Permissions and access control

更新时间:
复制 MD 格式

OSS Tables provides access control using resource policies based on the IAM Policy format. You can set these policies at the table bucket and table levels for fine-grained permission management.

Permission model

OSS Tables controls access using resource policies that follow the IAM policy format.

  • IAM policy format: Resource policies use the same IAM policy format as RAM policies and include standard fields such as Version, Statement, Effect, Action, Principal, and Resource.

  • Dual-level granularity: You can set resource policies at both the table bucket and table levels. A policy at the table bucket level applies to all tables within the bucket, while a policy at the table level applies only to the specified table.

  • Management: You can manage bucket authorization policies and RAM access control on the Access Control tab of the table bucket details page. This tab contains two subtabs: Bucket Authorization Policy and RAM Access Control.

  • Resource authorization: For table-related requests, both the table bucket policy and the table policy determine the final authorization result:

    Table bucket policy

    Table policy

    Authorization result

    Allow

    Allow

    Allow

    Allow

    Ignore

    Allow

    Allow

    Deny

    Deny

    Ignore

    Allow

    Allow

    Ignore

    Ignore

    Ignore

    Ignore

    Deny

    Deny

    Deny

    Allow

    Deny

    Deny

    Ignore

    Deny

    Deny

    Deny

    Deny

Bucket policy

Resource policies can be defined at two levels of granularity: Table Bucket and table.

Table bucket-level policy

A Table Bucket-level resource policy controls access to an entire Table Bucket and all the tables within it. The policy applies to all tables in the Table Bucket.

Console

You can configure a bucket policy in the OSS console. You can create policies by using a visual editor or by entering JSON.

  1. Log on to the OSS console. In the left-side navigation pane, select Table Bucket List.

  2. Click the name of the target Table Bucket to open its details page.

  3. Select the Access Control tab.

  4. On the Bucket Policy subtab, click Add Authorization.

  5. Select Add using visual editor or Add as JSON.

  6. Configure the following parameters:

    • Resource: Select the resources to authorize.

    • Action: Select the actions to allow or deny.

    • Condition: Specify the conditions for the policy (optional).

    • Principal: Specify the principal to which the policy applies.

    • Effect: Select Allow or Deny.

  7. Click OK.

After you complete the configuration, you can view the policy in the authorization list. The list displays information such as the resource, action, condition, principal, and effect. You can also edit or delete the policy in the Actions column.

Ossutil

# Set the resource policy for a Table Bucket
ossutil tables-api put-table-bucket-policy --table-bucket-arn acs:osstables:cn-hangzhou:1234567890:bucket/mytablebucket --resource-policy '{"Version":"1","Statement":[{"Effect":"Allow","Action":["oss:GetTableBucket","oss:ListTables","oss:GetTable"],"Principal":["1142323451******"],"Resource":["acs:osstables:cn-hangzhou:1234567890:bucket/mytablebucket"]}]}'

# Get the resource policy for a Table Bucket
ossutil tables-api get-table-bucket-policy --table-bucket-arn acs:osstables:cn-hangzhou:1234567890:bucket/mytablebucket

# Delete the resource policy for a Table Bucket
ossutil tables-api delete-table-bucket-policy --table-bucket-arn acs:osstables:cn-hangzhou:1234567890:bucket/mytablebucket

SDK

Python

Set the resource policy for a Table Bucket (PutTableBucketPolicy)

import argparse
import json
import alibabacloud_oss_v2 as oss
import alibabacloud_oss_v2.tables as oss_tables

parser = argparse.ArgumentParser(description="put table bucket policy sample")
parser.add_argument('--region', help='The region in which the table bucket is located.', required=True)
parser.add_argument('--endpoint', help='The endpoint for accessing OSS Tables.')
parser.add_argument('--table-bucket-arn', help='The ARN of the table bucket.', required=True)
parser.add_argument('--policy', help='The resource policy JSON string.', required=True)

def main():
    args = parser.parse_args()

    credentials_provider = oss.credentials.EnvironmentVariableCredentialsProvider()

    cfg = oss.config.load_default()
    cfg.credentials_provider = credentials_provider
    cfg.region = args.region
    if args.endpoint is not None:
        cfg.endpoint = args.endpoint

    client = oss_tables.Client(cfg)

    result = client.put_table_bucket_policy(oss_tables.models.PutTableBucketPolicyRequest(
        table_bucket_arn=args.table_bucket_arn,
        resource_policy=args.policy,
    ))

    print(f'status code: {result.status_code},'
          f' request id: {result.request_id}')
    print(f'successfully set policy for: {args.table_bucket_arn}')


if __name__ == "__main__":
    main()

Get the resource policy for a Table Bucket (GetTableBucketPolicy)

import argparse
import alibabacloud_oss_v2 as oss
import alibabacloud_oss_v2.tables as oss_tables

parser = argparse.ArgumentParser(description="get table bucket policy sample")
parser.add_argument('--region', help='The region in which the table bucket is located.', required=True)
parser.add_argument('--endpoint', help='The endpoint for accessing OSS Tables.')
parser.add_argument('--table-bucket-arn', help='The ARN of the table bucket.', required=True)

def main():
    args = parser.parse_args()

    credentials_provider = oss.credentials.EnvironmentVariableCredentialsProvider()

    cfg = oss.config.load_default()
    cfg.credentials_provider = credentials_provider
    cfg.region = args.region
    if args.endpoint is not None:
        cfg.endpoint = args.endpoint

    client = oss_tables.Client(cfg)

    result = client.get_table_bucket_policy(oss_tables.models.GetTableBucketPolicyRequest(
        table_bucket_arn=args.table_bucket_arn,
    ))

    print(f'status code: {result.status_code},'
          f' request id: {result.request_id},'
          f' resource policy: {result.resource_policy}')


if __name__ == "__main__":
    main()

Delete the resource policy for a Table Bucket (DeleteTableBucketPolicy)

import argparse
import alibabacloud_oss_v2 as oss
import alibabacloud_oss_v2.tables as oss_tables

parser = argparse.ArgumentParser(description="delete table bucket policy sample")
parser.add_argument('--region', help='The region in which the table bucket is located.', required=True)
parser.add_argument('--endpoint', help='The endpoint for accessing OSS Tables.')
parser.add_argument('--table-bucket-arn', help='The ARN of the table bucket.', required=True)

def main():
    args = parser.parse_args()

    credentials_provider = oss.credentials.EnvironmentVariableCredentialsProvider()

    cfg = oss.config.load_default()
    cfg.credentials_provider = credentials_provider
    cfg.region = args.region
    if args.endpoint is not None:
        cfg.endpoint = args.endpoint

    client = oss_tables.Client(cfg)

    result = client.delete_table_bucket_policy(oss_tables.models.DeleteTableBucketPolicyRequest(
        table_bucket_arn=args.table_bucket_arn,
    ))

    print(f'status code: {result.status_code},'
          f' request id: {result.request_id}')
    print(f'successfully deleted policy for: {args.table_bucket_arn}')


if __name__ == "__main__":
    main()

Go

Set the resource policy for a Table Bucket (PutTableBucketPolicy)

package main

import (
	"context"
	"flag"
	"log"

	"github.com/aliyun/alibabacloud-oss-go-sdk-v2/oss"
	"github.com/aliyun/alibabacloud-oss-go-sdk-v2/oss/credentials"
	"github.com/aliyun/alibabacloud-oss-go-sdk-v2/oss/tables"
)

var (
	region         string
	tableBucketArn string
)

func init() {
	flag.StringVar(&region, "region", "", "The region in which the bucket is located.")
	flag.StringVar(&tableBucketArn, "table-bucket-arn", "", "The ARN of the Table Bucket.")
}

func main() {
	flag.Parse()
	if len(tableBucketArn) == 0 {
		flag.PrintDefaults()
		log.Fatalf("invalid parameters, table bucket arn required")
	}

	if len(region) == 0 {
		flag.PrintDefaults()
		log.Fatalf("invalid parameters, region required")
	}

	cfg := oss.LoadDefaultConfig().
		WithCredentialsProvider(credentials.NewEnvironmentVariableCredentialsProvider()).
		WithRegion(region)

	client := tables.NewTablesClient(cfg)

	result, err := client.PutTableBucketPolicy(context.TODO(), &tables.PutTableBucketPolicyRequest{
		TableBucketARN: oss.Ptr(tableBucketArn),
		ResourcePolicy: oss.Ptr(`
			{
			   "Version":"1",
			   "Statement":[
			   {
				 "Action":[
				   "oss:GetTable",
				],
				"Effect":"Deny",
				"Principal":["1234567890"],
				"Resource":["acs:osstables:cn-hangzhou:1234567890:bucket/demo-bucket"]
			   }
			  ]
			 }
		`),
	})

	if err != nil {
		log.Fatalf("failed to put table bucket policy %v", err)
	}

	log.Printf("put table bucket policy result:%#v\n", result)
}

Get the resource policy for a Table Bucket (GetTableBucketPolicy)

package main

import (
	"context"
	"flag"
	"log"

	"github.com/aliyun/alibabacloud-oss-go-sdk-v2/oss"
	"github.com/aliyun/alibabacloud-oss-go-sdk-v2/oss/credentials"
	"github.com/aliyun/alibabacloud-oss-go-sdk-v2/oss/tables"
)

var (
	region         string
	tableBucketArn string
)

func init() {
	flag.StringVar(&region, "region", "", "The region in which the bucket is located.")
	flag.StringVar(&tableBucketArn, "table-bucket-arn", "", "The ARN of the Table Bucket.")
}

func main() {
	flag.Parse()
	if len(tableBucketArn) == 0 {
		flag.PrintDefaults()
		log.Fatalf("invalid parameters, table bucket arn required")
	}

	if len(region) == 0 {
		flag.PrintDefaults()
		log.Fatalf("invalid parameters, region required")
	}

	cfg := oss.LoadDefaultConfig().
		WithCredentialsProvider(credentials.NewEnvironmentVariableCredentialsProvider()).
		WithRegion(region)

	client := tables.NewTablesClient(cfg)

	result, err := client.GetTableBucketPolicy(context.TODO(), &tables.GetTableBucketPolicyRequest{
		TableBucketARN: oss.Ptr(tableBucketArn),
	})

	if err != nil {
		log.Fatalf("failed to get table bucket policy %v", err)
	}

	log.Printf("get table bucket policy result:%#v\n", result)
}

Delete the resource policy for a Table Bucket (DeleteTableBucketPolicy)

package main

import (
	"context"
	"flag"
	"log"

	"github.com/aliyun/alibabacloud-oss-go-sdk-v2/oss"
	"github.com/aliyun/alibabacloud-oss-go-sdk-v2/oss/credentials"
	"github.com/aliyun/alibabacloud-oss-go-sdk-v2/oss/tables"
)

var (
	region         string
	tableBucketArn string
)

func init() {
	flag.StringVar(&region, "region", "", "The region in which the bucket is located.")
	flag.StringVar(&tableBucketArn, "table-bucket-arn", "", "The ARN of the Table Bucket.")
}

func main() {
	flag.Parse()
	if len(tableBucketArn) == 0 {
		flag.PrintDefaults()
		log.Fatalf("invalid parameters, table bucket arn required")
	}

	if len(region) == 0 {
		flag.PrintDefaults()
		log.Fatalf("invalid parameters, region required")
	}

	cfg := oss.LoadDefaultConfig().
		WithCredentialsProvider(credentials.NewEnvironmentVariableCredentialsProvider()).
		WithRegion(region)

	client := tables.NewTablesClient(cfg)

	result, err := client.DeleteTableBucketPolicy(context.TODO(), &tables.DeleteTableBucketPolicyRequest{
		TableBucketARN: oss.Ptr(tableBucketArn),
	})

	if err != nil {
		log.Fatalf("failed to delete table bucket policy %v", err)
	}

	log.Printf("delete table bucket policy result:%#v\n", result)
}

Java

Set the resource policy for a Table Bucket (PutTableBucketPolicy)

import com.aliyun.sdk.service.oss2.credentials.EnvironmentVariableCredentialsProvider;
import com.aliyun.sdk.service.oss2.tables.OSSTablesClient;
import com.aliyun.sdk.service.oss2.tables.models.*;

public class PutTableBucketPolicySample {

    public static void main(String[] args) throws Exception {
        String region = "cn-hangzhou";
        String tableBucketARN = "acs:osstables:cn-hangzhou:1234567890:bucket/mytablebucket";
        String resourcePolicy = "{\"Version\":\"1\",\"Statement\":[{\"Effect\":\"Deny\",\"Action\":[\"oss:GetTable\"],\"Principal\":[\"1234567890\"],\"Resource\":[\"acs:osstables:cn-hangzhou:1234567890:bucket/demo-bucket/table/*\"]}]}";

        try (OSSTablesClient client = OSSTablesClient.newBuilder()
                .credentialsProvider(new EnvironmentVariableCredentialsProvider())
                .region(region)
                .build()) {
            PutTableBucketPolicyRequest request = PutTableBucketPolicyRequest.newBuilder()
                    .tableBucketARN(tableBucketARN)
                    .resourcePolicy(resourcePolicy)
                    .build();

            PutTableBucketPolicyResult result = client.putTableBucketPolicy(request);

            System.out.printf("Status code:%d, request id:%s%n",
                    result.statusCode(), result.requestId());
            System.out.printf("Successfully updated table bucket policy for ARN: %s%n", tableBucketARN);
        } catch (Exception e) {
            System.out.println("Error: " + e.getMessage());
        }
    }
}

Get the resource policy for a Table Bucket (GetTableBucketPolicy)

import com.aliyun.sdk.service.oss2.credentials.EnvironmentVariableCredentialsProvider;
import com.aliyun.sdk.service.oss2.tables.OSSTablesClient;
import com.aliyun.sdk.service.oss2.tables.models.*;

public class GetTableBucketPolicySample {

    public static void main(String[] args) throws Exception {
        String region = "cn-hangzhou";
        String tableBucketARN = "acs:osstables:cn-hangzhou:1234567890:bucket/mytablebucket";

        try (OSSTablesClient client = OSSTablesClient.newBuilder()
                .credentialsProvider(new EnvironmentVariableCredentialsProvider())
                .region(region)
                .build()) {
            GetTableBucketPolicyRequest request = GetTableBucketPolicyRequest.newBuilder()
                    .tableBucketARN(tableBucketARN)
                    .build();

            GetTableBucketPolicyResult result = client.getTableBucketPolicy(request);

            System.out.printf("Status code:%d, request id:%s%n",
                    result.statusCode(), result.requestId());
            System.out.printf("Retrieved policy for table bucket: %s%n", tableBucketARN);
            if (result.resourcePolicy() != null) {
                System.out.printf("Policy: %s%n", result.resourcePolicy());
            } else {
                System.out.println("No policy set for this table bucket.");
            }
        } catch (Exception e) {
            System.out.println("Error: " + e.getMessage());
        }
    }
}

Delete the resource policy for a Table Bucket (DeleteTableBucketPolicy)

import com.aliyun.sdk.service.oss2.credentials.EnvironmentVariableCredentialsProvider;
import com.aliyun.sdk.service.oss2.tables.OSSTablesClient;
import com.aliyun.sdk.service.oss2.tables.models.*;

public class DeleteTableBucketPolicySample {

    public static void main(String[] args) throws Exception {
        String region = "cn-hangzhou";
        String tableBucketARN = "acs:osstables:cn-hangzhou:1234567890:bucket/mytablebucket";

        try (OSSTablesClient client = OSSTablesClient.newBuilder()
                .credentialsProvider(new EnvironmentVariableCredentialsProvider())
                .region(region)
                .build()) {
            DeleteTableBucketPolicyRequest request = DeleteTableBucketPolicyRequest.newBuilder()
                    .tableBucketARN(tableBucketARN)
                    .build();

            DeleteTableBucketPolicyResult result = client.deleteTableBucketPolicy(request);

            System.out.printf("Status code:%d, request id:%s%n",
                    result.statusCode(), result.requestId());
            System.out.printf("Successfully deleted policy for table bucket ARN: %s%n", tableBucketARN);
        } catch (Exception e) {
            System.out.println("Error: " + e.getMessage());
        }
    }
}

API

Table-level policy

A table-level resource policy controls access to a single table.

Console

You can configure a table policy in the OSS console. You can create policies by using a visual editor or by entering JSON.

  1. Log on to the OSS console. In the left-side navigation pane, select Table Bucket List.

  2. Click the name of the target Table Bucket to open its details page.

  3. Select the Table List tab, and then click the target table name to open its details page.

  4. Under Access Control > Table Policy, click Add Authorization.

  5. Select Add using visual editor or Add as JSON.

  6. Configure the following parameters:

    • Resource: Select the resources to authorize.

    • Action: Select the actions to allow or deny.

    • Condition: Specify the conditions for the policy (optional).

    • Principal: Specify the principal to which the policy applies.

    • Effect: Select Allow or Deny.

  7. Click OK.

After you complete the configuration, you can view the policy in the authorization list. The list displays information such as the resource, action, condition, principal, and effect. You can also edit or delete the policy in the Actions column.

Ossutil

# Set the resource policy for a table
ossutil tables-api put-table-policy --table-bucket-arn acs:osstables:cn-hangzhou:1234567890:bucket/mytablebucket --namespace mynamespace --name mytable --resource-policy '{"Version":"1","Statement":[{"Effect":"Allow","Action":["oss:GetTable","oss:CreateTable","oss:DeleteTable"],"Principal":["1142323451******"],"Resource":["acs:osstables:cn-hangzhou:1234567890:bucket/mytablebucket/table/c3a22d63-xxxx-xxxx-xxxx-xxxxxxxxxxxx"]}]}'

# Get the resource policy for a table
ossutil tables-api get-table-policy --table-bucket-arn acs:osstables:cn-hangzhou:1234567890:bucket/mytablebucket --namespace mynamespace --name mytable

# Delete the resource policy for a table
ossutil tables-api delete-table-policy --table-bucket-arn acs:osstables:cn-hangzhou:1234567890:bucket/mytablebucket --namespace mynamespace --name mytable

SDK

Python

Set the resource policy for a table (PutTablePolicy)

import argparse
import alibabacloud_oss_v2 as oss
import alibabacloud_oss_v2.tables as oss_tables

parser = argparse.ArgumentParser(description="put table policy sample")
parser.add_argument('--region', help='The region in which the table bucket is located.', required=True)
parser.add_argument('--endpoint', help='The endpoint for accessing OSS Tables.')
parser.add_argument('--table-bucket-arn', help='The ARN of the table bucket.', required=True)
parser.add_argument('--namespace', help='The namespace of the table.', required=True)
parser.add_argument('--name', help='The name of the table.', required=True)
parser.add_argument('--policy', help='The resource policy JSON string.', required=True)

def main():
    args = parser.parse_args()

    credentials_provider = oss.credentials.EnvironmentVariableCredentialsProvider()

    cfg = oss.config.load_default()
    cfg.credentials_provider = credentials_provider
    cfg.region = args.region
    if args.endpoint is not None:
        cfg.endpoint = args.endpoint

    client = oss_tables.Client(cfg)

    result = client.put_table_policy(oss_tables.models.PutTablePolicyRequest(
        table_bucket_arn=args.table_bucket_arn,
        namespace=args.namespace,
        name=args.name,
        resource_policy=args.policy,
    ))

    print(f'status code: {result.status_code},'
          f' request id: {result.request_id}')
    print(f'successfully set policy for: {args.namespace}/{args.name}')


if __name__ == "__main__":
    main()

Get the resource policy for a table (GetTablePolicy)

import argparse
import alibabacloud_oss_v2 as oss
import alibabacloud_oss_v2.tables as oss_tables

parser = argparse.ArgumentParser(description="get table policy sample")
parser.add_argument('--region', help='The region in which the table bucket is located.', required=True)
parser.add_argument('--endpoint', help='The endpoint for accessing OSS Tables.')
parser.add_argument('--table-bucket-arn', help='The ARN of the table bucket.', required=True)
parser.add_argument('--namespace', help='The namespace of the table.', required=True)
parser.add_argument('--name', help='The name of the table.', required=True)

def main():
    args = parser.parse_args()

    credentials_provider = oss.credentials.EnvironmentVariableCredentialsProvider()

    cfg = oss.config.load_default()
    cfg.credentials_provider = credentials_provider
    cfg.region = args.region
    if args.endpoint is not None:
        cfg.endpoint = args.endpoint

    client = oss_tables.Client(cfg)

    result = client.get_table_policy(oss_tables.models.GetTablePolicyRequest(
        table_bucket_arn=args.table_bucket_arn,
        namespace=args.namespace,
        name=args.name,
    ))

    print(f'status code: {result.status_code},'
          f' request id: {result.request_id},'
          f' resource policy: {result.resource_policy}')


if __name__ == "__main__":
    main()

Delete the resource policy for a table (DeleteTablePolicy)

import argparse
import alibabacloud_oss_v2 as oss
import alibabacloud_oss_v2.tables as oss_tables

parser = argparse.ArgumentParser(description="delete table policy sample")
parser.add_argument('--region', help='The region in which the table bucket is located.', required=True)
parser.add_argument('--endpoint', help='The endpoint for accessing OSS Tables.')
parser.add_argument('--table-bucket-arn', help='The ARN of the table bucket.', required=True)
parser.add_argument('--namespace', help='The namespace of the table.', required=True)
parser.add_argument('--name', help='The name of the table.', required=True)

def main():
    args = parser.parse_args()

    credentials_provider = oss.credentials.EnvironmentVariableCredentialsProvider()

    cfg = oss.config.load_default()
    cfg.credentials_provider = credentials_provider
    cfg.region = args.region
    if args.endpoint is not None:
        cfg.endpoint = args.endpoint

    client = oss_tables.Client(cfg)

    result = client.delete_table_policy(oss_tables.models.DeleteTablePolicyRequest(
        table_bucket_arn=args.table_bucket_arn,
        namespace=args.namespace,
        name=args.name,
    ))

    print(f'status code: {result.status_code},'
          f' request id: {result.request_id}')
    print(f'successfully deleted policy for: {args.namespace}/{args.name}')


if __name__ == "__main__":
    main()

Go

Set the resource policy for a table (PutTablePolicy)

package main

import (
	"context"
	"flag"
	"log"

	"github.com/aliyun/alibabacloud-oss-go-sdk-v2/oss"
	"github.com/aliyun/alibabacloud-oss-go-sdk-v2/oss/credentials"
	"github.com/aliyun/alibabacloud-oss-go-sdk-v2/oss/tables"
)

var (
	region         string
	tableBucketArn string
	namespace      string
	name           string
)

func init() {
	flag.StringVar(&region, "region", "", "The region in which the bucket is located.")
	flag.StringVar(&tableBucketArn, "table-bucket-arn", "", "The ARN of the Table Bucket.")
	flag.StringVar(&namespace, "namespace", "", "The name of the namespace.")
	flag.StringVar(&name, "name", "", "The name of the table.")
}

func main() {
	flag.Parse()
	if len(tableBucketArn) == 0 {
		flag.PrintDefaults()
		log.Fatalf("invalid parameters, table bucket arn required")
	}

	if len(namespace) == 0 {
		flag.PrintDefaults()
		log.Fatalf("invalid parameters, namespace name required")
	}

	if len(name) == 0 {
		flag.PrintDefaults()
		log.Fatalf("invalid parameters, table name required")
	}

	if len(region) == 0 {
		flag.PrintDefaults()
		log.Fatalf("invalid parameters, region required")
	}

	cfg := oss.LoadDefaultConfig().
		WithCredentialsProvider(credentials.NewEnvironmentVariableCredentialsProvider()).
		WithRegion(region)

	client := tables.NewTablesClient(cfg)

	result, err := client.PutTablePolicy(context.TODO(), &tables.PutTablePolicyRequest{
		TableBucketARN: oss.Ptr(tableBucketArn),
		Namespace:      oss.Ptr(namespace),
		Name:           oss.Ptr(name),
		ResourcePolicy: oss.Ptr(`
			{
			   "Version":"1",
			   "Statement":[
			   {
				 "Action":[
				   "oss:GetTable"
				],
				"Effect":"Deny",
				"Principal":["1234567890"],
				"Resource":["acs:osstable:cn-hangzhou:1234567890:bucket/demo-bucket/table/*"]
			   }
			  ]
			 }
		`),
	})

	if err != nil {
		log.Fatalf("failed to put table policy %v", err)
	}

	log.Printf("put table policy result:%#v\n", result)
}

Get the resource policy for a table (GetTablePolicy)

package main

import (
	"context"
	"flag"
	"log"

	"github.com/aliyun/alibabacloud-oss-go-sdk-v2/oss"
	"github.com/aliyun/alibabacloud-oss-go-sdk-v2/oss/credentials"
	"github.com/aliyun/alibabacloud-oss-go-sdk-v2/oss/tables"
)

var (
	region         string
	tableBucketArn string
	namespace      string
	name           string
)

func init() {
	flag.StringVar(&region, "region", "", "The region in which the bucket is located.")
	flag.StringVar(&tableBucketArn, "table-bucket-arn", "", "The ARN of the Table Bucket.")
	flag.StringVar(&namespace, "namespace", "", "The name of the namespace.")
	flag.StringVar(&name, "name", "", "The name of the table.")
}

func main() {
	flag.Parse()
	if len(tableBucketArn) == 0 {
		flag.PrintDefaults()
		log.Fatalf("invalid parameters, table bucket arn required")
	}

	if len(namespace) == 0 {
		flag.PrintDefaults()
		log.Fatalf("invalid parameters, namespace name required")
	}

	if len(name) == 0 {
		flag.PrintDefaults()
		log.Fatalf("invalid parameters, table name required")
	}

	if len(region) == 0 {
		flag.PrintDefaults()
		log.Fatalf("invalid parameters, region required")
	}

	cfg := oss.LoadDefaultConfig().
		WithCredentialsProvider(credentials.NewEnvironmentVariableCredentialsProvider()).
		WithRegion(region)

	client := tables.NewTablesClient(cfg)

	result, err := client.GetTablePolicy(context.TODO(), &tables.GetTablePolicyRequest{
		TableBucketARN: oss.Ptr(tableBucketArn),
		Namespace:      oss.Ptr(namespace),
		Name:           oss.Ptr(name),
	})

	if err != nil {
		log.Fatalf("failed to get table policy %v", err)
	}

	log.Printf("get table policy result:%#v\n", result)
}

Delete the resource policy for a table (DeleteTablePolicy)

package main

import (
	"context"
	"flag"
	"log"

	"github.com/aliyun/alibabacloud-oss-go-sdk-v2/oss"
	"github.com/aliyun/alibabacloud-oss-go-sdk-v2/oss/credentials"
	"github.com/aliyun/alibabacloud-oss-go-sdk-v2/oss/tables"
)

var (
	region         string
	tableBucketArn string
	namespace      string
	name           string
)

func init() {
	flag.StringVar(&region, "region", "", "The region in which the bucket is located.")
	flag.StringVar(&tableBucketArn, "table-bucket-arn", "", "The ARN of the Table Bucket.")
	flag.StringVar(&namespace, "namespace", "", "The name of the namespace.")
	flag.StringVar(&name, "name", "", "The name of the table.")
}

func main() {
	flag.Parse()
	if len(tableBucketArn) == 0 {
		flag.PrintDefaults()
		log.Fatalf("invalid parameters, table bucket arn required")
	}

	if len(namespace) == 0 {
		flag.PrintDefaults()
		log.Fatalf("invalid parameters, namespace name required")
	}

	if len(name) == 0 {
		flag.PrintDefaults()
		log.Fatalf("invalid parameters, table name required")
	}

	if len(region) == 0 {
		flag.PrintDefaults()
		log.Fatalf("invalid parameters, region required")
	}

	cfg := oss.LoadDefaultConfig().
		WithCredentialsProvider(credentials.NewEnvironmentVariableCredentialsProvider()).
		WithRegion(region)

	client := tables.NewTablesClient(cfg)

	result, err := client.DeleteTablePolicy(context.TODO(), &tables.DeleteTablePolicyRequest{
		TableBucketARN: oss.Ptr(tableBucketArn),
		Namespace:      oss.Ptr(namespace),
		Name:           oss.Ptr(name),
	})

	if err != nil {
		log.Fatalf("failed to delete table policy %v", err)
	}

	log.Printf("delete table policy result:%#v\n", result)
}

Java

Set the resource policy for a table (PutTablePolicy)

import com.aliyun.sdk.service.oss2.credentials.EnvironmentVariableCredentialsProvider;
import com.aliyun.sdk.service.oss2.tables.OSSTablesClient;
import com.aliyun.sdk.service.oss2.tables.models.*;

public class PutTablePolicySample {

    public static void main(String[] args) throws Exception {
        String region = "cn-hangzhou";
        String tableBucketARN = "acs:osstables:cn-hangzhou:1234567890:bucket/mytablebucket";
        String namespace = "mynamespace";
        String name = "mytable";
        String resourcePolicy = "{\"Version\":\"1\",\"Statement\":[{\"Effect\":\"Deny\",\"Action\":[\"oss:GetTable\"],\"Principal\":[\"1234567890\"],\"Resource\":[\"acs:osstables:cn-hangzhou:1234567890:bucket/demo-bucket/table/*\"]}]}";

        try (OSSTablesClient client = OSSTablesClient.newBuilder()
                .credentialsProvider(new EnvironmentVariableCredentialsProvider())
                .region(region)
                .build()) {
            PutTablePolicyRequest request = PutTablePolicyRequest.newBuilder()
                    .tableBucketARN(tableBucketARN)
                    .namespace(namespace)
                    .name(name)
                    .resourcePolicy(resourcePolicy)
                    .build();

            PutTablePolicyResult result = client.putTablePolicy(request);

            System.out.printf("Status code:%d, request id:%s%n",
                    result.statusCode(), result.requestId());
            System.out.printf("Successfully put table policy for table: %s/%s%n", namespace, name);
        } catch (Exception e) {
            System.out.println("Error: " + e.getMessage());
        }
    }
}

Get the resource policy for a table (GetTablePolicy)

import com.aliyun.sdk.service.oss2.credentials.EnvironmentVariableCredentialsProvider;
import com.aliyun.sdk.service.oss2.tables.OSSTablesClient;
import com.aliyun.sdk.service.oss2.tables.models.*;

public class GetTablePolicySample {

    public static void main(String[] args) throws Exception {
        String region = "cn-hangzhou";
        String tableBucketARN = "acs:osstables:cn-hangzhou:1234567890:bucket/mytablebucket";
        String namespace = "mynamespace";
        String name = "mytable";

        try (OSSTablesClient client = OSSTablesClient.newBuilder()
                .credentialsProvider(new EnvironmentVariableCredentialsProvider())
                .region(region)
                .build()) {
            GetTablePolicyRequest request = GetTablePolicyRequest.newBuilder()
                    .tableBucketARN(tableBucketARN)
                    .namespace(namespace)
                    .name(name)
                    .build();

            GetTablePolicyResult result = client.getTablePolicy(request);

            System.out.printf("Status code:%d, request id:%s%n",
                    result.statusCode(), result.requestId());
            System.out.printf("Resource policy: %s%n", result.resourcePolicy());
        } catch (Exception e) {
            System.out.println("Error: " + e.getMessage());
        }
    }
}

Delete the resource policy for a table (DeleteTablePolicy)

import com.aliyun.sdk.service.oss2.credentials.EnvironmentVariableCredentialsProvider;
import com.aliyun.sdk.service.oss2.tables.OSSTablesClient;
import com.aliyun.sdk.service.oss2.tables.models.*;

public class DeleteTablePolicySample {

    public static void main(String[] args) throws Exception {
        String region = "cn-hangzhou";
        String tableBucketARN = "acs:osstables:cn-hangzhou:1234567890:bucket/mytablebucket";
        String namespace = "mynamespace";
        String name = "mytable";

        try (OSSTablesClient client = OSSTablesClient.newBuilder()
                .credentialsProvider(new EnvironmentVariableCredentialsProvider())
                .region(region)
                .build()) {
            DeleteTablePolicyRequest request = DeleteTablePolicyRequest.newBuilder()
                    .tableBucketARN(tableBucketARN)
                    .namespace(namespace)
                    .name(name)
                    .build();

            DeleteTablePolicyResult result = client.deleteTablePolicy(request);

            System.out.printf("Status code:%d, request id:%s%n",
                    result.statusCode(), result.requestId());
            System.out.printf("Successfully deleted table policy for table: %s/%s%n", namespace, name);
        } catch (Exception e) {
            System.out.println("Error: " + e.getMessage());
        }
    }
}

API

RAM access control

Use RAM (Resource Access Management) to grant OSS Tables permissions to RAM users or roles. RAM policies use the standard IAM policy syntax. In the RAM console, you can attach custom policies to users, user groups, or roles.

  1. Log on to the OSS console. In the navigation pane on the left, choose Table Bucket List.

  2. Click the name of the target Table Bucket to open its details page.

  3. Choose the Access Control tab, and then click the RAM subtab.

  4. On the RAM access control page, click Go to RAM Console. In the RAM console, do the following:

    • Create a custom policy: On the policy management page in the RAM console, create a custom policy and specify the actions and resources for OSS Tables in the policy document.

    • Grant permissions to a user or role: Attach the policy to a RAM user, user group, or role.

RAM policy examples

The following examples show common RAM policies.

Grant read-only permissions for a Table Bucket

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "oss:GetTableBucket",
        "oss:ListTableBuckets",
        "oss:ListNamespaces",
        "oss:GetNamespace",
        "oss:ListTables",
        "oss:GetTable",
        "oss:GetTableData",
        "oss:GetTablePolicy",
        "oss:GetTableBucketPolicy",
        "oss:GetTableMaintenanceConfiguration",
        "oss:GetTableBucketMaintenanceConfiguration",
        "oss:GetTableEncryption",
        "oss:GetTableBucketEncryption",
        "oss:GetTableMetadataLocation"
      ],
      "Resource": [
        "acs:osstables:cn-hangzhou:*:bucket/my-table-bucket",
        "acs:osstables:cn-hangzhou:*:bucket/my-table-bucket/*"
      ]
    }
  ]
}

Grant full management permissions for a specific Table Bucket

{                                                                                                
   "Version": "1",                                          
   "Statement": [                                                                                 
     {                                                                                            
       "Effect": "Allow",                                                                         
       "Action": "oss:*",                                                                         
       "Resource": [                                        
         "acs:osstables:cn-hangzhou:*:bucket/my-table-bucket",                                    
         "acs:osstables:cn-hangzhou:*:bucket/my-table-bucket/*"
       ]                                                                                          
     }                                                      
   ]                                                                                              
}  

Policy syntax

Resource policies for OSS Tables follow the IAM policy format. A policy is a JSON document with the following fields:

Parameter

Type

Required

Value

Description

Version

String

Yes

1

Specifies the policy language version. The value must be "1".

Statement

Array

Yes

Contains a list of statements. Each statement defines a permission rule.

Effect

String

Yes

Allow / Deny

Specifies whether the statement grants or denies permission. Valid values are Allow and Deny. A Deny effect takes precedence over an Allow effect.

Action

Array

Yes

oss:*

A list of actions that the statement allows or denies. Wildcards (*) are supported. For example, oss:GetTable retrieves table information, and oss:*Table* matches all actions that contain "Table" in their name.

Principal

Array

Yes

Account ID

Specifies the principal that the permissions apply to. Specify one or more Alibaba Cloud Account IDs.

Resource

Array

Yes

ARN

A list of ARNs identifying the resources to which this statement applies. Wildcards (*) are supported.

Condition

Object

No

Specifies the conditions under which the statement is effective. For example, you can restrict access based on the requester's IP address. This element uses the standard IAM Condition syntax.

Actions

The following table lists all actions supported by OSS Tables.

Resource level

Action

Description

Cross-account access

Table Bucket level

oss:CreateTableBucket

Creates a Table Bucket.

Not Allowed

oss:GetTableBucket

Gets information about a Table Bucket.

Allowed

oss:ListTableBuckets

Lists all Table Buckets owned by the requester.

Not Allowed

oss:DeleteTableBucket

Deletes a Table Bucket.

Allowed

oss:CreateNamespace

Creates a namespace.

Allowed

oss:DeleteNamespace

Deletes a namespace.

Allowed

oss:ListNamespaces

Lists all namespaces in a Table Bucket.

Allowed

oss:GetNamespace

Gets information about a namespace.

Allowed

oss:PutTableBucketPolicy

Sets the resource policy for a Table Bucket.

Not Allowed

oss:GetTableBucketPolicy

Gets the resource policy of a Table Bucket.

Not Allowed

oss:DeleteTableBucketPolicy

Deletes the resource policy of a Table Bucket.

Not Allowed

oss:GetTableBucketMaintenanceConfiguration

Gets the automatic maintenance configuration of a Table Bucket.

Allowed

oss:PutTableBucketMaintenanceConfiguration

Sets the automatic maintenance configuration for a Table Bucket.

Allowed

oss:PutTableBucketEncryption

Sets the encryption configuration for a Table Bucket.

Not Allowed

oss:GetTableBucketEncryption

Gets the encryption configuration of a Table Bucket.

Not Allowed

oss:DeleteTableBucketEncryption

Deletes the encryption configuration of a Table Bucket.

Not Allowed

Table level

oss:GetTableMaintenanceConfiguration

Gets the automatic maintenance configuration of a table.

Allowed

oss:PutTableMaintenanceConfiguration

Sets the automatic maintenance configuration for a table.

Allowed

oss:PutTablePolicy

Sets the resource policy for a table.

Not Allowed

oss:GetTablePolicy

Gets the resource policy of a table.

Not Allowed

oss:DeleteTablePolicy

Deletes the resource policy of a table.

Not Allowed

oss:CreateTable

Creates a table.

Allowed

oss:GetTable

Gets information about a table.

Allowed

oss:GetTableMetadataLocation

Gets the location of the metadata file for a table.

Allowed

oss:ListTables

Lists all tables in a Table Bucket.

Allowed

oss:RenameTable

Renames a table.

Allowed

oss:UpdateTableMetadataLocation

Updates the location of the metadata file for a table.

Allowed

oss:GetTableData

Reads data from a table.

Allowed

oss:PutTableData

Writes data to a table.

Allowed

oss:GetTableEncryption

Gets the encryption configuration of a table.

Not Allowed

oss:PutTableEncryption

Sets the encryption configuration for a table.

Not Allowed

oss:DeleteTable

Deletes a table.

Allowed

Resource ARN format

OSS Tables identifies resources using the following Alibaba Cloud Resource Name (ARN) format:

Resource level

Format

Example

Table Bucket

acs:osstables:{region}:{account_id}:bucket/{bucket_name}

acs:osstables:cn-beijing:1142323451804027:bucket/test-xx

Table

acs:osstables:{region}:{account_id}:bucket/{bucket_name}/table/{table_id}

acs:osstables:cn-beijing:1142323451804027:bucket/doc-test-1776656082/table/c3a22d63-xxxx-xxxx-xxxx-xxxxxxxxxxxx