Updated: 2022-01-07 15:41:24
System policy “CDNWCloudWOSReadOnlyAccess”: read access to all resources in WOS (Object Storage).
System policy “CDNWCloudWOSResourceCreatorAccess”: full access to the WOS resources that the sub-account itself created.
System policy “CDNWCloudWOSFullAccess”: full access to all resources in WOS (Object Storage).
Note: when several system policies are granted to the same sub-account, the most restrictive one takes effect. To grant full access, grant “CDNWCloudWOSFullAccess” on its own.
An example policy that grants only the permission to list all buckets (spaces), wos:GetService, is as follows:
{
  "version": "1",
  "statement": [{
    "effect": "allow",
    "action": ["wos:GetService"],
    "resource": ["wsc:wos:*:*:*"]
  }]
}
Note: a sub-account that uses the console needs the permission to list the buckets (spaces); without it, other console operations may not work.
Full access to a single bucket. Assuming the bucket is named “testbucket”, the policy is as follows (the first resource covers the bucket itself, the second covers every object in it):
{
  "version": "1",
  "statement": [
    {
      "effect": "allow",
      "action": ["wos:*"],
      "resource": [
        "wsc:wos:*:*:testbucket",
        "wsc:wos:*:*:testbucket/*"
      ]
    }
  ]
}
Listing a bucket plus reading, writing and deleting its objects, without any other bucket-level operation. Assuming the bucket is named “testbucket”, the policy is as follows:
{
  "version": "1",
  "statement": [
    {
      "effect": "allow",
      "action": ["wos:GetBucket"],
      "resource": ["wsc:wos:*:*:testbucket"]
    },
    {
      "effect": "allow",
      "action": [
        "wos:PutObject",
        "wos:GetObject",
        "wos:DeleteObject",
        "wos:AbortMultipartUpload",
        "wos:ListParts"
      ],
      "resource": [
        "wsc:wos:*:*:testbucket/*"
      ]
    }
  ]
}
Assuming the bucket is named “testbucket” and contains the directories photo, video and music, each with a sub-directory per year. The directory tree is as follows:
testbucket (space)
├── photo
│   ├── 2017
│   └── 2018
├── video
│   ├── 2016
│   ├── 2017
│   └── 2018 // Grant this directory read-only permission
└── music
    ├── 2017
    └── 2018
Suppose a sub-account needs read-only access to the testbucket/video/2018/ directory. Two scenarios are described below.
Scenario 1: the sub-account knows the path of each file and only needs permission to read the file contents, not permission to list the directory.
In this scenario the sub-account knows the full path of every object and reads it directly by that path. This kind of grant is usually given to a software system whose object keys follow a known rule (for example, the key is an employee ID). Because no list permission is granted, the account cannot discover objects it was not told about.
{
  "version": "1",
  "statement": [
    {
      "effect": "allow",
      "action": [
        "wos:GetObject"
      ],
      "resource": [
        "wsc:wos:*:*:testbucket/video/2018/*"
      ]
    }
  ]
}
Scenario 2: the sub-account uses the object storage console to access the directory testbucket/video/2018/. The following permissions are needed:
List all buckets (wos:GetService), so the console can show the bucket list
List the resources under testbucket (wos:GetBucket), so the console can show the bucket's contents
Operate on the resources under testbucket/video/2018
Note that the third statement below grants wos:PutObject, wos:DeleteObject, wos:PutFolder and wos:PutMediaOperation under that prefix but not wos:GetObject. If the account is meant to be read-only, as stated above, trim that action list to the read operations you actually intend (for example wos:GetObject); every action listed is a standing grant.
{
  "version": "1",
  "statement": [
    {
      "effect": "allow",
      "action": [
        "wos:GetService"
      ],
      "resource": [
        "wsc:wos:*:*:*"
      ]
    },
    {
      "effect": "allow",
      "action": [
        "wos:GetBucket"
      ],
      "resource": [
        "wsc:wos:*:*:testbucket"
      ]
    },
    {
      "effect": "allow",
      "action": [
        "wos:PutObject",
        "wos:DeleteObject",
        "wos:PutFolder",
        "wos:PutMediaOperation"
      ],
      "resource": [
        "wsc:wos:*:*:testbucket/video/2018/*"
      ]
    }
  ]
}
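Before assigning a custom policy to a sub-account it is worth checking, offline, which action/resource pairs it actually allows. The following Python script is an added example for the Scenario 1 and Scenario 2 policies above (and works the same way for the bucket-level policies earlier on this page); it is not the WOS policy engine and not code from this documentation. It assumes that “*” in an action or resource string matches any run of characters, that access is denied unless some statement allows it, and that an explicit "deny" effect overrides any allow. The resource prefix "wsc:wos:region-1:123456:" and the function names res, is_allowed and over_privilege are constructed placeholders.

```python
"""Offline simulator for WOS-style authorization policies (added example).

Assumptions, not documented behaviour of WOS: '*' is a glob-style wildcard
in both "action" and "resource"; default deny; an explicit "deny" wins.
"""
import re

# Constructed placeholder for the two wildcard segments of a resource name;
# the meaning of those segments is not described on this page.
RES_PREFIX = "wsc:wos:region-1:123456:"


def res(path):
    """Build a resource name such as wsc:wos:region-1:123456:testbucket/x."""
    return RES_PREFIX + path


# The two scenario policies from the page, as Python dicts instead of JSON text.
SCENARIO_1 = {
    "version": "1",
    "statement": [
        {"effect": "allow",
         "action": ["wos:GetObject"],
         "resource": ["wsc:wos:*:*:testbucket/video/2018/*"]},
    ],
}

SCENARIO_2 = {
    "version": "1",
    "statement": [
        {"effect": "allow",
         "action": ["wos:GetService"],
         "resource": ["wsc:wos:*:*:*"]},
        {"effect": "allow",
         "action": ["wos:GetBucket"],
         "resource": ["wsc:wos:*:*:testbucket"]},
        {"effect": "allow",
         "action": ["wos:PutObject", "wos:DeleteObject",
                    "wos:PutFolder", "wos:PutMediaOperation"],
         "resource": ["wsc:wos:*:*:testbucket/video/2018/*"]},
    ],
}


def _wildcard_match(pattern, value):
    """'*' matches any run of characters; everything else is literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def is_allowed(policy, action, resource):
    """Default deny; an explicit deny statement wins over any allow."""
    allowed = False
    for stmt in policy["statement"]:
        if not any(_wildcard_match(a, action) for a in stmt["action"]):
            continue
        if not any(_wildcard_match(r, resource) for r in stmt["resource"]):
            continue
        if stmt["effect"] == "deny":
            return False
        if stmt["effect"] == "allow":
            allowed = True
    return allowed


def over_privilege(policy, intended, probes):
    """Return the (action, resource) probes the policy allows beyond `intended`."""
    return sorted(
        (a, r) for a, r in probes
        if is_allowed(policy, a, r) and (a, r) not in intended
    )


def main():
    video = res("testbucket/video/2018/clip.mp4")   # constructed object key
    other = res("testbucket/video/2017/clip.mp4")   # outside the 2018 prefix
    # Read-only intent for the 2018 directory, as stated on the page.
    intended = {("wos:GetObject", video)}
    probes = [
        ("wos:GetObject", video),
        ("wos:GetObject", other),
        ("wos:PutObject", video),
        ("wos:DeleteObject", video),
        ("wos:GetBucket", res("testbucket")),
    ]
    for name, policy in (("scenario 1", SCENARIO_1), ("scenario 2", SCENARIO_2)):
        print(name, "grants beyond read-only:",
              over_privilege(policy, intended, probes))


if __name__ == "__main__":
    main()
```

Running the script shows that the Scenario 1 policy grants nothing beyond reading objects under video/2018, while the Scenario 2 policy as written allows uploading and deleting under that prefix and listing the bucket, but not reading object contents; the same probe technique can be pointed at any custom policy before it is attached to a sub-account.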
An example policy that grants the wos:GetBucketAnalysis action on all WOS resources is as follows:
{
  "version": "1",
  "statement": [{
    "action": ["wos:GetBucketAnalysis"],
    "effect": "allow",
    "resource": ["wsc:wos:*:*:*"]
  }]
}