Instances

Last updated: 2022-01-07 15:41:24

Use System Policy

Read-only access to wos

System authorization policy “CDNWCloudWOSReadOnlyAccess”: read access to all resources in WOS (Object Storage).

Fully manage the permission for wos resources created by the creator

System authorization policy “CDNWCloudWOSResourceCreatorAccess”: full operation permission on the WOS resources created by the creator.

Fully manage the permissions of wos

System authorization policy “CDNWCloudWOSFullAccess”: full access to all resources in WOS (Object Storage).

Note: When multiple system policies are granted to a sub-account, the system applies the smaller (most restrictive) one. If you want to grant FullAccess permission, authorize “CDNWCloudWOSFullAccess” only.

Use custom policy

  1. After creating a new custom policy, you can grant that custom policy to specified users.


Method 1: Use the visual configuration to create a new policy

Method 2: Use a script to configure a new policy


Script Policy Instances

Permission to list spaces (buckets)

An example of the authorization policy created is as follows:

{
    "version": "1",
    "statement": [{
        "effect": "allow",
        "action": ["wos:GetService"],
        "resource": ["wsc:wos:*:*:*"]
    }]
}

Note: A sub-account that uses the console must have permission to obtain the space list; otherwise other console operations may not work normally.

Fully manage the permissions of a bucket

Suppose the bucket name is “testbucket”. Then the authorization policy created is as follows:

{
    "version": "1",
    "statement": [
        {
            "effect": "allow",
            "action": ["wos:*"],
            "resource": [
                "wsc:wos:*:*:testbucket",
                "wsc:wos:*:*:testbucket/*"
            ]
        }
    ]
}

Permission to operate on the resources in a bucket

Assuming the bucket name is “testbucket”, the authorization policy created is as follows:

{
    "version": "1",
    "statement": [
        {
            "effect": "allow",
            "action": ["wos:GetBucket"],
            "resource": ["wsc:wos:*:*:testbucket"]
        },
        {
            "effect": "allow",
            "action": [
                "wos:PutObject",
                "wos:GetObject",
                "wos:DeleteObject",
                "wos:AbortMultipartUpload",
                "wos:ListParts"
            ],
            "resource": [
                "wsc:wos:*:*:testbucket/*"
            ]
        }
    ]
}

WOS directory level permissions

Assuming the bucket name is “testbucket”, the bucket contains the directories photo, video, and music, and each of these contains category subdirectories. The directory tree is as follows:

testbucket (space)
├── photo
│   ├── 2017
│   └── 2018
├── video
│   ├── 2016
│   ├── 2017
│   └── 2018 // Grant this directory read-only permission
└── music
    ├── 2017
    └── 2018

Suppose we need to grant a sub-account read-only access to the testbucket/video/2018/ directory. Two scenarios are described below.
Scenario 1: The sub-account knows the path of the file and only needs permission to read the file content, not permission to list files.
In this scenario the sub-account knows the full path of the file and can read the file content directly using that complete path. Such permission is usually granted to a software system whose file paths follow a fixed rule (for example, the file name is an employee ID).

{
    "version": "1",
    "statement": [
        {
            "effect": "allow",
            "action": [
                "wos:GetObject"
            ],
            "resource": [
                "wsc:wos:*:*:testbucket/video/2018/*"
            ]
        }
    ]
}

Scenario 2: The sub-account uses the object storage console to access the directory testbucket/video/2018/ and needs the following permissions:

Permission to list all buckets
Permission to view all resources under testbucket
Permission to operate on resources under testbucket/video/2018

{
    "version": "1",
    "statement": [
        {
            "effect": "allow",
            "action": [
                "wos:GetService"
            ],
            "resource": [
                "wsc:wos:*:*:*"
            ]
        },
        {
            "effect": "allow",
            "action": [
                "wos:GetBucket"
            ],
            "resource": [
                "wsc:wos:*:*:testbucket"
            ]
        },
        {
            "effect": "allow",
            "action": [
                "wos:PutObject",
                "wos:DeleteObject",
                "wos:PutFolder",
                "wos:PutMediaOperation"
            ],
            "resource": [
                "wsc:wos:*:*:testbucket/video/2018/*"
            ]
        }
    ]
}
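To make the difference between the directory-level policies above concrete, here is a small policy evaluator (added example, not CDNetworks code). It assumes the evaluation model common to such policy languages: default deny, `*` as the only wildcard, and a resource string of the form `wsc:wos:<region>:<account>:<path>`; the region and account values are constructed.

```python
import re

# Constructed copies of two policies shown on this page, as Python dicts.
SCENARIO_1_POLICY = {  # read by full path only, no listing permission
    "version": "1",
    "statement": [{"effect": "allow",
                   "action": ["wos:GetObject"],
                   "resource": ["wsc:wos:*:*:testbucket/video/2018/*"]}],
}
BUCKET_FULL_POLICY = {  # "Fully manage the permissions of a bucket"
    "version": "1",
    "statement": [{"effect": "allow",
                   "action": ["wos:*"],
                   "resource": ["wsc:wos:*:*:testbucket",
                                "wsc:wos:*:*:testbucket/*"]}],
}


def _wild(pattern: str, value: str) -> bool:
    """'*' matches any run of characters; everything else is literal (assumed)."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def resource_matches(pattern: str, resource: str) -> bool:
    """Compare 'wsc:wos:<region>:<account>:<path>' field by field, so a '*'
    in the region or account field cannot swallow a ':' separator."""
    p, r = pattern.split(":", 4), resource.split(":", 4)
    return len(p) == len(r) == 5 and all(_wild(a, b) for a, b in zip(p, r))


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Default deny: the request passes only if some 'allow' statement
    matches both the action and the resource (evaluation model assumed)."""
    return any(
        stmt.get("effect") == "allow"
        and any(_wild(a, action) for a in stmt["action"])
        and any(resource_matches(r, resource) for r in stmt["resource"])
        for stmt in policy.get("statement", [])
    )


if __name__ == "__main__":
    res = "wsc:wos:cn-north:123456:testbucket"  # constructed region and account
    print(is_allowed(SCENARIO_1_POLICY, "wos:GetObject", res + "/video/2018/a.mp4"))  # True
    print(is_allowed(SCENARIO_1_POLICY, "wos:GetObject", res + "/video/2017/a.mp4"))  # False
    print(is_allowed(SCENARIO_1_POLICY, "wos:GetBucket", res))  # False: cannot list
    print(is_allowed(BUCKET_FULL_POLICY, "wos:GetBucket", res))  # True
```

The last two checks show why the bucket-level policy lists both `testbucket` and `testbucket/*`: the `/*` pattern alone never matches the bucket itself, so GetBucket would be denied.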

Permission to view statistical analysis

An example of the authorization policy created is as follows:

{
    "version": "1",
    "statement": [{
        "action": ["wos:GetBucketAnalysis"],
        "effect": "allow",
        "resource": ["wsc:wos:*:*:*"]
    }]
}