Permission management

Last updated: 2021-03-30 17:02:03

1. How can I obtain the access key IDs and access key secrets?

2. What is the difference between the KS3 AKs/SKs and Kingsoft Cloud AKs/SKs?

3. What types of ACLs are available for bucket and object access control?

4. Can an anonymous user access an object in a bucket with the public-read ACL?

5. Can I modify the ACL configuration for a bucket or object?

6. Why is it sometimes very slow to modify the access permissions of a directory/folder on the console?

7. Can I assign permissions of a bucket or object to specific users?

8. Can KS3 control access from certain IP addresses or domains?


1. How can I obtain the access key IDs and access key secrets?

Before April 27, 2017, the AK/SK management module of KS3 was located under Object Storage > Account Settings. Since April 27, 2017, it has been part of the unified identity and access control management system of Kingsoft Cloud. If you have old KS3 keys, move the pointer over the account name at the upper-right corner of the page and select Accesskeys from the drop-down menu. Then, click the Object storage key tab to view the keys. For more information, see Activate KS3 service.

2. What is the difference between the KS3 AKs/SKs and Kingsoft Cloud AKs/SKs?

KS3 AKs/SKs are restricted to KS3. You cannot use them to access other Kingsoft Cloud products. Since April 24, 2017, KS3 keys created before that date can still be used, but you can only disable or delete them. A disabled key cannot be re-enabled, and new KS3 keys cannot be created. We recommend that you go to the AK management page and click New Key to create AKs or SKs. Keys created there can access all Kingsoft Cloud services, including KS3.

3. What types of ACLs are available for bucket and object access control?

The following types of ACLs are available for bucket access control:

  • public-read-write: Anyone (including anonymous users) can perform List, Put, and Delete operations on the objects in the bucket.
  • public-read: Anyone (including anonymous users) can perform List operations on the objects in the bucket. Put and Delete operations are not allowed. Note that a read operation on the bucket is different from a read operation on an object.
  • private: Only the creator of the bucket has all permissions. No one else can access the bucket.

The following types of ACLs are available for object access control:

  • public-read: Anyone (including anonymous users) can read (download) the object.
  • private: Only the owner of the object can manipulate the object.

For more information, see the API documentation.

4. Can an anonymous user access an object in a bucket with the public-read ACL?

Having the read permission on a bucket does not mean having the read permission on objects in the bucket. The read permission on a bucket allows you to perform List operations on the objects in the bucket. For anonymous users to access an object, you must also set the permissions of the object to Public.

5. Can I modify the ACL configuration for a bucket or object?

Yes. KS3 provides public-read-write, public-read, and private ACLs for bucket access control and public-read and private ACLs for object access control.

You can use one of the following methods to modify the ACL configuration for a bucket or object:

  • To modify the ACL configuration for a bucket, log in to the console, select the target bucket, and click Space Settings. Then, on the Permissions tab, select Bucket Permissions and click Confirm.
  • To modify the ACL configuration for an object (file or directory), log in to the console and move the pointer over the target object. The object row turns gray and the Edit button appears. Click the Edit button, enter Yes in the dialog box that appears, and click Submit.

6. Why is it sometimes very slow to modify the access permissions of a directory/folder on the console?

In KS3, a directory (or folder) is a virtual concept. The directory or folder of a file is actually the prefix of the object's key. Modifying the access permission configuration of a directory or folder on the console affects all objects whose key prefixes contain the directory. If a large number of files exist in the directory, the delete queue might include many pending items. As a best practice, use an API to traverse the file list and call the interface to modify the access permission configurations.
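
The traversal recommended above, as an added example that is not KS3 SDK code: `list_page` and `put_object_acl` are hypothetical callables standing in for the list-objects and set-object-ACL calls of whichever SDK you use, and `FakeBucket` is a constructed in-memory stand-in so the code runs offline. It pages through the keys under a directory prefix, applies one of the object ACLs listed in question 3, and records failures instead of stopping.

```python
# Hypothetical storage interface (an assumption, not the KS3 SDK):
#   list_page(prefix, marker, max_keys) -> (keys, next_marker or None)
#   put_object_acl(key, acl)            -> None, raises on failure
OBJECT_ACLS = {"public-read", "private"}  # object ACL types listed on this page


def set_acl_under_prefix(list_page, put_object_acl, directory, acl, page_size=1000):
    """Apply `acl` to every object whose key starts with `directory/`.

    Returns (changed_keys, failed), where failed is [(key, error_text)].
    """
    if acl not in OBJECT_ACLS:
        raise ValueError(f"unsupported object ACL: {acl!r}")
    if not directory.strip("/"):
        raise ValueError("refusing to rewrite ACLs for the whole bucket")
    # A "directory" is only a key prefix. Without the trailing slash,
    # "logs" would also match keys such as "logs-archive/x.txt".
    prefix = directory.rstrip("/") + "/"
    changed, failed, marker = [], [], None
    while True:
        keys, marker = list_page(prefix, marker, page_size)
        for key in keys:
            try:
                put_object_acl(key, acl)
                changed.append(key)
            except Exception as exc:  # keep going and report at the end
                failed.append((key, str(exc)))
        if marker is None:  # no further pages
            return changed, failed


class FakeBucket:
    """Constructed in-memory bucket; every object starts as public-read."""

    def __init__(self, keys):
        self.acls = {k: "public-read" for k in keys}

    def list_page(self, prefix, marker, max_keys):
        keys = sorted(k for k in self.acls
                      if k.startswith(prefix) and (marker is None or k > marker))
        page = keys[:max_keys]
        return page, (page[-1] if len(keys) > max_keys else None)

    def put_object_acl(self, key, acl):
        if key.endswith(".lock"):  # simulated per-object failure
            raise PermissionError("simulated failure")
        self.acls[key] = acl
```

Keys in the returned `failed` list keep their previous ACL, so retry them or check them by hand before treating the directory as locked down.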

7. Can I assign permissions of a bucket or object to specific users?

Yes. You can configure a bucket policy to do this. A policy lets you specify precisely which resources a user can access and which operations the user can perform on them. Only the owner of the bucket can use this feature.
Use one of the following methods:

8. Can KS3 control access from certain IP addresses or domains?

Yes. KS3 supports the door chain feature, that is, the domain access blacklist or whitelist. You can add the names of the banned source domains to the blacklist. To reject access from certain IP addresses, use the conditions in the bucket policy to specify the source IP addresses. For more information, see the Detailed explanation of Condition section in Bucket Policy.
