Object Access Control
Updated: 2022-10-08
Access control
Setting an object's access permissions
BOS currently supports two ways of setting an ACL; see Access Control for details.
The first is a Canned ACL: when calling put_object_acl, the object's access permission is set through the header fields "x-bce-acl", "x-bce-grant-read" or "x-bce-grant-permission". The permissions currently available are private and public-read. The three kinds of header cannot appear together in a single request.
The second is a custom ACL, which can be supplied as a JSON string, by populating the access_control_list structure, or by uploading an ACL file directly. See the Access Control overview for details.
Setting a Canned ACL
A Canned ACL is a predefined access permission that the user can apply to an object. Three interfaces are supported:
PutObjectAclRequest putObjectAclRequest(bucketName, objectKey);
PutObjectAclResponse putObjectAclResponse;
// The three setters below are alternatives; only one of them may be used in a
// single put_object_acl() call. They are shown together here for illustration.
// 1. Set via the x-bce-acl header
// cannedAcl supports: private, public-read
std::string cannedAcl = "public-read";
putObjectAclRequest.set_canned_acl(cannedAcl);
// 2. Set via the x-bce-grant-read / x-bce-grant-read-permission headers
// idStrings is a set of ids; several ids may be passed at once, separated by
// commas, in the fixed format: "id=\"xxxxx\",id=\"xxxxx\""
std::string idStrings = "id=\"77f47fbbc29d41xxxxxxxxxx6\"";
putObjectAclRequest.set_xbce_grant_read(idStrings);
putObjectAclRequest.set_xbce_grant_full_control(idStrings);
int ret = client.put_object_acl(putObjectAclRequest, &putObjectAclResponse);
if (ret) {
    LOGF(WARN, "client err: %d", ret);
}
if (putObjectAclResponse.is_fail()) {
    LOGF(WARN, "put_object_acl: [status_code = %d], [message = %s], [requestid = %s]",
         putObjectAclResponse.status_code(),
         putObjectAclResponse.error().message().c_str(),
         putObjectAclResponse.error().request_id().c_str());
}
Note: set_canned_acl(), set_xbce_grant_read() and set_xbce_grant_full_control() are three alternative interfaces; a single put_object_acl() call may set only one of them.
Setting a custom ACL
The following code sets a custom access permission on an object in a bucket; three different parameter forms are supported:
PutObjectAclRequest putObjectAclRequest(bucketName, objectKey);
PutObjectAclResponse putObjectAclResponse;
// The three forms below are alternatives; use one of them per request.
// 1. Upload the ACL as a JSON string
std::string jsonAcl =
    "{\"accessControlList\":[{\"grantee\":[{\"id\":\"*\"}],\"permission\":[\"READ\"]},{"
    "\"grantee\":[{\"id\":\"cb5f8xxxxxxxxxx82bbc\"}],\"permission\":["
    "\"FULL_CONTROL\"]}]}";
putObjectAclRequest.set_json_acl(jsonAcl);
// 2. Upload an ACL file
std::string aclFilePath = "/tmp/acl.json";
int setRet = putObjectAclRequest.set_acl_file(aclFilePath);
if (setRet) {
    LOGF(WARN, "client set_acl_file: %d", setRet);
}
// 3. Populate the access_control_list data directly
std::vector<Grant> grants;
Grant grant;
Grantee grantee;
grantee.id = "77fxxxxxxxxxxx5fa406";
grant.grantee.push_back(grantee);
grant.permission.push_back("READ");
grants.push_back(grant);
putObjectAclRequest.set_access_control_list(grants);
int ret = client.put_object_acl(putObjectAclRequest, &putObjectAclResponse);
if (ret) {
    LOGF(WARN, "client err: %d", ret);
}
if (putObjectAclResponse.is_fail()) {
    LOGF(WARN, "put_object_acl: [status_code = %d], [message = %s], [requestid = %s]",
         putObjectAclResponse.status_code(),
         putObjectAclResponse.error().message().c_str(),
         putObjectAclResponse.error().request_id().c_str());
}
Getting an object's access permissions
The following code retrieves the access permissions of an object:
GetObjectAclRequest getObjectAclRequest(bucketName, objectKey);
GetObjectAclResponse getObjectAclResponse;
int ret = client.get_object_acl(getObjectAclRequest, &getObjectAclResponse);
if (ret) {
    LOGF(WARN, "get_object_acl err: %d", ret);
}
if (getObjectAclResponse.is_fail()) {
    LOGF(WARN,
         "get_object_acl: [status_code = %d], [message = %s], [requestid = %s]",
         getObjectAclResponse.status_code(),
         getObjectAclResponse.error().message().c_str(),
         getObjectAclResponse.error().request_id().c_str());
}
// Read the actual permissions (two forms)
std::vector<Grant> objectAcl = getObjectAclResponse.access_control_list();
std::string objectAclJsonStr = getObjectAclResponse.json_access_control_list();
// Structure of the ACL
struct Grantee {
    std::string id;
};
struct Grant {
    std::vector<Grantee> grantee;
    std::vector<std::string> permission;
    //std::vector<std::string> resource;
    //std::vector<std::string> notResource;
    //Condition condition;
    //std::string effect;
};
Note: the Grant structure used by the ACL is shared between the bucket ACL and object ACL systems.
At present the object ACL system uses only the grantee and permission fields.
The remaining commented-out fields belong to the bucket ACL system only.
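As an added example (not part of this page or the BOS SDK), the following helper audits the Grant list returned by access_control_list() and classifies how widely an object is exposed. It redefines Grant and Grantee locally so that it compiles without the SDK, assumes that the grantee id "*" stands for all (anonymous) users as in the custom-ACL JSON above, and uses the sample ACL from that example as constructed input.

```cpp
#include <cstdio>
#include <string>
#include <vector>

// Mirrors the Grant/Grantee structs that GetObjectAclResponse::access_control_list()
// returns; redefined here so the example compiles without the BOS SDK.
struct Grantee { std::string id; };
struct Grant {
    std::vector<Grantee> grantee;
    std::vector<std::string> permission;
};

// How widely an object is exposed to callers outside the owning account.
enum class Exposure { Private, PublicRead, PublicFullControl };

// Assumption: the wildcard grantee id "*" means all (anonymous) users, as in the
// custom-ACL JSON example on this page.
static bool grantsEveryone(const Grant& g) {
    for (const Grantee& ge : g.grantee) if (ge.id == "*") return true;
    return false;
}

// Returns the widest permission granted to everyone; FULL_CONTROL outranks READ.
Exposure classifyAcl(const std::vector<Grant>& acl) {
    Exposure worst = Exposure::Private;
    for (const Grant& g : acl) {
        if (!grantsEveryone(g)) continue;
        for (const std::string& p : g.permission) {
            if (p == "FULL_CONTROL") return Exposure::PublicFullControl;
            if (p == "READ") worst = Exposure::PublicRead;
        }
    }
    return worst;
}

// Ids holding FULL_CONTROL; an audit normally expects only the owning account here.
std::vector<std::string> fullControlIds(const std::vector<Grant>& acl) {
    std::vector<std::string> ids;
    for (const Grant& g : acl)
        for (const std::string& p : g.permission)
            if (p == "FULL_CONTROL")
                for (const Grantee& ge : g.grantee) ids.push_back(ge.id);
    return ids;
}

// Constructed sample: the ACL from this page's custom-ACL example (public READ plus
// one account with FULL_CONTROL), as the SDK would hand it back.
std::vector<Grant> sampleAcl() {
    Grant pub;   pub.grantee.push_back({"*"});                      pub.permission.push_back("READ");
    Grant owner; owner.grantee.push_back({"cb5f8xxxxxxxxxx82bbc"}); owner.permission.push_back("FULL_CONTROL");
    return {pub, owner};
}
```

Running classifyAcl() over every object returned by a listing, and alerting on anything other than Exposure::Private, gives a simple periodic check that no object has drifted to public-read.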
Deleting an object's access permissions
For an object whose access permissions have been set, this interface deletes them:
DeleteObjectAclRequest deleteObjectAclRequest(bucketName, objectKey);
DeleteObjectAclResponse deleteObjectAclResponse;
int ret = client.delete_object_acl(deleteObjectAclRequest, &deleteObjectAclResponse);
if (ret) {
    LOGF(WARN, "client err: %d", ret);
}
if (deleteObjectAclResponse.is_fail()) {
    LOGF(WARN, "delete_object_acl: [status_code = %d], [message = %s], [requestid = %s]",
         deleteObjectAclResponse.status_code(),
         deleteObjectAclResponse.error().message().c_str(),
         deleteObjectAclResponse.error().request_id().c_str());
}