tencent cloud

Cloud Object Storage

Release Notes and Announcements
Release Notes
Announcements
Product Introduction
Overview
Features
Use Cases
Strengths
Concepts
Regions and Access Endpoints
Specifications and Limits
Service Regions and Service Providers
Billing
Billing Overview
Billing Method
Billable Items
Free Tier
Billing Examples
Viewing and Downloading Bill
Payment Overdue
FAQs
Getting Started
Console
Getting Started with COSBrowser
User Guide
Creating Request
Bucket
Object
Data Management
Batch Operation
Global Acceleration
Monitoring and Alarms
Operations Center
Data Processing
Content Moderation
Smart Toolbox
Data Processing Workflow
Application Integration
User Tools
Tool Overview
Installation and Configuration of Environment
COSBrowser
COSCLI (Beta)
COSCMD
COS Migration
FTP Server
Hadoop
COSDistCp
HDFS TO COS
GooseFS-Lite
Online Tools
Diagnostic Tool
Use Cases
Overview
Access Control and Permission Management
Performance Optimization
Accessing COS with AWS S3 SDK
Data Disaster Recovery and Backup
Domain Name Management Practice
Image Processing
Audio/Video Practices
Workflow
Direct Data Upload
Content Moderation
Data Security
Data Verification
Big Data Practice
COS Cost Optimization Solutions
Using COS in the Third-party Applications
Migration Guide
Migrating Local Data to COS
Migrating Data from Third-Party Cloud Storage Service to COS
Migrating Data from URL to COS
Migrating Data Within COS
Migrating Data Between HDFS and COS
Data Lake Storage
Cloud Native Datalake Storage
Metadata Accelerator
GooseFS
Data Processing
Data Processing Overview
Image Processing
Media Processing
Content Moderation
File Processing Service
File Preview
Troubleshooting
Obtaining RequestId
Slow Upload over Public Network
403 Error for COS Access
Resource Access Error
POST Object Common Exceptions
API Documentation
Introduction
Common Request Headers
Common Response Headers
Error Codes
Request Signature
Action List
Service APIs
Bucket APIs
Object APIs
Batch Operation APIs
Data Processing APIs
Job and Workflow
Content Moderation APIs
Cloud Antivirus API
SDK Documentation
SDK Overview
Preparations
Android SDK
C SDK
C++ SDK
.NET(C#) SDK
Flutter SDK
Go SDK
iOS SDK
Java SDK
JavaScript SDK
Node.js SDK
PHP SDK
Python SDK
React Native SDK
Mini Program SDK
Error Codes
Harmony SDK
Endpoint SDK Quality Optimization
Security and Compliance
Data Disaster Recovery
Data Security
Cloud Access Management
FAQs
Popular Questions
General
Billing
Domain Name Compliance Issues
Bucket Configuration
Domain Names and CDN
Object Operations
Logging and Monitoring
Permission Management
Data Processing
Data Security
Pre-signed URL Issues
SDKs
Tools
APIs
Agreements
Service Level Agreement
Privacy Policy
Data Processing And Security Agreement
Contact Us
Glossary
DocumentaçãoCloud Object StorageSecurity and ComplianceCloud Access ManagementAccess Permission Configuration DescriptionAccess Control OverviewBasic Concepts of Access Control

Basic Concepts of Access Control

PDF
Modo Foco
Tamanho da Fonte
Última atualização: 2024-03-25 15:33:39
COS resources (buckets and objects) are private by default. Only Tencent Cloud root accounts (resource owners) can access and modify them. Other unauthorized users (such as sub-accounts and anonymous users) cannot access objects by using URLs.
After creating a Tencent Cloud sub-account, you can configure an access policy to authorize it. If you want to open up resources (buckets, objects, and directories) to non-Tencent Cloud users, you can set the permissions of the resources to public read.




Access Control Elements

You can grant access permissions by specifying a user to perform a specified action on specified resources under a specified condition. Generally, the following four elements are used to describe an access policy: principal, resource, action, and condition (optional).




Access Policy Elements

Tencent Cloud identity (principal)

When you sign up for a Tencent Cloud account, the system creates a root account identity for you to log in to Tencent Cloud services. With the root account, you can use the user management feature to manage different user types, such as collaborator, message recipient, sub-user, and role. For more information, see User Types and Glossary of CAM.
Note:
Suppose you want to authorize a colleague, you first need to create a sub-user in the CAM console, select a bucket policy, ACL, and/or user policy to set specific permissions for the sub-user.

COS resources

Buckets and objects are basic resources of the COS service. Folders are a special type of object. You can authorize objects in a folder by authorizing the folder. For more information, see Setting Folder Permissions.
Buckets and objects have subresources associated with them.
Subresources associated with a bucket include:
acl and policy: Access control list of a bucket
website: Static website hosting configuration of a bucket
tagging: Tag information of a bucket
cors: Cross-origin resource sharing (CORS) configuration of a bucket
lifecycle: Lifecycle configuration of a bucket
Subresources associated with an object include:
acl: Access control information of an object
restore: Restoration configuration of an archived object

COS operations (actions)

COS provides a range of API operations on various resources. For more information, see Operation List.

COS conditions (optional)

COS conditions refer to conditions for permissions to take effect, such as VPC and VIP. For more information, see Conditions.

Private Principle

Note:
COS resources are private by default.
The resource owner (the Tencent Cloud root account creating a bucket resource) has the highest permission on the resource, and can grant access permissions to others or anonymous users by writing or modifying an access policy.
When a CAM account is used to create a bucket or upload an object, its parent root account is the resource owner.
The root account of a bucket owner can authorize other Tencent Cloud root accounts to upload objects (i.e. cross-account upload). In this case, the object owner is still the root account of the bucket owner.

Access Control Methods

COS provides multiple permission setting methods to implement access control, including bucket policy, user policy (CAM policy), bucket ACL, and object ACL.
These methods can be categorized into resource-based authorization and user-based authorization based on the starting point of policy setting, or categorized into policy-based authorization and ACL-based authorization based on the authorization mode.



Categorization option 1: Resource-based authorization vs. user-based authorization


Resource-based authorization: Resource policies associate permissions with specific resources, including bucket policies, bucket ACLs, and object ACLs. Resource policies can be configured in the COS console or through APIs.
User-based authorization: User policies (CAM policies) associate permissions with users. When configuring a user-based policy, you don't need to specify users. Instead, you only need to specify resources, actions, conditions, and so on. User policies can be configured in the CAM console.
Categorization option 2: Policy-based authorization vs. ACL-based authorization


Policy-based authorization: Both user policies (CAM policies) and bucket policies implement authorization based on complete policy syntax. They authorize refined actions specific to each API and allow specifying the allow or deny effect.
ACL-based authorization: Bucket ACLs and object ACLs are implemented based on ACLs. An ACL is a list of specified grantees and granted permissions, which is associated with resources and corresponds to organized and abstracted permissions. ACLs allow specifying only the allow effect.

Resource-based policy

Resource-based policies are categorized into three types: bucket policy, bucket ACL, and object ACL. COS supports access control at both the bucket and object levels as detailed below:
Dimension
Type
Language
Supported Identity
Supported Resource Granularity
Supported Action
Supported Effect
Bucket
Access policy language (Policy)
JSON
Sub-accounts, roles, Tencent Cloud services, other root accounts, anonymous users, etc.
Buckets, objects, prefixes, etc.
Each specific action
Allow/Deny
Bucket
Access control list (ACL)
XML
Other root accounts, sub-accounts, anonymous users, etc.
Buckets
Read and write actions
Allow
Object
Access control list (ACL)
XML
Other root accounts, sub-accounts, anonymous users, etc.
Objects
Read and write actions
Allow

Bucket policy

A bucket policy is described in JSON language and supports granting anonymous identities or any Tencent Cloud CAM accounts the permissions to access and manipulate buckets and objects. In COS, a bucket policy can be used to manage almost all operations in the bucket. We recommend you use a bucket policy to manage access policies that cannot be described by ACLs. For more information, see Bucket Policy.
Note:
A Tencent Cloud root account has the highest permission on its resources (including buckets). Although you can set limits on almost all operations in a bucket policy, the root account always has the permission for the PUT Bucket Policy operation and can call this operation without checking the bucket policy.
The following policy allows anonymous users to access all objects in the bucket examplebucket-1250000000 in Guangzhou and to download all objects (via GetObject) in the bucket without signature verification. In this case, any anonymous user who knows the URLs can download the objects (similar to public read):
{
  "Statement": [
    {
      "Principal": "*",
      "Effect": "Allow",
      "Action": ["cos:GetObject"],
      "Resource": ["qcs::cos:ap-guangzhou:uid/1250000000:examplebucket-1250000000/*"]
    }
  ],
  "Version": "2.0"
}

ACL

An ACL is described in XML language. It is a list of specified grantees and granted permissions. Each bucket or object has an associated ACL, which allows granting basis read/write permissions to anonymous users or other Tencent Cloud root accounts. For more information, see ACL.
Note:
The resource owner always has the FULL_CONTROL permission on the resource, regardless of whether this is described in the distributed ACL.
The bucket ACL in the following example describes the full control permission of the bucket owner (UIN: 100000000001):
<AccessControlPolicy>
  <Owner>
    <ID>qcs::cam::uin/100000000001:uin/100000000001</ID>
  </Owner>
  <AccessControlList>
    <Grant>
      <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="RootAccount">
        <ID>qcs::cam::uin/100000000001:uin/100000000001</ID>
      </Grantee>
      <Permission>FULL_CONTROL</Permission>
    </Grant>
  </AccessControlList>
</AccessControlPolicy>
The object ACL in the following example describes the full control permission of the object owner (UIN: 100000000001) and grants the read permission to all users (the public-read permission to anonymous users):
<AccessControlPolicy>
  <Owner>
    <ID>qcs::cam::uin/100000000001:uin/100000000001</ID>
  </Owner>
  <AccessControlList>
    <Grant>
      <Grantee>
        <ID>qcs::cam::uin/100000000001:uin/100000000001</ID>
      </Grantee>
      <Permission>FULL_CONTROL</Permission>
    </Grant>
    <Grant>
      <Grantee>
        <URI>http://cam.qcloud.com/groups/global/AllUsers</URI>
      </Grantee>
      <Permission>READ</Permission>
    </Grant>
  </AccessControlList>
</AccessControlPolicy>

User policy

In CAM, you can grant different permissions to different types of users under a root account.
The biggest difference between a user policy and a bucket policy is that the former only describes the effect, action, resource, and condition (optional) but not the principal. Therefore, you have to write a user policy first, and then associate it manually with a sub-user, user group, or role. Besides, a user policy cannot grant anonymous users access to resources or operations.
You can associate a preset policy for authorization as described in Authorization Management, or write a user policy by referring to Element Reference and associate it with a specified identity to manage user access. For more information, see User Policy.
The following sample policy grants the permission to perform all COS operations on the bucket examplebucket-1250000000 in Guangzhou. You need to save the policy and then associate it with a CAM sub-user, user group, or role before it can take effect.
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["cos:*"],
      "Resource": [
          "qcs::cos:ap-guangzhou:uid/1250000000:examplebucket-1250000000/*",
          "qcs::cos:ap-guangzhou:uid/1250000000:examplebucket-1250000000/"
      ]
    }
  ],
  "Version": "2.0"
}

Anterior: Bucket Encryption OverviewPróximo: COS Authorization and Identity Verification Process

Ajuda e Suporte

Esta página foi útil?

comentários