RAM(Resource Access Management)是阿里云提供的资源访问控制服务,RAM Policy是基于用户的授权策略。通过设置RAM Policy,您可以集中管理您的用户(例如员工、系统或应用程序),以及控制用户可以访问您名下哪些资源的权限,例如限制您的用户只拥有对某一个Bucket的读权限。
- RAM Policy操作比较复杂,强烈推荐您使用简单易用的图形化配置方式Bucket Policy。
- 如果您选择使用RAM Policy,建议您通过官方工具RAM策略编辑器快速生成所需的RAM Policy。
常见Policy示例
- 完全授权的Policy
完全授权的Policy表示允许应用可以对OSS进行任何操作。
警告 完全授权的Policy对移动应用来说是不安全的授权,不推荐使用。{ "Statement": [ { "Action": [ "oss:*" ], "Effect": "Allow", "Resource": ["acs:oss:*:*:*"] } ], "Version": "1" }对OSS的操作 结果 列举所有创建的Bucket 成功 上传不带前缀的Object,test.txt 成功 下载不带前缀的Object,test.txt 成功 上传带前缀的Object,user1/test.txt 成功 下载带前缀的Object,user1/test.txt 成功 列举不带前缀的Object,test.txt 成功 列举带前缀的Object,user1/test.txt 成功 - 不限制前缀的只读不写Policy
此Policy表示应用对Bucket
app-base-oss下所有的Object可列举,可下载。{ "Statement": [ { "Action": [ "oss:GetObject", "oss:ListObjects" ], "Effect": "Allow", "Resource": ["acs:oss:*:*:app-base-oss/*", "acs:oss:*:*:app-base-oss"] } ], "Version": "1" }对OSS的操作 结果 列举所有创建的Bucket 失败 上传不带前缀的Object,test.txt 失败 下载不带前缀的Object,test.txt 成功 上传带前缀的Object,user1/test.txt 失败 下载带前缀的Object,user1/test.txt 成功 列举不带前缀的Object,test.txt 成功 列举带前缀的Object,user1/test.txt 成功 - 限制前缀的只读不写Policy
此Policy表示应用对Bucket
app-base-oss下带有前缀user1/的Object可列举、可下载,但无法下载其他前缀的Object。采用此种Policy,如果不同的应用对应不同的前缀,就可以达到在同一个Bucket中空间隔离的效果。{ "Statement": [ { "Action": [ "oss:GetObject", "oss:ListObjects" ], "Effect": "Allow", "Resource": ["acs:oss:*:*:app-base-oss/user1/*", "acs:oss:*:*:app-base-oss"] } ], "Version": "1" }对OSS的操作 结果 列举所有创建的Bucket 失败 上传不带前缀的Object,test.txt 失败 下载不带前缀的Object,test.txt 失败 上传带前缀的Object,user1/test.txt 失败 下载带前缀的Object,user1/test.txt 成功 列举不带前缀的Object,test.txt 成功 列举带前缀的Object,user1/test.txt 成功 - 不限制前缀的只写不读Policy
此Policy表示应用可以对Bucket
app-base-oss上传Object。{ "Statement": [ { "Action": [ "oss:PutObject" ], "Effect": "Allow", "Resource": ["acs:oss:*:*:app-base-oss/*", "acs:oss:*:*:app-base-oss"] } ], "Version": "1" }对OSS的操作 结果 列举所有创建的Bucket 失败 上传不带前缀的Object,test.txt 成功 下载不带前缀的Object,test.txt 失败 上传带前缀的Object,user1/test.txt 成功 下载带前缀的Object,user1/test.txt 成功 列举不带前缀的Object,test.txt 成功 列举带前缀的Object,user1/test.txt 成功 - 限制前缀的只写不读Policy
此Policy表示应用可以对Bucket
app-base-oss下带有前缀user1/的Object进行上传。但无法上传其他前缀的Object。采用此种Policy,如果不同的应用对应不同的前缀,就可以达到在同一个Bucket中空间隔离的效果。{ "Statement": [ { "Action": [ "oss:PutObject" ], "Effect": "Allow", "Resource": ["acs:oss:*:*:app-base-oss/user1/*", "acs:oss:*:*:app-base-oss"] } ], "Version": "1" }对OSS的操作 结果 列举所有创建的Bucket 失败 上传不带前缀的Object,test.txt 失败 下载不带前缀的Object,test.txt 失败 上传带前缀的Object,user1/test.txt 成功 下载带前缀的Object,user1/test.txt 失败 列举不带前缀的Object,test.txt 失败 列举带前缀的Object,user1/test.txt 失败 - 不限制前缀的读写Policy
此Policy表示应用可以对Bucket
app-base-oss下所有的Object进行列举、下载、上传和删除。{ "Statement": [ { "Action": [ "oss:GetObject", "oss:PutObject", "oss:DeleteObject", "oss:ListParts", "oss:AbortMultipartUpload", "oss:ListObjects" ], "Effect": "Allow", "Resource": ["acs:oss:*:*:app-base-oss/*", "acs:oss:*:*:app-base-oss"] } ], "Version": "1" }对OSS的操作 结果 列举所有创建的Bucket 失败 上传不带前缀的Object,test.txt 成功 下载不带前缀的Object,test.txt 成功 上传带前缀的Object,user1/test.txt 成功 下载带前缀的Object,user1/test.txt 成功 列举不带前缀的Object,test.txt 成功 列举带前缀的Object,user1/test.txt 成功 - 限制前缀的读写Policy
此Policy表示应用可以对Bucket
app-base-oss下带有前缀user1/的Object进行列举、下载、上传和删除,但无法对其他前缀的Object进行读写。采用此种Policy,如果不同的应用对应不同的前缀,就可以达到在同一个Bucket中空间隔离的效果。{ "Statement": [ { "Action": [ "oss:GetObject", "oss:PutObject", "oss:DeleteObject", "oss:ListParts", "oss:AbortMultipartUpload", "oss:ListObjects" ], "Effect": "Allow", "Resource": ["acs:oss:*:*:app-base-oss/user1/*", "acs:oss:*:*:app-base-oss"] } ], "Version": "1" }对OSS的操作 结果 列举所有创建的Bucket 失败 上传不带前缀的Object,test.txt 失败 下载不带前缀的Object,test.txt 失败 上传带前缀的Object,user1/test.txt 成功 下载带前缀的Object,user1/test.txt 成功 列举不带前缀的Object,test.txt 成功 列举带前缀的Object,user1/test.txt 成功
复杂Policy示例
{
"Version": "1",
"Statement": [
{
"Action": [
"oss:GetBucketAcl",
"oss:ListObjects"
],
"Resource": [
"acs:oss:*:1775305056529849:mybucket"
],
"Effect": "Allow",
"Condition": {
"StringEquals": {
"acs:UserAgent": "java-sdk",
"oss:Prefix": "foo"
},
"IpAddress": {
"acs:SourceIp": "192.168.0.1"
}
}
},
{
"Action": [
"oss:PutObject",
"oss:GetObject",
"oss:DeleteObject"
],
"Resource": [
"acs:oss:*:1775305056529849:mybucket/file*"
],
"Effect": "Allow",
"Condition": {
"IpAddress": {
"acs:SourceIp": "192.168.0.1"
}
}
}
]
}这是一个较为复杂的授权 Policy,用户用这样的一个Policy通过RAM或STS服务向其他用户授权。Policy当中有一个Statement(一条Policy当中可以有多条Statement)。Statement里面规定了相应的Action、Resource、Effect和Condition。
这条Policy把用户自己名下的mybucket和mybucket/file*这些资源授权给相应的用户,并且支持GetBucketAcl、GetBucket、PutObject、GetObject和DeleteObject这几种操作。Condition中的条件表示UserAgent为java-sdk,源IP为192.168.0.1的时候鉴权才能通过,被授权的用户才能访问相关的资源。Prefix这个Condition是在GetBucket(ListObjects)的时候起作用的,关于这个字段的详情请参见GetBucket(ListObjects)。
Version
Version定义了Policy的版本,本文档中Version设置为1。
Statement
通过Statement描述授权语义,其中可以根据业务场景包含多条语义,每条包含对Action、Effect、Resource和Condition的描述。每次请求系统会逐条依次匹配检查,所有匹配成功的Statement会根据Effect的设置不同分为通过(Allow)、禁止(Deny),其中禁止(Deny)的优先。如果匹配成功的都为通过,该条请求即鉴权通过。如果匹配成功有一条禁止,或者没有任何条目匹配成功,该条请求被禁止访问。
Action
Action分为三大类:
- Service级别操作,对应的是GetService操作,用来列出所有属于该用户的Bucket列表。
- Bucket级别操作,对应类似于oss:PutBucketAcl、oss:GetBucketLocation之类的操作,操作的对象是Bucket,它们的名称和相应的接口名称一一对应。
- Object级别操作,分为oss:GetObject、oss:PutObject、oss:DeleteObject和oss:AbortMultipartUpload,操作对象是Object。
如想授权某一类的Object的操作,可以选择这几种的一种或几种。另外,所有的Action前面都必须加上oss:,如上面例子所示。Action是一个列表,可以有多个Action。具体的Action和API接口的对应关系如下:
- Service级别
API Action GetService(ListBuckets) oss:ListBuckets - Bucket 级别
API Action PutBucket oss:PutBucket GetBucket(ListObjects) oss:ListObjects PutBucketAcl oss:PutBucketAcl GetBucketAcl oss:GetBucketAcl DeleteBucket oss:DeleteBucket GetBucketLocation oss:GetBucketLocation GetBucketInfo oss:GetBucketInfo GetBucketLogging oss:GetBucketLogging PutBucketLogging oss:PutBucketLogging DeleteBucketLogging oss:DeleteBucketLogging GetBucketWebsite oss:GetBucketWebsite PutBucketWebsite oss:PutBucketWebsite DeleteBucketWebsite oss:DeleteBucketWebsite GetBucketReferer oss:GetBucketReferer PutBucketReferer oss:PutBucketReferer GetBucketLifecycle oss:GetBucketLifecycle PutBucketLifecycle oss:PutBucketLifecycle DeleteBucketLifecycle oss:DeleteBucketLifecycle ListMultipartUploads oss:ListMultipartUploads ListParts oss:ListParts PutBucketCors oss:PutBucketCors GetBucketCors oss:GetBucketCors DeleteBucketCors oss:DeleteBucketCors PutBucketVersioning oss:PutBucketVersioning GetBucketVersions(ListObjectVersions) oss::ListObjectVersions PutBucketPolicy oss:PutBucketPolicy GetBucketPolicy oss:GetBucketPolicy DeleteBucketPolicy oss:DeleteBucketPolicy PutBucketTags oss:PutBucketTagging GetBucketTags oss:GetBucketTagging DeleteBucketTags oss:DeleteBucketTagging PutBucketEncryption oss:PutBucketEncryption GetBucketEncryption oss:GetBucketEncryption DeleteBucketEncryption oss:DeleteBucketEncryption PutBucketRequestPayment oss:PutBucketRequestPayment GetBucketRequestPayment oss:GetBucketRequestPayment PutBucketReplication oss:PutBucketReplication GetBucketReplication oss:GetBucketReplication DeleteBucketReplication oss:DeleteBucketReplication GetBucketReplicationLocation oss:GetBucketReplicationLocation GetBucketReplicationProgress oss:GetBucketReplicationProgress - Object级别
API Action PutObject oss:PutObject PostObject InitiateMultipartUpload UploadPart CompleteMultipart AppendObject CompleteMultipartUpload PutSymlink GetObject oss:GetObject HeadObject GetObjectMeta SelectObject GetSymlink DeleteObject oss:DeleteObject DeleteMultipleObjects CopyObject oss:GetObject,oss:PutObject UploadPartCopy GetObjectAcl oss:GetObjectAcl PutObjectAcl oss:PutObjectAcl RestoreObject oss:RestoreObject PutObjectTagging oss:PutObjectTagging GetObjectTagging oss:GetObjectTagging DeleteObjectTagging oss:DeleteObjectTagging PutLiveChannel oss:PutLiveChannel ListLiveChannel oss:ListLiveChannel DeleteLiveChannel oss:DeleteLiveChannel PutLiveChannelStatus oss:PutLiveChannelStatus GetLiveChannelInfo oss:GetLiveChannel GetLiveChannelStat oss:GetLiveChannelStat GetLiveChannelHistory oss:GetLiveChannelHistory PostVodPlaylist oss:PostVodPlaylist GetVodPlaylist oss:GetVodPlaylist ImgSaveAs oss:PostProcessTask AbortMultipartUpload oss:AbortMultipartUpload
Resource
Resource指代的是OSS上面的某个具体的资源或者某些资源,支持通配符星号(*)。resource的规则是acs:oss:{region}:{bucket_owner}:{bucket_name}/{object_name}。对于所有Bucket级别的操作来说不需要最后的斜杠和{object_name},即acs:oss:{region}:{bucket_owner}:{bucket_name}。Resource也是一个列表,可以有多个Resource。其中的region字段暂时不做支持,设置为*。
Effect
Effect代表本条的Statement的授权的结果,分为Allow和Deny,分别指代通过和禁止。多条Statement同时匹配成功时,禁止(Deny)的优先级更高。
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"oss:*"
],
"Resource": [
"acs:oss:*:*:bucketname"
]
},
{
"Effect": "Deny",
"Action": [
"oss:DeleteObject"
],
"Resource": [
"acs:oss:*:*:bucketname/index/*",
]
}
]
}Condition
Condition代表Policy授权的一些条件,上面的示例里面可以设置对于acs:UserAgent的检查、acs:SourceIp的检查,还可以使用oss:Prefix项在GetBucket的时候对资源进行限制。
OSS支持的Condition如下:
| Condition | 功能 | 合法取值 |
|---|---|---|
| acs:SourceIp | 指定ip网段 | 普通的ip,支持*通配 |
| acs:UserAgent | 指定http useragent 头 | 字符串 |
| acs:CurrentTime | 指定合法的访问时间 | ISO8601格式 |
| acs:SecureTransport | 是否是HTTPS协议 | “true”或者”false” |
| oss:Prefix | 用作ListObjects时的prefix | 合法的object name |
{
"Version": "1",
"Statement": [
{
"Effect": "Deny",
"Action": [
"oss:*"
],
"Resource": [
"*"
],
"Condition": {
"StringNotEquals": {
"acs:SecureTransport": [
"true"
]
}
}
}
]
}最佳实践
OSS提供了RAM策略编辑器帮助您快速生成RAM Policy。您也可以使用图形化管理工具ossbrowser 的简化 Policy 授权,一键完成对子账号授予特定Bucket或特定目录的权限 。
针对具体场景更多的授权策略配置示例请参见教程示例:控制存储空间和文件夹的访问权限。
在文档使用中是否遇到以下问题
更多建议
匿名提交