
How does KS3 authorize requests

Last updated: 2021-04-28 11:04:11

When receiving a bucket or object operation request, KS3 verifies whether the requester has the necessary permissions.

KS3 evaluates all related access policies, that is, user policies and resource-based policies (bucket policies, bucket ACLs, and object ACLs), to decide whether to allow the request. If any of these policies denies the request, KS3 denies it.

Here are some examples:

  • If the requester is an IAM user, KS3 determines whether the Kingsoft Cloud account to which the IAM user belongs has granted necessary permissions to the IAM user by using a user policy. If the Kingsoft Cloud account is the resource owner, it can also grant necessary permissions to the IAM user by using a bucket policy.

  • If the IAM user is authorized by its Kingsoft Cloud account, KS3 further determines whether the resource owner has granted the necessary permissions, either to the IAM user by using a bucket policy, or to the Kingsoft Cloud account by using a bucket policy, a bucket ACL, or an object ACL. However, if the Kingsoft Cloud account is itself the resource owner, the IAM user does not need to be authorized by a bucket policy.

  • If the requester is a Kingsoft Cloud account, KS3 determines whether it is the resource owner. If not, the Kingsoft Cloud account must obtain permissions from the resource owner. The resource owner can grant permissions by using a bucket policy, a bucket ACL, or an object ACL.

  • If the requester is an anonymous user, KS3 determines whether the resource is public or whether the resource owner has authorized anonymous users by using a bucket policy.

The following figure shows the flowchart.

  • User context: If the requester is an IAM user, it must be authorized by the Kingsoft Cloud account to which it belongs. KS3 also determines whether the Kingsoft Cloud account has necessary permissions.

    Note: If the Kingsoft Cloud account is the resource owner, it can also grant necessary permissions to the IAM user by using a bucket policy or an ACL.

  • Resource context: The requester must be authorized by the resource owner to perform specific operations. The resource owner can grant permissions to the IAM user or the Kingsoft Cloud account to which the IAM user belongs by using a user policy, a bucket policy, or an ACL.

    Note: If the Kingsoft Cloud account is the resource owner and has granted permissions to the IAM user by using a user policy, the request can pass the resource context verification if the bucket policy neither allows nor denies the request.
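Added example, not from the KS3 documentation: a simplified Python model of the evaluation order described above (explicit deny in any policy wins, then the user context, then the resource context). The principal strings, policy tuples and ACL dictionaries are an assumed layout for illustration, not the KS3 policy format.

```python
from dataclasses import dataclass, field

@dataclass
class Resource:
    """Bucket/object with the resource-based policies the page lists (constructed model)."""
    owner: str                                         # owning account, e.g. "acct:A"
    bucket_policy: list = field(default_factory=list)  # (effect, principal, action) tuples
    bucket_acl: dict = field(default_factory=dict)     # principal -> set of actions
    object_acl: dict = field(default_factory=dict)     # principal -> set of actions
    public: bool = False                               # resource is public (anonymous read)

def _policy_effect(statements, principals, action):
    """'Deny' if any matching statement denies, 'Allow' if one allows, else None."""
    effects = {eff for eff, p, act in statements if p in principals and act == action}
    return "Deny" if "Deny" in effects else "Allow" if "Allow" in effects else None

def _acl_grants(res, principals, action):
    """True if the bucket ACL or object ACL grants `action` to any of `principals`."""
    return any(action in res.bucket_acl.get(p, set()) | res.object_acl.get(p, set())
               for p in principals)

def authorize(requester, action, res, user_policies):
    """requester: "user:<acct>/<name>" (IAM user), "acct:<acct>", or None (anonymous).
    user_policies: IAM user -> statements granted by the user's own account (assumed layout)."""
    if requester is None:
        # Anonymous: the resource must be public or the bucket policy must allow "*".
        return res.public or _policy_effect(res.bucket_policy, {"*"}, action) == "Allow"
    is_iam = requester.startswith("user:")
    account = "acct:" + requester[5:].split("/")[0] if is_iam else requester
    principals = {requester, account}
    owner = res.owner == account
    bp = _policy_effect(res.bucket_policy, principals, action)
    if bp == "Deny":
        return False  # an explicit deny in any policy wins
    if is_iam:
        # User context: the parent account must grant the user via a user policy;
        # if that account owns the resource it may instead grant via bucket policy or ACL.
        up = _policy_effect(user_policies.get(requester, []), {requester}, action)
        if up == "Deny":
            return False
        owner_grant = owner and (bp == "Allow" or _acl_grants(res, {requester}, action))
        if up != "Allow" and not owner_grant:
            return False
    # Resource context: the owner passes when the bucket policy allows or is silent;
    # any other requester needs a grant from the owner (bucket policy or ACL).
    if owner:
        return True
    return bp == "Allow" or _acl_grants(res, principals, action)
```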
