OSS Tables provides access control through resource policies written in IAM Policy format. A resource policy can be attached at two levels, Table Bucket and Table, which allows fine-grained permission management.
Permission model
OSS Tables uses resource policies in IAM Policy format for access control. The model has the following characteristics:
IAM Policy format: resource policies use the same IAM Policy format as RAM policies and contain the standard fields Version, Statement, Effect, Action, Principal and Resource.
Two levels of granularity: a resource policy can be set at the Table Bucket level or at the Table level. A Table Bucket level policy applies to every Table in the bucket; a Table level policy applies only to the specified Table.
Precedence rule: a Table level policy has higher priority than a Table Bucket level policy. When both exist, the Table level policy takes effect first.
Management entry point: bucket policies and RAM access control are managed on the Access Control tab of the Table Bucket details page. The Access Control tab contains two sub-tabs, Bucket Policy and RAM Access Control.
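The three rules above (Deny beats Allow, Table level before Table Bucket level, wildcard matching in Action and Resource) are easy to get wrong when several statements overlap. The following Python simulator is an added example, not Alibaba Cloud code, and reproduces those rules offline so a policy can be checked for least privilege before it is deployed. The page does not define exactly how "takes effect first" combines the two levels; the simulator assumes that if any statement of the Table level policy matches the request, that policy alone decides, otherwise the Table Bucket level policy decides, and a request that no statement matches is denied. The account ID and ARNs are constructed sample values following the ARN pattern used in this document.

```python
"""Local simulator for OSS Tables resource-policy decisions (added example, not Alibaba Cloud code).

Rules modelled from the page: Deny beats Allow inside a policy, a Table level policy takes
precedence over a Table Bucket level policy, and Action/Resource accept the * wildcard.
Assumption (the page does not spell this out): "takes precedence" is implemented as
"if any statement of the Table level policy matches the request, that policy alone decides;
otherwise the Table Bucket level policy decides; a request matched by no statement is denied".
Statements carrying a Condition block are rejected because conditions are not modelled here.
"""
import fnmatch
import json


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def matches(patterns, value):
    """True if any pattern matches value; * matches any run of characters, including '/'."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def decide(policy, principal, action, resource):
    """Evaluate one policy document. Returns 'Allow', 'Deny', or None when no statement matches."""
    if policy is None:
        return None
    doc = json.loads(policy) if isinstance(policy, str) else policy
    decision = None
    for stmt in doc.get("Statement", []):
        if "Condition" in stmt:
            raise ValueError("Condition blocks are not modelled by this simulator")
        # Principal is an account ID and is compared literally (no wildcard).
        if principal not in _as_list(stmt.get("Principal")):
            continue
        if not matches(stmt.get("Action"), action) or not matches(stmt.get("Resource"), resource):
            continue
        if stmt.get("Effect") == "Deny":
            return "Deny"        # an explicit Deny wins over any Allow in the same policy
        if stmt.get("Effect") == "Allow":
            decision = "Allow"   # keep scanning in case a later statement denies
    return decision


def evaluate(principal, action, resource, bucket_policy=None, table_policy=None):
    """Combine both levels: Table level first, then Table Bucket level, else implicit Deny."""
    table_decision = decide(table_policy, principal, action, resource)
    if table_decision is not None:
        return table_decision
    return decide(bucket_policy, principal, action, resource) or "Deny"


def allowed_actions(principal, resource, candidates, bucket_policy=None, table_policy=None):
    """Subset of candidate actions the principal may perform on resource; handy for audits."""
    return [a for a in candidates
            if evaluate(principal, a, resource, bucket_policy, table_policy) == "Allow"]


# Constructed sample data following the ARN pattern on the page (not real resources).
ACCOUNT = "1234567890"
BUCKET_ARN = "acs:osstables:cn-hangzhou:1234567890:bucket/demo-bucket"
TABLE_ARN = BUCKET_ARN + "/table/c3a22d63-xxxx-xxxx-xxxx-xxxxxxxxxxxx"

# Bucket level: read-only on the bucket and everything under it, plus an explicit Deny on DeleteTable.
BUCKET_POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["oss:GetTableBucket", "oss:ListTables", "oss:GetTable", "oss:ListNamespaces"],
         "Principal": [ACCOUNT],
         "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"]},
        {"Effect": "Deny",
         "Action": ["oss:DeleteTable"],
         "Principal": [ACCOUNT],
         "Resource": [BUCKET_ARN + "/table/*"]},
    ],
}

# Table level: read/write on one table, modelled on the page's Table level example.
TABLE_POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["oss:GetTable", "oss:CreateTable", "oss:DeleteTable"],
         "Principal": [ACCOUNT],
         "Resource": [TABLE_ARN]},
    ],
}

if __name__ == "__main__":
    for action in ("oss:GetTable", "oss:DeleteTable"):
        print(action,
              "with table policy:", evaluate(ACCOUNT, action, TABLE_ARN, BUCKET_POLICY, TABLE_POLICY),
              "| bucket policy only:", evaluate(ACCOUNT, action, TABLE_ARN, BUCKET_POLICY))
```

The interesting case is `oss:DeleteTable` on the table: with only the bucket policy present the explicit Deny wins, while the Table level Allow takes over once a Table policy exists. Whether the real service behaves exactly this way for conflicting levels is the assumption stated above, so confirm it against GetTablePolicy/GetTableBucketPolicy output and a real request before relying on it.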
Bucket policy
Resource policies come in two granularities: Table Bucket level and Table level.
Table Bucket level resource policy
A Table Bucket level resource policy controls access to the entire Table Bucket and to all Tables under it.
The following example policy grants the specified account read permission on the Table Bucket:
```json
{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "oss:GetTableBucket",
                "oss:ListTables",
                "oss:GetTable",
                "oss:ListNamespaces"
            ],
            "Principal": [
                "1142323451******"
            ],
            "Resource": [
                "acs:osstables:cn-beijing:1142323451804027:bucket/doc-test-1776656082"
            ]
        }
    ]
}
```
Console
Configure the bucket policy through the graphical interface of the OSS console. Two methods are supported: adding a policy with the visual editor and adding a policy in syntax form.
Log on to the OSS console. In the left navigation pane, choose Table Bucket List.
Click the name of the target Table Bucket to open its details page.
Select the Access Control tab.
On the Bucket Policy sub-tab, click Add Authorization.
Choose Add by visual editor or Add by policy syntax.
Configure the following parameters as required:
Authorized resource: the scope of resources to authorize.
Authorized operation: the operation types to allow or deny.
Condition: the condition under which the policy takes effect (optional).
Authorized user: the principal the policy applies to.
Effect: Allow or Deny.
Click OK to complete the configuration.
After configuration, the policy appears in the authorization list. The list shows the authorized resource, operation, condition, user and effect of each policy, and the Actions column lets you edit or delete it.
ossutil
```bash
# Set the Table Bucket resource policy
ossutil tables-api put-table-bucket-policy --table-bucket-arn acs:osstables:cn-hangzhou:1234567890:bucket/mytablebucket --resource-policy '{"Version":"1","Statement":[{"Effect":"Allow","Action":["oss:GetTableBucket","oss:ListTables","oss:GetTable"],"Principal":["1142323451******"],"Resource":["acs:osstables:cn-hangzhou:1234567890:bucket/mytablebucket"]}]}'
# Get the Table Bucket resource policy
ossutil tables-api get-table-bucket-policy --table-bucket-arn acs:osstables:cn-hangzhou:1234567890:bucket/mytablebucket
# Delete the Table Bucket resource policy
ossutil tables-api delete-table-bucket-policy --table-bucket-arn acs:osstables:cn-hangzhou:1234567890:bucket/mytablebucket
```
SDK
Python
Set a Table Bucket resource policy (PutTableBucketPolicy)
```python
import argparse
import json

import alibabacloud_oss_v2 as oss
import alibabacloud_oss_v2.tables as oss_tables

parser = argparse.ArgumentParser(description="put table bucket policy sample")
parser.add_argument('--region', help='The region in which the table bucket is located.', required=True)
parser.add_argument('--endpoint', help='The domain names that other services can use to access OSS Tables.')
parser.add_argument('--table-bucket-arn', help='The ARN of the table bucket.', required=True)
parser.add_argument('--policy', help='The resource policy JSON string.', required=True)


def main():
    args = parser.parse_args()

    # Reject a malformed policy document locally before it is sent to the service.
    json.loads(args.policy)

    # Credentials are read from environment variables.
    credentials_provider = oss.credentials.EnvironmentVariableCredentialsProvider()
    cfg = oss.config.load_default()
    cfg.credentials_provider = credentials_provider
    cfg.region = args.region
    if args.endpoint is not None:
        cfg.endpoint = args.endpoint

    client = oss_tables.Client(cfg)
    result = client.put_table_bucket_policy(oss_tables.models.PutTableBucketPolicyRequest(
        table_bucket_arn=args.table_bucket_arn,
        resource_policy=args.policy,
    ))
    print(f'status code: {result.status_code},'
          f' request id: {result.request_id}')
    print(f'successfully set policy for: {args.table_bucket_arn}')


if __name__ == "__main__":
    main()
```
Get a Table Bucket resource policy (GetTableBucketPolicy)
```python
import argparse

import alibabacloud_oss_v2 as oss
import alibabacloud_oss_v2.tables as oss_tables

parser = argparse.ArgumentParser(description="get table bucket policy sample")
parser.add_argument('--region', help='The region in which the table bucket is located.', required=True)
parser.add_argument('--endpoint', help='The domain names that other services can use to access OSS Tables.')
parser.add_argument('--table-bucket-arn', help='The ARN of the table bucket.', required=True)


def main():
    args = parser.parse_args()

    # Credentials are read from environment variables.
    credentials_provider = oss.credentials.EnvironmentVariableCredentialsProvider()
    cfg = oss.config.load_default()
    cfg.credentials_provider = credentials_provider
    cfg.region = args.region
    if args.endpoint is not None:
        cfg.endpoint = args.endpoint

    client = oss_tables.Client(cfg)
    result = client.get_table_bucket_policy(oss_tables.models.GetTableBucketPolicyRequest(
        table_bucket_arn=args.table_bucket_arn,
    ))
    print(f'status code: {result.status_code},'
          f' request id: {result.request_id},'
          f' resource policy: {result.resource_policy}')


if __name__ == "__main__":
    main()
```
Delete a Table Bucket resource policy (DeleteTableBucketPolicy)
```python
import argparse

import alibabacloud_oss_v2 as oss
import alibabacloud_oss_v2.tables as oss_tables

parser = argparse.ArgumentParser(description="delete table bucket policy sample")
parser.add_argument('--region', help='The region in which the table bucket is located.', required=True)
parser.add_argument('--endpoint', help='The domain names that other services can use to access OSS Tables.')
parser.add_argument('--table-bucket-arn', help='The ARN of the table bucket.', required=True)


def main():
    args = parser.parse_args()

    # Credentials are read from environment variables.
    credentials_provider = oss.credentials.EnvironmentVariableCredentialsProvider()
    cfg = oss.config.load_default()
    cfg.credentials_provider = credentials_provider
    cfg.region = args.region
    if args.endpoint is not None:
        cfg.endpoint = args.endpoint

    client = oss_tables.Client(cfg)
    result = client.delete_table_bucket_policy(oss_tables.models.DeleteTableBucketPolicyRequest(
        table_bucket_arn=args.table_bucket_arn,
    ))
    print(f'status code: {result.status_code},'
          f' request id: {result.request_id}')
    print(f'successfully deleted policy for: {args.table_bucket_arn}')


if __name__ == "__main__":
    main()
```
Go
Set a Table Bucket resource policy (PutTableBucketPolicy)
```go
package main

import (
	"context"
	"flag"
	"log"

	"github.com/aliyun/alibabacloud-oss-go-sdk-v2/oss"
	"github.com/aliyun/alibabacloud-oss-go-sdk-v2/oss/credentials"
	"github.com/aliyun/alibabacloud-oss-go-sdk-v2/oss/tables"
)

var (
	region         string
	tableBucketArn string
)

func init() {
	flag.StringVar(&region, "region", "", "The region in which the bucket is located.")
	flag.StringVar(&tableBucketArn, "table-bucket-arn", "", "The arn of the table bucket.")
}

func main() {
	flag.Parse()
	if len(tableBucketArn) == 0 {
		flag.PrintDefaults()
		log.Fatalf("invalid parameters, table bucket arn required")
	}
	if len(region) == 0 {
		flag.PrintDefaults()
		log.Fatalf("invalid parameters, region required")
	}

	// Credentials are read from environment variables.
	cfg := oss.LoadDefaultConfig().
		WithCredentialsProvider(credentials.NewEnvironmentVariableCredentialsProvider()).
		WithRegion(region)

	client := tables.NewTablesClient(cfg)

	// The sample policy denies oss:GetTable to the listed account on the bucket.
	result, err := client.PutTableBucketPolicy(context.TODO(), &tables.PutTableBucketPolicyRequest{
		TableBucketARN: oss.Ptr(tableBucketArn),
		ResourcePolicy: oss.Ptr(`
{
    "Version":"1",
    "Statement":[
        {
            "Action":[
                "oss:GetTable"
            ],
            "Effect":"Deny",
            "Principal":["1234567890"],
            "Resource":["acs:osstables:cn-hangzhou:1234567890:bucket/demo-bucket"]
        }
    ]
}
`),
	})
	if err != nil {
		log.Fatalf("failed to put table bucket policy %v", err)
	}

	log.Printf("put table bucket policy result:%#v\n", result)
}
```
Get a Table Bucket resource policy (GetTableBucketPolicy)
```go
package main

import (
	"context"
	"flag"
	"log"

	"github.com/aliyun/alibabacloud-oss-go-sdk-v2/oss"
	"github.com/aliyun/alibabacloud-oss-go-sdk-v2/oss/credentials"
	"github.com/aliyun/alibabacloud-oss-go-sdk-v2/oss/tables"
)

var (
	region         string
	tableBucketArn string
)

func init() {
	flag.StringVar(&region, "region", "", "The region in which the bucket is located.")
	flag.StringVar(&tableBucketArn, "table-bucket-arn", "", "The arn of the table bucket.")
}

func main() {
	flag.Parse()
	if len(tableBucketArn) == 0 {
		flag.PrintDefaults()
		log.Fatalf("invalid parameters, table bucket arn required")
	}
	if len(region) == 0 {
		flag.PrintDefaults()
		log.Fatalf("invalid parameters, region required")
	}

	// Credentials are read from environment variables.
	cfg := oss.LoadDefaultConfig().
		WithCredentialsProvider(credentials.NewEnvironmentVariableCredentialsProvider()).
		WithRegion(region)

	client := tables.NewTablesClient(cfg)

	result, err := client.GetTableBucketPolicy(context.TODO(), &tables.GetTableBucketPolicyRequest{
		TableBucketARN: oss.Ptr(tableBucketArn),
	})
	if err != nil {
		log.Fatalf("failed to get table bucket policy %v", err)
	}

	log.Printf("get table bucket policy result:%#v\n", result)
}
```
Delete a Table Bucket resource policy (DeleteTableBucketPolicy)
```go
package main

import (
	"context"
	"flag"
	"log"

	"github.com/aliyun/alibabacloud-oss-go-sdk-v2/oss"
	"github.com/aliyun/alibabacloud-oss-go-sdk-v2/oss/credentials"
	"github.com/aliyun/alibabacloud-oss-go-sdk-v2/oss/tables"
)

var (
	region         string
	tableBucketArn string
)

func init() {
	flag.StringVar(&region, "region", "", "The region in which the bucket is located.")
	flag.StringVar(&tableBucketArn, "table-bucket-arn", "", "The arn of the table bucket.")
}

func main() {
	flag.Parse()
	if len(tableBucketArn) == 0 {
		flag.PrintDefaults()
		log.Fatalf("invalid parameters, table bucket arn required")
	}
	if len(region) == 0 {
		flag.PrintDefaults()
		log.Fatalf("invalid parameters, region required")
	}

	// Credentials are read from environment variables.
	cfg := oss.LoadDefaultConfig().
		WithCredentialsProvider(credentials.NewEnvironmentVariableCredentialsProvider()).
		WithRegion(region)

	client := tables.NewTablesClient(cfg)

	result, err := client.DeleteTableBucketPolicy(context.TODO(), &tables.DeleteTableBucketPolicyRequest{
		TableBucketARN: oss.Ptr(tableBucketArn),
	})
	if err != nil {
		log.Fatalf("failed to delete table bucket policy %v", err)
	}

	log.Printf("delete table bucket policy result:%#v\n", result)
}
```
Java
Set a Table Bucket resource policy (PutTableBucketPolicy)
```java
import com.aliyun.sdk.service.oss2.credentials.EnvironmentVariableCredentialsProvider;
import com.aliyun.sdk.service.oss2.tables.OSSTablesClient;
import com.aliyun.sdk.service.oss2.tables.models.*;

public class PutTableBucketPolicySample {
    public static void main(String[] args) throws Exception {
        String region = "cn-hangzhou";
        String tableBucketARN = "acs:osstables:cn-hangzhou:1234567890:bucket/mytablebucket";
        // Sample policy: deny oss:GetTable to the listed account on every table of demo-bucket.
        String resourcePolicy = "{\"Version\":\"1\",\"Statement\":[{\"Effect\":\"Deny\",\"Action\":[\"oss:GetTable\"],\"Principal\":[\"1234567890\"],\"Resource\":[\"acs:osstable:cn-hangzhou:1234567890:bucket/demo-bucket/table/*\"]}]}";

        // Credentials are read from environment variables; the client is closed by try-with-resources.
        try (OSSTablesClient client = OSSTablesClient.newBuilder()
                .credentialsProvider(new EnvironmentVariableCredentialsProvider())
                .region(region)
                .build()) {
            PutTableBucketPolicyRequest request = PutTableBucketPolicyRequest.newBuilder()
                    .tableBucketARN(tableBucketARN)
                    .resourcePolicy(resourcePolicy)
                    .build();
            PutTableBucketPolicyResult result = client.putTableBucketPolicy(request);
            System.out.printf("Status code:%d, request id:%s%n",
                    result.statusCode(), result.requestId());
            System.out.printf("Successfully updated table bucket policy for ARN: %s%n", tableBucketARN);
        } catch (Exception e) {
            System.out.println("Error: " + e.getMessage());
        }
    }
}
```
Get a Table Bucket resource policy (GetTableBucketPolicy)
```java
import com.aliyun.sdk.service.oss2.credentials.EnvironmentVariableCredentialsProvider;
import com.aliyun.sdk.service.oss2.tables.OSSTablesClient;
import com.aliyun.sdk.service.oss2.tables.models.*;

public class GetTableBucketPolicySample {
    public static void main(String[] args) throws Exception {
        String region = "cn-hangzhou";
        String tableBucketARN = "acs:osstables:cn-hangzhou:1234567890:bucket/mytablebucket";

        try (OSSTablesClient client = OSSTablesClient.newBuilder()
                .credentialsProvider(new EnvironmentVariableCredentialsProvider())
                .region(region)
                .build()) {
            GetTableBucketPolicyRequest request = GetTableBucketPolicyRequest.newBuilder()
                    .tableBucketARN(tableBucketARN)
                    .build();
            GetTableBucketPolicyResult result = client.getTableBucketPolicy(request);
            System.out.printf("Status code:%d, request id:%s%n",
                    result.statusCode(), result.requestId());
            System.out.printf("Retrieved policy for table bucket: %s%n", tableBucketARN);
            if (result.resourcePolicy() != null) {
                System.out.printf("Policy: %s%n", result.resourcePolicy());
            } else {
                System.out.println("No policy set for this table bucket.");
            }
        } catch (Exception e) {
            System.out.println("Error: " + e.getMessage());
        }
    }
}
```
Delete a Table Bucket resource policy (DeleteTableBucketPolicy)
```java
import com.aliyun.sdk.service.oss2.credentials.EnvironmentVariableCredentialsProvider;
import com.aliyun.sdk.service.oss2.tables.OSSTablesClient;
import com.aliyun.sdk.service.oss2.tables.models.*;

public class DeleteTableBucketPolicySample {
    public static void main(String[] args) throws Exception {
        String region = "cn-hangzhou";
        String tableBucketARN = "acs:osstables:cn-hangzhou:1234567890:bucket/mytablebucket";

        try (OSSTablesClient client = OSSTablesClient.newBuilder()
                .credentialsProvider(new EnvironmentVariableCredentialsProvider())
                .region(region)
                .build()) {
            DeleteTableBucketPolicyRequest request = DeleteTableBucketPolicyRequest.newBuilder()
                    .tableBucketARN(tableBucketARN)
                    .build();
            DeleteTableBucketPolicyResult result = client.deleteTableBucketPolicy(request);
            System.out.printf("Status code:%d, request id:%s%n",
                    result.statusCode(), result.requestId());
            System.out.printf("Successfully deleted policy for table bucket ARN: %s%n", tableBucketARN);
        } catch (Exception e) {
            System.out.println("Error: " + e.getMessage());
        }
    }
}
```
API
Set a Table Bucket resource policy: PutTableBucketPolicy
Get a Table Bucket resource policy: GetTableBucketPolicy
Delete a Table Bucket resource policy: DeleteTableBucketPolicy
Table level resource policy
A Table level resource policy controls access to a single Table and has higher priority than the Table Bucket level policy.
The following example policy grants the specified account read and write permission on a specific Table:
```json
{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "oss:GetTable",
                "oss:CreateTable",
                "oss:DeleteTable"
            ],
            "Principal": [
                "1142323451******"
            ],
            "Resource": [
                "acs:osstables:cn-beijing:1142323451804027:bucket/doc-test-1776656082/table/c3a22d63-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
            ]
        }
    ]
}
```
Console
Configure the Table policy through the graphical interface of the OSS console. Two methods are supported: adding a policy with the visual editor and adding a policy in syntax form.
Log on to the OSS console. In the left navigation pane, choose Table Bucket List.
Click the name of the target Table Bucket to open its details page.
Select the Table List tab and open the details page of the target Table.
On the Access Control > Table Policy sub-tab, click Add Authorization.
Choose Add by visual editor or Add by policy syntax.
Configure the following parameters as required:
Authorized resource: the scope of resources to authorize.
Authorized operation: the operation types to allow or deny.
Condition: the condition under which the policy takes effect (optional).
Authorized user: the principal the policy applies to.
Effect: Allow or Deny.
Click OK to complete the configuration.
After configuration, the policy appears in the authorization list. The list shows the authorized resource, operation, condition, user and effect of each policy, and the Actions column lets you edit or delete it.
ossutil
```bash
# Set the Table resource policy
ossutil tables-api put-table-policy --table-bucket-arn acs:osstables:cn-hangzhou:1234567890:bucket/mytablebucket --namespace mynamespace --name mytable --resource-policy '{"Version":"1","Statement":[{"Effect":"Allow","Action":["oss:GetTable","oss:CreateTable","oss:DeleteTable"],"Principal":["1142323451******"],"Resource":["acs:osstables:cn-hangzhou:1234567890:bucket/mytablebucket/table/c3a22d63-xxxx-xxxx-xxxx-xxxxxxxxxxxx"]}]}'
# Get the Table resource policy
ossutil tables-api get-table-policy --table-bucket-arn acs:osstables:cn-hangzhou:1234567890:bucket/mytablebucket --namespace mynamespace --name mytable
# Delete the Table resource policy
ossutil tables-api delete-table-policy --table-bucket-arn acs:osstables:cn-hangzhou:1234567890:bucket/mytablebucket --namespace mynamespace --name mytable
```
SDK
Python
Set a Table resource policy (PutTablePolicy)
```python
import argparse

import alibabacloud_oss_v2 as oss
import alibabacloud_oss_v2.tables as oss_tables

parser = argparse.ArgumentParser(description="put table policy sample")
parser.add_argument('--region', help='The region in which the table bucket is located.', required=True)
parser.add_argument('--endpoint', help='The domain names that other services can use to access OSS Tables.')
parser.add_argument('--table-bucket-arn', help='The ARN of the table bucket.', required=True)
parser.add_argument('--namespace', help='The namespace of the table.', required=True)
parser.add_argument('--name', help='The name of the table.', required=True)
parser.add_argument('--policy', help='The resource policy JSON string.', required=True)


def main():
    args = parser.parse_args()

    # Credentials are read from environment variables.
    credentials_provider = oss.credentials.EnvironmentVariableCredentialsProvider()
    cfg = oss.config.load_default()
    cfg.credentials_provider = credentials_provider
    cfg.region = args.region
    if args.endpoint is not None:
        cfg.endpoint = args.endpoint

    client = oss_tables.Client(cfg)
    # A table is addressed by bucket ARN plus namespace and table name.
    result = client.put_table_policy(oss_tables.models.PutTablePolicyRequest(
        table_bucket_arn=args.table_bucket_arn,
        namespace=args.namespace,
        name=args.name,
        resource_policy=args.policy,
    ))
    print(f'status code: {result.status_code},'
          f' request id: {result.request_id}')
    print(f'successfully set policy for: {args.namespace}/{args.name}')


if __name__ == "__main__":
    main()
```
Get a Table resource policy (GetTablePolicy)
```python
import argparse

import alibabacloud_oss_v2 as oss
import alibabacloud_oss_v2.tables as oss_tables

parser = argparse.ArgumentParser(description="get table policy sample")
parser.add_argument('--region', help='The region in which the table bucket is located.', required=True)
parser.add_argument('--endpoint', help='The domain names that other services can use to access OSS Tables.')
parser.add_argument('--table-bucket-arn', help='The ARN of the table bucket.', required=True)
parser.add_argument('--namespace', help='The namespace of the table.', required=True)
parser.add_argument('--name', help='The name of the table.', required=True)


def main():
    args = parser.parse_args()

    # Credentials are read from environment variables.
    credentials_provider = oss.credentials.EnvironmentVariableCredentialsProvider()
    cfg = oss.config.load_default()
    cfg.credentials_provider = credentials_provider
    cfg.region = args.region
    if args.endpoint is not None:
        cfg.endpoint = args.endpoint

    client = oss_tables.Client(cfg)
    result = client.get_table_policy(oss_tables.models.GetTablePolicyRequest(
        table_bucket_arn=args.table_bucket_arn,
        namespace=args.namespace,
        name=args.name,
    ))
    print(f'status code: {result.status_code},'
          f' request id: {result.request_id},'
          f' resource policy: {result.resource_policy}')


if __name__ == "__main__":
    main()
```
Delete a Table resource policy (DeleteTablePolicy)
```python
import argparse

import alibabacloud_oss_v2 as oss
import alibabacloud_oss_v2.tables as oss_tables

parser = argparse.ArgumentParser(description="delete table policy sample")
parser.add_argument('--region', help='The region in which the table bucket is located.', required=True)
parser.add_argument('--endpoint', help='The domain names that other services can use to access OSS Tables.')
parser.add_argument('--table-bucket-arn', help='The ARN of the table bucket.', required=True)
parser.add_argument('--namespace', help='The namespace of the table.', required=True)
parser.add_argument('--name', help='The name of the table.', required=True)


def main():
    args = parser.parse_args()

    # Credentials are read from environment variables.
    credentials_provider = oss.credentials.EnvironmentVariableCredentialsProvider()
    cfg = oss.config.load_default()
    cfg.credentials_provider = credentials_provider
    cfg.region = args.region
    if args.endpoint is not None:
        cfg.endpoint = args.endpoint

    client = oss_tables.Client(cfg)
    result = client.delete_table_policy(oss_tables.models.DeleteTablePolicyRequest(
        table_bucket_arn=args.table_bucket_arn,
        namespace=args.namespace,
        name=args.name,
    ))
    print(f'status code: {result.status_code},'
          f' request id: {result.request_id}')
    print(f'successfully deleted policy for: {args.namespace}/{args.name}')


if __name__ == "__main__":
    main()
```
Go
Set a Table resource policy (PutTablePolicy)
```go
package main

import (
	"context"
	"flag"
	"log"

	"github.com/aliyun/alibabacloud-oss-go-sdk-v2/oss"
	"github.com/aliyun/alibabacloud-oss-go-sdk-v2/oss/credentials"
	"github.com/aliyun/alibabacloud-oss-go-sdk-v2/oss/tables"
)

var (
	region         string
	tableBucketArn string
	namespace      string
	name           string
)

func init() {
	flag.StringVar(&region, "region", "", "The region in which the bucket is located.")
	flag.StringVar(&tableBucketArn, "table-bucket-arn", "", "The arn of the table bucket.")
	flag.StringVar(&namespace, "namespace", "", "The name of the namespace.")
	flag.StringVar(&name, "name", "", "The name of the table.")
}

func main() {
	flag.Parse()
	if len(tableBucketArn) == 0 {
		flag.PrintDefaults()
		log.Fatalf("invalid parameters, table bucket arn required")
	}
	if len(namespace) == 0 {
		flag.PrintDefaults()
		log.Fatalf("invalid parameters, namespace name required")
	}
	if len(name) == 0 {
		flag.PrintDefaults()
		log.Fatalf("invalid parameters, table name required")
	}
	if len(region) == 0 {
		flag.PrintDefaults()
		log.Fatalf("invalid parameters, region required")
	}

	// Credentials are read from environment variables.
	cfg := oss.LoadDefaultConfig().
		WithCredentialsProvider(credentials.NewEnvironmentVariableCredentialsProvider()).
		WithRegion(region)

	client := tables.NewTablesClient(cfg)

	// The sample policy denies oss:GetTable to the listed account on every table of demo-bucket.
	result, err := client.PutTablePolicy(context.TODO(), &tables.PutTablePolicyRequest{
		TableBucketARN: oss.Ptr(tableBucketArn),
		Namespace:      oss.Ptr(namespace),
		Name:           oss.Ptr(name),
		ResourcePolicy: oss.Ptr(`
{
    "Version":"1",
    "Statement":[
        {
            "Action":[
                "oss:GetTable"
            ],
            "Effect":"Deny",
            "Principal":["1234567890"],
            "Resource":["acs:osstable:cn-hangzhou:1234567890:bucket/demo-bucket/table/*"]
        }
    ]
}
`),
	})
	if err != nil {
		log.Fatalf("failed to put table policy %v", err)
	}

	log.Printf("put table policy result:%#v\n", result)
}
```
Get a Table resource policy (GetTablePolicy)
```go
package main

import (
	"context"
	"flag"
	"log"

	"github.com/aliyun/alibabacloud-oss-go-sdk-v2/oss"
	"github.com/aliyun/alibabacloud-oss-go-sdk-v2/oss/credentials"
	"github.com/aliyun/alibabacloud-oss-go-sdk-v2/oss/tables"
)

var (
	region         string
	tableBucketArn string
	namespace      string
	name           string
)

func init() {
	flag.StringVar(&region, "region", "", "The region in which the bucket is located.")
	flag.StringVar(&tableBucketArn, "table-bucket-arn", "", "The arn of the table bucket.")
	flag.StringVar(&namespace, "namespace", "", "The name of the namespace.")
	flag.StringVar(&name, "name", "", "The name of the table.")
}

func main() {
	flag.Parse()
	if len(tableBucketArn) == 0 {
		flag.PrintDefaults()
		log.Fatalf("invalid parameters, table bucket arn required")
	}
	if len(namespace) == 0 {
		flag.PrintDefaults()
		log.Fatalf("invalid parameters, namespace name required")
	}
	if len(name) == 0 {
		flag.PrintDefaults()
		log.Fatalf("invalid parameters, table name required")
	}
	if len(region) == 0 {
		flag.PrintDefaults()
		log.Fatalf("invalid parameters, region required")
	}

	// Credentials are read from environment variables.
	cfg := oss.LoadDefaultConfig().
		WithCredentialsProvider(credentials.NewEnvironmentVariableCredentialsProvider()).
		WithRegion(region)

	client := tables.NewTablesClient(cfg)

	result, err := client.GetTablePolicy(context.TODO(), &tables.GetTablePolicyRequest{
		TableBucketARN: oss.Ptr(tableBucketArn),
		Namespace:      oss.Ptr(namespace),
		Name:           oss.Ptr(name),
	})
	if err != nil {
		log.Fatalf("failed to get table policy %v", err)
	}

	log.Printf("get table policy result:%#v\n", result)
}
```
Delete a Table resource policy (DeleteTablePolicy)
```go
package main

import (
	"context"
	"flag"
	"log"

	"github.com/aliyun/alibabacloud-oss-go-sdk-v2/oss"
	"github.com/aliyun/alibabacloud-oss-go-sdk-v2/oss/credentials"
	"github.com/aliyun/alibabacloud-oss-go-sdk-v2/oss/tables"
)

var (
	region         string
	tableBucketArn string
	namespace      string
	name           string
)

func init() {
	flag.StringVar(&region, "region", "", "The region in which the bucket is located.")
	flag.StringVar(&tableBucketArn, "table-bucket-arn", "", "The arn of the table bucket.")
	flag.StringVar(&namespace, "namespace", "", "The name of the namespace.")
	flag.StringVar(&name, "name", "", "The name of the table.")
}

func main() {
	flag.Parse()
	if len(tableBucketArn) == 0 {
		flag.PrintDefaults()
		log.Fatalf("invalid parameters, table bucket arn required")
	}
	if len(namespace) == 0 {
		flag.PrintDefaults()
		log.Fatalf("invalid parameters, namespace name required")
	}
	if len(name) == 0 {
		flag.PrintDefaults()
		log.Fatalf("invalid parameters, table name required")
	}
	if len(region) == 0 {
		flag.PrintDefaults()
		log.Fatalf("invalid parameters, region required")
	}

	// Credentials are read from environment variables.
	cfg := oss.LoadDefaultConfig().
		WithCredentialsProvider(credentials.NewEnvironmentVariableCredentialsProvider()).
		WithRegion(region)

	client := tables.NewTablesClient(cfg)

	result, err := client.DeleteTablePolicy(context.TODO(), &tables.DeleteTablePolicyRequest{
		TableBucketARN: oss.Ptr(tableBucketArn),
		Namespace:      oss.Ptr(namespace),
		Name:           oss.Ptr(name),
	})
	if err != nil {
		log.Fatalf("failed to delete table policy %v", err)
	}

	log.Printf("delete table policy result:%#v\n", result)
}
```
Java
Set a Table resource policy (PutTablePolicy)
```java
import com.aliyun.sdk.service.oss2.credentials.EnvironmentVariableCredentialsProvider;
import com.aliyun.sdk.service.oss2.tables.OSSTablesClient;
import com.aliyun.sdk.service.oss2.tables.models.*;

public class PutTablePolicySample {
    public static void main(String[] args) throws Exception {
        String region = "cn-hangzhou";
        String tableBucketARN = "acs:osstables:cn-hangzhou:1234567890:bucket/mytablebucket";
        String namespace = "mynamespace";
        String name = "mytable";
        // Sample policy: deny oss:GetTable to the listed account on every table of demo-bucket.
        String resourcePolicy = "{\"Version\":\"1\",\"Statement\":[{\"Effect\":\"Deny\",\"Action\":[\"oss:GetTable\"],\"Principal\":[\"1234567890\"],\"Resource\":[\"acs:osstable:cn-hangzhou:1234567890:bucket/demo-bucket/table/*\"]}]}";

        // Credentials are read from environment variables; the client is closed by try-with-resources.
        try (OSSTablesClient client = OSSTablesClient.newBuilder()
                .credentialsProvider(new EnvironmentVariableCredentialsProvider())
                .region(region)
                .build()) {
            PutTablePolicyRequest request = PutTablePolicyRequest.newBuilder()
                    .tableBucketARN(tableBucketARN)
                    .namespace(namespace)
                    .name(name)
                    .resourcePolicy(resourcePolicy)
                    .build();
            PutTablePolicyResult result = client.putTablePolicy(request);
            System.out.printf("Status code:%d, request id:%s%n",
                    result.statusCode(), result.requestId());
            System.out.printf("Successfully put table policy for table: %s/%s%n", namespace, name);
        } catch (Exception e) {
            System.out.println("Error: " + e.getMessage());
        }
    }
}
```
Get a Table resource policy (GetTablePolicy)
```java
import com.aliyun.sdk.service.oss2.credentials.EnvironmentVariableCredentialsProvider;
import com.aliyun.sdk.service.oss2.tables.OSSTablesClient;
import com.aliyun.sdk.service.oss2.tables.models.*;

public class GetTablePolicySample {
    public static void main(String[] args) throws Exception {
        String region = "cn-hangzhou";
        String tableBucketARN = "acs:osstables:cn-hangzhou:1234567890:bucket/mytablebucket";
        String namespace = "mynamespace";
        String name = "mytable";

        try (OSSTablesClient client = OSSTablesClient.newBuilder()
                .credentialsProvider(new EnvironmentVariableCredentialsProvider())
                .region(region)
                .build()) {
            GetTablePolicyRequest request = GetTablePolicyRequest.newBuilder()
                    .tableBucketARN(tableBucketARN)
                    .namespace(namespace)
                    .name(name)
                    .build();
            GetTablePolicyResult result = client.getTablePolicy(request);
            System.out.printf("Status code:%d, request id:%s%n",
                    result.statusCode(), result.requestId());
            System.out.printf("Resource policy: %s%n", result.resourcePolicy());
        } catch (Exception e) {
            System.out.println("Error: " + e.getMessage());
        }
    }
}
```
Delete a Table resource policy (DeleteTablePolicy)
```java
import com.aliyun.sdk.service.oss2.credentials.EnvironmentVariableCredentialsProvider;
import com.aliyun.sdk.service.oss2.tables.OSSTablesClient;
import com.aliyun.sdk.service.oss2.tables.models.*;

public class DeleteTablePolicySample {
    public static void main(String[] args) throws Exception {
        String region = "cn-hangzhou";
        String tableBucketARN = "acs:osstables:cn-hangzhou:1234567890:bucket/mytablebucket";
        String namespace = "mynamespace";
        String name = "mytable";

        try (OSSTablesClient client = OSSTablesClient.newBuilder()
                .credentialsProvider(new EnvironmentVariableCredentialsProvider())
                .region(region)
                .build()) {
            DeleteTablePolicyRequest request = DeleteTablePolicyRequest.newBuilder()
                    .tableBucketARN(tableBucketARN)
                    .namespace(namespace)
                    .name(name)
                    .build();
            DeleteTablePolicyResult result = client.deleteTablePolicy(request);
            System.out.printf("Status code:%d, request id:%s%n",
                    result.statusCode(), result.requestId());
            System.out.printf("Successfully deleted table policy for table: %s/%s%n", namespace, name);
        } catch (Exception e) {
            System.out.println("Error: " + e.getMessage());
        }
    }
}
```
API
Set a Table resource policy: PutTablePolicy
Get a Table resource policy: GetTablePolicy
Delete a Table resource policy: DeleteTablePolicy
RAM access control
Use RAM (Resource Access Management) to grant OSS Tables permissions to RAM users or roles. RAM policies use standard IAM Policy syntax, and custom policies are attached to users, user groups or roles in the RAM console.
Log on to the OSS console. In the left navigation pane, choose Table Bucket List.
Click the name of the target Table Bucket to open its details page.
Select the Access Control tab, then click the RAM Access Control sub-tab.
On the RAM Access Control page, click Go to RAM Console to open the RAM console and perform the following steps:
Create a custom policy: on the Policies page of the RAM console, create a custom policy whose content specifies the OSS Tables Actions and Resources.
Grant the policy to a user or role: attach the policy you created to a RAM user, user group or role.
RAM policy examples
The following are common RAM policy configurations.
Grant read-only permission on Table Buckets
```json
{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "oss:GetTableBucket",
                "oss:ListTableBuckets",
                "oss:ListNamespaces",
                "oss:GetNamespace",
                "oss:ListTables",
                "oss:GetTable",
                "oss:GetTableMetadataLocation"
            ],
            "Resource": [
                "acs:osstables:*:*:bucket/*"
            ]
        }
    ]
}
```
Grant full administrative permission on a specific Table Bucket
```json
{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "oss:*",
            "Resource": [
                "acs:osstables:cn-hangzhou:*:bucket/my-table-bucket",
                "acs:osstables:cn-hangzhou:*:bucket/my-table-bucket/*"
            ]
        }
    ]
}
```
Resource policy syntax
OSS Tables resource policies use IAM Policy format. The policy document is JSON and contains the following fields:
| Field | Type | Required | Value | Description |
| --- | --- | --- | --- | --- |
| Version | String | Yes | 1 | Policy version, fixed at "1". |
| Statement | Array | Yes | — | List of statements; each statement defines one authorization rule. |
| Effect | String | Yes | Allow / Deny | Effect of the statement. Allow grants access, Deny refuses it. Deny takes precedence over Allow. |
| Action | Array | Yes | oss:* | List of operations; the wildcard * is supported. For example, oss:GetTable means getting table information, and oss:*Table* matches every operation whose name contains Table. |
| Principal | Array | Yes | Account ID | Principals being authorized, given as Alibaba Cloud account IDs. Multiple accounts may be listed. |
| Resource | Array | Yes | ARN | List of resource ARNs the policy applies to. The wildcard * is supported. |
| Condition | Object | No | — | Conditions under which the policy takes effect, such as IP address restrictions, written in standard IAM Condition syntax. |
Action list
The following table lists every Action supported by OSS Tables:
| Action | Description | Resource level |
| --- | --- | --- |
| oss:CreateTableBucket | Create a Table Bucket. | Table Bucket |
| oss:DeleteTableBucket | Delete a Table Bucket. | Table Bucket |
| oss:GetTableBucket | Get Table Bucket information. | Table Bucket |
| oss:ListTableBuckets | List all Table Buckets owned by the requester. | Table Bucket |
| oss:PutTableBucketPolicy | Set the resource policy of a Table Bucket. | Table Bucket |
| oss:GetTableBucketPolicy | Get the resource policy of a Table Bucket. | Table Bucket |
| oss:DeleteTableBucketPolicy | Delete the resource policy of a Table Bucket. | Table Bucket |
| oss:PutTableBucketEncryption | Set the encryption configuration of a Table Bucket. | Table Bucket |
| oss:GetTableBucketEncryption | Get the encryption configuration of a Table Bucket. | Table Bucket |
| oss:DeleteTableBucketEncryption | Delete the encryption configuration of a Table Bucket. | Table Bucket |
| oss:GetTableBucketMaintenanceConfiguration | Get the automatic maintenance configuration of a Table Bucket. | Table Bucket |
| oss:PutTableBucketMaintenanceConfiguration | Set the automatic maintenance configuration of a Table Bucket. | Table Bucket |
| oss:CreateNamespace | Create a Namespace. | Namespace |
| oss:DeleteNamespace | Delete a Namespace. | Namespace |
| oss:ListNamespaces | List all Namespaces in a Table Bucket. | Namespace |
| oss:GetNamespace | Get Namespace information. | Namespace |
| oss:CreateTable | Create a Table. | Table |
| oss:DeleteTable | Delete a Table. | Table |
| oss:GetTable | Get Table information. | Table |
| oss:ListTables | List all Tables in a Table Bucket. | Table |
| oss:RenameTable | Rename a Table. | Table |
| oss:UpdateTableMetadataLocation | Update the metadata file location of a Table. | Table |
| oss:GetTableMetadataLocation | Get the metadata file location of a Table. | Table |
| oss:GetTableEncryption | Get the encryption configuration of a Table. | Table |
| oss:PutTablePolicy | Set the resource policy of a Table. | Table |
| oss:GetTablePolicy | Get the resource policy of a Table. | Table |
| oss:DeleteTablePolicy | Delete the resource policy of a Table. | Table |
| oss:GetTableMaintenanceConfiguration | Get the automatic maintenance configuration of a Table. | Table |
| oss:PutTableMaintenanceConfiguration | Set the automatic maintenance configuration of a Table. | Table |
| oss:GetTableMaintenanceJobStatus | Get the execution status of a Table's automatic maintenance job. | Table |
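The field rules in the resource policy syntax table and the Action list above are enough to lint a policy document before it is sent with PutTableBucketPolicy, PutTablePolicy or a RAM policy update. The following Python linter is an added example, not Alibaba Cloud code. It checks the required fields, expands every Action pattern against the supported Action list so that a typo or an over-broad wildcard is visible, and raises least-privilege warnings. Two rules are inferred from this page rather than stated by it: a RAM policy (`kind="ram"`) carries no Principal field, as in the RAM examples above, and a Resource should look like the `acs:osstables:<region>:<account>:bucket/...` ARNs used in the examples. The sample policies are constructed and the warning categories are the author's choice.

```python
"""Offline linter for OSS Tables policy documents (added example, not Alibaba Cloud code).

Field rules follow the "Resource policy syntax" table; Action patterns are expanded against
the Action list on this page. The RAM rule (kind="ram": no Principal) and the ARN shape
check are inferred from the page's examples, so treat them as assumptions.
"""
import fnmatch
import json

# The 30 Actions listed on this page.
SUPPORTED_ACTIONS = [
    "oss:CreateTableBucket", "oss:DeleteTableBucket", "oss:GetTableBucket", "oss:ListTableBuckets",
    "oss:PutTableBucketPolicy", "oss:GetTableBucketPolicy", "oss:DeleteTableBucketPolicy",
    "oss:PutTableBucketEncryption", "oss:GetTableBucketEncryption", "oss:DeleteTableBucketEncryption",
    "oss:GetTableBucketMaintenanceConfiguration", "oss:PutTableBucketMaintenanceConfiguration",
    "oss:CreateNamespace", "oss:DeleteNamespace", "oss:ListNamespaces", "oss:GetNamespace",
    "oss:CreateTable", "oss:DeleteTable", "oss:GetTable", "oss:ListTables", "oss:RenameTable",
    "oss:UpdateTableMetadataLocation", "oss:GetTableMetadataLocation", "oss:GetTableEncryption",
    "oss:PutTablePolicy", "oss:GetTablePolicy", "oss:DeleteTablePolicy",
    "oss:GetTableMaintenanceConfiguration", "oss:PutTableMaintenanceConfiguration",
    "oss:GetTableMaintenanceJobStatus",
]
# Actions that change who may access data; an Allow on these deserves explicit review.
POLICY_ADMIN_ACTIONS = {"oss:PutTableBucketPolicy", "oss:DeleteTableBucketPolicy",
                        "oss:PutTablePolicy", "oss:DeleteTablePolicy"}


def expand_actions(pattern):
    """Supported Actions matched by an Action pattern such as oss:*Table* (sorted)."""
    return sorted(a for a in SUPPORTED_ACTIONS if fnmatch.fnmatchcase(a, pattern))


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def _arn_ok(arn):
    """Shape used by the page's examples: acs:osstables:<region>:<account>:bucket/<name>[/...]."""
    parts = arn.split(":", 4)
    return len(parts) == 5 and parts[0] == "acs" and parts[1] == "osstables" and parts[4].startswith("bucket/")


def validate_policy(policy, kind="resource"):
    """Return 'ERROR: ...' / 'WARN: ...' findings for a policy; an empty list means clean."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    out = []
    if doc.get("Version") != "1":
        out.append('ERROR: Version must be the string "1"')
    stmts = doc.get("Statement")
    if not isinstance(stmts, list) or not stmts:
        return out + ["ERROR: Statement must be a non-empty array"]
    for i, s in enumerate(stmts):
        tag = f"Statement[{i}]"
        effect = s.get("Effect")
        if effect not in ("Allow", "Deny"):
            out.append(f"ERROR: {tag} Effect must be Allow or Deny")
        actions = _as_list(s.get("Action"))
        if not actions:
            out.append(f"ERROR: {tag} Action is required")
        for a in actions:
            if not expand_actions(a):
                out.append(f"ERROR: {tag} Action {a} matches no supported OSS Tables action")
        resources = _as_list(s.get("Resource"))
        if not resources:
            out.append(f"ERROR: {tag} Resource is required")
        for r in resources:
            if not _arn_ok(r):
                out.append(f"WARN: {tag} Resource {r} does not look like an OSS Tables ARN")
        if "Condition" in s and not isinstance(s["Condition"], dict):
            out.append(f"ERROR: {tag} Condition must be an object")
        if kind == "resource" and not _as_list(s.get("Principal")):
            out.append(f"ERROR: {tag} Principal is required in a resource policy")
        if kind == "ram" and "Principal" in s:
            out.append(f"WARN: {tag} Principal is not used in a RAM policy")
        if effect == "Allow":
            granted = set().union(*(expand_actions(a) for a in actions))
            if "oss:*" in actions and any("*" in r for r in resources):
                out.append(f"WARN: {tag} allows every action on a wildcard resource")
            if granted & POLICY_ADMIN_ACTIONS:
                out.append(f"WARN: {tag} allows policy administration actions")
    return out


# Constructed sample policies (account ID and bucket names are placeholders).
READ_POLICY = {"Version": "1", "Statement": [{
    "Effect": "Allow",
    "Action": ["oss:GetTableBucket", "oss:ListTables", "oss:GetTable", "oss:ListNamespaces"],
    "Principal": ["1234567890"],
    "Resource": ["acs:osstables:cn-hangzhou:1234567890:bucket/demo-bucket"]}]}
RAM_ADMIN_POLICY = {"Version": "1", "Statement": [{
    "Effect": "Allow", "Action": "oss:*",
    "Resource": ["acs:osstables:cn-hangzhou:*:bucket/my-table-bucket",
                 "acs:osstables:cn-hangzhou:*:bucket/my-table-bucket/*"]}]}
BAD_POLICY = {"Version": "2", "Statement": [{            # wrong version
    "Effect": "Allow", "Action": ["oss:GetTables"],      # typo in the action name
    "Resource": ["acs:osstable:cn-hangzhou:1234567890:bucket/x"]}]}  # service segment misspelt, no Principal

if __name__ == "__main__":
    for label, pol, kind in (("read", READ_POLICY, "resource"), ("ram-admin", RAM_ADMIN_POLICY, "ram"),
                             ("bad", BAD_POLICY, "resource")):
        print(label, validate_policy(pol, kind) or ["clean"])
```

`expand_actions` doubles as a quick way to see what a wildcard really grants: `oss:*Table*` covers every Table and Table Bucket action, including the policy, encryption and maintenance operations, which is rarely what a data-access policy intends.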
Resource ARN format
OSS Tables identifies resources with ARNs (Alibaba Cloud Resource Names) in the following format:
| Resource level | Format | Example |
| --- | --- | --- |
| All Tables resources | | |
| Table Bucket | | |
| Table | | |