Object权限控制

更新时间：2022-10-08

权限控制

设置对象的访问权限

目前BOS支持两种方式设置ACL. 具体可参考权限控制

第一种是使用Canned Acl，在put_object_acl的时候，通过头域的"x-bce-acl", "x-bce-grant-read", 或者 "x-bce-grant-permission"来设置对象的访问权限，当前可设置的权限包括private和public-read，三种类型的header不可以同时在一个请求中出现.

第二种方式是以自定义Acl样式, 具体可通过上传其json字符串, 设置access_control_list结构体, 或者直接上传ACL文件. 具体可参考权限控制概述

设置Canned ACL

Canned ACL是预定义的访问权限，用户可选择对某个对象进行设置，支持三种接口：

                C++
                
            

                PutObjectAclRequest putObjectAclRequest(bucketName, objectKey);
PutObjectAclResponse putObjectAclResponse;

// 1. 使用x-bce-acl Header设置
// cannedAcl支持:private、public-read
std::string cannedAcl="public-read";
putObjectAclRequest.set_canned_acl(cannedAcl);

// 2. 使用x-bce-grant-read / x-bce-grant-read-permission Header设置
// idStrings为id集合, 可一次传入多个id, 用逗号隔开, 字符串固定格式为:"id=/"xxxxx/", id=/"xxxxx/"";
std::string idStrings="id=\"77f47fbbc29d41xxxxxxxxxx6\"";
putObjectAclRequest.set_xbce_grant_read(idStrings);
putObjectAclRequest.set_xbce_grant_full_control(idStrings);

int ret = client.put_object_acl(putObjectAclRequest, &putObjectAclResponse);
if (ret) {
    LOGF(WARN, "client err: %d", ret);
}
if (putObjectAclResponse.is_fail()) {
    LOGF(WARN,"put_object_acl: [status_code = %d], [message = %s], [requestid = %s]",
         putObjectAclResponse.status_code(),
         putObjectAclResponse.error().message().c_str(),
         putObjectAclResponse.error().request_id().c_str());
}
            

注意: 三种方式set_canned_acl(),set_xbce_grant_read(),set_xbce_grant_full_control()
一次put_object_acl()调用只能设置上述三种接口其中之一.

设置自定义ACL

用户可参考如下代码设置Bucket内的对象的自定义访问权限，支持三种不同参数：

Plain Text

1PutObjectAclRequest putObjectAclRequest(bucketName, objectKey);
2PutObjectAclResponse putObjectAclResponse;
3
4// 1. 通过上传acl json串
5std::string jsonAcl =
6                "{\"accessControlList\":[{\"grantee\":[{\"id\":\"*\"}],\"permission\":[\"READ\"]},{"
7                "\"grantee\":[{\"id\":\"cb5f8xxxxxxxxxx82bbc\"}],\"permission\":["
8                "\"FULL_CONTROL\"]}]}";
9std::string cannedAcl="public-read";
10putObjectAclRequest.set_json_acl(jsonAcl);
11
12
13// 2. 上传acl文件
14std::string aclFilePath = "/tmp/acl.json"
15int setRet = putObjectAclRequest.set_acl_file(aclFilePath);
16if (ret) {
17    LOGF(WARN, "client set_acl_file: %d", ret);
18}
19
20// 3. 通过设置access_control_list数据
21std::vector<Grant> grants;
22Grant grant;
23grantee.id = "77fxxxxxxxxxxx5fa406";
24grant.grantee.push_back(grantee);
25grant.permission.push_back("READ");
26grants.push_back(grant);
27putObjectAclRequest.set_access_control_list(grants);
28
29int ret = client.put_object_acl(putObjectAclRequest, &putObjectAclResponse);
30if (ret) {
31    LOGF(WARN, "client err: %d", ret);
32}
33if (putObjectAclResponse.is_fail()) {
34    LOGF(WARN,"put_object_acl: [status_code = %d], [message = %s], [requestid = %s]",
35         putObjectAclResponse.status_code(),
36         putObjectAclResponse.error().message().c_str(),
37         putObjectAclResponse.error().request_id().c_str());
38}

获取对象的访问权限

如下代码可获取一个对象的访问权限：

                C++
                
            

                GetObjectAclRequest getObjectAclRequest(bucketName, objectKey);
GetObjectAclResponse getObjectAclResponse;

int ret = client()->get_object_acl(getObjectAclRequest, &getObjectAclResponse);
if (ret) {
    LOGF(WARN, "get_object_acl err: %d", ret);
}

if (getObjectAclResponse.is_fail()) {
    LOGF(WARN,
         "get_object_acl: [status_code = %d], [message = %s], [requestid = %s]",
         getObjectAclResponse.status_code(),
         getObjectAclResponse.error().message().c_str(),
         getObjectAclResponse.error().request_id().c_str());
}

//获取具体权限(两种方式)
std::vector<Grant> objectAcl = getObjectAclResponse.access_control_list();
std::string objectAclJsonStr = getObjectAclResponse.json_access_control_list();
            

Plain Text

1//acl具体结构
2struct Grantee {
3    std::string id;
4};
5struct Grant {
6    std::vector<Grantee> grantee;
7    std::vector<std::string> permission;
8    //std::vector<std::string> resource;
9    //std::vector<std::string> notResource;
10    //Condition condition;
11    //std::string effect;
12}

注意: acl涉及到的具体结构体Grant, 在bucket acl和object acl体系中共用
目前object acl体系中只用到其中grantee, permission两个字段.
其余注释的字段均为bucket acl体系独有.

删除对象的访问权限

对设置过访问权限的对象，可以调用此接口进行删除：

                C++
                
            

                DeleteObjectAclRequest deleteObjectAclRequest(BUCKET_NAME, OBJECT_NAME);
DeleteObjectAclResponse deleteObjectAclResponse;

int ret = client.delete_object_acl(deleteObjectAclRequest, &deleteObjectAclResponse);
if (ret) {
    LOGF(WARN, "client err: %d", ret);
}
if (deleteObjectAclResponse.is_fail()) {
    LOGF(WARN, "put_object_acl: [status_code = %d], [message = %s], [requestid = %s]",
         deleteObjectAclResponse.status_code(),
         deleteObjectAclResponse.error().message().c_str(),
         deleteObjectAclResponse.error().request_id().c_str());
}
            

列举存储空间中的文件

删除文件

百度智能云

BOS 对象存储