Sub-account permission management

Grantable NOS Actions and their corresponding resources

Note

${bucket} and ${object} stand for a concrete bucket name and object name respectively. ${region} stands for the region name; the currently supported values are *, cn-east-1 and cn-north-1, where * means all regions, cn-east-1 is the Hangzhou region and cn-north-1 is the Beijing region.

| Action | Action description | Resource |
|---|---|---|
| comb:nos:PutObject | Upload an object to a bucket | comb:nos:${region}:*:${bucket}/${object} |
| comb:nos:DeleteObject | Delete an object | comb:nos:${region}:*:${bucket}/${object} |
| comb:nos:DeleteMultiObject | Delete multiple objects | comb:nos:${region}:*:${bucket} |
| comb:nos:GetObject | Read object content | comb:nos:${region}:*:${bucket}/${object} |
| comb:nos:PutBucket | Create a bucket | comb:nos:${region}:*:${bucket} |
| comb:nos:GetBucket | List all objects | comb:nos:${region}:*:${bucket} |
| comb:nos:HeadObject | Get object information | comb:nos:${region}:*:${bucket}/${object} |
| comb:nos:InitMultiUpload | Initiate a multipart upload | comb:nos:${region}:*:${bucket}/${object} |
| comb:nos:UploadPart | Upload a part | comb:nos:${region}:*:${bucket}/${object} |
| comb:nos:CompleteMultiUpload | Complete a multipart upload | comb:nos:${region}:*:${bucket}/${object} |
| comb:nos:ListPart | List all parts | comb:nos:${region}:*:${bucket}/${object} |
| comb:nos:ListMultiUpload | List the bucket's multipart uploads | comb:nos:${region}:*:${bucket} |
| comb:nos:AbortMultiUpload | Abort a multipart upload | comb:nos:${region}:*:${bucket}/${object} |
| comb:nos:CopyObject | Copy an object | comb:nos:${region}:*:${bucket}/${object} |
| comb:nos:MoveObject | Move an object | comb:nos:${region}:*:${bucket}/${object} |
| comb:nos:UpdateObjectMeta | Modify object metadata | comb:nos:${region}:*:${bucket}/${object} |
| comb:nos:PutBucketAcl | Modify the bucket ACL | comb:nos:${region}:*:${bucket} |
| comb:nos:GetBucketCors | Get the bucket's CORS configuration | comb:nos:${region}:*:${bucket} |
| comb:nos:PutBucketCors | Add CORS configuration to the bucket | comb:nos:${region}:*:${bucket} |
| comb:nos:DeleteBucketCors | Delete the bucket's CORS configuration | comb:nos:${region}:*:${bucket} |
| comb:nos:GetBucketDefault404 | Get the bucket's static-website default 404 setting | comb:nos:${region}:*:${bucket} |
| comb:nos:PutBucketDefault404 | Set the bucket's static-website default 404 setting | comb:nos:${region}:*:${bucket} |
| comb:nos:GetBucketDomain | Get the bucket's custom domain | comb:nos:${region}:*:${bucket} |
| comb:nos:PutBucketDomain | Add a custom domain to the bucket | comb:nos:${region}:*:${bucket} |
| comb:nos:DeleteBucketDomain | Delete the bucket's custom domain | comb:nos:${region}:*:${bucket} |
| comb:nos:GetBucketLocation | Get the bucket's region | comb:nos:${region}:*:${bucket} |
| comb:nos:GetBucketLoggingInfo | Get the bucket's logging configuration | comb:nos:${region}:*:${bucket} |
| comb:nos:PutLoggingInfo | Set the bucket's logging configuration | comb:nos:${region}:*:${bucket} |
| comb:nos:GetBucketMirrorStorage | Get the bucket's mirror-to-origin configuration | comb:nos:${region}:*:${bucket} |
| comb:nos:PutBucketMirrorStorage | Set the bucket's mirror-to-origin configuration | comb:nos:${region}:*:${bucket} |
| comb:nos:GetBucketReferer | Get the bucket's referer hotlink-protection configuration | comb:nos:${region}:*:${bucket} |
| comb:nos:PutBucketReferer | Set the bucket's referer hotlink-protection configuration | comb:nos:${region}:*:${bucket} |
| comb:nos:GetBucketSync | Get the bucket's cross-region sync configuration | comb:nos:${region}:*:${bucket} |
| comb:nos:PutBucketSync | Set the bucket's cross-region sync configuration | comb:nos:${region}:*:${bucket} |
| comb:nos:DelBucketSync | Delete the bucket's cross-region sync configuration | comb:nos:${region}:*:${bucket} |
| comb:nos:GetBucketWebsite | Get the bucket's static website configuration | comb:nos:${region}:*:${bucket} |
| comb:nos:PutBucketWebsite | Set the bucket's static website configuration | comb:nos:${region}:*:${bucket} |
| comb:nos:DeleteBucketWebsite | Delete the bucket's static website configuration | comb:nos:${region}:*:${bucket} |

NOS API operations and their corresponding NOS Actions

Note

The ListBucket Action is open to all sub-accounts by default.

| API | Action description | Action |
|---|---|---|
| PutObject | Upload an object to a bucket | comb:nos:PutObject |
| DeleteObject | Delete an object | comb:nos:DeleteObject |
| DeleteMultiObject | Delete multiple objects | comb:nos:DeleteMultiObject |
| GetObject | Read object content | comb:nos:GetObject |
| GetBucket | List all objects | comb:nos:GetBucket |
| PutBucket | Create a bucket | comb:nos:PutBucket |
| ListObject | List all objects | comb:nos:GetBucket |
| HeadObject | Get object information | comb:nos:HeadObject |
| InitMultiUpload | Initiate a multipart upload | comb:nos:InitMultiUpload |
| UploadPart | Upload a part | comb:nos:UploadPart |
| CompleteMultiUpload | Complete a multipart upload | comb:nos:CompleteMultiUpload |
| ListPart | List all parts | comb:nos:ListPart |
| ListMultiUpload | List the bucket's multipart uploads | comb:nos:ListMultiUpload |
| AbortMultiUpload | Abort a multipart upload | comb:nos:AbortMultiUpload |
| CopyObject | Copy an object | comb:nos:CopyObject |
| MoveObject | Move an object | comb:nos:MoveObject |
| UpdateObjectMeta | Modify object metadata | comb:nos:UpdateObjectMeta |
| PutBucketAcl | Modify the bucket ACL | comb:nos:PutBucketAcl |
| GetBucketCors | Get the bucket's CORS configuration | comb:nos:GetBucketCors |
| PutBucketCors | Add CORS configuration to the bucket | comb:nos:PutBucketCors |
| DeleteBucketCors | Delete the bucket's CORS configuration | comb:nos:DeleteBucketCors |
| GetBucketDefault404 | Get the bucket's static-website default 404 setting | comb:nos:GetBucketDefault404 |
| PutBucketDefault404 | Set the bucket's static-website default 404 setting | comb:nos:PutBucketDefault404 |
| GetBucketDomain | Get the bucket's custom domain | comb:nos:GetBucketDomain |
| PutBucketDomain | Add a custom domain to the bucket | comb:nos:PutBucketDomain |
| DeleteBucketDomain | Delete the bucket's custom domain | comb:nos:DeleteBucketDomain |
| GetBucketLocation | Get the bucket's region | comb:nos:GetBucketLocation |
| GetBucketLoggingInfo | Get the bucket's logging configuration | comb:nos:GetBucketLoggingInfo |
| PutLoggingInfo | Set the bucket's logging configuration | comb:nos:PutLoggingInfo |
| GetBucketMirrorStorage | Get the bucket's mirror-to-origin configuration | comb:nos:GetBucketMirrorStorage |
| PutBucketMirrorStorage | Set the bucket's mirror-to-origin configuration | comb:nos:PutBucketMirrorStorage |
| GetBucketReferer | Get the bucket's referer hotlink-protection configuration | comb:nos:GetBucketReferer |
| PutBucketReferer | Set the bucket's referer hotlink-protection configuration | comb:nos:PutBucketReferer |
| GetBucketSync | Get the bucket's cross-region sync configuration | comb:nos:GetBucketSync |
| PutBucketSync | Set the bucket's cross-region sync configuration | comb:nos:PutBucketSync |
| DelBucketSync | Delete the bucket's cross-region sync configuration | comb:nos:DelBucketSync |
| GetBucketWebsite | Get the bucket's static website configuration | comb:nos:GetBucketWebsite |
| PutBucketWebsite | Set the bucket's static website configuration | comb:nos:PutBucketWebsite |
| DeleteBucketWebsite | Delete the bucket's static website configuration | comb:nos:DeleteBucketWebsite |

Policy management

NOS full access (NosFullAccess) includes the following Actions:

  • comb:nos:PutObject
  • comb:nos:DeleteObject
  • comb:nos:DeleteMultiObject
  • comb:nos:GetObject
  • comb:nos:GetBucket
  • comb:nos:PutBucket
  • comb:nos:HeadObject
  • comb:nos:InitMultiUpload
  • comb:nos:UploadPart
  • comb:nos:CompleteMultiUpload
  • comb:nos:ListPart
  • comb:nos:ListMultiUpload
  • comb:nos:AbortMultiUpload
  • comb:nos:CopyObject
  • comb:nos:MoveObject
  • comb:nos:UpdateObjectMeta
  • comb:nos:PutBucketAcl
  • comb:nos:GetBucketCors
  • comb:nos:PutBucketCors
  • comb:nos:DeleteBucketCors
  • comb:nos:GetBucketDefault404
  • comb:nos:PutBucketDefault404
  • comb:nos:GetBucketDomain
  • comb:nos:PutBucketDomain
  • comb:nos:DeleteBucketDomain
  • comb:nos:GetBucketLocation
  • comb:nos:GetBucketLoggingInfo
  • comb:nos:PutLoggingInfo
  • comb:nos:GetBucketMirrorStorage
  • comb:nos:PutBucketMirrorStorage
  • comb:nos:GetBucketReferer
  • comb:nos:PutBucketReferer
  • comb:nos:GetBucketSync
  • comb:nos:PutBucketSync
  • comb:nos:DelBucketSync
  • comb:nos:GetBucketWebsite
  • comb:nos:PutBucketWebsite
  • comb:nos:DeleteBucketWebsite

NOS read-only access (NosReadOnlyAccess) includes the following Actions:

  • comb:nos:GetObject
  • comb:nos:GetBucket
  • comb:nos:HeadObject
  • comb:nos:ListMultiUpload
  • comb:nos:GetBucketCors
  • comb:nos:GetBucketDefault404
  • comb:nos:GetBucketDomain
  • comb:nos:GetBucketLocation
  • comb:nos:GetBucketLoggingInfo
  • comb:nos:GetBucketMirrorStorage
  • comb:nos:GetBucketReferer
  • comb:nos:GetBucketSync
  • comb:nos:GetBucketWebsite

Examples

Q1. How do I allow a user to only write and read objects in a particular bucket?

A: To allow the user to write objects, the resource must include comb:nos:*:*:${bucketname}/*. With that resource alone, however, the user cannot list the bucket's objects; listing requires granting the bucket itself as a resource as well, as shown below:

{
    "version": 1,
    "statement": [
        {
            "action": [
                "comb:nos:*"
            ],
            "effect": "allow",
            "resource": [
                "comb:nos:*:*:${bucketname}",
                "comb:nos:*:*:${bucketname}/*"
            ]
        }
    ]
}
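The following Python script is an added example, not part of the NOS documentation. It evaluates three constructed policies for an assumed bucket named photos: the answer's object-only resource (listing fails), the answer's final policy (everything on that bucket, including PutBucketAcl, because the action is comb:nos:*), and a narrower policy that names only the PutObject, GetObject and GetBucket actions from the tables above. The deny-by-default glob-matching semantics, the bucket name, the request strings and the filler value in the fourth resource segment are assumptions, not NOS's real authorization logic.

```python
import fnmatch

# Constructed policies for a bucket called "photos" (assumed name, not from
# the NOS docs). OBJECTS_ONLY is the answer's first attempt, BUCKET_WILDCARD
# mirrors the answer's final policy, LEAST_PRIVILEGE grants only the three
# actions the question actually asked for.
OBJECTS_ONLY = {"version": 1, "statement": [
    {"action": ["comb:nos:*"], "effect": "allow",
     "resource": ["comb:nos:*:*:photos/*"]}]}

BUCKET_WILDCARD = {"version": 1, "statement": [
    {"action": ["comb:nos:*"], "effect": "allow",
     "resource": ["comb:nos:*:*:photos", "comb:nos:*:*:photos/*"]}]}

LEAST_PRIVILEGE = {"version": 1, "statement": [
    # object read/write is checked against the object-level resource
    {"action": ["comb:nos:PutObject", "comb:nos:GetObject"], "effect": "allow",
     "resource": ["comb:nos:cn-east-1:*:photos/*"]},
    # listing (GetBucket) is checked against the bucket-level resource
    {"action": ["comb:nos:GetBucket"], "effect": "allow",
     "resource": ["comb:nos:cn-east-1:*:photos"]}]}


def is_allowed(policy, action, resource):
    """Assumed semantics: deny by default; an 'allow' statement permits the
    request when a glob in its action list AND a glob in its resource list
    both match. NOS's real evaluator may apply additional rules."""
    for stmt in policy["statement"]:
        if stmt.get("effect") != "allow":
            continue
        if any(fnmatch.fnmatchcase(action, a) for a in stmt["action"]) and \
           any(fnmatch.fnmatchcase(resource, r) for r in stmt["resource"]):
            return True
    return False


def check(policy):
    """Run the requests a read/write user makes, plus two it should not."""
    # Requests follow the page's comb:nos:<region>:*:<bucket>[/<object>] layout;
    # the fourth segment is always * on the page, so "0" is constructed filler.
    obj = "comb:nos:cn-east-1:0:photos/cat.jpg"
    bkt = "comb:nos:cn-east-1:0:photos"
    return {
        "put_object": is_allowed(policy, "comb:nos:PutObject", obj),
        "get_object": is_allowed(policy, "comb:nos:GetObject", obj),
        "list_bucket": is_allowed(policy, "comb:nos:GetBucket", bkt),
        "put_acl": is_allowed(policy, "comb:nos:PutBucketAcl", bkt),
        "other_bucket": is_allowed(policy, "comb:nos:GetObject",
                                   "comb:nos:cn-east-1:0:private/cat.jpg"),
    }
```

Running check() on each policy shows that only the object-level resource blocks GetBucket, that comb:nos:* also lets the user change the bucket ACL, and that the narrower policy confines the user to reading, writing and listing in that one bucket and region.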