Example

更新时间:2022-05-20 18:00:59

Use System Policy

Read-only access to wos

System authorization policy “CDNWCloudWOSReadOnlyAccess”. It means Read access for all resources in WOS(Object Storage)

Fully manage the permission for wos resources created by the creator

System authorization policy “CDNWCloudWOSResourceCreatorAccess”. It means Full operation permission for wos resources created by the creator

Fully manage the permissions of wos

System authorization policy “CDNWCloudWOSFullAccess”. It means Full access for all resources in WOS(Object Storage)

China Premium Service控制台自助配置功能上线
Note: System will use the smaller/smallest policy when you grant multiple system policies to sub accounts. If you want to grant FullAccess permission, please just authorize “CDNWCloudWOSFullAccess” only.

Use custom policy

  1. After creating a new custom policy, you can authorize the custom policy to specified users

China Premium Service控制台自助配置功能上线

Method 1: Use visual configuration to create a new strategy

China Premium Service控制台自助配置功能上线

China Premium Service控制台自助配置功能上线

Method 2: Use a script to configure a new policy

China Premium Service控制台自助配置功能上线

Script Policy Instances

Access to the list of spaces

An example of the authorization policy created is as follows:

{
    "version": "1",
    "statement": [{
        "effect": "allow",
        "action": ["wos:GetService"],
        "resource": ["wsc:wos:*:*:*"]
    }]
}

Note: To use the sub-account of the console, you need to have the permission to obtain the space list, otherwise you may not be able to use other operations on the console normally.

Fully manage the permissions of a bucket

Suppose the bucket name is “testbucket”. Then the authorization policy created is as follows:

{
    "version": "1",
    "statement": [
        {
            "effect": "allow",
            "action": ["wos:*"],
            "resource": [
                "wsc:wos:*:*:testbucket",
                "wsc:wos:*:*:testbucket/*"
            ]
        }
    ]
}

Permission to operate a bucket resource

Assuming the bucket name is “testbucket”, the authorization policy created is as follows:


{
    "version": "1",
    "statement": [
        {
            "effect": "allow",
            "action": ["wos:GetBucket"],
            "resource": ["wsc:wos:*:*:testbucket"]
        },
        {
            "effect": "allow",
            "action": [
                "wos:PutObject",
                "wos:GetObject",
                "wos:DeleteObject",
                "wos:AbortMultipartUpload",
                "wos:ListParts"
            ]
            "resource": [
                "wsc:wos:*:*:testbucket/*"
            ]
        }
    ]
}

WOS directory level permissions

Assuming the bucket name is “testbucket”, there are some directories under this bucket, namely photo, video, and music; each directory has a category directory. The directory tree structure is as follows:

testbucket (space)
├── photo
│ ├── 2017
│ └── 2018
├── video
│ ├── 2016
│ ├── 2017
│ └── 2018 // Grant this directory read-only permission
└── music
├── 2017
└── 2018

Suppose we need to authorize a sub-account to have read-only access to the testbucket/video/2018/ directory. Two scenarios are introduced below.
Scenario 1: The sub-account knows the path of the file and only needs the permission to read the content of the file, not the permission to list the file.
The feature of this scenario is that the sub-account knows the full path of the file and can use the complete file path to read it directly document content. Usually we will grant such authority to a software system, and the file path in the system conforms to a certain rule (for example, the file name is an employee ID).

{
    "version": "1",
    "statement": [
        {
            "effect": "allow",
            "action": [
                "wos:GetObject"
            ],
            "resource": [
                "wsc:wos:*:*:testbucket/video/2018/*"
            ]
        }
    ]
}

Scenario 2: The sub-account uses the object storage console to access the directory testbucket/video/2018/ and
needs to create the following permissions:

List all bucket permissions
View the permissions of all resources under testbucket
Permission to operate resources under testbucket/video/2018

{
    "version": "1",
    "statement": [
        {
            "effect": "allow",
            "action": [
                "wos:GetService"
            ],
            "resource": [
                "wsc:wos:*:*:*"
            ]
        },
        {
            "effect": "allow",
            "action": [
                "wos:GetBucket"
            ],
            "resource": [
                "wsc:wos:*:*:testbucket"
            ]
        },
        {
            "effect": "allow",
            "action": [
                "wos:PutObject",
                "wos:DeleteObject",
                "wos:PutFolder",
                "wos:PutMediaOperation"
            ],
            "resource": [
                "wsc:wos:*:*:testbucket/video/2018/*"
            ]
        }
    ]
}

Access to view statistical analysis

An example of the authorization policy created is as follows:


{
    "version": "1",
    "statement": [{
        "action": ["wos:GetBucketAnalysis"],
        "effect": "allow",
        "resource": ["wsc:wos:*:*:*"]
    }]
}


本篇文档内容对您是否有帮助?
有帮助
我要反馈
提交成功!非常感谢您的反馈,我们会继续努力做到更好!