757
OSS细粒度的权限控制
Access key 对OSS的bucket控制权限太高,需求对bucket更细粒度的权限控制:比如只能操作部分bucket,只能操作部分bucket的部分目录等,RAM的子账户功能可以实现该需求;
1.子账户创建
1)进入RAM管理控制台,选择用户管理
短信验证成功后,子账户创建完成
2)创建子账户的Access key
3)为子账户授权策略
点击授权
进行授权
注:用户可以自定义授权策略
自定义的授权策略这边创建完成后,子账户授权中:可授权策略是可以看到该自定义授权策略的;
自定义授权策略创建,参考自定义授权策略创建;
OSS支持的自定义授权权限参考OSS支持的自定义权限;
2.权限控制
1)子用户能够通过OSS控制台操作部分有权限的bucket:目前只能实现控制台能看到所有的bucket,但是只能操作部分有权限的bucket,没权限的bucket操作报错;
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": "oss:ListBuckets",
"Resource": "acs:oss:*:*:*"
},
{
"Effect": "Allow",
"Action": [
"oss:*"
],
"Resource": [
"acs:oss:*:*:myphotos",
"acs:oss:*:*:myphotos/*"
]
}
]
}
2)OSS子账户控制台登录只能看到bucket部分子目录,其他目录不能操作:目前只能实现能看到该bucket下的所有目录,但只对部分目录有对应的权限;
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"oss:ListBuckets",
"oss:GetBucketAcl"
],
"Resource": [
"acs:oss:*:*:*"
]
},
{
"Effect": "Allow",
"Action": [
"oss:*"
],
"Resource": [
"acs:oss:*:*:gsdata-img1/gsdata/*"
]
},
{
"Effect": "Allow",
"Action": [
"oss:ListObjects"
],
"Resource": [
"acs:oss:*:*:gsdata-img1"
],
"Condition": {
"StringLike": {
"oss:Delimiter": "/",
"oss:Prefix": [
""
]
}
}
},
{
"Effect": "Allow",
"Action": [
"oss:ListObjects"
],
"Resource": [
"acs:oss:*:*:gsdata-img1"
],
"Condition": {
"StringLike": {
"oss:Prefix": [
"gsdata/*"
]
}
}
}
]
}
3)SDK或者API操作有某个bucket的全部权限;
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": "oss:*",
"Resource": [
"acs:oss:*:*:myphotos",
"acs:oss:*:*:myphotos/*"
]
}
]
}
4)SDK或者API操作有bucket部分目录的全部权限;
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"oss:*"
],
"Resource": [
"acs:oss:*:*:myphotos/hangzhou/2015/*"
]
},
{
"Effect": "Allow",
"Action": [
"oss:ListObjects"
],
"Resource": [
"acs:oss:*:*:myphotos"
],
"Condition":{
"StringLike":{
"oss:Prefix":"hangzhou/2015/*"
}
}
}
]
}
最后更新:2017-06-23 23:02:45