OSS Tables provides access control through resource policies written in the IAM Policy format. A resource policy can be set at two levels, Table Bucket and Table, which allows fine-grained permission management.
Permission model
OSS Tables uses resource policies in IAM Policy format for access control. The model has the following characteristics:
IAM Policy format: resource policies use the same IAM Policy format as RAM Policy and contain the standard fields Version, Statement, Effect, Action, Principal and Resource.
Two levels of granularity: a resource policy can be set at the Table Bucket level or at the Table level. A Table Bucket-level policy applies to every Table in that bucket; a Table-level policy applies only to the specified Table.
Management entry: Bucket authorization policies and RAM access control are managed on the Access Control tab of the Table Bucket details page. The Access Control tab contains two sub-tabs, Bucket Authorization Policy and RAM Access Control.
Resource authorization: for Table-related requests, the final authorization result is determined jointly by the Table Bucket Policy and the Table Policy:
| Table Bucket Policy | Table Policy | Authorization result |
|---|---|---|
| Allow | Allow | Allow |
| Allow | Ignore | Allow |
| Allow | Deny | Deny |
| Ignore | Allow | Allow |
| Ignore | Ignore | Ignore |
| Ignore | Deny | Deny |
| Deny | Allow | Deny |
| Deny | Ignore | Deny |
| Deny | Deny | Deny |
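The decision table above carried out in code. This is an added example written for this page, not SDK or ossutil code: it evaluates one request against a Table Bucket policy and a Table policy, treating a policy with no matching statement as Ignore and letting Deny override Allow inside one policy (as the syntax section states), then combines the two results exactly as the table does. The two policies and the account ID 1142323451000000 are constructed sample data.

```python
import fnmatch
import json


def _as_list(value):
    """Policy fields may be a single string or an array; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def evaluate_policy(policy_json, principal, action, resource):
    """Effect of ONE policy document on a request: "Allow", "Deny" or "Ignore".

    "Ignore" means no statement matched the (principal, action, resource) triple.
    If at least one matching statement is a Deny, the document says Deny.
    """
    if policy_json is None:  # no policy configured at this level
        return "Ignore"
    effects = set()
    for stmt in json.loads(policy_json).get("Statement", []):
        if principal not in _as_list(stmt.get("Principal")):
            continue
        # Action and Resource both support the * wildcard (e.g. oss:*Table*).
        if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt.get("Action"))):
            continue
        if not any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt.get("Resource"))):
            continue
        effects.add(stmt["Effect"])
    if "Deny" in effects:
        return "Deny"
    if "Allow" in effects:
        return "Allow"
    return "Ignore"


def combine(bucket_effect, table_effect):
    """The nine-row table from the page: any Deny wins, then any Allow, else Ignore."""
    if "Deny" in (bucket_effect, table_effect):
        return "Deny"
    if "Allow" in (bucket_effect, table_effect):
        return "Allow"
    return "Ignore"


def authorize(bucket_policy_json, table_policy_json, principal, action, resource):
    """Final result for a Table-related request, from both policy levels."""
    return combine(evaluate_policy(bucket_policy_json, principal, action, resource),
                   evaluate_policy(table_policy_json, principal, action, resource))


# Constructed sample data. The ARNs follow the examples used on this page.
BUCKET_ARN = "acs:osstables:cn-hangzhou:1234567890:bucket/mytablebucket"
TABLE_ARN = BUCKET_ARN + "/table/c3a22d63-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
ACCOUNT = "1142323451000000"  # constructed account ID of the requester

# Bucket policy: the account may list and read every table in the bucket.
BUCKET_POLICY = json.dumps({"Version": "1", "Statement": [{
    "Effect": "Allow",
    "Action": ["oss:ListTables", "oss:GetTable"],
    "Principal": [ACCOUNT],
    "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"],
}]})

# Table policy on one table: explicitly deny oss:GetTable to the same account.
TABLE_POLICY = json.dumps({"Version": "1", "Statement": [{
    "Effect": "Deny",
    "Action": ["oss:GetTable"],
    "Principal": [ACCOUNT],
    "Resource": [TABLE_ARN],
}]})

if __name__ == "__main__":
    for action, res in (("oss:GetTable", TABLE_ARN), ("oss:ListTables", BUCKET_ARN),
                        ("oss:DeleteTable", TABLE_ARN)):
        print(action, "->", authorize(BUCKET_POLICY, TABLE_POLICY, ACCOUNT, action, res))
```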
Bucket authorization policies
Resource policies come in two granularities: Table Bucket level and Table level.
Table Bucket-level resource policy
A Table Bucket-level resource policy controls access to the whole Table Bucket and to every Table in it. The Table Bucket's policy applies to all Tables under the bucket.
Console
Configure Bucket authorization policies through the graphical interface of the OSS console. Two methods are supported: Add by Graphical Policy and Add by Syntax Policy.
1. Log on to the OSS console and choose Table Bucket List in the left navigation pane.
2. Click the name of the target Table Bucket to open its details page.
3. Click the Access Control tab.
4. On the Bucket Authorization Policy sub-tab, click Add Authorization.
5. Choose Add by Graphical Policy or Add by Syntax Policy.
6. Configure the following parameters according to your requirements:
   - Authorized Resource: the scope of resources to authorize.
   - Authorized Action: the type of operations to allow or deny.
   - Condition: the conditions under which the policy takes effect (optional).
   - Authorized User: the principals the policy applies to.
   - Effect: Allow or Deny.
7. Click OK to complete the authorization.
After configuration, the authorization list shows the configured policies, including the authorized resource, authorized action, condition, authorized user and effect. Policies can be edited or deleted in the Actions column.
ossutil

```bash
# Set the Table Bucket resource policy
ossutil tables-api put-table-bucket-policy --table-bucket-arn acs:osstables:cn-hangzhou:1234567890:bucket/mytablebucket --resource-policy '{"Version":"1","Statement":[{"Effect":"Allow","Action":["oss:GetTableBucket","oss:ListTables","oss:GetTable"],"Principal":["1142323451******"],"Resource":["acs:osstables:cn-hangzhou:1234567890:bucket/mytablebucket"]}]}'

# Get the Table Bucket resource policy
ossutil tables-api get-table-bucket-policy --table-bucket-arn acs:osstables:cn-hangzhou:1234567890:bucket/mytablebucket

# Delete the Table Bucket resource policy
ossutil tables-api delete-table-bucket-policy --table-bucket-arn acs:osstables:cn-hangzhou:1234567890:bucket/mytablebucket
```

SDK
Python
Set a Table Bucket resource policy (PutTableBucketPolicy)

```python
import argparse
import json
import alibabacloud_oss_v2 as oss
import alibabacloud_oss_v2.tables as oss_tables

parser = argparse.ArgumentParser(description="put table bucket policy sample")
parser.add_argument('--region', help='The region in which the table bucket is located.', required=True)
parser.add_argument('--endpoint', help='The domain names that other services can use to access OSS Tables.')
parser.add_argument('--table-bucket-arn', help='The ARN of the table bucket.', required=True)
parser.add_argument('--policy', help='The resource policy JSON string.', required=True)


def main():
    args = parser.parse_args()
    # Fail fast on malformed JSON before anything is sent to the service.
    json.loads(args.policy)

    # Credentials are read from environment variables.
    credentials_provider = oss.credentials.EnvironmentVariableCredentialsProvider()
    cfg = oss.config.load_default()
    cfg.credentials_provider = credentials_provider
    cfg.region = args.region
    if args.endpoint is not None:
        cfg.endpoint = args.endpoint

    client = oss_tables.Client(cfg)
    result = client.put_table_bucket_policy(oss_tables.models.PutTableBucketPolicyRequest(
        table_bucket_arn=args.table_bucket_arn,
        resource_policy=args.policy,
    ))
    print(f'status code: {result.status_code},'
          f' request id: {result.request_id}')
    print(f'successfully set policy for: {args.table_bucket_arn}')


if __name__ == "__main__":
    main()
```

Get a Table Bucket resource policy (GetTableBucketPolicy)

```python
import argparse
import alibabacloud_oss_v2 as oss
import alibabacloud_oss_v2.tables as oss_tables

parser = argparse.ArgumentParser(description="get table bucket policy sample")
parser.add_argument('--region', help='The region in which the table bucket is located.', required=True)
parser.add_argument('--endpoint', help='The domain names that other services can use to access OSS Tables.')
parser.add_argument('--table-bucket-arn', help='The ARN of the table bucket.', required=True)


def main():
    args = parser.parse_args()
    # Credentials are read from environment variables.
    credentials_provider = oss.credentials.EnvironmentVariableCredentialsProvider()
    cfg = oss.config.load_default()
    cfg.credentials_provider = credentials_provider
    cfg.region = args.region
    if args.endpoint is not None:
        cfg.endpoint = args.endpoint

    client = oss_tables.Client(cfg)
    result = client.get_table_bucket_policy(oss_tables.models.GetTableBucketPolicyRequest(
        table_bucket_arn=args.table_bucket_arn,
    ))
    print(f'status code: {result.status_code},'
          f' request id: {result.request_id},'
          f' resource policy: {result.resource_policy}')


if __name__ == "__main__":
    main()
```

Delete a Table Bucket resource policy (DeleteTableBucketPolicy)

```python
import argparse
import alibabacloud_oss_v2 as oss
import alibabacloud_oss_v2.tables as oss_tables

parser = argparse.ArgumentParser(description="delete table bucket policy sample")
parser.add_argument('--region', help='The region in which the table bucket is located.', required=True)
parser.add_argument('--endpoint', help='The domain names that other services can use to access OSS Tables.')
parser.add_argument('--table-bucket-arn', help='The ARN of the table bucket.', required=True)


def main():
    args = parser.parse_args()
    # Credentials are read from environment variables.
    credentials_provider = oss.credentials.EnvironmentVariableCredentialsProvider()
    cfg = oss.config.load_default()
    cfg.credentials_provider = credentials_provider
    cfg.region = args.region
    if args.endpoint is not None:
        cfg.endpoint = args.endpoint

    client = oss_tables.Client(cfg)
    result = client.delete_table_bucket_policy(oss_tables.models.DeleteTableBucketPolicyRequest(
        table_bucket_arn=args.table_bucket_arn,
    ))
    print(f'status code: {result.status_code},'
          f' request id: {result.request_id}')
    print(f'successfully deleted policy for: {args.table_bucket_arn}')


if __name__ == "__main__":
    main()
```

Go
Set a Table Bucket resource policy (PutTableBucketPolicy)

```go
package main

import (
	"context"
	"flag"
	"log"

	"github.com/aliyun/alibabacloud-oss-go-sdk-v2/oss"
	"github.com/aliyun/alibabacloud-oss-go-sdk-v2/oss/credentials"
	"github.com/aliyun/alibabacloud-oss-go-sdk-v2/oss/tables"
)

var (
	region         string
	tableBucketArn string
)

func init() {
	flag.StringVar(&region, "region", "", "The region in which the bucket is located.")
	flag.StringVar(&tableBucketArn, "table-bucket-arn", "", "The arn of the table bucket.")
}

func main() {
	flag.Parse()
	if len(tableBucketArn) == 0 {
		flag.PrintDefaults()
		log.Fatalf("invalid parameters, table bucket arn required")
	}
	if len(region) == 0 {
		flag.PrintDefaults()
		log.Fatalf("invalid parameters, region required")
	}

	// Credentials are read from environment variables.
	cfg := oss.LoadDefaultConfig().
		WithCredentialsProvider(credentials.NewEnvironmentVariableCredentialsProvider()).
		WithRegion(region)

	client := tables.NewTablesClient(cfg)

	// Sample policy: deny oss:GetTable on the bucket to account 1234567890.
	result, err := client.PutTableBucketPolicy(context.TODO(), &tables.PutTableBucketPolicyRequest{
		TableBucketARN: oss.Ptr(tableBucketArn),
		ResourcePolicy: oss.Ptr(`
{
    "Version":"1",
    "Statement":[
        {
            "Action":[
                "oss:GetTable"
            ],
            "Effect":"Deny",
            "Principal":["1234567890"],
            "Resource":["acs:osstables:cn-hangzhou:1234567890:bucket/demo-bucket"]
        }
    ]
}
`),
	})
	if err != nil {
		log.Fatalf("failed to put table bucket policy %v", err)
	}
	log.Printf("put table bucket policy result:%#v\n", result)
}
```

Get a Table Bucket resource policy (GetTableBucketPolicy)

```go
package main

import (
	"context"
	"flag"
	"log"

	"github.com/aliyun/alibabacloud-oss-go-sdk-v2/oss"
	"github.com/aliyun/alibabacloud-oss-go-sdk-v2/oss/credentials"
	"github.com/aliyun/alibabacloud-oss-go-sdk-v2/oss/tables"
)

var (
	region         string
	tableBucketArn string
)

func init() {
	flag.StringVar(&region, "region", "", "The region in which the bucket is located.")
	flag.StringVar(&tableBucketArn, "table-bucket-arn", "", "The arn of the table bucket.")
}

func main() {
	flag.Parse()
	if len(tableBucketArn) == 0 {
		flag.PrintDefaults()
		log.Fatalf("invalid parameters, table bucket arn required")
	}
	if len(region) == 0 {
		flag.PrintDefaults()
		log.Fatalf("invalid parameters, region required")
	}

	// Credentials are read from environment variables.
	cfg := oss.LoadDefaultConfig().
		WithCredentialsProvider(credentials.NewEnvironmentVariableCredentialsProvider()).
		WithRegion(region)

	client := tables.NewTablesClient(cfg)

	result, err := client.GetTableBucketPolicy(context.TODO(), &tables.GetTableBucketPolicyRequest{
		TableBucketARN: oss.Ptr(tableBucketArn),
	})
	if err != nil {
		log.Fatalf("failed to get table bucket policy %v", err)
	}
	log.Printf("get table bucket policy result:%#v\n", result)
}
```

Delete a Table Bucket resource policy (DeleteTableBucketPolicy)

```go
package main

import (
	"context"
	"flag"
	"log"

	"github.com/aliyun/alibabacloud-oss-go-sdk-v2/oss"
	"github.com/aliyun/alibabacloud-oss-go-sdk-v2/oss/credentials"
	"github.com/aliyun/alibabacloud-oss-go-sdk-v2/oss/tables"
)

var (
	region         string
	tableBucketArn string
)

func init() {
	flag.StringVar(&region, "region", "", "The region in which the bucket is located.")
	flag.StringVar(&tableBucketArn, "table-bucket-arn", "", "The arn of the table bucket.")
}

func main() {
	flag.Parse()
	if len(tableBucketArn) == 0 {
		flag.PrintDefaults()
		log.Fatalf("invalid parameters, table bucket arn required")
	}
	if len(region) == 0 {
		flag.PrintDefaults()
		log.Fatalf("invalid parameters, region required")
	}

	// Credentials are read from environment variables.
	cfg := oss.LoadDefaultConfig().
		WithCredentialsProvider(credentials.NewEnvironmentVariableCredentialsProvider()).
		WithRegion(region)

	client := tables.NewTablesClient(cfg)

	result, err := client.DeleteTableBucketPolicy(context.TODO(), &tables.DeleteTableBucketPolicyRequest{
		TableBucketARN: oss.Ptr(tableBucketArn),
	})
	if err != nil {
		log.Fatalf("failed to delete table bucket policy %v", err)
	}
	log.Printf("delete table bucket policy result:%#v\n", result)
}
```

Java
Set a Table Bucket resource policy (PutTableBucketPolicy)

```java
import com.aliyun.sdk.service.oss2.credentials.EnvironmentVariableCredentialsProvider;
import com.aliyun.sdk.service.oss2.tables.OSSTablesClient;
import com.aliyun.sdk.service.oss2.tables.models.*;

public class PutTableBucketPolicySample {
    public static void main(String[] args) throws Exception {
        String region = "cn-hangzhou";
        String tableBucketARN = "acs:osstables:cn-hangzhou:1234567890:bucket/mytablebucket";
        // Sample policy: deny oss:GetTable on every table in demo-bucket to account 1234567890.
        String resourcePolicy = "{\"Version\":\"1\",\"Statement\":[{\"Effect\":\"Deny\",\"Action\":[\"oss:GetTable\"],\"Principal\":[\"1234567890\"],\"Resource\":[\"acs:osstables:cn-hangzhou:1234567890:bucket/demo-bucket/table/*\"]}]}";

        // Credentials are read from environment variables.
        try (OSSTablesClient client = OSSTablesClient.newBuilder()
                .credentialsProvider(new EnvironmentVariableCredentialsProvider())
                .region(region)
                .build()) {
            PutTableBucketPolicyRequest request = PutTableBucketPolicyRequest.newBuilder()
                    .tableBucketARN(tableBucketARN)
                    .resourcePolicy(resourcePolicy)
                    .build();
            PutTableBucketPolicyResult result = client.putTableBucketPolicy(request);
            System.out.printf("Status code:%d, request id:%s%n",
                    result.statusCode(), result.requestId());
            System.out.printf("Successfully updated table bucket policy for ARN: %s%n", tableBucketARN);
        } catch (Exception e) {
            System.out.println("Error: " + e.getMessage());
        }
    }
}
```

Get a Table Bucket resource policy (GetTableBucketPolicy)

```java
import com.aliyun.sdk.service.oss2.credentials.EnvironmentVariableCredentialsProvider;
import com.aliyun.sdk.service.oss2.tables.OSSTablesClient;
import com.aliyun.sdk.service.oss2.tables.models.*;

public class GetTableBucketPolicySample {
    public static void main(String[] args) throws Exception {
        String region = "cn-hangzhou";
        String tableBucketARN = "acs:osstables:cn-hangzhou:1234567890:bucket/mytablebucket";

        // Credentials are read from environment variables.
        try (OSSTablesClient client = OSSTablesClient.newBuilder()
                .credentialsProvider(new EnvironmentVariableCredentialsProvider())
                .region(region)
                .build()) {
            GetTableBucketPolicyRequest request = GetTableBucketPolicyRequest.newBuilder()
                    .tableBucketARN(tableBucketARN)
                    .build();
            GetTableBucketPolicyResult result = client.getTableBucketPolicy(request);
            System.out.printf("Status code:%d, request id:%s%n",
                    result.statusCode(), result.requestId());
            System.out.printf("Retrieved policy for table bucket: %s%n", tableBucketARN);
            if (result.resourcePolicy() != null) {
                System.out.printf("Policy: %s%n", result.resourcePolicy());
            } else {
                System.out.println("No policy set for this table bucket.");
            }
        } catch (Exception e) {
            System.out.println("Error: " + e.getMessage());
        }
    }
}
```

Delete a Table Bucket resource policy (DeleteTableBucketPolicy)

```java
import com.aliyun.sdk.service.oss2.credentials.EnvironmentVariableCredentialsProvider;
import com.aliyun.sdk.service.oss2.tables.OSSTablesClient;
import com.aliyun.sdk.service.oss2.tables.models.*;

public class DeleteTableBucketPolicySample {
    public static void main(String[] args) throws Exception {
        String region = "cn-hangzhou";
        String tableBucketARN = "acs:osstables:cn-hangzhou:1234567890:bucket/mytablebucket";

        // Credentials are read from environment variables.
        try (OSSTablesClient client = OSSTablesClient.newBuilder()
                .credentialsProvider(new EnvironmentVariableCredentialsProvider())
                .region(region)
                .build()) {
            DeleteTableBucketPolicyRequest request = DeleteTableBucketPolicyRequest.newBuilder()
                    .tableBucketARN(tableBucketARN)
                    .build();
            DeleteTableBucketPolicyResult result = client.deleteTableBucketPolicy(request);
            System.out.printf("Status code:%d, request id:%s%n",
                    result.statusCode(), result.requestId());
            System.out.printf("Successfully deleted policy for table bucket ARN: %s%n", tableBucketARN);
        } catch (Exception e) {
            System.out.println("Error: " + e.getMessage());
        }
    }
}
```

API
Set a Table Bucket resource policy: PutTableBucketPolicy
Get a Table Bucket resource policy: GetTableBucketPolicy
Delete a Table Bucket resource policy: DeleteTableBucketPolicy
Table-level resource policy
A Table-level resource policy controls access to a single Table.
Console
Configure Table authorization policies through the graphical interface of the OSS console. Two methods are supported: Add by Graphical Policy and Add by Syntax Policy.
1. Log on to the OSS console and choose Table Bucket List in the left navigation pane.
2. Click the name of the target Table Bucket to open its details page.
3. Click the Table List tab and open the details page of the target Table.
4. On the Access Control > Table Authorization Policy sub-tab, click Add Authorization.
5. Choose Add by Graphical Policy or Add by Syntax Policy.
6. Configure the following parameters according to your requirements:
   - Authorized Resource: the scope of resources to authorize.
   - Authorized Action: the type of operations to allow or deny.
   - Condition: the conditions under which the policy takes effect (optional).
   - Authorized User: the principals the policy applies to.
   - Effect: Allow or Deny.
7. Click OK to complete the authorization.
After configuration, the authorization list shows the configured policies, including the authorized resource, authorized action, condition, authorized user and effect. Policies can be edited or deleted in the Actions column.
ossutil

```bash
# Set the Table resource policy
ossutil tables-api put-table-policy --table-bucket-arn acs:osstables:cn-hangzhou:1234567890:bucket/mytablebucket --namespace mynamespace --name mytable --resource-policy '{"Version":"1","Statement":[{"Effect":"Allow","Action":["oss:GetTable","oss:CreateTable","oss:DeleteTable"],"Principal":["1142323451******"],"Resource":["acs:osstables:cn-hangzhou:1234567890:bucket/mytablebucket/table/c3a22d63-xxxx-xxxx-xxxx-xxxxxxxxxxxx"]}]}'

# Get the Table resource policy
ossutil tables-api get-table-policy --table-bucket-arn acs:osstables:cn-hangzhou:1234567890:bucket/mytablebucket --namespace mynamespace --name mytable

# Delete the Table resource policy
ossutil tables-api delete-table-policy --table-bucket-arn acs:osstables:cn-hangzhou:1234567890:bucket/mytablebucket --namespace mynamespace --name mytable
```

SDK
Python
Set a Table resource policy (PutTablePolicy)

```python
import argparse
import alibabacloud_oss_v2 as oss
import alibabacloud_oss_v2.tables as oss_tables

parser = argparse.ArgumentParser(description="put table policy sample")
parser.add_argument('--region', help='The region in which the table bucket is located.', required=True)
parser.add_argument('--endpoint', help='The domain names that other services can use to access OSS Tables.')
parser.add_argument('--table-bucket-arn', help='The ARN of the table bucket.', required=True)
parser.add_argument('--namespace', help='The namespace of the table.', required=True)
parser.add_argument('--name', help='The name of the table.', required=True)
parser.add_argument('--policy', help='The resource policy JSON string.', required=True)


def main():
    args = parser.parse_args()
    # Credentials are read from environment variables.
    credentials_provider = oss.credentials.EnvironmentVariableCredentialsProvider()
    cfg = oss.config.load_default()
    cfg.credentials_provider = credentials_provider
    cfg.region = args.region
    if args.endpoint is not None:
        cfg.endpoint = args.endpoint

    client = oss_tables.Client(cfg)
    result = client.put_table_policy(oss_tables.models.PutTablePolicyRequest(
        table_bucket_arn=args.table_bucket_arn,
        namespace=args.namespace,
        name=args.name,
        resource_policy=args.policy,
    ))
    print(f'status code: {result.status_code},'
          f' request id: {result.request_id}')
    print(f'successfully set policy for: {args.namespace}/{args.name}')


if __name__ == "__main__":
    main()
```

Get a Table resource policy (GetTablePolicy)

```python
import argparse
import alibabacloud_oss_v2 as oss
import alibabacloud_oss_v2.tables as oss_tables

parser = argparse.ArgumentParser(description="get table policy sample")
parser.add_argument('--region', help='The region in which the table bucket is located.', required=True)
parser.add_argument('--endpoint', help='The domain names that other services can use to access OSS Tables.')
parser.add_argument('--table-bucket-arn', help='The ARN of the table bucket.', required=True)
parser.add_argument('--namespace', help='The namespace of the table.', required=True)
parser.add_argument('--name', help='The name of the table.', required=True)


def main():
    args = parser.parse_args()
    # Credentials are read from environment variables.
    credentials_provider = oss.credentials.EnvironmentVariableCredentialsProvider()
    cfg = oss.config.load_default()
    cfg.credentials_provider = credentials_provider
    cfg.region = args.region
    if args.endpoint is not None:
        cfg.endpoint = args.endpoint

    client = oss_tables.Client(cfg)
    result = client.get_table_policy(oss_tables.models.GetTablePolicyRequest(
        table_bucket_arn=args.table_bucket_arn,
        namespace=args.namespace,
        name=args.name,
    ))
    print(f'status code: {result.status_code},'
          f' request id: {result.request_id},'
          f' resource policy: {result.resource_policy}')


if __name__ == "__main__":
    main()
```

Delete a Table resource policy (DeleteTablePolicy)

```python
import argparse
import alibabacloud_oss_v2 as oss
import alibabacloud_oss_v2.tables as oss_tables

parser = argparse.ArgumentParser(description="delete table policy sample")
parser.add_argument('--region', help='The region in which the table bucket is located.', required=True)
parser.add_argument('--endpoint', help='The domain names that other services can use to access OSS Tables.')
parser.add_argument('--table-bucket-arn', help='The ARN of the table bucket.', required=True)
parser.add_argument('--namespace', help='The namespace of the table.', required=True)
parser.add_argument('--name', help='The name of the table.', required=True)


def main():
    args = parser.parse_args()
    # Credentials are read from environment variables.
    credentials_provider = oss.credentials.EnvironmentVariableCredentialsProvider()
    cfg = oss.config.load_default()
    cfg.credentials_provider = credentials_provider
    cfg.region = args.region
    if args.endpoint is not None:
        cfg.endpoint = args.endpoint

    client = oss_tables.Client(cfg)
    result = client.delete_table_policy(oss_tables.models.DeleteTablePolicyRequest(
        table_bucket_arn=args.table_bucket_arn,
        namespace=args.namespace,
        name=args.name,
    ))
    print(f'status code: {result.status_code},'
          f' request id: {result.request_id}')
    print(f'successfully deleted policy for: {args.namespace}/{args.name}')


if __name__ == "__main__":
    main()
```

Go
Set a Table resource policy (PutTablePolicy)

```go
package main

import (
	"context"
	"flag"
	"log"

	"github.com/aliyun/alibabacloud-oss-go-sdk-v2/oss"
	"github.com/aliyun/alibabacloud-oss-go-sdk-v2/oss/credentials"
	"github.com/aliyun/alibabacloud-oss-go-sdk-v2/oss/tables"
)

var (
	region         string
	tableBucketArn string
	namespace      string
	name           string
)

func init() {
	flag.StringVar(&region, "region", "", "The region in which the bucket is located.")
	flag.StringVar(&tableBucketArn, "table-bucket-arn", "", "The arn of the table bucket.")
	flag.StringVar(&namespace, "namespace", "", "The name of the namespace.")
	flag.StringVar(&name, "name", "", "The name of the table.")
}

func main() {
	flag.Parse()
	if len(tableBucketArn) == 0 {
		flag.PrintDefaults()
		log.Fatalf("invalid parameters, table bucket arn required")
	}
	if len(namespace) == 0 {
		flag.PrintDefaults()
		log.Fatalf("invalid parameters, namespace name required")
	}
	if len(name) == 0 {
		flag.PrintDefaults()
		log.Fatalf("invalid parameters, table name required")
	}
	if len(region) == 0 {
		flag.PrintDefaults()
		log.Fatalf("invalid parameters, region required")
	}

	// Credentials are read from environment variables.
	cfg := oss.LoadDefaultConfig().
		WithCredentialsProvider(credentials.NewEnvironmentVariableCredentialsProvider()).
		WithRegion(region)

	client := tables.NewTablesClient(cfg)

	// Sample policy: deny oss:GetTable on every table in demo-bucket to account 1234567890.
	result, err := client.PutTablePolicy(context.TODO(), &tables.PutTablePolicyRequest{
		TableBucketARN: oss.Ptr(tableBucketArn),
		Namespace:      oss.Ptr(namespace),
		Name:           oss.Ptr(name),
		ResourcePolicy: oss.Ptr(`
{
    "Version":"1",
    "Statement":[
        {
            "Action":[
                "oss:GetTable"
            ],
            "Effect":"Deny",
            "Principal":["1234567890"],
            "Resource":["acs:osstables:cn-hangzhou:1234567890:bucket/demo-bucket/table/*"]
        }
    ]
}
`),
	})
	if err != nil {
		log.Fatalf("failed to put table policy %v", err)
	}
	log.Printf("put table policy result:%#v\n", result)
}
```

Get a Table resource policy (GetTablePolicy)

```go
package main

import (
	"context"
	"flag"
	"log"

	"github.com/aliyun/alibabacloud-oss-go-sdk-v2/oss"
	"github.com/aliyun/alibabacloud-oss-go-sdk-v2/oss/credentials"
	"github.com/aliyun/alibabacloud-oss-go-sdk-v2/oss/tables"
)

var (
	region         string
	tableBucketArn string
	namespace      string
	name           string
)

func init() {
	flag.StringVar(&region, "region", "", "The region in which the bucket is located.")
	flag.StringVar(&tableBucketArn, "table-bucket-arn", "", "The arn of the table bucket.")
	flag.StringVar(&namespace, "namespace", "", "The name of the namespace.")
	flag.StringVar(&name, "name", "", "The name of the table.")
}

func main() {
	flag.Parse()
	if len(tableBucketArn) == 0 {
		flag.PrintDefaults()
		log.Fatalf("invalid parameters, table bucket arn required")
	}
	if len(namespace) == 0 {
		flag.PrintDefaults()
		log.Fatalf("invalid parameters, namespace name required")
	}
	if len(name) == 0 {
		flag.PrintDefaults()
		log.Fatalf("invalid parameters, table name required")
	}
	if len(region) == 0 {
		flag.PrintDefaults()
		log.Fatalf("invalid parameters, region required")
	}

	// Credentials are read from environment variables.
	cfg := oss.LoadDefaultConfig().
		WithCredentialsProvider(credentials.NewEnvironmentVariableCredentialsProvider()).
		WithRegion(region)

	client := tables.NewTablesClient(cfg)

	result, err := client.GetTablePolicy(context.TODO(), &tables.GetTablePolicyRequest{
		TableBucketARN: oss.Ptr(tableBucketArn),
		Namespace:      oss.Ptr(namespace),
		Name:           oss.Ptr(name),
	})
	if err != nil {
		log.Fatalf("failed to get table policy %v", err)
	}
	log.Printf("get table policy result:%#v\n", result)
}
```

Delete a Table resource policy (DeleteTablePolicy)

```go
package main

import (
	"context"
	"flag"
	"log"

	"github.com/aliyun/alibabacloud-oss-go-sdk-v2/oss"
	"github.com/aliyun/alibabacloud-oss-go-sdk-v2/oss/credentials"
	"github.com/aliyun/alibabacloud-oss-go-sdk-v2/oss/tables"
)

var (
	region         string
	tableBucketArn string
	namespace      string
	name           string
)

func init() {
	flag.StringVar(&region, "region", "", "The region in which the bucket is located.")
	flag.StringVar(&tableBucketArn, "table-bucket-arn", "", "The arn of the table bucket.")
	flag.StringVar(&namespace, "namespace", "", "The name of the namespace.")
	flag.StringVar(&name, "name", "", "The name of the table.")
}

func main() {
	flag.Parse()
	if len(tableBucketArn) == 0 {
		flag.PrintDefaults()
		log.Fatalf("invalid parameters, table bucket arn required")
	}
	if len(namespace) == 0 {
		flag.PrintDefaults()
		log.Fatalf("invalid parameters, namespace name required")
	}
	if len(name) == 0 {
		flag.PrintDefaults()
		log.Fatalf("invalid parameters, table name required")
	}
	if len(region) == 0 {
		flag.PrintDefaults()
		log.Fatalf("invalid parameters, region required")
	}

	// Credentials are read from environment variables.
	cfg := oss.LoadDefaultConfig().
		WithCredentialsProvider(credentials.NewEnvironmentVariableCredentialsProvider()).
		WithRegion(region)

	client := tables.NewTablesClient(cfg)

	result, err := client.DeleteTablePolicy(context.TODO(), &tables.DeleteTablePolicyRequest{
		TableBucketARN: oss.Ptr(tableBucketArn),
		Namespace:      oss.Ptr(namespace),
		Name:           oss.Ptr(name),
	})
	if err != nil {
		log.Fatalf("failed to delete table policy %v", err)
	}
	log.Printf("delete table policy result:%#v\n", result)
}
```

Java
Set a Table resource policy (PutTablePolicy)

```java
import com.aliyun.sdk.service.oss2.credentials.EnvironmentVariableCredentialsProvider;
import com.aliyun.sdk.service.oss2.tables.OSSTablesClient;
import com.aliyun.sdk.service.oss2.tables.models.*;

public class PutTablePolicySample {
    public static void main(String[] args) throws Exception {
        String region = "cn-hangzhou";
        String tableBucketARN = "acs:osstables:cn-hangzhou:1234567890:bucket/mytablebucket";
        String namespace = "mynamespace";
        String name = "mytable";
        // Sample policy: deny oss:GetTable on every table in demo-bucket to account 1234567890.
        String resourcePolicy = "{\"Version\":\"1\",\"Statement\":[{\"Effect\":\"Deny\",\"Action\":[\"oss:GetTable\"],\"Principal\":[\"1234567890\"],\"Resource\":[\"acs:osstables:cn-hangzhou:1234567890:bucket/demo-bucket/table/*\"]}]}";

        // Credentials are read from environment variables.
        try (OSSTablesClient client = OSSTablesClient.newBuilder()
                .credentialsProvider(new EnvironmentVariableCredentialsProvider())
                .region(region)
                .build()) {
            PutTablePolicyRequest request = PutTablePolicyRequest.newBuilder()
                    .tableBucketARN(tableBucketARN)
                    .namespace(namespace)
                    .name(name)
                    .resourcePolicy(resourcePolicy)
                    .build();
            PutTablePolicyResult result = client.putTablePolicy(request);
            System.out.printf("Status code:%d, request id:%s%n",
                    result.statusCode(), result.requestId());
            System.out.printf("Successfully put table policy for table: %s/%s%n", namespace, name);
        } catch (Exception e) {
            System.out.println("Error: " + e.getMessage());
        }
    }
}
```

Get a Table resource policy (GetTablePolicy)

```java
import com.aliyun.sdk.service.oss2.credentials.EnvironmentVariableCredentialsProvider;
import com.aliyun.sdk.service.oss2.tables.OSSTablesClient;
import com.aliyun.sdk.service.oss2.tables.models.*;

public class GetTablePolicySample {
    public static void main(String[] args) throws Exception {
        String region = "cn-hangzhou";
        String tableBucketARN = "acs:osstables:cn-hangzhou:1234567890:bucket/mytablebucket";
        String namespace = "mynamespace";
        String name = "mytable";

        // Credentials are read from environment variables.
        try (OSSTablesClient client = OSSTablesClient.newBuilder()
                .credentialsProvider(new EnvironmentVariableCredentialsProvider())
                .region(region)
                .build()) {
            GetTablePolicyRequest request = GetTablePolicyRequest.newBuilder()
                    .tableBucketARN(tableBucketARN)
                    .namespace(namespace)
                    .name(name)
                    .build();
            GetTablePolicyResult result = client.getTablePolicy(request);
            System.out.printf("Status code:%d, request id:%s%n",
                    result.statusCode(), result.requestId());
            System.out.printf("Resource policy: %s%n", result.resourcePolicy());
        } catch (Exception e) {
            System.out.println("Error: " + e.getMessage());
        }
    }
}
```

Delete a Table resource policy (DeleteTablePolicy)

```java
import com.aliyun.sdk.service.oss2.credentials.EnvironmentVariableCredentialsProvider;
import com.aliyun.sdk.service.oss2.tables.OSSTablesClient;
import com.aliyun.sdk.service.oss2.tables.models.*;

public class DeleteTablePolicySample {
    public static void main(String[] args) throws Exception {
        String region = "cn-hangzhou";
        String tableBucketARN = "acs:osstables:cn-hangzhou:1234567890:bucket/mytablebucket";
        String namespace = "mynamespace";
        String name = "mytable";

        // Credentials are read from environment variables.
        try (OSSTablesClient client = OSSTablesClient.newBuilder()
                .credentialsProvider(new EnvironmentVariableCredentialsProvider())
                .region(region)
                .build()) {
            DeleteTablePolicyRequest request = DeleteTablePolicyRequest.newBuilder()
                    .tableBucketARN(tableBucketARN)
                    .namespace(namespace)
                    .name(name)
                    .build();
            DeleteTablePolicyResult result = client.deleteTablePolicy(request);
            System.out.printf("Status code:%d, request id:%s%n",
                    result.statusCode(), result.requestId());
            System.out.printf("Successfully deleted table policy for table: %s/%s%n", namespace, name);
        } catch (Exception e) {
            System.out.println("Error: " + e.getMessage());
        }
    }
}
```

API
Set a Table resource policy: PutTablePolicy
Get a Table resource policy: GetTablePolicy
Delete a Table resource policy: DeleteTablePolicy
RAM access control
Use RAM (Resource Access Management) to grant OSS Tables permissions to RAM users or roles. RAM Policy uses the standard IAM Policy syntax; custom policies can be attached to users, user groups or roles in the RAM console.
1. Log on to the OSS console and choose Table Bucket List in the left navigation pane.
2. Click the name of the target Table Bucket to open its details page.
3. Click the Access Control tab, then click the RAM Access Control sub-tab.
4. On the RAM Access Control page, click Go to RAM Console to open the RAM console and perform the following steps:
   - Create a custom policy: on the Policies page of the RAM console, create a custom policy whose content specifies the OSS Tables Actions and Resources.
   - Grant the policy: attach the policy you created to a RAM user, user group or role.
RAM Policy examples
The following are common RAM Policy configurations.
Grant read-only access to a Table Bucket

```json
{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "oss:GetTableBucket",
                "oss:ListTableBuckets",
                "oss:ListNamespaces",
                "oss:GetNamespace",
                "oss:ListTables",
                "oss:GetTable",
                "oss:GetTableData",
                "oss:GetTablePolicy",
                "oss:GetTableBucketPolicy",
                "oss:GetTableMaintenanceConfiguration",
                "oss:GetTableBucketMaintenanceConfiguration",
                "oss:GetTableEncryption",
                "oss:GetTableBucketEncryption",
                "oss:GetTableMetadataLocation"
            ],
            "Resource": [
                "acs:osstables:cn-hangzhou:*:bucket/my-table-bucket",
                "acs:osstables:cn-hangzhou:*:bucket/my-table-bucket/*"
            ]
        }
    ]
}
```

Grant full management permissions on a specific Table Bucket

```json
{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "oss:*",
            "Resource": [
                "acs:osstables:cn-hangzhou:*:bucket/my-table-bucket",
                "acs:osstables:cn-hangzhou:*:bucket/my-table-bucket/*"
            ]
        }
    ]
}
```

Resource policy syntax
OSS Tables resource policies use the IAM Policy format. The policy document is JSON and contains the following fields:

| Field | Type | Required | Value | Description |
|---|---|---|---|---|
| Version | String | Yes | 1 | Policy version number, fixed to "1". |
| Statement | Array | Yes | — | List of authorization statements; each statement defines one authorization rule. |
| Effect | String | Yes | Allow / Deny | Authorization effect. Allow permits the request, Deny refuses it. Deny takes precedence over Allow. |
| Action | Array | Yes | oss:* | List of actions; the wildcard * is supported. For example, oss:GetTable is the action that gets table information, and oss:*Table* matches every action whose name contains Table. |
| Principal | Array | Yes | Account ID | Principals to authorize, given as Alibaba Cloud account IDs. Multiple accounts can be specified. |
| Resource | Array | Yes | ARN | List of resource ARNs that define the scope of the policy. The wildcard * is supported. |
| Condition | Object | No | — | Conditions under which the policy takes effect, such as IP address restrictions, written in standard IAM Condition syntax. |
List of actions
The following table lists all Actions supported by OSS Tables:

| Resource level | Action | Description | Cross-account access |
|---|---|---|---|
| Table Bucket level | oss:CreateTableBucket | Creates a Table Bucket. | Not allowed |
| | oss:GetTableBucket | Gets information about a Table Bucket. | Allowed |
| | oss:ListTableBuckets | Lists all Table Buckets owned by the requester. | Not allowed |
| | oss:DeleteTableBucket | Deletes a Table Bucket. | Allowed |
| | oss:CreateNamespace | Creates a Namespace. | Allowed |
| | oss:DeleteNamespace | Deletes a Namespace. | Allowed |
| | oss:ListNamespaces | Lists all Namespaces in a Table Bucket. | Allowed |
| | oss:GetNamespace | Gets information about a Namespace. | Allowed |
| | oss:PutTableBucketPolicy | Sets the resource policy of a Table Bucket. | Not allowed |
| | oss:GetTableBucketPolicy | Gets the resource policy of a Table Bucket. | Not allowed |
| | oss:DeleteTableBucketPolicy | Deletes the resource policy of a Table Bucket. | Not allowed |
| | oss:GetTableBucketMaintenanceConfiguration | Gets the automatic maintenance configuration of a Table Bucket. | Allowed |
| | oss:PutTableBucketMaintenanceConfiguration | Sets the automatic maintenance configuration of a Table Bucket. | Allowed |
| | oss:PutTableBucketEncryption | Sets the encryption configuration of a Table Bucket. | Not allowed |
| | oss:GetTableBucketEncryption | Gets the encryption configuration of a Table Bucket. | Not allowed |
| | oss:DeleteTableBucketEncryption | Deletes the encryption configuration of a Table Bucket. | Not allowed |
| Table level | oss:GetTableMaintenanceConfiguration | Gets the automatic maintenance configuration of a Table. | Allowed |
| | oss:PutTableMaintenanceConfiguration | Sets the automatic maintenance configuration of a Table. | Allowed |
| | oss:PutTablePolicy | Sets the resource policy of a Table. | Not allowed |
| | oss:GetTablePolicy | Gets the resource policy of a Table. | Not allowed |
| | oss:DeleteTablePolicy | Deletes the resource policy of a Table. | Not allowed |
| | oss:CreateTable | Creates a Table. | Allowed |
| | oss:GetTable | Gets information about a Table. | Allowed |
| | oss:GetTableMetadataLocation | Gets the location of the metadata file of a Table. | Allowed |
| | oss:ListTables | Lists all Tables in a Table Bucket. | Allowed |
| | oss:RenameTable | Renames a Table. | Allowed |
| | oss:UpdateTableMetadataLocation | Updates the location of the metadata file of a Table. | Allowed |
| | oss:GetTableData | Reads data from a Table. | Allowed |
| | oss:PutTableData | Writes data to a Table. | Allowed |
| | oss:GetTableEncryption | Gets the encryption configuration of a Table. | Not allowed |
| | oss:PutTableEncryption | Modifies the encryption configuration of a Table. | Not allowed |
| | oss:DeleteTable | Deletes a Table. | Allowed |
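A policy linter built from the syntax table and the action list above. It is an added example written for this page, not part of the OSS Tables SDK or ossutil: it checks the required fields, expands wildcard Action patterns against the action list, validates Principal and Resource formats, and flags Allow statements that grant a principal from another account an action the table marks as not allowed cross-account. The sample policies, the account ID 1142323451000000 and the ARN regular expression (derived from the ARNs used on this page) are constructed.

```python
import fnmatch
import json
import re

# Every Action in the list above, and the subset marked "Not allowed" for cross-account access.
ALL_ACTIONS = [
    "oss:CreateTableBucket", "oss:GetTableBucket", "oss:ListTableBuckets",
    "oss:DeleteTableBucket", "oss:CreateNamespace", "oss:DeleteNamespace",
    "oss:ListNamespaces", "oss:GetNamespace", "oss:PutTableBucketPolicy",
    "oss:GetTableBucketPolicy", "oss:DeleteTableBucketPolicy",
    "oss:GetTableBucketMaintenanceConfiguration",
    "oss:PutTableBucketMaintenanceConfiguration",
    "oss:PutTableBucketEncryption", "oss:GetTableBucketEncryption",
    "oss:DeleteTableBucketEncryption", "oss:GetTableMaintenanceConfiguration",
    "oss:PutTableMaintenanceConfiguration", "oss:PutTablePolicy",
    "oss:GetTablePolicy", "oss:DeleteTablePolicy", "oss:CreateTable",
    "oss:GetTable", "oss:GetTableMetadataLocation", "oss:ListTables",
    "oss:RenameTable", "oss:UpdateTableMetadataLocation", "oss:GetTableData",
    "oss:PutTableData", "oss:GetTableEncryption", "oss:PutTableEncryption",
    "oss:DeleteTable",
]
NO_CROSS_ACCOUNT = {
    "oss:CreateTableBucket", "oss:ListTableBuckets", "oss:PutTableBucketPolicy",
    "oss:GetTableBucketPolicy", "oss:DeleteTableBucketPolicy",
    "oss:PutTableBucketEncryption", "oss:GetTableBucketEncryption",
    "oss:DeleteTableBucketEncryption", "oss:PutTablePolicy",
    "oss:GetTablePolicy", "oss:DeleteTablePolicy", "oss:GetTableEncryption",
    "oss:PutTableEncryption",
}
# Assumed shape of an OSS Tables ARN, read off the examples on this page:
# acs:osstables:<region>:<account-id>:bucket/<name>[/table/<id>]
ARN_RE = re.compile(r"^acs:osstables:[^:]+:[^:]+:bucket/.+$")


def as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def expand_actions(patterns):
    """Resolve wildcard patterns such as oss:* or oss:*Table* to concrete actions."""
    return {a for a in ALL_ACTIONS if any(fnmatch.fnmatchcase(a, p) for p in patterns)}


def lint_policy(policy_json, owner_account):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    policy = json.loads(policy_json)
    if policy.get("Version") != "1":
        findings.append('Version must be the string "1"')
    statements = policy.get("Statement")
    if not isinstance(statements, list) or not statements:
        return findings + ["Statement must be a non-empty array"]
    for i, stmt in enumerate(statements):
        tag = f"Statement[{i}]"
        if stmt.get("Effect") not in ("Allow", "Deny"):
            findings.append(f"{tag}: Effect must be Allow or Deny")
        actions = as_list(stmt.get("Action"))
        principals = as_list(stmt.get("Principal"))
        resources = as_list(stmt.get("Resource"))
        for key, values in (("Action", actions), ("Principal", principals), ("Resource", resources)):
            if not values:
                findings.append(f"{tag}: {key} is required")
        for a in actions:
            if not expand_actions([a]):
                findings.append(f"{tag}: {a} matches no OSS Tables action")
        for p in principals:
            if not re.fullmatch(r"\d+", p):
                findings.append(f"{tag}: Principal {p!r} is not an account ID")
        for r in resources:
            if not ARN_RE.match(r):
                findings.append(f"{tag}: Resource {r!r} is not an OSS Tables ARN")
        # An Allow for a principal outside the owning account must not include
        # actions the page lists as not allowed cross-account.
        if stmt.get("Effect") == "Allow":
            blocked = sorted(expand_actions(actions) & NO_CROSS_ACCOUNT)
            for p in principals:
                if p != owner_account and blocked:
                    findings.append(f"{tag}: {p} is another account; cannot grant {', '.join(blocked)}")
    return findings


# Constructed sample policies for a bucket owned by account 1234567890.
OWNER = "1234567890"
BUCKET_ARN = "acs:osstables:cn-hangzhou:1234567890:bucket/mytablebucket"
GOOD_POLICY = json.dumps({"Version": "1", "Statement": [{
    "Effect": "Allow", "Action": ["oss:GetTable", "oss:ListTables"],
    "Principal": ["1142323451000000"], "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"]}]})
BAD_POLICY = json.dumps({"Version": "1", "Statement": [{
    "Effect": "Allow", "Action": "oss:*",              # wildcard grants every action
    "Principal": ["1142323451000000"],                  # to another account
    "Resource": ["acs:oss:cn-hangzhou:1234567890:mytablebucket"]}]})  # not a Tables ARN

if __name__ == "__main__":
    for label, doc in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        print(label, lint_policy(doc, OWNER) or "OK")
```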
Resource ARN format
OSS Tables identifies resources with ARNs (Alibaba Cloud Resource Names) in the following format. The patterns below follow the ARNs used in the examples on this page:

| Resource level | Format | Example |
|---|---|---|
| Table Bucket | acs:osstables:{region}:{account-id}:bucket/{table-bucket-name} | acs:osstables:cn-hangzhou:1234567890:bucket/mytablebucket |
| Table | acs:osstables:{region}:{account-id}:bucket/{table-bucket-name}/table/{table-id} | acs:osstables:cn-hangzhou:1234567890:bucket/mytablebucket/table/c3a22d63-xxxx-xxxx-xxxx-xxxxxxxxxxxx |