子账号权限管理
可授权 NOS Action 和对应资源
Note
${bucket} 和 ${object} 分别表示具体桶名称以及对象名称 ${region}表示分区名称,目前支持 * 、cn-east-1、cn-north-1,其中 * 表示所有分区,cn-east-1表示杭州分区,cn-north-1表示北京分区
| Action | Action 描述 | 资源 |
|---|---|---|
| comb:nos:PutObject | 上传对象至桶 | comb:nos:${region}:*:${bucket}/${object} |
| comb:nos:DeleteObject | 删除对象 | comb:nos:${region}:*:${bucket}/${object} |
| comb:nos:DeleteMultiObject | 删除多个对象 | comb:nos:${region}:*:${bucket} |
| comb:nos:GetObject | 读取对象内容 | comb:nos:${region}:*:${bucket}/${object} |
| comb:nos:PutBucket | 创建桶 | comb:nos:${region}:*:${bucket} |
| comb:nos:GetBucket | 拉取全部对象 | comb:nos:${region}:*:${bucket} |
| comb:nos:HeadObject | 获取对象信息 | comb:nos:${region}:*:${bucket}/${object} |
| comb:nos:InitMultiUpload | 初始化分块上传 | comb:nos:${region}:*:${bucket}/${object} |
| comb:nos:UploadPart | 上传分块数据 | comb:nos:${region}:*:${bucket}/${object} |
| comb:nos:CompleteMultiUpload | 提交分块上传 | comb:nos:${region}:*:${bucket}/${object} |
| comb:nos:ListPart | 拉取全部分块信息 | comb:nos:${region}:*:${bucket}/${object} |
| comb:nos:ListMultiUpload | 列出桶的分块上传列表 | comb:nos:${region}:*:${bucket} |
| comb:nos:AbortMultiUpload | 终止分块上传 | comb:nos:${region}:*:${bucket}/${object} |
| comb:nos:CopyObject | 拷贝对象 | comb:nos:${region}:*:${bucket}/${object} |
| comb:nos:MoveObject | 移动对象 | comb:nos:${region}:*:${bucket}/${object} |
| comb:nos:UpdateObjectMeta | 修改对象元数据 | comb:nos:${region}:*:${bucket}/${object} |
| comb:nos:PutBucketAcl | 修改桶的ACL | comb:nos:${region}:*:${bucket} |
| comb:nos:GetBucketCors | 获取桶的跨域信息 | comb:nos:${region}:*:${bucket} |
| comb:nos:PutBucketCors | 增加桶的跨域信息 | comb:nos:${region}:*:${bucket} |
| comb:nos:DeleteBucketCors | 删除桶的跨域信息 | comb:nos:${region}:*:${bucket} |
| comb:nos:GetBucketDefault404 | 获取桶的静态网页default404信息 | comb:nos:${region}:*:${bucket} |
| comb:nos:PutBucketDefault404 | 设置桶的静态网页default404信息 | comb:nos:${region}:*:${bucket} |
| comb:nos:GetBucketDomain | 获取桶的自定义域名 | comb:nos:${region}:*:${bucket} |
| comb:nos:PutBucketDomain | 增加桶的自定义域名 | comb:nos:${region}:*:${bucket} |
| comb:nos:DeleteBucketDomain | 删除桶的自定义域名 | comb:nos:${region}:*:${bucket} |
| comb:nos:GetBucketLocation | 获取桶的分区 | comb:nos:${region}:*:${bucket} |
| comb:nos:GetBucketLoggingInfo | 获取桶的日志信息 | comb:nos:${region}:*:${bucket} |
| comb:nos:PutLoggingInfo | 设置桶的日志信息 | comb:nos:${region}:*:${bucket} |
| comb:nos:GetBucketMirrorStorage | 获取桶的镜像回源信息 | comb:nos:${region}:*:${bucket} |
| comb:nos:PutBucketMirrorStorage | 设置桶的镜像回源信息 | comb:nos:${region}:*:${bucket} |
| comb:nos:GetBucketReferer | 获取桶的referer防盗链信息 | comb:nos:${region}:*:${bucket} |
| comb:nos:PutBucketReferer | 设置桶的referer防盗链信息 | comb:nos:${region}:*:${bucket} |
| comb:nos:GetBucketSync | 获取桶的跨分区同步信息 | comb:nos:${region}:*:${bucket} |
| comb:nos:PutBucketSync | 设置桶的跨分区同步信息 | comb:nos:${region}:*:${bucket} |
| comb:nos:DelBucketSync | 删除桶的跨分区同步信息 | comb:nos:${region}:*:${bucket} |
| comb:nos:GetBucketWebsite | 获取桶的静态网站配置信息 | comb:nos:${region}:*:${bucket} |
| comb:nos:PutBucketWebsite | 设置桶的静态网站配置信息 | comb:nos:${region}:*:${bucket} |
| comb:nos:DeleteBucketWebsite | 删除桶的静态网站配置信息 | comb:nos:${region}:*:${bucket} |
NOS API 接口和对应的 NOS Action
Note
ListBucket 的 Action 默认对所有子账号开放。
| API | Action 描述 | Action |
|---|---|---|
| PutObject | 上传对象至桶 | comb:nos:PutObject |
| DeleteObject | 删除对象 | comb:nos:DeleteObject |
| DeleteMultiObject | 删除多个对象 | comb:nos:DeleteMultiObject |
| GetObject | 读取对象内容 | comb:nos:GetObject |
| GetBucket | 拉取全部对象 | comb:nos:GetBucket |
| PutBucket | 创建桶 | comb:nos:PutBucket |
| ListObject | 拉取全部对象 | comb:nos:GetBucket |
| HeadObject | 获取对象信息 | comb:nos:HeadObject |
| InitMultiUpload | 初始化分块上传 | comb:nos:InitMultiUpload |
| UploadPart | 上传分块数据 | comb:nos:UploadPart |
| CompleteMultiUpload | 提交分块上传 | comb:nos:CompleteMultiUpload |
| ListPart | 拉取全部分块信息 | comb:nos:ListPart |
| ListMultiUpload | 列出桶的分块上传列表 | comb:nos:ListMultiUpload |
| AbortMultiUpload | 终止分块上传 | comb:nos:AbortMultiUpload |
| CopyObject | 拷贝对象 | comb:nos:CopyObject |
| MoveObject | 移动对象 | comb:nos:MoveObject |
| UpdateObjectMeta | 修改对象元数据 | comb:nos:UpdateObjectMeta |
| PutBucketAcl | 修改桶的ACL | comb:nos:PutBucketAcl |
| GetBucketCors | 获取桶的跨域信息 | comb:nos:GetBucketCors |
| PutBucketCors | 增加桶的跨域信息 | comb:nos:PutBucketCors |
| DeleteBucketCors | 删除桶的跨域信息 | comb:nos:DeleteBucketCors |
| GetBucketDefault404 | 获取桶的静态网页default404信息 | comb:nos:GetBucketDefault404 |
| PutBucketDefault404 | 设置桶的静态网页default404信息 | comb:nos:PutBucketDefault404 |
| GetBucketDomain | 获取桶的自定义域名 | comb:nos:GetBucketDomain |
| PutBucketDomain | 增加桶的自定义域名 | comb:nos:PutBucketDomain |
| DeleteBucketDomain | 删除桶的自定义域名 | comb:nos:DeleteBucketDomain |
| GetBucketLocation | 获取桶的分区 | comb:nos:GetBucketLocation |
| GetBucketLoggingInfo | 获取桶的日志信息 | comb:nos:GetBucketLoggingInfo |
| PutLoggingInfo | 设置桶的日志信息 | comb:nos:PutLoggingInfo |
| GetBucketMirrorStorage | 获取桶的镜像回源信息 | comb:nos:GetBucketMirrorStorage |
| PutBucketMirrorStorage | 设置桶的镜像回源信息 | comb:nos:PutBucketMirrorStorage |
| GetBucketReferer | 获取桶的referer防盗链信息 | comb:nos:GetBucketReferer |
| PutBucketReferer | 设置桶的referer防盗链信息 | comb:nos:PutBucketReferer |
| GetBucketSync | 获取桶的跨分区同步信息 | comb:nos:GetBucketSync |
| PutBucketSync | 设置桶的跨分区同步信息 | comb:nos:PutBucketSync |
| DelBucketSync | 删除桶的跨分区同步信息 | comb:nos:DelBucketSync |
| GetBucketWebsite | 获取桶的静态网站配置信息 | comb:nos:GetBucketWebsite |
| PutBucketWebsite | 设置桶的静态网站配置信息 | comb:nos:PutBucketWebsite |
| DeleteBucketWebsite | 删除桶的静态网站配置信息 | comb:nos:DeleteBucketWebsite |
策略管理
NOS 管理权限 (NosFullAccess) 包括如下 Action:
- comb:nos:PutObject
- comb:nos:DeleteObject
- comb:nos:DeleteMultiObject
- comb:nos:GetObject
- comb:nos:GetBucket
- comb:nos:PutBucket
- comb:nos:HeadObject
- comb:nos:InitMultiUpload
- comb:nos:UploadPart
- comb:nos:CompleteMultiUpload
- comb:nos:ListPart
- comb:nos:ListMultiUpload
- comb:nos:AbortMultiUpload
- comb:nos:CopyObject
- comb:nos:MoveObject
- comb:nos:UpdateObjectMeta
- comb:nos:PutBucketAcl
- comb:nos:GetBucketCors
- comb:nos:PutBucketCors
- comb:nos:DeleteBucketCors
- comb:nos:GetBucketDefault404
- comb:nos:PutBucketDefault404
- comb:nos:GetBucketDomain
- comb:nos:PutBucketDomain
- comb:nos:DeleteBucketDomain
- comb:nos:GetBucketLocation
- comb:nos:GetBucketLoggingInfo
- comb:nos:PutLoggingInfo
- comb:nos:GetBucketMirrorStorage
- comb:nos:PutBucketMirrorStorage
- comb:nos:GetBucketReferer
- comb:nos:PutBucketReferer
- comb:nos:GetBucketSync
- comb:nos:PutBucketSync
- comb:nos:DelBucketSync
- comb:nos:GetBucketWebsite
- comb:nos:PutBucketWebsite
- comb:nos:DeleteBucketWebsite
NOS 只读权限 ( NosReadOnlyAccess) 包括如下 Action:
- comb:nos:GetObject
- comb:nos:GetBucket
- comb:nos:HeadObject
- comb:nos:ListMultiUpload
- comb:nos:GetBucketCors
- comb:nos:GetBucketDefault404
- comb:nos:GetBucketDomain
- comb:nos:GetBucketLocation
- comb:nos:GetBucketLoggingInfo
- comb:nos:GetBucketMirrorStorage
- comb:nos:GetBucketReferer
- comb:nos:GetBucketSync
- comb:nos:GetBucketWebsite
举例
Q1.只允许某个用户往某个桶里面进行对象的写入和读取该怎么写?
A: 如果要允许用户写入object 则 resource 要加comb:nos:::${bucketname} /*,但是此时该用户无法读取文件列表,如需读取文件列表需要对bucket赋予权限,如下所示:
{
"version": 1,
"statement": [
{
"action": [
"comb:nos:*"
],
"effect": "allow",
"resource": [
"comb:nos:*:*:${bucketname}",
"comb:nos:*:*:${bucketname}/*"
]
}
]
}
