Summary of permissions

Last updated:2021-04-28 11:04:11

By default, all KS3 resources, including buckets, objects, and related sub-resources such as lifecycle and ACL configurations, are private. They are accessible only to the resource owner, that is, the Kingsoft Cloud account that created the resources. The creator of a bucket can access all resources in the bucket.

The resource owner can configure an access policy to grant access permissions to other users.

KS3 resources

Buckets and objects are the main resources of KS3, and they have associated resources.
Buckets have the following sub-resources:

  • Bucket policies
  • ACLs
  • Lifecycle
  • Cross-origin resource sharing (CORS)
  • Logging

Objects have the following sub-resources:

  • ACLs

Authorized entities

  • Account

An account, or Kingsoft Cloud account, is the owner of Kingsoft Cloud resources. Resource usage is measured and billed on the account level. You must register an account before you can use the services provided by Kingsoft Cloud. In general, the username of an account is the identifier used for logging in to Kingsoft Cloud.

An account is the owner of the cloud computing resources under its name. It has full control over these resources. It is also the owner of the orders and bills for these resources. An account can access and manage any cloud computing resources that it owns.

  • IAM user

An IAM user is an authorization entity under an account. It is also a type of resource that belongs to the account. An IAM user does not own any cloud computing resources. Resource usage is not measured or billed on the IAM user level. An IAM user can manage the resources of an account after authorization from the account. The resources that an IAM user manages belong to an account and are paid for by the account. An IAM user does not have independent bills.

After an IAM user is authorized by an account, the IAM user can obtain a password or an AccessKey, with which the IAM user can log in to the Kingsoft Cloud console and call APIs to manage the resources of the account.

  • Role

A role is a type of virtual user or shadow user. It is an IAM user type. This type of virtual user has a defined identity, can be assigned a set of permissions through a policy, but does not have a password or an AccessKey. The difference between a role and an IAM user mainly lies in the way it is used. A role needs to be assigned to an entity user. The entity user then obtains a temporary security token for the role, with which the entity user can access authorized resources as the role.

  • Resource ownership

All KS3 resources are private by default. They are accessible only to the resource owner, that is, the Kingsoft Cloud account that created the resources.

  • The Kingsoft Cloud account that created the buckets and objects has full permissions on these resources.
  • IAM users do not own any resources. If an IAM user is authorized to upload an object, the account of the IAM user owns the object.
  • A bucket owner can authorize other Kingsoft Cloud accounts to upload objects to the bucket. In this case, these Kingsoft Cloud accounts own the objects. The bucket owner has full permissions on the objects owned by these Kingsoft Cloud accounts, and pays the bills.

Resource operations

KS3 provides a series of operations to manage KS3 resources.

Access policies

Access policies are classified into resource-based policies and user policies. A resource-based policy is an access policy attached to a resource (a bucket or an object), such as a bucket policy or an ACL. A user policy is an access policy attached to a user under an account.

image.png

  • ACL:
    Each bucket and object are associated with an ACL. An ACL can grant basic read/write permissions to other Kingsoft Cloud accounts. An ACL is expressed in XML format. In the following example, the bucket owner grants the read permission to another user.
<AccessControlPolicy>
   <Owner>
     <ID>Owner-User-Id</ID>
     <DisplayName>Owner-User-Name</DisplayName>
   </Owner>
   <AccessControlList>
      <Grant>
        <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
           <ID>User2-Id</ID>
           <DisplayName>User2-Name</DisplayName>
       </Grantee>
       <Permission>READ</Permission>
     </Grant>
...
   </AccessControlList>
</AccessControlPolicy>
  • Bucket policy:
    You can configure a bucket policy to allow other Kingsoft Cloud accounts or IAM users, including IAM users under your account and other accounts, to access a bucket or objects in the bucket. A bucket policy can supplement the ACL with more fine-grained authorization. A bucket policy is expressed in JSON format. In the following example, the bucket policy grants account 11123 full permissions on mybucket and all objects in mybucket.
{
    "Version":"2008-10-17",
    "Statement":[{
       "Sid":"1",
       "Effect":"Allow",
       "Principal":{"KSC":["krn:ksc:iam:::11123:root"]},
       "Action":["ks3:*"], 
       "Resource":["krn:ksc:ks3:::mybucket","krn:ksc:ks3:::mybucket/*"]
   }]
}

You can manage the access to KS3 resources by using
IAM. By using IAM, you can create IAM users, user groups, and roles under an account, and add user policies to allow them to access KS3 resources.

{
    "Version":"2015-11-01",
    "Statement":[{
    "Effect":"Allow",
    "Action":["ks3:*"],
    "Resource":["krn:ksc:ks3:::mybucket","krn:ksc:ks3:::mybucket/*"]
    }]
}

Did you find the above information helpful?

Unhelpful
Mostly Unhelpful
A little helpful
Helpful
Very helpful

What might be the problems?

Insufficient
Outdated
Unclear or awkward
Redundant or clumsy
Lack of context for the complex system or functionality

More suggestions

0/200

Please give us your feedback.

Submitted

Thank you for your feedback.

问题反馈