Example

Updated: 2022-05-20 18:00:59

Use a system policy

Read-only access to WOS

Grant the system authorization policy “CDNWCloudWOSReadOnlyAccess”. It grants read access to all resources in WOS (Object Storage).

Full control of the WOS resources created by the sub-account itself

Grant the system authorization policy “CDNWCloudWOSResourceCreatorAccess”. It grants full operation permission on the WOS resources that the sub-account created.

Full control of WOS

Grant the system authorization policy “CDNWCloudWOSFullAccess”. It grants full access to all resources in WOS (Object Storage).

Note: when several system policies are granted to the same sub-account, the system applies the most restrictive one. To grant full access, authorize only “CDNWCloudWOSFullAccess”.

Use a custom policy

  1. After creating a custom policy, you can attach it to the specified sub-accounts.

Method 1: Use the visual editor to create a new policy

Method 2: Write the policy as a script (JSON)

Script policy examples

Permission to list buckets (spaces)

An example of the authorization policy created is as follows:

{
    "version": "1",
    "statement": [{
        "effect": "allow",
        "action": ["wos:GetService"],
        "resource": ["wsc:wos:*:*:*"]
    }]
}

Note: a sub-account that uses the console must have permission to list buckets (wos:GetService); without it, other console operations may not work properly.

Full permissions on a single bucket

Suppose the bucket is named “testbucket”. The policy lists the bucket itself (testbucket) and the objects in it (testbucket/*) as two separate resource entries:

{
    "version": "1",
    "statement": [
        {
            "effect": "allow",
            "action": ["wos:*"],
            "resource": [
                "wsc:wos:*:*:testbucket",
                "wsc:wos:*:*:testbucket/*"
            ]
        }
    ]
}

Permission to list a bucket and operate on the objects in it

Assuming the bucket is named “testbucket”, the policy is as follows (the first statement covers the bucket, the second covers its objects):

{
    "version": "1",
    "statement": [
        {
            "effect": "allow",
            "action": ["wos:GetBucket"],
            "resource": ["wsc:wos:*:*:testbucket"]
        },
        {
            "effect": "allow",
            "action": [
                "wos:PutObject",
                "wos:GetObject",
                "wos:DeleteObject",
                "wos:AbortMultipartUpload",
                "wos:ListParts"
            ],
            "resource": [
                "wsc:wos:*:*:testbucket/*"
            ]
        }
    ]
}

WOS directory-level permissions

Assume the bucket is named “testbucket” and contains the directories photo, video and music, each of which holds one subdirectory per year. The directory tree is as follows:

testbucket (space)
├── photo
│   ├── 2017
│   └── 2018
├── video
│   ├── 2016
│   ├── 2017
│   └── 2018   // grant read-only permission on this directory
└── music
    ├── 2017
    └── 2018

Suppose we need to grant a sub-account read-only access to the testbucket/video/2018/ directory. Two scenarios are described below.
Scenario 1: The sub-account knows the path of each file and only needs permission to read the file's content, not permission to list the directory.
In this scenario the sub-account knows the full path of every object and reads it directly by that path. Such permission is usually granted to a software system whose object paths follow a fixed rule (for example, the file name is an employee ID).

{
    "version": "1",
    "statement": [
        {
            "effect": "allow",
            "action": [
                "wos:GetObject"
            ],
            "resource": [
                "wsc:wos:*:*:testbucket/video/2018/*"
            ]
        }
    ]
}

Scenario 2: The sub-account accesses the directory testbucket/video/2018/ through the object storage console, which needs the following permissions:

List all buckets
View all resources under testbucket
Operate on resources under testbucket/video/2018

Note that the third statement in the policy below grants write operations on that directory (wos:PutObject, wos:DeleteObject, wos:PutFolder, wos:PutMediaOperation) and does not include wos:GetObject; for strictly read-only access, use wos:GetObject there as in Scenario 1.

{
    "version": "1",
    "statement": [
        {
            "effect": "allow",
            "action": [
                "wos:GetService"
            ],
            "resource": [
                "wsc:wos:*:*:*"
            ]
        },
        {
            "effect": "allow",
            "action": [
                "wos:GetBucket"
            ],
            "resource": [
                "wsc:wos:*:*:testbucket"
            ]
        },
        {
            "effect": "allow",
            "action": [
                "wos:PutObject",
                "wos:DeleteObject",
                "wos:PutFolder",
                "wos:PutMediaOperation"
            ],
            "resource": [
                "wsc:wos:*:*:testbucket/video/2018/*"
            ]
        }
    ]
}
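The script policies above are only as safe as their resource patterns, and the page does not spell out how `*` is matched. The following is an added example, not code from the WOS documentation or from CDNetworks: a small evaluator that applies a policy to one request so the Scenario 1 and Scenario 2 policies (and the bucket-versus-object resource entries used in the full-bucket policy) can be checked before they are attached to a sub-account. Its matching rules are assumptions: `*` is the only wildcard and matches any run of characters including `/`, everything else is matched literally, and a request is denied unless some `allow` statement matches both its action and its resource. The region and account id in the request resources are placeholders.

```python
import json
import re

# Added example (not from the WOS documentation): a minimal policy evaluator.
# Assumptions, since the page does not define the matching rules:
#   - '*' is the only wildcard and matches any run of characters, including '/'
#   - every other character in an action/resource pattern is matched literally
#   - default deny: a request is allowed only if some "allow" statement matches
#     both its action and its resource


def _pattern_to_regex(pattern: str):
    """Turn a policy action/resource pattern into an anchored regex."""
    parts = (re.escape(part) for part in pattern.split("*"))
    return re.compile("^" + ".*".join(parts) + "$")


def _any_match(patterns, value: str) -> bool:
    return any(_pattern_to_regex(p).match(value) for p in patterns)


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """True only if an 'allow' statement covers both the action and the resource."""
    for stmt in policy["statement"]:
        if stmt.get("effect") != "allow":
            continue
        if _any_match(stmt["action"], action) and _any_match(stmt["resource"], resource):
            return True
    return False


# Scenario 1 policy from the page: read objects under testbucket/video/2018/ by full path.
READ_ONLY_2018 = json.loads("""
{
    "version": "1",
    "statement": [
        {"effect": "allow",
         "action": ["wos:GetObject"],
         "resource": ["wsc:wos:*:*:testbucket/video/2018/*"]}
    ]
}
""")

# Scenario 2 policy from the page: console listing plus operations under testbucket/video/2018/.
CONSOLE_2018 = json.loads("""
{
    "version": "1",
    "statement": [
        {"effect": "allow", "action": ["wos:GetService"],
         "resource": ["wsc:wos:*:*:*"]},
        {"effect": "allow", "action": ["wos:GetBucket"],
         "resource": ["wsc:wos:*:*:testbucket"]},
        {"effect": "allow",
         "action": ["wos:PutObject", "wos:DeleteObject", "wos:PutFolder", "wos:PutMediaOperation"],
         "resource": ["wsc:wos:*:*:testbucket/video/2018/*"]}
    ]
}
""")

# Constructed request resources; region and account id are placeholders (assumption).
BUCKET = "wsc:wos:example-region:123456:testbucket"
OBJ_2018 = BUCKET + "/video/2018/clip.mp4"
OBJ_2017 = BUCKET + "/video/2017/clip.mp4"


def check_scenario_1() -> dict:
    """Scenario 1 reads a known 2018 path but can neither list the bucket nor read 2017."""
    return {
        "get_2018": is_allowed(READ_ONLY_2018, "wos:GetObject", OBJ_2018),
        "get_2017": is_allowed(READ_ONLY_2018, "wos:GetObject", OBJ_2017),
        "list_bucket": is_allowed(READ_ONLY_2018, "wos:GetBucket", BUCKET),
    }


def check_scenario_2() -> dict:
    """Scenario 2 can list and write under 2018 only; its object statement lacks wos:GetObject."""
    return {
        "list_service": is_allowed(CONSOLE_2018, "wos:GetService", BUCKET),
        "list_bucket": is_allowed(CONSOLE_2018, "wos:GetBucket", BUCKET),
        "put_2018": is_allowed(CONSOLE_2018, "wos:PutObject", OBJ_2018),
        "put_2017": is_allowed(CONSOLE_2018, "wos:PutObject", OBJ_2017),
        "get_2018": is_allowed(CONSOLE_2018, "wos:GetObject", OBJ_2018),
    }


def bucket_entry_covers_objects() -> bool:
    """Under the assumed rules a bare bucket resource does not cover its objects,
    which is why the page's full-bucket policy lists testbucket and testbucket/*."""
    bucket_only = {"version": "1", "statement": [
        {"effect": "allow", "action": ["wos:*"], "resource": ["wsc:wos:*:*:testbucket"]}]}
    return is_allowed(bucket_only, "wos:GetObject", OBJ_2018)


if __name__ == "__main__":
    print(check_scenario_1())
    print(check_scenario_2())
    print("bucket entry alone covers objects:", bucket_entry_covers_objects())
```

Run it before attaching a policy: if `check_scenario_2()["get_2018"]` is False when the sub-account is supposed to read files, the action list on the `testbucket/video/2018/*` statement is missing `wos:GetObject`; if `bucket_entry_covers_objects()` is False under your provider's real matching rules as well, object operations need their own `bucket/*` resource entry.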

Permission to view statistical analysis

An example of the authorization policy created is as follows:

{
    "version": "1",
    "statement": [{
        "action": ["wos:GetBucketAnalysis"],
        "effect": "allow",
        "resource": ["wsc:wos:*:*:*"]
    }]
}
