Fine-grained access control for OSS
An account Access key grants too much control over OSS buckets. Finer-grained control is needed, for example allowing access to only some buckets, or only to some directories within some buckets. The RAM sub-account feature can meet this need.
1. Creating a sub-account
1) Open the RAM console and select User Management
After SMS verification succeeds, the sub-account is created
2) Create an Access key for the sub-account
3) Grant an authorization policy to the sub-account
Click Authorize
Complete the authorization
Note: users can define their own authorization policies
Once a custom authorization policy has been created here, it appears among the policies that can be granted in the sub-account's authorization dialog.
For creating a custom authorization policy, see "Create a custom authorization policy".
For the custom permissions OSS supports, see "Custom permissions supported by OSS".
2. Access control
1) A sub-user should be able to operate, through the OSS console, only on the buckets it is authorized for: currently the console will still show all buckets (the policy grants oss:ListBuckets on every resource so the bucket list loads), but only the authorized buckets can be operated on; operations on unauthorized buckets fail with an error.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "oss:ListBuckets",
      "Resource": "acs:oss:*:*:*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "oss:*"
      ],
      "Resource": [
        "acs:oss:*:*:myphotos",
        "acs:oss:*:*:myphotos/*"
      ]
    }
  ]
}
2) A sub-account logged into the OSS console should see only some subdirectories of a bucket and be unable to operate on the others: currently all directories under the bucket remain visible, but the sub-account holds the corresponding permissions only on some of them. The two ListObjects statements below allow the root-level listing (empty prefix with delimiter "/") and listing under the gsdata/ prefix; full rights apply only to objects under gsdata-img1/gsdata/.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "oss:ListBuckets",
        "oss:GetBucketAcl"
      ],
      "Resource": [
        "acs:oss:*:*:*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "oss:*"
      ],
      "Resource": [
        "acs:oss:*:*:gsdata-img1/gsdata/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "oss:ListObjects"
      ],
      "Resource": [
        "acs:oss:*:*:gsdata-img1"
      ],
      "Condition": {
        "StringLike": {
          "oss:Delimiter": "/",
          "oss:Prefix": [
            ""
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "oss:ListObjects"
      ],
      "Resource": [
        "acs:oss:*:*:gsdata-img1"
      ],
      "Condition": {
        "StringLike": {
          "oss:Prefix": [
            "gsdata/*"
          ]
        }
      }
    }
  ]
}
3) Full permissions on one bucket when operating through the SDK or API:
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "oss:*",
      "Resource": [
        "acs:oss:*:*:myphotos",
        "acs:oss:*:*:myphotos/*"
      ]
    }
  ]
}
4) Full permissions on part of a bucket's directory tree when operating through the SDK or API (the second statement lets the sub-account list the bucket only under the hangzhou/2015/ prefix):
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "oss:*"
      ],
      "Resource": [
        "acs:oss:*:*:myphotos/hangzhou/2015/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "oss:ListObjects"
      ],
      "Resource": [
        "acs:oss:*:*:myphotos"
      ],
      "Condition": {
        "StringLike": {
          "oss:Prefix": "hangzhou/2015/*"
        }
      }
    }
  ]
}
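To check what a policy like 4) actually permits before attaching it to a sub-account, the following added example (not from this page or from Alibaba Cloud) evaluates requests against it with a simplified RAM model: `*` wildcards in Action and Resource, and a StringLike condition that is assumed to fail when the request lacks the named key; explicit Deny statements are not modelled, and the account id in the test resources is constructed.

```python
import json
import re

# Added, simplified evaluator for RAM policies like the ones above (not Alibaba
# Cloud's real engine): a request is allowed only when some Allow statement
# matches the action, the resource and every condition key it names.
# Policy 4) from this page: full rights under myphotos/hangzhou/2015/ plus a
# prefix-restricted ListObjects on the bucket itself.
POLICY = json.loads('''{
  "Version": "1",
  "Statement": [
    {"Effect": "Allow", "Action": ["oss:*"],
     "Resource": ["acs:oss:*:*:myphotos/hangzhou/2015/*"]},
    {"Effect": "Allow", "Action": ["oss:ListObjects"],
     "Resource": ["acs:oss:*:*:myphotos"],
     "Condition": {"StringLike": {"oss:Prefix": "hangzhou/2015/*"}}}
  ]
}''')

def _wild(pattern, value):
    """RAM-style wildcard: '*' matches any run of characters, the rest is literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _condition_ok(condition, context):
    """Assumed semantics: each named key must be present in the request and match."""
    for operator, keys in condition.items():
        if operator != "StringLike":
            raise NotImplementedError(operator)
        for key, patterns in keys.items():
            value = context.get(key)
            if value is None or not any(_wild(p, value) for p in _as_list(patterns)):
                return False
    return True

def is_allowed(policy, action, resource, context=None):
    """True if any Allow statement covers the action, resource and request context."""
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(_wild(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_wild(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if _condition_ok(stmt.get("Condition", {}), context):
            return True
    return False
```

Pass the request's ListObjects parameters as the context (for example `{"oss:Prefix": "hangzhou/2015/"}`); a listing without a prefix, or under another prefix, is refused by the second statement.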
Last updated: 2017-06-23 23:02:45