Object-level access control lets you grant different read/write permissions to individual objects in an OSS on CloudBox bucket, independent of the bucket's own permissions. Use object ACLs when different objects in the same bucket need different access levels.
Object ACLs support three permission levels:
| ACL | Who can access |
|---|
private | Only the object owner has full control. All other access is denied. |
public-read | Anyone can read the object, including anonymous requests. The owner retains full control. |
public-read-write | Anyone can read and write the object. The owner retains full control. |
Object ACL takes precedence over bucket ACL. If no object ACL is set, the object inherits the bucket's ACL. If an object ACL is set, it overrides the bucket ACL regardless of the bucket's permission level.
Warning Avoid setting public-read-write on objects unless your use case specifically requires anonymous write access. This allows anyone on the internet to modify or delete the object.
Prerequisites
Before you begin, make sure you have:
Set an object ACL
Use the Java SDK
Setting object ACLs via SDK requires Java SDK version 3.15.0 or later.
The following example sets the ACL of an object to private using Signature Version 4:
import com.aliyun.oss.ClientException;
import com.aliyun.oss.OSS;
import com.aliyun.oss.OSSClientBuilder;
import com.aliyun.oss.OSSException;
import com.aliyun.oss.model.CannedAccessControlList;
import com.aliyun.oss.common.auth.CredentialsProviderFactory;
import com.aliyun.oss.common.auth.EnvironmentVariableCredentialsProvider;
import com.aliyun.oss.ClientBuilderConfiguration;
import com.aliyun.oss.common.comm.SignVersion;
import com.aliyun.oss.common.auth.DefaultCredentialProvider;
public class Demo {
public static void main(String[] args) throws Exception {
// Specify the data endpoint of the OSS on CloudBox bucket.
String endpoint = "https://cb-f8z7yvzgwfkl9q0h****.cn-hangzhou.oss-cloudbox.aliyuncs.com";
// Obtain access credentials from environment variables. Before running this sample code, make sure the OSS_ACCESS_KEY_ID and OSS_ACCESS_KEY_SECRET environment variables are set.
EnvironmentVariableCredentialsProvider credentialsProvider = CredentialsProviderFactory.newEnvironmentVariableCredentialsProvider();
// Specify the name of the OSS on CloudBox bucket, such as examplebucket.
String bucketName = "examplebucket";
// Specify the region where the OSS on CloudBox bucket is located.
String region = "cn-hangzhou";
// Specify the CloudBox ID.
String cloudBoxId = "cb-f8z7yvzgwfkl9q0h****";
// Specify the full path of the object. The path cannot include the bucket name. Example: testfolder/exampleobject.txt.
String objectName = "testfolder/exampleobject.txt";
// Create an OSSClient instance.
// When the OSSClient instance is no longer used, call the shutdown method to release resources.
ClientBuilderConfiguration conf = new ClientBuilderConfiguration();
conf.setSignatureVersion(SignVersion.V4);
OSS ossClient = OSSClientBuilder.create()
.endpoint(endpoint)
.credentialsProvider(new DefaultCredentialProvider(credentialsProvider.getCredentials()))
.clientConfiguration(conf)
.region(region)
.cloudBoxId(cloudBoxId)
.build();
try {
// Set the access permissions of the object to private.
ossClient.setObjectAcl(bucketName, objectName, CannedAccessControlList.Private);
} catch (OSSException oe) {
System.out.println("Caught an OSSException, which means your request made it to OSS, "
+ "but was rejected with an error response for some reason.");
System.out.println("Error Message:" + oe.getErrorMessage());
System.out.println("Error Code:" + oe.getErrorCode());
System.out.println("Request ID:" + oe.getRequestId());
System.out.println("Host ID:" + oe.getHostId());
} catch (ClientException ce) {
System.out.println("Caught an ClientException, which means the client encountered "
+ "a serious internal problem while trying to communicate with OSS, "
+ "such as not being able to access the network.");
System.out.println("Error Message:" + ce.getMessage());
} finally {
if (ossClient != null) {
ossClient.shutdown();
}
}
}
}
Replace the placeholders with your actual values:
| Placeholder | Description | Example |
|---|
endpoint | Data endpoint of the OSS on CloudBox bucket | https://cb-f8z7yvzgwfkl9q0h****.cn-hangzhou.oss-cloudbox.aliyuncs.com |
bucketName | Name of the OSS on CloudBox bucket | examplebucket |
region | Region where the bucket is located | cn-hangzhou |
cloudBoxId | CloudBox ID | cb-f8z7yvzgwfkl9q0h**** |
objectName | Full path of the object, excluding the bucket name | testfolder/exampleobject.txt |
Use ossutil
For ossutil commands to set or modify an object ACL, see put-object-acl.
Use the REST API
To set an object ACL via HTTP requests, see PutObjectACL.
What's next
Object ACLs are one of several access control mechanisms in OSS on CloudBox. Depending on your requirements, consider combining them with: