Skip to content

Access Control (1) - ACL -

By defining Access Control List (ACL), users manage groups who has accessibility to buckets and objects. The default ACL grants the resource owner accessibility to their group's data. By changing default setting, ACL grants control to specific ABCI groups or everyone.

What to Configure

For each bucket and object, ACL configures who is grantee and what permission is granted.

The table below lists grantees. ABCI group is the smallest grantee unit. Therefore, specific single Cloud Storage Account can not be the grantee.

Grantee Description
ABCI group Specific groups can be allowed to access buckets and object that belong to other groups. All accounts under the group obtain accessibility.
Everyone who has ABCI Storage Account everyone who has ABCI Cloud Storage account can access resources. Access Key is required for authentication.
Anyone Anyone can access with no authentication.

Buckets and Objects have different lists of permissions.

Here is a table for buckets.

Permission Description
read Allows grantee to list the objects in the bucket
write Allows grantee to create, delete and overwrite objects in the bucket
read-acp Allows grantee to overwrite the ACL of the bucket
write-acp Allows grantee to overwrite the ACL of the bucket
full-control Grants all permissions listed above to grantee

The table below is for objetcs.

Permission Description
read Allows grantee to read the object data
write Not applicable
read-acp Allows grantee to read the ACL of the object
write-acp Allows grantee to overwrite the ACL of the object
full-control Grants all permissions listed above to grantee

A default ACL grants full control to belonged ABCI group for the buckets and objects.

As for ACL includes typical pairs of grantees and permissions for general situation, such as opening to the internet, the standard ACLs are available. The standard ACLs are shown in later section.

How to Set ACL (Examples)

Share Objects between ABCI Groups

This part explains how to share objects between ABCI groups. For example, we grant the ABCI Group 'gaa11111' permission to the object 'testdata' under the ABCI group 'gaa0000'.

Source ABCI group Shared ABCI group
gaa00000 gaa11111

Detail

Bucket name prefix Object name
test-share test/ testdata

At first, the owner needs to get ID of the grantee. Ask the grantee to run the commaned 's3 list-bucket', obtain the ID and let the source know it.

$ aws --endpoint-url https://s3.abci.ai s3api list-buckets
{
    "Buckets": [
        {
            "Name": "gaa11111-bucket-1",
            "CreationDate": "2019-08-22T11:36:17.523Z"
        }
    ],
    "Owner": {
        "DisplayName": "gaa11111",
regular ID->"ID": "1a2bc03fa4ee5ba678b90cc1a234f5f67f890f1f2341fa56a78901234cc5fad6"
    }
}

Then the source sets ACL of the object as shown below. To grant 'read', use option '--grant-read' and specify the grantee's ID.

[username@es1 ~]$ aws --endpoint-url https://s3.abci.ai s3api put-object-acl --grant-read id=1a2bc03fa4ee5ba678b90cc1a234f5f67f890f1f2341fa56a78901234cc5fad6 --bucket test-share --key test/testdata

Confirm if it has been done successfully. As shown below, the Grants element indentifies 'gaa11111' as a grantee with permission 'READ'.

[username@es1 ~]$ aws --endpoint-url https://s3.abci.ai s3api get-object-acl --bucket test-share --key test/testdata
{
    "Owner": {
        "DisplayName": "gaa00000",
        "ID": "f12d0fa66ea4df5418c0c6234fd5eb3a9f4409bf50b5a58983a30be8f9a42bda"
    },
    "Grants": [
        {
            "Grantee": {
                "DisplayName": "gaa11111",
                "ID": "1a2bc03fa4ee5ba678b90cc1a234f5f67f890f1f2341fa56a78901234cc5fad6",
                "Type": "CanonicalUser"
            },
            "Permission": "READ"
        }
    ]
}

By setting ACL to private as following, user can retrieve default ACL setting.

[username@es1 ~]$ aws --endpoint-url https://s3.abci.ai s3api put-object-acl --acl private --bucket test-share --key test/testdata

When a user not belonging to your ABCI group puts objects on your bucket, your ABCI group is charged for them.

Open to All Accounts on ABCI Cloud Storage

In order to open a object to all accounts on ABCI Cloud Storage, specify authenticated-read for --acl. The following example opens the object 'dataset.txt' under the bucket 'gaa00000-bucket-2' to the public.

[username@es1 ~]$ aws --endpoint-url https://s3.abci.ai s3api put-object-acl --acl authenticated-read  --bucket gaa00000-bucket-2 --key dataset.txt

When adding an object to a bucket by running the aws s3api put-object, acl setting mentioned above can be done simultaneously. See the help that is shown by aws s3api put-object help.

Public Access

Two standard ACLs open buckets and objects to the public, which enable any internet users to access data. See the table below.

Standard ACL Bucket Object
public-read Opens the list of objects under specified bucket to the internet. Opens specified objects to the internet. Users with appropreate account can do this.
public-read-write Anyone on the internet can read and overwite the objects under the bucket and set ACL of the bucket. Anyone on the internet can read and overwite the objects and set ACL of the object.

Caution

Before you grant read access to everyone in the world, please read the following agreements carefully, and make sure it is appropriate to do so.

Caution

Please do not use 'public-read-write' due to the possibility of unintended use by a third party.

Default standard ACL is set to be private. To terminate public access, use standard ACLs.

Public Buckets

By applying the standard ACL 'public-read' to a bucket, the list of objects in the bucket is opened to public. Here is an example.

ACL to be applied Bucket to be opened
public-read test-pub

Configure 'public-read' with 'put-bucket-acl'. To check the current configuration, run the command get-bucket-acl. Make sure that the grantee with URI "http://acs.amazonaws.com/groups/global/AllUsers" meaning public is added and permission 'READ' is given to it.

[username@es1 ~]$ aws --endpoint-url https://s3.abci.ai s3api put-bucket-acl --acl public-read --bucket test-pub
[username@es1 ~]$ aws --endpoint-url https://s3.abci.ai s3api get-bucket-acl --bucket test-pub
{
    "Owner": {
        "DisplayName": "gxx00000",
        "ID": "f12d0fa66ea4df5418c0c6234fd5eb3a9f4409bf50b5a58983a30be8f9a42bda"
    },
    "Grants": [
        {
            "Grantee": {
                "DisplayName": "gxx00000",
                "ID": "f12d0fa66ea4df5418c0c6234fd5eb3a9f4409bf50b5a58983a30be8f9a42bda",
                "Type": "CanonicalUser"
            },
            "Permission": "FULL_CONTROL"
        },
        {
            "Grantee": {
                "Type": "Group",
                "URI": "http://acs.amazonaws.com/groups/global/AllUsers"
            },
            "Permission": "READ"
        }
    ]
}

To confirm if it works properly, access https://test-pub.s3.abci.ai by any internet browser. If using Firefox, an XML including the list of objects will be shown.

The example following shows how to stop opening to the public and retrieve default setting. Confirm that the grantee added before is deleted and the permission of the ABCI group is 'FULL_CONTROL'.

[username@es1 ~]$ aws --endpoint-url https://s3.abci.ai s3api put-bucket-acl --acl private --bucket test-pub
[username@es1 ~]$ aws --endpoint-url https://s3.abci.ai s3api get-bucket-acl --bucket test-pub
{
    "Owner": {
        "DisplayName": "gxx00000",
        "ID": "f12d0fa66ea4df5418c0c6234fd5eb3a9f4409bf50b5a58983a30be8f9a42bda"
    },
    "Grants": [
        {
            "Grantee": {
                "DisplayName": "gxx00000",
                "ID": "f12d0fa66ea4df5418c0c6234fd5eb3a9f4409bf50b5a58983a30be8f9a42bda",
                "Type": "CanonicalUser"
            },
            "Permission": "FULL_CONTROL"
        }
    ]
}

Public Objects

By applying the standard ACL 'public-read' to an object, the object is opened to public. The following example shows the detail.

ACL to be applied Bucket prefix Object to be opened
public-read test-pub2 test/ test.txt

Configure 'public-read' with 'put-object-acl'. To check the current configuration, run the command get-object-acl. Make sure that the grantee with URI "http://acs.amazonaws.com/groups/global/AllUsers" meaning public is added and permission 'READ' is given to it.

[username@es1 ~]$ aws --endpoint-url https://s3.abci.ai s3api put-object-acl --bucket test-pub2 --acl public-read --key test/test.txt
[username@es1 ~]$ aws --endpoint-url https://s3.abci.ai s3api get-object-acl--bucket test-pub2 --key test/test.txt
{
    "Owner": {
        "DisplayName": "gxx00000",
        "ID": "f12d0fa66ea4df5418c0c6234fd5eb3a9f4409bf50b5a58983a30be8f9a42bda" 
    },
    "Grants": [
        {
            "Grantee": {
                "DisplayName": "gxx00000",
                "ID": "f12d0fa66ea4df5418c0c6234fd5eb3a9f4409bf50b5a58983a30be8f9a42bda",
                "Type": "CanonicalUser" 
            },
            "Permission": "FULL_CONTROL" 
        },
        {
            "Grantee": {
                "Type": "Group",
                "URI": "http://acs.amazonaws.com/groups/global/AllUsers" 
            },
            "Permission": "READ" 
        }
    ]
}

To confirm if it works properly, access https://test-pub2.s3.abci.ai/test/test.txt by any internet browser. If using Firefox, a list of objects will be shown.

The example following shows how to stop opening to the public and retrieve default setting. Confirm that the grantee added before is deleted and the permission of the ABCI group is 'FULL_CONTROL'.

[username@es1 ~]$ aws --endpoint-url https://s3.abci.ai s3api put-object-acl --acl private --bucket  test-pub2 --key test/test.txt
[username@es1 ~]$ aws --endpoint-url https://s3.abci.ai s3api get-object-acl --bucket test-pub2 --key test/test.txt
{
    "Owner": {
        "DisplayName": "gxx00000",
        "ID": "f12d0fa66ea4df5418c0c6234fd5eb3a9f4409bf50b5a58983a30be8f9a42bda"
    },
    "Grants": [
        {
            "Grantee": {
                "DisplayName": "gxx00000",
                "ID": "f12d0fa66ea4df5418c0c6234fd5eb3a9f4409bf50b5a58983a30be8f9a42bda",
                "Type": "CanonicalUser"
            },
            "Permission": "FULL_CONTROL"
        }
    ]
}