Create an access control list for a bucket
A PUT issued to a bucket with the `acl` query parameter creates or replaces the access control list (ACL) for that bucket. An ACL grants different sets of permissions to different storage accounts, identified by the account's ID, or applies a pre-made ACL.

ACLs can use pre-made permission sets ('canned ACLs') or be customized in the body of the request. Pre-made ACLs are specified using the x-amz-acl header; custom ACLs are specified as XML in the request payload. Only one method (header or payload) can be used in a single request.

This operation does not use any additional operation-specific query parameters.
ACL grantees can be specified using any of the following methods:
| Method | Description | Example |
|---|---|---|
| Canonical ID | User account UUID | 43a89ab8-a5e9-44bf-9671-d23a8729b2e0 |
| Email Address | Username of user account as set in COS Manager | user1 |
| URI | Used for pre-defined groups. COS supports the All Users Group for bucket ACLs, and the All Users Group and Authenticated Users URIs for object ACLs. All other predefined groups are unsupported. | http://acs.amazonaws.com/groups/global/AllUsers or http://acs.amazonaws.com/groups/global/AuthenticatedUsers |
The assigned permissions behave as follows:
| Permission | When granted on a bucket | When granted on an object |
|---|---|---|
| READ | Allows grantee to list and read all objects in bucket | Allows grantee to read object data and metadata |
| WRITE | Allows grantee to create, overwrite and delete any object in bucket. Cannot be granted independently from READ permission. | N/A |
| READ_ACP | This permission does not exist for buckets; default setting is FULL_CONTROL | Allows grantee to read object ACL |
| WRITE_ACP | Default setting is FULL_CONTROL | Allows grantee to write ACL for applicable object |
| FULL_CONTROL | Allows grantee READ, WRITE, READ_ACP and WRITE_ACP permissions on bucket | Allows grantee READ, READ_ACP and WRITE_ACP permissions on object |
Note: The READ_ACP, WRITE_ACP, and FULL_CONTROL permissions are implied by the bucket "own" permission. When any of these permissions is assigned to a grantee in a bucket ACL, that grantee is granted the bucket "own" permission.
The following canned ACLs are supported by IBM COS. Values not listed below are not supported.
| Canned ACL | Applies to | Notes |
|---|---|---|
| private | Bucket and object | When set on a bucket, the requestor is interpreted as the bucket owner. |
| public-read | Bucket and object | When set on a bucket, the requestor is interpreted as the bucket owner. |
| public-read-write | Bucket and object | When set on a bucket, the requestor is interpreted as the bucket owner. |
| authenticated-read | Bucket and object | Supported when set on an object only. Not supported as a bucket ACL. |
Syntax

```http
PUT https://{endpoint}/{bucket-name}?acl= # path style
PUT https://{bucket-name}.{endpoint}?acl= # virtual host style
```
Sample request: basic pre-made ACL

This example specifies a pre-made ACL to allow public-read access to the "example" bucket. This allows any storage account to view the bucket's contents and ACL details.

```http
PUT /example?acl= HTTP/1.1
Authorization: {authorization-string}
x-amz-date: 20161011T190354Z
x-amz-acl: public-read
Host: 67.228.254.193
```
Sample response

```http
HTTP/1.1 200 OK
Date: Tue, 4 Oct 2016 19:03:55 GMT
X-Clv-Request-Id: 73d3cd4a-ff1d-4ac9-b9bb-43529b11356a
Accept-Ranges: bytes
Server: Cleversafe/3.9.0.129
X-Clv-S3-Version: 2.5
x-amz-request-id: 73d3cd4a-ff1d-4ac9-b9bb-43529b11356a
Content-Length: 0
```
Sample request: custom ACL

This example specifies a custom ACL that allows another user, identified by username, to view the ACL of the "example" bucket but not to list the objects stored inside it. A third account is given full access to the same bucket as another element of the same ACL, and all authenticated users of the system can list objects in the bucket.
```http
PUT /example?acl= HTTP/1.1
Authorization: {authorization-string}
x-amz-date: 20161011T190354Z
Host: 67.228.254.193

<?xml version="1.0" encoding="UTF-8"?>
<AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Owner>
    <ID>{owner-storage-account-uuid}</ID>
    <DisplayName>OwnerDisplayName</DisplayName>
  </Owner>
  <AccessControlList>
    <Grant>
      <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="AmazonCustomerByEmail">
        <ID>{username}</ID>
        <DisplayName>Grantee1DisplayName</DisplayName>
      </Grantee>
      <Permission>READ_ACP</Permission>
    </Grant>
    <Grant>
      <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
        <ID>{second-grantee-storage-account-uuid}</ID>
        <DisplayName>Grantee2DisplayName</DisplayName>
      </Grantee>
      <Permission>FULL_CONTROL</Permission>
    </Grant>
    <Grant>
      <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group">
        <ID>http://acs.amazonaws.com/groups/global/AuthenticatedUsers</ID>
      </Grantee>
      <Permission>READ</Permission>
    </Grant>
  </AccessControlList>
</AccessControlPolicy>
```
Sample response

```http
HTTP/1.1 200 OK
Date: Tue, 4 Oct 2016 19:03:55 GMT
X-Clv-Request-Id: 73d3cd4a-ff1d-4ac9-b9bb-43529b11356a
Accept-Ranges: bytes
Server: Cleversafe/3.9.0.129
X-Clv-S3-Version: 2.5
x-amz-request-id: 73d3cd4a-ff1d-4ac9-b9bb-43529b11356a
```
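The following added example (not part of the IBM COS documentation) parses a custom ACL body in the format shown above and reports the grants a reviewer would want to see: group grants to AllUsers or AuthenticatedUsers, and grants carrying READ_ACP, WRITE_ACP or FULL_CONTROL, which per the note above imply the bucket "own" permission. The sample policy is constructed from the page's placeholders and example values; the page's sample puts every grantee identifier in `<ID>`, and the parser also accepts `<URI>` and `<EmailAddress>` on the assumption that S3-style bodies may use those tags.

```python
import xml.etree.ElementTree as ET

S3 = "{http://s3.amazonaws.com/doc/2006-03-01/}"
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
OWN_IMPLYING = {"READ_ACP", "WRITE_ACP", "FULL_CONTROL"}  # imply bucket "own" (see Note)

# Constructed sample modelled on the page's custom-ACL request body (page placeholders kept).
SAMPLE_ACL = """<AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
<Owner><ID>{owner-storage-account-uuid}</ID></Owner>
<AccessControlList>
<Grant><Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="AmazonCustomerByEmail">
<ID>user1</ID></Grantee><Permission>READ_ACP</Permission></Grant>
<Grant><Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
<ID>43a89ab8-a5e9-44bf-9671-d23a8729b2e0</ID></Grantee><Permission>FULL_CONTROL</Permission></Grant>
<Grant><Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group">
<ID>http://acs.amazonaws.com/groups/global/AuthenticatedUsers</ID></Grantee><Permission>READ</Permission></Grant>
</AccessControlList>
</AccessControlPolicy>"""

def parse_grants(xml_text):
    """Return (grantee_type, identifier, permission) for each <Grant> in the policy."""
    grants = []
    for grant in ET.fromstring(xml_text).iter(S3 + "Grant"):
        grantee = grant.find(S3 + "Grantee")
        # The page's sample carries every identifier in <ID>; <URI>/<EmailAddress>
        # are accepted too (assumption: S3-style bodies may use those tags).
        ident = next((grantee.findtext(S3 + t) for t in ("ID", "URI", "EmailAddress")
                      if grantee.findtext(S3 + t)), None)
        grants.append((grantee.get(XSI_TYPE), ident, grant.findtext(S3 + "Permission")))
    return grants

def audit_bucket_acl(xml_text):
    """Flag grants that widen a bucket ACL beyond its owner; returns a list of findings."""
    findings = []
    for gtype, ident, perm in parse_grants(xml_text):
        if gtype == "Group" and ident == ALL_USERS:
            findings.append(f"anonymous {perm} via AllUsers")
        elif gtype == "Group" and ident == AUTH_USERS:
            findings.append(f"any authenticated account gets {perm}")
        if perm in OWN_IMPLYING:
            findings.append(f"{ident} gains bucket own permission via {perm}")
    return findings
```

Running `audit_bucket_acl` over an ACL fetched with GET ?acl= gives a quick review of who, beyond the owner, can read or change the bucket's ACL.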