Object access control
Last updated: 2022-10-08
Access control
Setting an object's access permissions
BOS currently supports two ways of setting an ACL; see Access Control for details.
The first is a canned ACL: when calling put_object_acl, the object's access permission is set through the "x-bce-acl", "x-bce-grant-read" or "x-bce-grant-permission" header. The permissions currently available are private and public-read. The three headers cannot appear together in one request.
The second is a custom ACL, which can be supplied as a JSON string, as an access_control_list structure, or by uploading an ACL file directly. See the Access Control overview for details.
Setting a canned ACL
A canned ACL is a predefined set of access permissions that a user can apply to an object. Three interfaces are supported:
C++
PutObjectAclRequest putObjectAclRequest(bucketName, objectKey);
PutObjectAclResponse putObjectAclResponse;

// 1. Set via the x-bce-acl header
// cannedAcl supports: private, public-read
std::string cannedAcl = "public-read";
putObjectAclRequest.set_canned_acl(cannedAcl);

// 2. Set via the x-bce-grant-read / x-bce-grant-read-permission header
// idStrings is a set of ids; several ids can be passed at once, separated by commas,
// in the fixed format: "id=\"xxxxx\", id=\"xxxxx\""
std::string idStrings = "id=\"77f47fbbc29d41xxxxxxxxxx6\"";
putObjectAclRequest.set_xbce_grant_read(idStrings);
putObjectAclRequest.set_xbce_grant_full_control(idStrings);

int ret = client.put_object_acl(putObjectAclRequest, &putObjectAclResponse);
if (ret) {
    LOGF(WARN, "client err: %d", ret);
}
if (putObjectAclResponse.is_fail()) {
    LOGF(WARN, "put_object_acl: [status_code = %d], [message = %s], [requestid = %s]",
         putObjectAclResponse.status_code(),
         putObjectAclResponse.error().message().c_str(),
         putObjectAclResponse.error().request_id().c_str());
}
Note: set_canned_acl(), set_xbce_grant_read() and set_xbce_grant_full_control() are three separate interfaces; a single put_object_acl() call can set only one of them.
Setting a custom ACL
Use the following code to set custom access permissions on an object in a bucket. Three different kinds of parameter are supported:
C++
PutObjectAclRequest putObjectAclRequest(bucketName, objectKey);
PutObjectAclResponse putObjectAclResponse;

// The three options below are alternative ways of supplying the same ACL.

// 1. Upload the ACL as a JSON string
std::string jsonAcl =
    "{\"accessControlList\":[{\"grantee\":[{\"id\":\"*\"}],\"permission\":[\"READ\"]},{"
    "\"grantee\":[{\"id\":\"cb5f8xxxxxxxxxx82bbc\"}],\"permission\":["
    "\"FULL_CONTROL\"]}]}";
putObjectAclRequest.set_json_acl(jsonAcl);

// 2. Upload an ACL file
std::string aclFilePath = "/tmp/acl.json";
int setRet = putObjectAclRequest.set_acl_file(aclFilePath);
if (setRet) {
    LOGF(WARN, "client set_acl_file: %d", setRet);
}

// 3. Set the access_control_list data directly
std::vector<Grant> grants;
Grant grant;
Grantee grantee;
grantee.id = "77fxxxxxxxxxxx5fa406";
grant.grantee.push_back(grantee);
grant.permission.push_back("READ");
grants.push_back(grant);
putObjectAclRequest.set_access_control_list(grants);

int ret = client.put_object_acl(putObjectAclRequest, &putObjectAclResponse);
if (ret) {
    LOGF(WARN, "client err: %d", ret);
}
if (putObjectAclResponse.is_fail()) {
    LOGF(WARN, "put_object_acl: [status_code = %d], [message = %s], [requestid = %s]",
         putObjectAclResponse.status_code(),
         putObjectAclResponse.error().message().c_str(),
         putObjectAclResponse.error().request_id().c_str());
}
Getting an object's access permissions
The following code retrieves an object's access permissions:
C++
GetObjectAclRequest getObjectAclRequest(bucketName, objectKey);
GetObjectAclResponse getObjectAclResponse;

int ret = client.get_object_acl(getObjectAclRequest, &getObjectAclResponse);
if (ret) {
    LOGF(WARN, "get_object_acl err: %d", ret);
}

if (getObjectAclResponse.is_fail()) {
    LOGF(WARN,
         "get_object_acl: [status_code = %d], [message = %s], [requestid = %s]",
         getObjectAclResponse.status_code(),
         getObjectAclResponse.error().message().c_str(),
         getObjectAclResponse.error().request_id().c_str());
}

// Read the actual permissions (two forms are available)
std::vector<Grant> objectAcl = getObjectAclResponse.access_control_list();
std::string objectAclJsonStr = getObjectAclResponse.json_access_control_list();
C++
// Structure of an ACL entry
struct Grantee {
    std::string id;
};
struct Grant {
    std::vector<Grantee> grantee;
    std::vector<std::string> permission;
    //std::vector<std::string> resource;
    //std::vector<std::string> notResource;
    //Condition condition;
    //std::string effect;
};
Note: the Grant structure used by ACLs is shared between the bucket ACL and object ACL systems.
The object ACL system currently uses only the grantee and permission fields.
The remaining commented-out fields belong to the bucket ACL system only.
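The Grant structure above is enough to build the accessControlList JSON that set_json_acl expects and to audit what get_object_acl's access_control_list() returns. The following is an added example, not part of the BOS SDK: it mirrors the documented structs, serializes them into the same JSON layout shown in the custom-ACL section, and reports every permission granted to the anonymous grantee id "*", which is the check a reviewer wants before an object is made public-read. The function names and the placeholder account id are this example's own.

```cpp
#include <string>
#include <vector>

// Same layout as the Grant/Grantee structure documented above (object ACLs
// use only these two fields).
struct Grantee { std::string id; };
struct Grant {
    std::vector<Grantee> grantee;
    std::vector<std::string> permission;
};
// Serialize into the accessControlList JSON layout that set_json_acl accepts.
// Assumes ids and permission names need no JSON escaping (hex ids or "*").
std::string acl_to_json(const std::vector<Grant>& grants) {
    std::string out = "{\"accessControlList\":[";
    for (size_t i = 0; i < grants.size(); ++i) {
        if (i) out += ",";
        out += "{\"grantee\":[";
        for (size_t j = 0; j < grants[i].grantee.size(); ++j) {
            if (j) out += ",";
            out += "{\"id\":\"" + grants[i].grantee[j].id + "\"}";
        }
        out += "],\"permission\":[";
        for (size_t k = 0; k < grants[i].permission.size(); ++k) {
            if (k) out += ",";
            out += "\"" + grants[i].permission[k] + "\"";
        }
        out += "]}";
    }
    return out + "]}";
}
// Audit helper: every permission granted to the anonymous grantee "*". Run it
// over the vector returned by access_control_list() to find objects that are
// readable (or worse, writable) by anyone.
std::vector<std::string> anonymous_permissions(const std::vector<Grant>& grants) {
    std::vector<std::string> found;
    for (const Grant& g : grants) {
        bool anonymous = false;
        for (const Grantee& ge : g.grantee) if (ge.id == "*") anonymous = true;
        if (anonymous) found.insert(found.end(), g.permission.begin(), g.permission.end());
    }
    return found;
}
// The ACL from the custom-ACL section: everyone may READ, one account (the
// page's placeholder id) has FULL_CONTROL.
std::vector<Grant> sample_public_read_acl() {
    Grant everyone{{Grantee{"*"}}, {"READ"}};
    Grant owner{{Grantee{"cb5f8xxxxxxxxxx82bbc"}}, {"FULL_CONTROL"}};
    return {everyone, owner};
}
```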
Deleting an object's access permissions
For an object whose access permissions have been set, this interface removes them:
C++
DeleteObjectAclRequest deleteObjectAclRequest(BUCKET_NAME, OBJECT_NAME);
DeleteObjectAclResponse deleteObjectAclResponse;

int ret = client.delete_object_acl(deleteObjectAclRequest, &deleteObjectAclResponse);
if (ret) {
    LOGF(WARN, "client err: %d", ret);
}
if (deleteObjectAclResponse.is_fail()) {
    LOGF(WARN, "delete_object_acl: [status_code = %d], [message = %s], [requestid = %s]",
         deleteObjectAclResponse.status_code(),
         deleteObjectAclResponse.error().message().c_str(),
         deleteObjectAclResponse.error().request_id().c_str());
}