感谢您的反馈!
本文主要介绍在使用阿里云对象存储OSS过程中,在以下场景中,如何授权子用户和STS临时用户通过OSS SDK、OSS命令行或者OSS控制台管理OSS资源的部分权限,进行细粒度的权限控制。
对RAM用户授予OSS细粒度的访问权限,具体操作如下:
说明:由于主账号的
Access Key
对于OSS的Bucket控制权限级别较大,使用安全性不高,因此建议使用子账号赋予OSS的不同权限,可以安全地限制对产品的使用,同时也可实现对OSS的细粒度的访问授权限制。
以下主要介绍通过OSS SDK管理Bucket,或者通过OSS管理控制台或客户端管理Bucket的授权策略:
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": "oss:*",
"Resource": [
"acs:oss:*:*:myphotos",
"acs:oss:*:*:myphotos/*"
]
}
]
}
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": "oss:ListBuckets",
"Resource": "acs:oss:*:*:*"
},
{
"Effect": "Allow",
"Action": "oss:*",
"Resource": [
"acs:oss:*:*:myphotos",
"acs:oss:*:*:myphotos/*"
]
}
]
}
可通过OSS SDK、OSS命令行或者OSS控制台完成,具体内容如下所示:
myphotos
,具体策略如下:{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": "oss:ListBuckets", "Resource": "acs:oss:*:*:*" }, { "Effect": "Allow", "Action": [ "oss:ListObjects", "oss:GetBucketAcl" ], "Resource": "acs:oss:*:*:myphotos" }, { "Effect": "Allow", "Action": [ "oss:GetObject", "oss:GetObjectAcl" ], "Resource": "acs:oss:*:*:myphotos/*" } ] }
说明:为了操作体验的优化,登录OSS控制台时,OSS控制台会额外调用ListBuckets、GetBucketAcl和GetObjectAcl,用来确定存储空间属性是公开还是私有。
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"oss:ListBuckets",
"oss:GetBucketStat",
"oss:GetBucketInfo",
"oss:GetBucketTagging",
"oss:GetBucketAcl"
],
"Resource": "acs:oss:*:*:*"
},
{
"Effect": "Allow",
"Action": [
"oss:ListObjects",
"oss:GetBucketAcl"
],
"Resource": "acs:oss:*:*:myphotos"
},
{
"Effect": "Allow",
"Action": [
"oss:GetObject",
"oss:GetObjectAcl"
],
"Resource": "acs:oss:*:*:myphotos/*"
}
]
}
192.168.0.0/16
,172.12.0.0/16
两个IP段读取myphotos
中的信息。{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "oss:ListBuckets", "oss:GetBucketStat", "oss:GetBucketInfo", "oss:GetBucketTagging", "oss:GetBucketAcl" ], "Resource": [ "acs:oss:*:*:*" ] }, { "Effect": "Allow", "Action": [ "oss:ListObjects", "oss:GetObject" ], "Resource": [ "acs:oss:*:*:myphotos", "acs:oss:*:*:myphotos/*" ], "Condition":{ "IpAddress": { "acs:SourceIp": ["192.168.0.0/16", "172.12.0.0/16"] } } } ] }
说明:因为权限策略的鉴权规则是Deny优先,所以通过192.168.0.0/16以外的IP地址访问myphotos中的内容时,OSS会提示没有权限。
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "oss:ListBuckets", "oss:GetBucketStat", "oss:GetBucketInfo", "oss:GetBucketTagging", "oss:GetBucketAcl" ], "Resource": [ "acs:oss:*:*:*" ] }, { "Effect": "Allow", "Action": [ "oss:ListObjects", "oss:GetObject" ], "Resource": [ "acs:oss:*:*:myphotos", "acs:oss:*:*:myphotos/*" ] }, { "Effect": "Deny", "Action": "oss:*", "Resource": [ "acs:oss:*:*:*" ], "Condition":{ "NotIpAddress": { "acs:SourceIp": ["192.168.0.0/16"] } } } ] }
假设用于存放照片的存储空间名为myphotos,该存储空间中的目录代表照片的拍摄地,每个拍摄地目录中又有年份子目录。
myphotos[Bucket] ├── beijing │ ├── 2014 │ └── 2015 ├── hangzhou │ ├── 2013 │ ├── 2014 │ └── 2015 //授予此目录只读权限 └── qingdao ├── 2014 └── 2015
若要授权RAM用户访问myphotos/hangzhou/2015/
目录的只读权限。目录级别的授权属于授权的高级功能,根据使用场景不同,授权策略的复杂程度也不同,以下几种场景可供参考:
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "oss:GetObject" ], "Resource": [ "acs:oss:*:*:myphotos/hangzhou/2015/*" ] } ] }
myphotos/hangzhou/2015/
目录,并列出目录中文件的权限。RAM用户可以使用OSS命令行工具或API直接获取目录信息,通常会将这样的权限授予软件开发者。
说明:此场景需要新增ListObjects的权限。
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "oss:GetObject" ], "Resource": [ "acs:oss:*:*:myphotos/hangzhou/2015/*" ] }, { "Effect": "Allow", "Action": [ "oss:ListObjects" ], "Resource": [ "acs:oss:*:*:myphotos" ], "Condition":{ "StringLike":{ "oss:Prefix":"hangzhou/2015/*" } } } ] }
myphotos/hangzhou/2015/
目录,可视化的客户端类似Windows文件管理器,RAM用户可以从根目录开始,逐层进入要访问的目录。 { "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "oss:ListBuckets", "oss:GetBucketStat", "oss:GetBucketInfo", "oss:GetBucketTagging", "oss:GetBucketAcl" ], "Resource": [ "acs:oss:*:*:*" ] }, { "Effect": "Allow", "Action": [ "oss:GetObject", "oss:GetObjectAcl" ], "Resource": [ "acs:oss:*:*:myphotos/hangzhou/2015/*" ] }, { "Effect": "Allow", "Action": [ "oss:ListObjects" ], "Resource": [ "acs:oss:*:*:myphotos" ], "Condition": { "StringLike": { "oss:Delimiter": "/", "oss:Prefix": [ "", "hangzhou/", "hangzhou/2015/*" ] } } } ] }
说明:此场景需要新增以下权限。
- 列出所有
Bucket
的权限。- 列出
myphotos
下目录的权限。- 列出
myphotos/hangzhou
下的目录的权限。
更多的授权设置,请参见授权策略管理。