Scenario
User A (user ID aaa11111111) owns the buckets examplebucket1-a and examplebucket2-a; A0 is a sub-user of A. For business reasons, A0, user B (user ID bbb11111111) and B's sub-user B0 need access to A's buckets examplebucket1-a and examplebucket2-a. The permissions A0, B and B0 require are as follows:
- User B may list and download objects in A's buckets examplebucket1-a and examplebucket2-a.
- Sub-user B0 may only download objects whose key begins with the prefix 1 in A's bucket examplebucket1-a.
- Sub-user A0 may list, download and delete objects in A's bucket examplebucket2-a.
Prerequisites
The Object Storage (Classic Edition) Type I service has been enabled.
Procedure
User A logs in to the console and opens the "Bucket List".
- Click "Properties" next to examplebucket1-a, then "Security Policy" > "Edit Policy" > "Edit", and enter the following policy.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "UserBListGetObject",
      "Effect": "Allow",
      "Principal": { "CTYUN": "arn:ctyun:iam::bbb11111111:root" },
      "Action": [ "oos:GetObject", "oos:ListBucket" ],
      "Resource": [
        "arn:ctyun:oos:::examplebucket1-a/*",
        "arn:ctyun:oos:::examplebucket1-a"
      ]
    },
    {
      "Sid": "UserB0GetObject",
      "Effect": "Allow",
      "Principal": { "CTYUN": "arn:ctyun:iam::bbb11111111:user/B0" },
      "Action": "oos:GetObject",
      "Resource": [ "arn:ctyun:oos:::examplebucket1-a/1*" ]
    }
  ]
}
```
- Click "Properties" next to examplebucket2-a, then "Security Policy" > "Edit Policy" > "Edit", and enter the following policy.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "UserBGetListObject",
      "Effect": "Allow",
      "Principal": { "CTYUN": "arn:ctyun:iam::bbb11111111:root" },
      "Action": [ "oos:GetObject", "oos:ListBucket" ],
      "Resource": [
        "arn:ctyun:oos:::examplebucket2-a/*",
        "arn:ctyun:oos:::examplebucket2-a"
      ]
    },
    {
      "Sid": "UserA0GetListDeletObject",
      "Effect": "Allow",
      "Principal": { "CTYUN": "arn:ctyun:iam::aaa11111111:user/A0" },
      "Action": [ "oos:GetObject", "oos:ListBucket", "oos:DeleteObject" ],
      "Resource": [
        "arn:ctyun:oos:::examplebucket2-a/*",
        "arn:ctyun:oos:::examplebucket2-a"
      ]
    }
  ]
}
```
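As an added illustration (not part of the original page and not the OOS service's own code), the following Python script models the two policies above with a minimal allow-only evaluator, so that the intended grants, and just as importantly the ones that must not exist, can be checked before the policies are applied. The evaluator and its prefix-wildcard matching are assumptions; it ignores Deny, Condition and account-level IAM checks.

```python
import fnmatch

# Assumption: a simplified allow-only evaluator modelled on the page's policy format.
# It is NOT the OOS service's engine (no Deny, no Condition, no account-level IAM).
ACCOUNT_A, ACCOUNT_B = "aaa11111111", "bbb11111111"

# Constructed copies of the two bucket policies shown on this page.
BUCKET_POLICIES = {
    "examplebucket1-a": [
        {"Sid": "UserBListGetObject", "Effect": "Allow",
         "Principal": {"CTYUN": f"arn:ctyun:iam::{ACCOUNT_B}:root"},
         "Action": ["oos:GetObject", "oos:ListBucket"],
         "Resource": ["arn:ctyun:oos:::examplebucket1-a/*", "arn:ctyun:oos:::examplebucket1-a"]},
        {"Sid": "UserB0GetObject", "Effect": "Allow",
         "Principal": {"CTYUN": f"arn:ctyun:iam::{ACCOUNT_B}:user/B0"},
         "Action": "oos:GetObject",
         "Resource": ["arn:ctyun:oos:::examplebucket1-a/1*"]},
    ],
    "examplebucket2-a": [
        {"Sid": "UserBGetListObject", "Effect": "Allow",
         "Principal": {"CTYUN": f"arn:ctyun:iam::{ACCOUNT_B}:root"},
         "Action": ["oos:GetObject", "oos:ListBucket"],
         "Resource": ["arn:ctyun:oos:::examplebucket2-a/*", "arn:ctyun:oos:::examplebucket2-a"]},
        {"Sid": "UserA0GetListDeletObject", "Effect": "Allow",
         "Principal": {"CTYUN": f"arn:ctyun:iam::{ACCOUNT_A}:user/A0"},
         "Action": ["oos:GetObject", "oos:ListBucket", "oos:DeleteObject"],
         "Resource": ["arn:ctyun:oos:::examplebucket2-a/*", "arn:ctyun:oos:::examplebucket2-a"]},
    ],
}

def _as_list(v):
    """Policy fields may be a single string or a list; normalise to a list."""
    return v if isinstance(v, list) else [v]

def is_allowed(principal_arn, action, bucket, key=None):
    """True if an Allow statement of the bucket's policy matches principal, action and resource."""
    # Bucket-level actions (ListBucket) target the bucket ARN; object actions target bucket/key.
    resource = f"arn:ctyun:oos:::{bucket}" + (f"/{key}" if key is not None else "")
    for stmt in BUCKET_POLICIES.get(bucket, []):
        if stmt.get("Effect") != "Allow":
            continue
        if principal_arn not in _as_list(stmt["Principal"]["CTYUN"]):
            continue
        if action not in _as_list(stmt["Action"]):
            continue
        # '*' in a Resource ARN is a wildcard: '.../1*' covers only keys starting with 1.
        if any(fnmatch.fnmatchcase(resource, pat) for pat in _as_list(stmt["Resource"])):
            return True
    return False
```

Run the checks for each requirement in the scenario, including negative ones such as B0 downloading a key with prefix 2 or A0 touching examplebucket1-a, which must all return False.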