:PutBucketCors
    GetBucketCors                               oss:GetBucketCors
    DeleteBucketCors                            oss:DeleteBucketCors
    PutBucketPolicy                             oss:PutBucketPolicy
    GetBucketPolicy                             oss:GetBucketPolicy
    DeleteBucketPolicy                          oss:DeleteBucketPolicy
    PutBucketTags                               oss:PutBucketTagging
    GetBucketTags                               oss:GetBucketTagging
    DeleteBucketTags                            oss:DeleteBucketTagging
    PutBucketEncryption                         oss:PutBucketEncryption
    GetBucketEncryption                         oss:GetBucketEncryption
    DeleteBucketEncryption                      oss:DeleteBucketEncryption
    PutBucketRequestPayment                     oss:PutBucketRequestPayment
    GetBucketRequestPayment                     oss:GetBucketRequestPayment
    PutBucketReplication                        oss:PutBucketReplication
    GetBucketReplication                        oss:GetBucketReplication
    DeleteBucketReplication                     oss:DeleteBucketReplication
    GetBucketReplicationLocation                oss:GetBucketReplicationLocation
    GetBucketReplicationProgress                oss:GetBucketReplicationProgress
  • Object level
    API                                                     Action
    PutObject                                               oss:PutObject
    PostObject                                              oss:PutObject
    InitiateMultipartUpload                                 oss:PutObject
    UploadPart                                              oss:PutObject
    AppendObject                                            oss:PutObject
    CompleteMultipartUpload                                 oss:PutObject
    PutSymlink                                              oss:PutObject
    GetObject                                               oss:GetObject
    HeadObject                                              oss:GetObject
    GetObjectMeta                                           oss:GetObject
    SelectObject                                            oss:GetObject
    GetSymlink                                              oss:GetObject
    DeleteObject                                            oss:DeleteObject
    DeleteMultipleObjects                                   oss:DeleteObject
    CopyObject                                              oss:GetObject, oss:PutObject
    UploadPartCopy                                          oss:GetObject, oss:PutObject
    GetObjectAcl                                            oss:GetObjectAcl
    PutObjectAcl                                            oss:PutObjectAcl
    RestoreObject                                           oss:RestoreObject
    PutObjectTagging                                        oss:PutObjectTagging
    GetObjectTagging                                        oss:GetObjectTagging
    DeleteObjectTagging                                     oss:DeleteObjectTagging
    GetObject (with versionId in the request)               oss:GetObjectVersion
    PutObjectACL (with versionId in the request)            oss:PutObjectVersionAcl
    GetObjectAcl (with versionId in the request)            oss:GetObjectVersionAcl
    RestoreObject (with versionId in the request)           oss:RestoreObjectVersion
    DeleteObject (with versionId in the request)            oss:DeleteObjectVersion
    PutObjectTagging (with versionId in the request)        oss:PutObjectVersionTagging
    GetObjectTagging (with versionId in the request)        oss:GetObjectVersionTagging
    DeleteObjectTagging (with versionId in the request)     oss:DeleteObjectVersionTagging
    PutLiveChannel                                          oss:PutLiveChannel
    ListLiveChannel                                         oss:ListLiveChannel
    DeleteLiveChannel                                       oss:DeleteLiveChannel
    PutLiveChannelStatus                                    oss:PutLiveChannelStatus
    GetLiveChannelInfo                                      oss:GetLiveChannel
    GetLiveChannelStat                                      oss:GetLiveChannelStat
    GetLiveChannelHistory                                   oss:GetLiveChannelHistory
    PostVodPlaylist                                         oss:PostVodPlaylist
    GetVodPlaylist                                          oss:GetVodPlaylist
    ImgSaveAs                                               oss:PostProcessTask
    AbortMultipartUpload                                    oss:AbortMultipartUpload

Resource

Resource refers to one specific OSS resource or a set of resources; the asterisk (*) wildcard is supported. The Resource format is acs:oss:{region}:{bucket_owner}:{bucket_name}/{object_name}. Bucket-level operations do not need the trailing slash (/) and {object_name}, i.e. acs:oss:{region}:{bucket_owner}:{bucket_name}. Resource is also a list and may hold several entries. The region field is not supported yet; set it to *.

Effect

Effect is the authorization result of the Statement: Allow or Deny. When several Statements match at the same time, Deny has the higher priority.

For example, to forbid a user from deleting objects in one directory while granting full permissions on the other files in the bucket:
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "oss:*"
      ],
      "Resource": [
        "acs:oss:*:*:bucketname",
        "acs:oss:*:*:bucketname/*"
      ]
    },
    {
      "Effect": "Deny",
      "Action": [
        "oss:DeleteObject"
      ],
      "Resource": [
        "acs:oss:*:*:bucketname/index/*"
      ]
    }
  ]
}

Condition

Condition specifies conditions on the authorization. In the example above, checks on acs:UserAgent and acs:SourceIp can be set, and the oss:Prefix key can restrict the resources returned by GetBucket.

OSS supports the following Conditions:

Condition             Function                                  Value
acs:SourceIp          Specifies an IP range                     A plain IP address; the * wildcard is supported
acs:UserAgent         Specifies the HTTP User-Agent header      String
acs:CurrentTime       Specifies the valid access time           ISO 8601 format
acs:SecureTransport   Whether the request uses HTTPS            "true" or "false"
oss:Prefix            The Prefix used in ListObjects            A valid object name

To block access over HTTP, add the following Deny policy. To apply it only to specific operations or resources, set the Action and Resource fields accordingly.
{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "oss:*"
            ],
            "Resource": [
                "*"
            ],
            "Condition": {
                "StringNotEquals": {
                    "acs:SecureTransport": [
                        "true"
                    ]
                }
            }
        }
    ]
}
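The Statement, Resource, Effect and Condition rules above can be checked against concrete requests with a small evaluator. The following Python script is an added example, not code from this page or from Alibaba Cloud: it implements the matching order the page describes (Statements checked in turn, an explicit Deny overriding any Allow, no match meaning Deny), treats * as the only wildcard in Action and Resource entries, and handles the StringEquals, StringNotEquals and IpAddress operators used on this page. The policies embedded in it are the page's prefix-restricted read-only example, the Effect example (with both the bucket and the bucket/* resource forms listed so that object-level actions are covered), the HTTPS-only Deny paired with a read Allow so the Deny has something to override, and the UserAgent / Prefix / SourceIp conditions of the complex policy example. The region and owner ID in the request resources are made up, and the rule that a condition key missing from the request context makes the condition fail is an assumption of this example.

```python
import ipaddress
import re

# Added example, not code from the page: a small evaluator for the Statement
# semantics the page describes (statements are checked one by one, an explicit
# Deny beats any Allow, and a request matching no statement is denied). The
# policies below follow the page's own examples; the requests are constructed.


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob(pattern, text):
    """Match with '*' as the only wildcard, as used in Action and Resource entries."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, text) is not None


def _ip_matches(pattern, source_ip):
    """acs:SourceIp: a plain IP, a CIDR block, or a '*' wildcard such as 192.168.0.*."""
    if "*" in pattern:
        return _glob(pattern, source_ip)
    return ipaddress.ip_address(source_ip) in ipaddress.ip_network(pattern, strict=False)


def _condition_holds(condition, context):
    """All operator blocks and all keys must hold; listed values are alternatives.
    Assumption: a key missing from the request context makes the condition fail."""
    for operator, keys in condition.items():
        for key, wanted in keys.items():
            actual = context.get(key)
            if actual is None:
                return False
            wanted = _as_list(wanted)
            if operator == "StringEquals":
                ok = actual in wanted
            elif operator == "StringNotEquals":
                ok = actual not in wanted
            elif operator == "IpAddress":
                ok = any(_ip_matches(w, actual) for w in wanted)
            else:
                raise ValueError(f"operator {operator} not handled in this example")
            if not ok:
                return False
    return True


def evaluate(policy, action, resource, context=None):
    """Return 'Allow' or 'Deny' for one request checked against one RAM policy."""
    context = context or {}
    decision = "Deny"  # implicit deny until some Allow statement matches
    for stmt in policy["Statement"]:
        if not any(_glob(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_glob(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny ends evaluation immediately
        decision = "Allow"
    return decision


# Prefix-restricted read-only policy from the page (bucket app-base-oss, prefix user1/).
PREFIX_READ_ONLY = {"Version": "1", "Statement": [{
    "Effect": "Allow", "Action": ["oss:GetObject", "oss:ListObjects"],
    "Resource": ["acs:oss:*:*:app-base-oss/user1/*", "acs:oss:*:*:app-base-oss"]}]}

# Effect example from the page: full access to bucketname except deleting under index/.
# Both resource forms are listed so that object-level actions are covered by the Allow.
DENY_INDEX_DELETE = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ["oss:*"],
     "Resource": ["acs:oss:*:*:bucketname", "acs:oss:*:*:bucketname/*"]},
    {"Effect": "Deny", "Action": ["oss:DeleteObject"],
     "Resource": ["acs:oss:*:*:bucketname/index/*"]}]}

# Condition examples from the page: the HTTPS-only Deny (paired with a read Allow so the
# Deny has something to override) and the UserAgent / Prefix / SourceIp conditions.
HTTPS_ONLY = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ["oss:GetObject"], "Resource": ["acs:oss:*:*:app-base-oss/*"]},
    {"Effect": "Deny", "Action": ["oss:*"], "Resource": ["*"],
     "Condition": {"StringNotEquals": {"acs:SecureTransport": ["true"]}}}]}
LIST_WITH_CONDITIONS = {"Version": "1", "Statement": [{
    "Effect": "Allow", "Action": ["oss:ListObjects"], "Resource": ["acs:oss:*:*:app-base-oss"],
    "Condition": {"StringEquals": {"acs:UserAgent": "java-sdk", "oss:Prefix": "foo"},
                  "IpAddress": {"acs:SourceIp": "192.168.0.1"}}}]}

# Constructed request resources: the region and owner ID are made up for this example.
BUCKET = "acs:oss:cn-hangzhou:123456789012:app-base-oss"
BUCKET2 = "acs:oss:cn-hangzhou:123456789012:bucketname"

if __name__ == "__main__":
    checks = [
        (PREFIX_READ_ONLY, "oss:GetObject", BUCKET + "/test.txt", {}),
        (PREFIX_READ_ONLY, "oss:GetObject", BUCKET + "/user1/test.txt", {}),
        (DENY_INDEX_DELETE, "oss:DeleteObject", BUCKET2 + "/index/a.html", {}),
        (HTTPS_ONLY, "oss:GetObject", BUCKET + "/test.txt", {"acs:SecureTransport": "false"}),
    ]
    for policy, action, resource, ctx in checks:
        print(f"{action:<18} {resource:<58} {evaluate(policy, action, resource, ctx)}")
```

Running the script reproduces the result tables above for the prefix-restricted read-only policy (downloading test.txt fails, downloading user1/test.txt and listing the bucket succeed), shows the Deny on bucketname/index/* overriding the full Allow, and shows the HTTPS-only Deny refusing a request whose acs:SecureTransport is "false" while allowing the same request over HTTPS.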

Best practices

OSS provides the RAM policy editor to help you generate a RAM Policy quickly. You can also use the simplified policy authorization in the graphical management tool ossbrowser to grant a RAM user (sub-account) permissions on a specific bucket or directory in one step.

For authorization policy examples for specific scenarios, see the tutorial: Control access to buckets and folders.