OSS Tables provides access control using resource policies based on the IAM Policy format. You can set these policies at the table bucket and table levels for fine-grained permission management.
Permission model
OSS Tables controls access using resource policies that follow the IAM policy format.
IAM policy format: Resource policies use the same IAM policy format as RAM policies and include standard fields such as
Version,Statement,Effect,Action,Principal, andResource.Dual-level granularity: You can set resource policies at both the table bucket and table levels. A policy at the table bucket level applies to all tables within the bucket, while a policy at the table level applies only to the specified table.
Management: You can manage bucket authorization policies and RAM access control on the Access Control tab of the table bucket details page. This tab contains two subtabs: Bucket Authorization Policy and RAM Access Control.
Resource authorization: For table-related requests, both the table bucket policy and the table policy determine the final authorization result:
Table bucket policy
Table policy
Authorization result
Allow
Allow
Allow
Allow
Ignore
Allow
Allow
Deny
Deny
Ignore
Allow
Allow
Ignore
Ignore
Ignore
Ignore
Deny
Deny
Deny
Allow
Deny
Deny
Ignore
Deny
Deny
Deny
Deny
Bucket policy
Resource policies can be defined at two levels of granularity: Table Bucket and table.
Table bucket-level policy
A Table Bucket-level resource policy controls access to an entire Table Bucket and all the tables within it. The policy applies to all tables in the Table Bucket.
Console
You can configure a bucket policy in the OSS console. You can create policies by using a visual editor or by entering JSON.
Log on to the OSS console. In the left-side navigation pane, select Table Bucket List.
Click the name of the target Table Bucket to open its details page.
Select the Access Control tab.
On the Bucket Policy subtab, click Add Authorization.
Select Add using visual editor or Add as JSON.
Configure the following parameters:
Resource: Select the resources to authorize.
Action: Select the actions to allow or deny.
Condition: Specify the conditions for the policy (optional).
Principal: Specify the principal to which the policy applies.
Effect: Select Allow or Deny.
Click OK.
After you complete the configuration, you can view the policy in the authorization list. The list displays information such as the resource, action, condition, principal, and effect. You can also edit or delete the policy in the Actions column.
Ossutil
# Set the resource policy for a Table Bucket
ossutil tables-api put-table-bucket-policy --table-bucket-arn acs:osstables:cn-hangzhou:1234567890:bucket/mytablebucket --resource-policy '{"Version":"1","Statement":[{"Effect":"Allow","Action":["oss:GetTableBucket","oss:ListTables","oss:GetTable"],"Principal":["1142323451******"],"Resource":["acs:osstables:cn-hangzhou:1234567890:bucket/mytablebucket"]}]}'
# Get the resource policy for a Table Bucket
ossutil tables-api get-table-bucket-policy --table-bucket-arn acs:osstables:cn-hangzhou:1234567890:bucket/mytablebucket
# Delete the resource policy for a Table Bucket
ossutil tables-api delete-table-bucket-policy --table-bucket-arn acs:osstables:cn-hangzhou:1234567890:bucket/mytablebucketSDK
Python
Set the resource policy for a Table Bucket (PutTableBucketPolicy)
import argparse
import json
import alibabacloud_oss_v2 as oss
import alibabacloud_oss_v2.tables as oss_tables
parser = argparse.ArgumentParser(description="put table bucket policy sample")
parser.add_argument('--region', help='The region in which the table bucket is located.', required=True)
parser.add_argument('--endpoint', help='The endpoint for accessing OSS Tables.')
parser.add_argument('--table-bucket-arn', help='The ARN of the table bucket.', required=True)
parser.add_argument('--policy', help='The resource policy JSON string.', required=True)
def main():
args = parser.parse_args()
credentials_provider = oss.credentials.EnvironmentVariableCredentialsProvider()
cfg = oss.config.load_default()
cfg.credentials_provider = credentials_provider
cfg.region = args.region
if args.endpoint is not None:
cfg.endpoint = args.endpoint
client = oss_tables.Client(cfg)
result = client.put_table_bucket_policy(oss_tables.models.PutTableBucketPolicyRequest(
table_bucket_arn=args.table_bucket_arn,
resource_policy=args.policy,
))
print(f'status code: {result.status_code},'
f' request id: {result.request_id}')
print(f'successfully set policy for: {args.table_bucket_arn}')
if __name__ == "__main__":
main()Get the resource policy for a Table Bucket (GetTableBucketPolicy)
import argparse
import alibabacloud_oss_v2 as oss
import alibabacloud_oss_v2.tables as oss_tables
parser = argparse.ArgumentParser(description="get table bucket policy sample")
parser.add_argument('--region', help='The region in which the table bucket is located.', required=True)
parser.add_argument('--endpoint', help='The endpoint for accessing OSS Tables.')
parser.add_argument('--table-bucket-arn', help='The ARN of the table bucket.', required=True)
def main():
args = parser.parse_args()
credentials_provider = oss.credentials.EnvironmentVariableCredentialsProvider()
cfg = oss.config.load_default()
cfg.credentials_provider = credentials_provider
cfg.region = args.region
if args.endpoint is not None:
cfg.endpoint = args.endpoint
client = oss_tables.Client(cfg)
result = client.get_table_bucket_policy(oss_tables.models.GetTableBucketPolicyRequest(
table_bucket_arn=args.table_bucket_arn,
))
print(f'status code: {result.status_code},'
f' request id: {result.request_id},'
f' resource policy: {result.resource_policy}')
if __name__ == "__main__":
main()Delete the resource policy for a Table Bucket (DeleteTableBucketPolicy)
import argparse
import alibabacloud_oss_v2 as oss
import alibabacloud_oss_v2.tables as oss_tables
parser = argparse.ArgumentParser(description="delete table bucket policy sample")
parser.add_argument('--region', help='The region in which the table bucket is located.', required=True)
parser.add_argument('--endpoint', help='The endpoint for accessing OSS Tables.')
parser.add_argument('--table-bucket-arn', help='The ARN of the table bucket.', required=True)
def main():
args = parser.parse_args()
credentials_provider = oss.credentials.EnvironmentVariableCredentialsProvider()
cfg = oss.config.load_default()
cfg.credentials_provider = credentials_provider
cfg.region = args.region
if args.endpoint is not None:
cfg.endpoint = args.endpoint
client = oss_tables.Client(cfg)
result = client.delete_table_bucket_policy(oss_tables.models.DeleteTableBucketPolicyRequest(
table_bucket_arn=args.table_bucket_arn,
))
print(f'status code: {result.status_code},'
f' request id: {result.request_id}')
print(f'successfully deleted policy for: {args.table_bucket_arn}')
if __name__ == "__main__":
main()Go
Set the resource policy for a Table Bucket (PutTableBucketPolicy)
package main
import (
"context"
"flag"
"log"
"github.com/aliyun/alibabacloud-oss-go-sdk-v2/oss"
"github.com/aliyun/alibabacloud-oss-go-sdk-v2/oss/credentials"
"github.com/aliyun/alibabacloud-oss-go-sdk-v2/oss/tables"
)
var (
region string
tableBucketArn string
)
func init() {
flag.StringVar(®ion, "region", "", "The region in which the bucket is located.")
flag.StringVar(&tableBucketArn, "table-bucket-arn", "", "The ARN of the Table Bucket.")
}
func main() {
flag.Parse()
if len(tableBucketArn) == 0 {
flag.PrintDefaults()
log.Fatalf("invalid parameters, table bucket arn required")
}
if len(region) == 0 {
flag.PrintDefaults()
log.Fatalf("invalid parameters, region required")
}
cfg := oss.LoadDefaultConfig().
WithCredentialsProvider(credentials.NewEnvironmentVariableCredentialsProvider()).
WithRegion(region)
client := tables.NewTablesClient(cfg)
result, err := client.PutTableBucketPolicy(context.TODO(), &tables.PutTableBucketPolicyRequest{
TableBucketARN: oss.Ptr(tableBucketArn),
ResourcePolicy: oss.Ptr(`
{
"Version":"1",
"Statement":[
{
"Action":[
"oss:GetTable",
],
"Effect":"Deny",
"Principal":["1234567890"],
"Resource":["acs:osstables:cn-hangzhou:1234567890:bucket/demo-bucket"]
}
]
}
`),
})
if err != nil {
log.Fatalf("failed to put table bucket policy %v", err)
}
log.Printf("put table bucket policy result:%#v\n", result)
}Get the resource policy for a Table Bucket (GetTableBucketPolicy)
package main
import (
"context"
"flag"
"log"
"github.com/aliyun/alibabacloud-oss-go-sdk-v2/oss"
"github.com/aliyun/alibabacloud-oss-go-sdk-v2/oss/credentials"
"github.com/aliyun/alibabacloud-oss-go-sdk-v2/oss/tables"
)
var (
region string
tableBucketArn string
)
func init() {
flag.StringVar(®ion, "region", "", "The region in which the bucket is located.")
flag.StringVar(&tableBucketArn, "table-bucket-arn", "", "The ARN of the Table Bucket.")
}
func main() {
flag.Parse()
if len(tableBucketArn) == 0 {
flag.PrintDefaults()
log.Fatalf("invalid parameters, table bucket arn required")
}
if len(region) == 0 {
flag.PrintDefaults()
log.Fatalf("invalid parameters, region required")
}
cfg := oss.LoadDefaultConfig().
WithCredentialsProvider(credentials.NewEnvironmentVariableCredentialsProvider()).
WithRegion(region)
client := tables.NewTablesClient(cfg)
result, err := client.GetTableBucketPolicy(context.TODO(), &tables.GetTableBucketPolicyRequest{
TableBucketARN: oss.Ptr(tableBucketArn),
})
if err != nil {
log.Fatalf("failed to get table bucket policy %v", err)
}
log.Printf("get table bucket policy result:%#v\n", result)
}Delete the resource policy for a Table Bucket (DeleteTableBucketPolicy)
package main
import (
"context"
"flag"
"log"
"github.com/aliyun/alibabacloud-oss-go-sdk-v2/oss"
"github.com/aliyun/alibabacloud-oss-go-sdk-v2/oss/credentials"
"github.com/aliyun/alibabacloud-oss-go-sdk-v2/oss/tables"
)
var (
region string
tableBucketArn string
)
func init() {
flag.StringVar(®ion, "region", "", "The region in which the bucket is located.")
flag.StringVar(&tableBucketArn, "table-bucket-arn", "", "The ARN of the Table Bucket.")
}
func main() {
flag.Parse()
if len(tableBucketArn) == 0 {
flag.PrintDefaults()
log.Fatalf("invalid parameters, table bucket arn required")
}
if len(region) == 0 {
flag.PrintDefaults()
log.Fatalf("invalid parameters, region required")
}
cfg := oss.LoadDefaultConfig().
WithCredentialsProvider(credentials.NewEnvironmentVariableCredentialsProvider()).
WithRegion(region)
client := tables.NewTablesClient(cfg)
result, err := client.DeleteTableBucketPolicy(context.TODO(), &tables.DeleteTableBucketPolicyRequest{
TableBucketARN: oss.Ptr(tableBucketArn),
})
if err != nil {
log.Fatalf("failed to delete table bucket policy %v", err)
}
log.Printf("delete table bucket policy result:%#v\n", result)
}Java
Set the resource policy for a Table Bucket (PutTableBucketPolicy)
import com.aliyun.sdk.service.oss2.credentials.EnvironmentVariableCredentialsProvider;
import com.aliyun.sdk.service.oss2.tables.OSSTablesClient;
import com.aliyun.sdk.service.oss2.tables.models.*;
public class PutTableBucketPolicySample {
public static void main(String[] args) throws Exception {
String region = "cn-hangzhou";
String tableBucketARN = "acs:osstables:cn-hangzhou:1234567890:bucket/mytablebucket";
String resourcePolicy = "{\"Version\":\"1\",\"Statement\":[{\"Effect\":\"Deny\",\"Action\":[\"oss:GetTable\"],\"Principal\":[\"1234567890\"],\"Resource\":[\"acs:osstables:cn-hangzhou:1234567890:bucket/demo-bucket/table/*\"]}]}";
try (OSSTablesClient client = OSSTablesClient.newBuilder()
.credentialsProvider(new EnvironmentVariableCredentialsProvider())
.region(region)
.build()) {
PutTableBucketPolicyRequest request = PutTableBucketPolicyRequest.newBuilder()
.tableBucketARN(tableBucketARN)
.resourcePolicy(resourcePolicy)
.build();
PutTableBucketPolicyResult result = client.putTableBucketPolicy(request);
System.out.printf("Status code:%d, request id:%s%n",
result.statusCode(), result.requestId());
System.out.printf("Successfully updated table bucket policy for ARN: %s%n", tableBucketARN);
} catch (Exception e) {
System.out.println("Error: " + e.getMessage());
}
}
}Get the resource policy for a Table Bucket (GetTableBucketPolicy)
import com.aliyun.sdk.service.oss2.credentials.EnvironmentVariableCredentialsProvider;
import com.aliyun.sdk.service.oss2.tables.OSSTablesClient;
import com.aliyun.sdk.service.oss2.tables.models.*;
public class GetTableBucketPolicySample {
public static void main(String[] args) throws Exception {
String region = "cn-hangzhou";
String tableBucketARN = "acs:osstables:cn-hangzhou:1234567890:bucket/mytablebucket";
try (OSSTablesClient client = OSSTablesClient.newBuilder()
.credentialsProvider(new EnvironmentVariableCredentialsProvider())
.region(region)
.build()) {
GetTableBucketPolicyRequest request = GetTableBucketPolicyRequest.newBuilder()
.tableBucketARN(tableBucketARN)
.build();
GetTableBucketPolicyResult result = client.getTableBucketPolicy(request);
System.out.printf("Status code:%d, request id:%s%n",
result.statusCode(), result.requestId());
System.out.printf("Retrieved policy for table bucket: %s%n", tableBucketARN);
if (result.resourcePolicy() != null) {
System.out.printf("Policy: %s%n", result.resourcePolicy());
} else {
System.out.println("No policy set for this table bucket.");
}
} catch (Exception e) {
System.out.println("Error: " + e.getMessage());
}
}
}Delete the resource policy for a Table Bucket (DeleteTableBucketPolicy)
import com.aliyun.sdk.service.oss2.credentials.EnvironmentVariableCredentialsProvider;
import com.aliyun.sdk.service.oss2.tables.OSSTablesClient;
import com.aliyun.sdk.service.oss2.tables.models.*;
public class DeleteTableBucketPolicySample {
public static void main(String[] args) throws Exception {
String region = "cn-hangzhou";
String tableBucketARN = "acs:osstables:cn-hangzhou:1234567890:bucket/mytablebucket";
try (OSSTablesClient client = OSSTablesClient.newBuilder()
.credentialsProvider(new EnvironmentVariableCredentialsProvider())
.region(region)
.build()) {
DeleteTableBucketPolicyRequest request = DeleteTableBucketPolicyRequest.newBuilder()
.tableBucketARN(tableBucketARN)
.build();
DeleteTableBucketPolicyResult result = client.deleteTableBucketPolicy(request);
System.out.printf("Status code:%d, request id:%s%n",
result.statusCode(), result.requestId());
System.out.printf("Successfully deleted policy for table bucket ARN: %s%n", tableBucketARN);
} catch (Exception e) {
System.out.println("Error: " + e.getMessage());
}
}
}API
Set the resource policy for a Table Bucket: PutTableBucketPolicy
Get the resource policy for a Table Bucket: GetTableBucketPolicy
Delete the resource policy for a Table Bucket: DeleteTableBucketPolicy
Table-level policy
A table-level resource policy controls access to a single table.
Console
You can configure a table policy in the OSS console. You can create policies by using a visual editor or by entering JSON.
Log on to the OSS console. In the left-side navigation pane, select Table Bucket List.
Click the name of the target Table Bucket to open its details page.
Select the Table List tab, and then click the target table name to open its details page.
Under Access Control > Table Policy, click Add Authorization.
Select Add using visual editor or Add as JSON.
Configure the following parameters:
Resource: Select the resources to authorize.
Action: Select the actions to allow or deny.
Condition: Specify the conditions for the policy (optional).
Principal: Specify the principal to which the policy applies.
Effect: Select Allow or Deny.
Click OK.
After you complete the configuration, you can view the policy in the authorization list. The list displays information such as the resource, action, condition, principal, and effect. You can also edit or delete the policy in the Actions column.
Ossutil
# Set the resource policy for a table
ossutil tables-api put-table-policy --table-bucket-arn acs:osstables:cn-hangzhou:1234567890:bucket/mytablebucket --namespace mynamespace --name mytable --resource-policy '{"Version":"1","Statement":[{"Effect":"Allow","Action":["oss:GetTable","oss:CreateTable","oss:DeleteTable"],"Principal":["1142323451******"],"Resource":["acs:osstables:cn-hangzhou:1234567890:bucket/mytablebucket/table/c3a22d63-xxxx-xxxx-xxxx-xxxxxxxxxxxx"]}]}'
# Get the resource policy for a table
ossutil tables-api get-table-policy --table-bucket-arn acs:osstables:cn-hangzhou:1234567890:bucket/mytablebucket --namespace mynamespace --name mytable
# Delete the resource policy for a table
ossutil tables-api delete-table-policy --table-bucket-arn acs:osstables:cn-hangzhou:1234567890:bucket/mytablebucket --namespace mynamespace --name mytableSDK
Python
Set the resource policy for a table (PutTablePolicy)
import argparse
import alibabacloud_oss_v2 as oss
import alibabacloud_oss_v2.tables as oss_tables
parser = argparse.ArgumentParser(description="put table policy sample")
parser.add_argument('--region', help='The region in which the table bucket is located.', required=True)
parser.add_argument('--endpoint', help='The endpoint for accessing OSS Tables.')
parser.add_argument('--table-bucket-arn', help='The ARN of the table bucket.', required=True)
parser.add_argument('--namespace', help='The namespace of the table.', required=True)
parser.add_argument('--name', help='The name of the table.', required=True)
parser.add_argument('--policy', help='The resource policy JSON string.', required=True)
def main():
args = parser.parse_args()
credentials_provider = oss.credentials.EnvironmentVariableCredentialsProvider()
cfg = oss.config.load_default()
cfg.credentials_provider = credentials_provider
cfg.region = args.region
if args.endpoint is not None:
cfg.endpoint = args.endpoint
client = oss_tables.Client(cfg)
result = client.put_table_policy(oss_tables.models.PutTablePolicyRequest(
table_bucket_arn=args.table_bucket_arn,
namespace=args.namespace,
name=args.name,
resource_policy=args.policy,
))
print(f'status code: {result.status_code},'
f' request id: {result.request_id}')
print(f'successfully set policy for: {args.namespace}/{args.name}')
if __name__ == "__main__":
main()Get the resource policy for a table (GetTablePolicy)
import argparse
import alibabacloud_oss_v2 as oss
import alibabacloud_oss_v2.tables as oss_tables
parser = argparse.ArgumentParser(description="get table policy sample")
parser.add_argument('--region', help='The region in which the table bucket is located.', required=True)
parser.add_argument('--endpoint', help='The endpoint for accessing OSS Tables.')
parser.add_argument('--table-bucket-arn', help='The ARN of the table bucket.', required=True)
parser.add_argument('--namespace', help='The namespace of the table.', required=True)
parser.add_argument('--name', help='The name of the table.', required=True)
def main():
args = parser.parse_args()
credentials_provider = oss.credentials.EnvironmentVariableCredentialsProvider()
cfg = oss.config.load_default()
cfg.credentials_provider = credentials_provider
cfg.region = args.region
if args.endpoint is not None:
cfg.endpoint = args.endpoint
client = oss_tables.Client(cfg)
result = client.get_table_policy(oss_tables.models.GetTablePolicyRequest(
table_bucket_arn=args.table_bucket_arn,
namespace=args.namespace,
name=args.name,
))
print(f'status code: {result.status_code},'
f' request id: {result.request_id},'
f' resource policy: {result.resource_policy}')
if __name__ == "__main__":
main()Delete the resource policy for a table (DeleteTablePolicy)
import argparse
import alibabacloud_oss_v2 as oss
import alibabacloud_oss_v2.tables as oss_tables
parser = argparse.ArgumentParser(description="delete table policy sample")
parser.add_argument('--region', help='The region in which the table bucket is located.', required=True)
parser.add_argument('--endpoint', help='The endpoint for accessing OSS Tables.')
parser.add_argument('--table-bucket-arn', help='The ARN of the table bucket.', required=True)
parser.add_argument('--namespace', help='The namespace of the table.', required=True)
parser.add_argument('--name', help='The name of the table.', required=True)
def main():
args = parser.parse_args()
credentials_provider = oss.credentials.EnvironmentVariableCredentialsProvider()
cfg = oss.config.load_default()
cfg.credentials_provider = credentials_provider
cfg.region = args.region
if args.endpoint is not None:
cfg.endpoint = args.endpoint
client = oss_tables.Client(cfg)
result = client.delete_table_policy(oss_tables.models.DeleteTablePolicyRequest(
table_bucket_arn=args.table_bucket_arn,
namespace=args.namespace,
name=args.name,
))
print(f'status code: {result.status_code},'
f' request id: {result.request_id}')
print(f'successfully deleted policy for: {args.namespace}/{args.name}')
if __name__ == "__main__":
main()Go
Set the resource policy for a table (PutTablePolicy)
package main
import (
"context"
"flag"
"log"
"github.com/aliyun/alibabacloud-oss-go-sdk-v2/oss"
"github.com/aliyun/alibabacloud-oss-go-sdk-v2/oss/credentials"
"github.com/aliyun/alibabacloud-oss-go-sdk-v2/oss/tables"
)
var (
region string
tableBucketArn string
namespace string
name string
)
func init() {
flag.StringVar(®ion, "region", "", "The region in which the bucket is located.")
flag.StringVar(&tableBucketArn, "table-bucket-arn", "", "The ARN of the Table Bucket.")
flag.StringVar(&namespace, "namespace", "", "The name of the namespace.")
flag.StringVar(&name, "name", "", "The name of the table.")
}
func main() {
flag.Parse()
if len(tableBucketArn) == 0 {
flag.PrintDefaults()
log.Fatalf("invalid parameters, table bucket arn required")
}
if len(namespace) == 0 {
flag.PrintDefaults()
log.Fatalf("invalid parameters, namespace name required")
}
if len(name) == 0 {
flag.PrintDefaults()
log.Fatalf("invalid parameters, table name required")
}
if len(region) == 0 {
flag.PrintDefaults()
log.Fatalf("invalid parameters, region required")
}
cfg := oss.LoadDefaultConfig().
WithCredentialsProvider(credentials.NewEnvironmentVariableCredentialsProvider()).
WithRegion(region)
client := tables.NewTablesClient(cfg)
result, err := client.PutTablePolicy(context.TODO(), &tables.PutTablePolicyRequest{
TableBucketARN: oss.Ptr(tableBucketArn),
Namespace: oss.Ptr(namespace),
Name: oss.Ptr(name),
ResourcePolicy: oss.Ptr(`
{
"Version":"1",
"Statement":[
{
"Action":[
"oss:GetTable"
],
"Effect":"Deny",
"Principal":["1234567890"],
"Resource":["acs:osstable:cn-hangzhou:1234567890:bucket/demo-bucket/table/*"]
}
]
}
`),
})
if err != nil {
log.Fatalf("failed to put table policy %v", err)
}
log.Printf("put table policy result:%#v\n", result)
}Get the resource policy for a table (GetTablePolicy)
package main
import (
"context"
"flag"
"log"
"github.com/aliyun/alibabacloud-oss-go-sdk-v2/oss"
"github.com/aliyun/alibabacloud-oss-go-sdk-v2/oss/credentials"
"github.com/aliyun/alibabacloud-oss-go-sdk-v2/oss/tables"
)
var (
region string
tableBucketArn string
namespace string
name string
)
func init() {
flag.StringVar(®ion, "region", "", "The region in which the bucket is located.")
flag.StringVar(&tableBucketArn, "table-bucket-arn", "", "The ARN of the Table Bucket.")
flag.StringVar(&namespace, "namespace", "", "The name of the namespace.")
flag.StringVar(&name, "name", "", "The name of the table.")
}
func main() {
flag.Parse()
if len(tableBucketArn) == 0 {
flag.PrintDefaults()
log.Fatalf("invalid parameters, table bucket arn required")
}
if len(namespace) == 0 {
flag.PrintDefaults()
log.Fatalf("invalid parameters, namespace name required")
}
if len(name) == 0 {
flag.PrintDefaults()
log.Fatalf("invalid parameters, table name required")
}
if len(region) == 0 {
flag.PrintDefaults()
log.Fatalf("invalid parameters, region required")
}
cfg := oss.LoadDefaultConfig().
WithCredentialsProvider(credentials.NewEnvironmentVariableCredentialsProvider()).
WithRegion(region)
client := tables.NewTablesClient(cfg)
result, err := client.GetTablePolicy(context.TODO(), &tables.GetTablePolicyRequest{
TableBucketARN: oss.Ptr(tableBucketArn),
Namespace: oss.Ptr(namespace),
Name: oss.Ptr(name),
})
if err != nil {
log.Fatalf("failed to get table policy %v", err)
}
log.Printf("get table policy result:%#v\n", result)
}Delete the resource policy for a table (DeleteTablePolicy)
package main
import (
"context"
"flag"
"log"
"github.com/aliyun/alibabacloud-oss-go-sdk-v2/oss"
"github.com/aliyun/alibabacloud-oss-go-sdk-v2/oss/credentials"
"github.com/aliyun/alibabacloud-oss-go-sdk-v2/oss/tables"
)
var (
region string
tableBucketArn string
namespace string
name string
)
func init() {
flag.StringVar(®ion, "region", "", "The region in which the bucket is located.")
flag.StringVar(&tableBucketArn, "table-bucket-arn", "", "The ARN of the Table Bucket.")
flag.StringVar(&namespace, "namespace", "", "The name of the namespace.")
flag.StringVar(&name, "name", "", "The name of the table.")
}
func main() {
flag.Parse()
if len(tableBucketArn) == 0 {
flag.PrintDefaults()
log.Fatalf("invalid parameters, table bucket arn required")
}
if len(namespace) == 0 {
flag.PrintDefaults()
log.Fatalf("invalid parameters, namespace name required")
}
if len(name) == 0 {
flag.PrintDefaults()
log.Fatalf("invalid parameters, table name required")
}
if len(region) == 0 {
flag.PrintDefaults()
log.Fatalf("invalid parameters, region required")
}
cfg := oss.LoadDefaultConfig().
WithCredentialsProvider(credentials.NewEnvironmentVariableCredentialsProvider()).
WithRegion(region)
client := tables.NewTablesClient(cfg)
result, err := client.DeleteTablePolicy(context.TODO(), &tables.DeleteTablePolicyRequest{
TableBucketARN: oss.Ptr(tableBucketArn),
Namespace: oss.Ptr(namespace),
Name: oss.Ptr(name),
})
if err != nil {
log.Fatalf("failed to delete table policy %v", err)
}
log.Printf("delete table policy result:%#v\n", result)
}Java
Set the resource policy for a table (PutTablePolicy)
import com.aliyun.sdk.service.oss2.credentials.EnvironmentVariableCredentialsProvider;
import com.aliyun.sdk.service.oss2.tables.OSSTablesClient;
import com.aliyun.sdk.service.oss2.tables.models.*;
public class PutTablePolicySample {
public static void main(String[] args) throws Exception {
String region = "cn-hangzhou";
String tableBucketARN = "acs:osstables:cn-hangzhou:1234567890:bucket/mytablebucket";
String namespace = "mynamespace";
String name = "mytable";
String resourcePolicy = "{\"Version\":\"1\",\"Statement\":[{\"Effect\":\"Deny\",\"Action\":[\"oss:GetTable\"],\"Principal\":[\"1234567890\"],\"Resource\":[\"acs:osstables:cn-hangzhou:1234567890:bucket/demo-bucket/table/*\"]}]}";
try (OSSTablesClient client = OSSTablesClient.newBuilder()
.credentialsProvider(new EnvironmentVariableCredentialsProvider())
.region(region)
.build()) {
PutTablePolicyRequest request = PutTablePolicyRequest.newBuilder()
.tableBucketARN(tableBucketARN)
.namespace(namespace)
.name(name)
.resourcePolicy(resourcePolicy)
.build();
PutTablePolicyResult result = client.putTablePolicy(request);
System.out.printf("Status code:%d, request id:%s%n",
result.statusCode(), result.requestId());
System.out.printf("Successfully put table policy for table: %s/%s%n", namespace, name);
} catch (Exception e) {
System.out.println("Error: " + e.getMessage());
}
}
}Get the resource policy for a table (GetTablePolicy)
import com.aliyun.sdk.service.oss2.credentials.EnvironmentVariableCredentialsProvider;
import com.aliyun.sdk.service.oss2.tables.OSSTablesClient;
import com.aliyun.sdk.service.oss2.tables.models.*;
public class GetTablePolicySample {
public static void main(String[] args) throws Exception {
String region = "cn-hangzhou";
String tableBucketARN = "acs:osstables:cn-hangzhou:1234567890:bucket/mytablebucket";
String namespace = "mynamespace";
String name = "mytable";
try (OSSTablesClient client = OSSTablesClient.newBuilder()
.credentialsProvider(new EnvironmentVariableCredentialsProvider())
.region(region)
.build()) {
GetTablePolicyRequest request = GetTablePolicyRequest.newBuilder()
.tableBucketARN(tableBucketARN)
.namespace(namespace)
.name(name)
.build();
GetTablePolicyResult result = client.getTablePolicy(request);
System.out.printf("Status code:%d, request id:%s%n",
result.statusCode(), result.requestId());
System.out.printf("Resource policy: %s%n", result.resourcePolicy());
} catch (Exception e) {
System.out.println("Error: " + e.getMessage());
}
}
}Delete the resource policy for a table (DeleteTablePolicy)
import com.aliyun.sdk.service.oss2.credentials.EnvironmentVariableCredentialsProvider;
import com.aliyun.sdk.service.oss2.tables.OSSTablesClient;
import com.aliyun.sdk.service.oss2.tables.models.*;
public class DeleteTablePolicySample {
public static void main(String[] args) throws Exception {
String region = "cn-hangzhou";
String tableBucketARN = "acs:osstables:cn-hangzhou:1234567890:bucket/mytablebucket";
String namespace = "mynamespace";
String name = "mytable";
try (OSSTablesClient client = OSSTablesClient.newBuilder()
.credentialsProvider(new EnvironmentVariableCredentialsProvider())
.region(region)
.build()) {
DeleteTablePolicyRequest request = DeleteTablePolicyRequest.newBuilder()
.tableBucketARN(tableBucketARN)
.namespace(namespace)
.name(name)
.build();
DeleteTablePolicyResult result = client.deleteTablePolicy(request);
System.out.printf("Status code:%d, request id:%s%n",
result.statusCode(), result.requestId());
System.out.printf("Successfully deleted table policy for table: %s/%s%n", namespace, name);
} catch (Exception e) {
System.out.println("Error: " + e.getMessage());
}
}
}API
Set the resource policy for a table: PutTablePolicy
Get the resource policy for a table: GetTablePolicy
Delete the resource policy for a table: DeleteTablePolicy
RAM access control
Use RAM (Resource Access Management) to grant OSS Tables permissions to RAM users or roles. RAM policies use the standard IAM policy syntax. In the RAM console, you can attach custom policies to users, user groups, or roles.
Log on to the OSS console. In the navigation pane on the left, choose Table Bucket List.
Click the name of the target Table Bucket to open its details page.
Choose the Access Control tab, and then click the RAM subtab.
On the RAM access control page, click Go to RAM Console. In the RAM console, do the following:
Create a custom policy: On the policy management page in the RAM console, create a custom policy and specify the actions and resources for OSS Tables in the policy document.
Grant permissions to a user or role: Attach the policy to a RAM user, user group, or role.
RAM policy examples
The following examples show common RAM policies.
Grant read-only permissions for a Table Bucket
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"oss:GetTableBucket",
"oss:ListTableBuckets",
"oss:ListNamespaces",
"oss:GetNamespace",
"oss:ListTables",
"oss:GetTable",
"oss:GetTableData",
"oss:GetTablePolicy",
"oss:GetTableBucketPolicy",
"oss:GetTableMaintenanceConfiguration",
"oss:GetTableBucketMaintenanceConfiguration",
"oss:GetTableEncryption",
"oss:GetTableBucketEncryption",
"oss:GetTableMetadataLocation"
],
"Resource": [
"acs:osstables:cn-hangzhou:*:bucket/my-table-bucket",
"acs:osstables:cn-hangzhou:*:bucket/my-table-bucket/*"
]
}
]
}Grant full management permissions for a specific Table Bucket
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": "oss:*",
"Resource": [
"acs:osstables:cn-hangzhou:*:bucket/my-table-bucket",
"acs:osstables:cn-hangzhou:*:bucket/my-table-bucket/*"
]
}
]
} Policy syntax
Resource policies for OSS Tables follow the IAM policy format. A policy is a JSON document with the following fields:
Parameter | Type | Required | Value | Description |
Version | String | Yes | 1 | Specifies the policy language version. The value must be "1". |
Statement | Array | Yes | — | Contains a list of statements. Each statement defines a permission rule. |
Effect | String | Yes | Allow / Deny | Specifies whether the statement grants or denies permission. Valid values are |
Action | Array | Yes | oss:* | A list of actions that the statement allows or denies. Wildcards (*) are supported. For example, |
Principal | Array | Yes | Account ID | Specifies the principal that the permissions apply to. Specify one or more Alibaba Cloud Account IDs. |
Resource | Array | Yes | ARN | A list of ARNs identifying the resources to which this statement applies. Wildcards (*) are supported. |
Condition | Object | No | — | Specifies the conditions under which the statement is effective. For example, you can restrict access based on the requester's IP address. This element uses the standard IAM |
Actions
The following table lists all actions supported by OSS Tables.
Resource level | Action | Description | Cross-account access |
Table Bucket level | oss:CreateTableBucket | Creates a Table Bucket. | Not Allowed |
oss:GetTableBucket | Gets information about a Table Bucket. | Allowed | |
oss:ListTableBuckets | Lists all Table Buckets owned by the requester. | Not Allowed | |
oss:DeleteTableBucket | Deletes a Table Bucket. | Allowed | |
oss:CreateNamespace | Creates a namespace. | Allowed | |
oss:DeleteNamespace | Deletes a namespace. | Allowed | |
oss:ListNamespaces | Lists all namespaces in a Table Bucket. | Allowed | |
oss:GetNamespace | Gets information about a namespace. | Allowed | |
oss:PutTableBucketPolicy | Sets the resource policy for a Table Bucket. | Not Allowed | |
oss:GetTableBucketPolicy | Gets the resource policy of a Table Bucket. | Not Allowed | |
oss:DeleteTableBucketPolicy | Deletes the resource policy of a Table Bucket. | Not Allowed | |
oss:GetTableBucketMaintenanceConfiguration | Gets the automatic maintenance configuration of a Table Bucket. | Allowed | |
oss:PutTableBucketMaintenanceConfiguration | Sets the automatic maintenance configuration for a Table Bucket. | Allowed | |
oss:PutTableBucketEncryption | Sets the encryption configuration for a Table Bucket. | Not Allowed | |
oss:GetTableBucketEncryption | Gets the encryption configuration of a Table Bucket. | Not Allowed | |
oss:DeleteTableBucketEncryption | Deletes the encryption configuration of a Table Bucket. | Not Allowed | |
Table level | oss:GetTableMaintenanceConfiguration | Gets the automatic maintenance configuration of a table. | Allowed |
oss:PutTableMaintenanceConfiguration | Sets the automatic maintenance configuration for a table. | Allowed | |
oss:PutTablePolicy | Sets the resource policy for a table. | Not Allowed | |
oss:GetTablePolicy | Gets the resource policy of a table. | Not Allowed | |
oss:DeleteTablePolicy | Deletes the resource policy of a table. | Not Allowed | |
oss:CreateTable | Creates a table. | Allowed | |
oss:GetTable | Gets information about a table. | Allowed | |
oss:GetTableMetadataLocation | Gets the location of the metadata file for a table. | Allowed | |
oss:ListTables | Lists all tables in a Table Bucket. | Allowed | |
oss:RenameTable | Renames a table. | Allowed | |
oss:UpdateTableMetadataLocation | Updates the location of the metadata file for a table. | Allowed | |
oss:GetTableData | Reads data from a table. | Allowed | |
oss:PutTableData | Writes data to a table. | Allowed | |
oss:GetTableEncryption | Gets the encryption configuration of a table. | Not Allowed | |
oss:PutTableEncryption | Sets the encryption configuration for a table. | Not Allowed | |
oss:DeleteTable | Deletes a table. | Allowed |
Resource ARN format
OSS Tables identifies resources using the following Alibaba Cloud Resource Name (ARN) format:
Resource level | Format | Example |
Table Bucket |
|
|
Table |
|
|