PrevNext
search by keyword

Recent Pages

Documentation
Cloud Object Storage
    Documentation
    Download PDF

    Basic Concepts of Access Control

    Last updated: 2020-08-31 12:03:24
    Download PDF

      Concept

      You can grant access permissions by specifying a person to perform a specified action on specified resources under a specified condition. Generally, the following four elements are used to describe an access permission action: identity, resource, action, and condition (optional).

      Elements for Access Permissions

      Tencent Cloud's identity

      When you apply for a Tencent Cloud account, the system will create a root account for logging in to the Tencent Cloud services. The Tencent Cloud root account manages different types of users with different roles using the user management feature. User types include collaborator, message recipient, sub-user, and role. For more information, see CAM Identity Management and Glossary.

      COS resources

      Bucket and Object are the basic resources of the COS service, and they have subresources associated with them.

      Bucket's subresources include:

      • acl and policy: access control information of a bucket
      • website: static website hosting configuration of a bucket
      • tagging: tag information of a bucket
      • cors: cross-origin configuration of a bucket
      • lifecycle: lifecycle configuration of a bucket

      Object's subresources include:

      • acl: access control information of an object
      • restore: restore configuration of an archive object

      COS operations

      COS provides a range of API operations on various resources. For more information, see Operation List.

      CAM Overview

      Private principle

      Note:
      By default, all Tencent Cloud COS resources are private.

      • The resource owner (the Tencent Cloud root account creating a bucket resource) has the highest permission on the resource, and can grant access permissions to others or anonymous users by editing and writing an access policy.

      • When a Tencent Cloud CAM account is used to create a bucket or upload an object, its parent root account is the resource owner.

      • The root account of the bucket owner can authorize other Tencent Cloud root accounts to upload objects (i.e. cross-account upload). In this case, the object owner is still the root account of the bucket owner.

      Access control policy

      Resource-based policy

      Tencent Cloud COS supports access control at both bucket and object dimensions, as detailed below:

      Dimension Type Language Supported Identity Supported Resource Granularity Supported Action Supported Effect
      Bucket Access policy language (Policy) JSON Sub-accounts, roles, Tencent Cloud services, other root accounts, anonymous users, etc. Buckets, objects, prefixes, etc. Each specific action Allow/Deny
      Bucket Access Control List (ACL) XML Other root accounts, anonymous users, etc. Buckets Read and write actions Allow
      Object Access Control List (ACL) XML Other root accounts, anonymous users, etc. Objects Read and write actions Allow

      Bucket Policy

      A bucket policy is described in JSON language, and supports granting anonymous identities or any Tencent Cloud CAM account the permissions to access and perform operations on buckets and objects. In Tencent Cloud COS, the bucket policy can be used to manage almost all operations in the bucket. It is recommended that you use a bucket policy to manage access policies that cannot be described using ACLs.

      A Tencent Cloud root account has the highest permission on its resources (including buckets). Even if you can set limits on almost all operations in the bucket policy, the root account always has the permission for the PUT Bucket Policy operation, and can call this operation without checking the bucket policy.

      The following policy allows anonymous users to access all objects in the bucket examplebucket-1250000000 in Guangzhou, and to download all objects (GetObject) in the bucket without signature verification. In this case, any anonymous user who knows the URL can download the objects (similar to public-read):

      {
  "Statement": [
    {
      "Principal": "*",
      "Effect": "Allow",
      "Action": ["cos:GetObject"],
      "Resource": ["qcs::cos:ap-guangzhou:uid/1250000000:examplebucket-1250000000/*"]
    }
  ],
  "Version": "2.0"
}

      ACL

      An ACL is described in the XML language. It is a list of specified grantees and permissions granted, which is associated with resources. Each bucket and object has an associated ACL to grant basic read and write permissions to anonymous users or other Tencent Clouds root accounts.

      The resource owner always has FULL_CONTROL permission on the resource, regardless of whether this is described in the issued ACL.

      The bucket ACL in this example describes the full control permission of the bucket owner (UIN: 100000000001):

      <AccessControlPolicy>
  <Owner>
    <ID>qcs::cam::uin/100000000001:uin/100000000001</ID>
  </Owner>
  <AccessControlList>
    <Grant>
      <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="RootAccount">
        <ID>qcs::cam::uin/100000000001:uin/100000000001</ID>
      </Grantee>
      <Permission>FULL_CONTROL</Permission>
    </Grant>
  </AccessControlList>
</AccessControlPolicy>

      The object ACL in this example describes the full control permission of the object owner (UIN: 100000000001) and grants the read permission to all users (the public-read permission to anonymous users):

      <AccessControlPolicy>
  <Owner>
    <ID>qcs::cam::uin/100000000001:uin/100000000001</ID>
  </Owner>
  <AccessControlList>
    <Grant>
      <Grantee>
        <ID>qcs::cam::uin/100000000001:uin/100000000001</ID>
      </Grantee>
      <Permission>FULL_CONTROL</Permission>
    </Grant>
    <Grant>
      <Grantee>
        <URI>http://cam.qcloud.com/groups/global/AllUsers</URI>
      </Grantee>
      <Permission>READ</Permission>
    </Grant>
  </AccessControlList>
</AccessControlPolicy>

      User-based policy

      In CAM, you can grant different permissions to different types of users under the root account.

      The biggest difference between a user policy and a bucket policy is that the user policy only describes effect, action, resource, and condition (optional), but not principal. Therefore, you have to write a user policy first, and then associate it manually with a sub-user, a user group or a role. Besides, the user policy cannot grant anonymous users access to resources or operations.

      You can associate a preset policy for authorization, or write a user policy and associate it with a specified identity to manage access for your users.

      The following policy example grants the permission to perform all COS operations on the bucket examplebucket-1250000000 in Guangzhou. You need to save the policy and then associate it with a CAM sub-user, a user group or a role before it takes effect.

      {
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["cos:*"],
      "Resource": [
          "qcs::cos:ap-guangzhou:uid/1250000000:examplebucket-1250000000/*",
          "qcs::cos:ap-guangzhou:uid/1250000000:examplebucket-1250000000/"
      ]
    }
  ],
  "Version": "2.0"
}
      tencent
      Copyright © 2013-2022 Tencent Cloud. All Rights Reserved.
      Privacy PolicyLegalCookie Policy